2177b545fb5cf6551b0ab3712b906360452f09a91eade477c19e0524ed2edb4d

Analysis

max time kernel
145s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
12/05/2024, 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ReShadeSetup.exe
Size

26.4MB
MD5

45e3752e45783970e8147d5be54eb354
SHA1

f074c6e9825fcb554ac6b63eea3e870cf8114c86
SHA256

2177b545fb5cf6551b0ab3712b906360452f09a91eade477c19e0524ed2edb4d
SHA512

db5a03ab4bd0e6d76cc12f6f8394b53a2ec5ee755e39cbdbe054770f50b88e8dcdc4a1c77ef9292fea6c76e3eea11ef01aac863bd965e49684ec28e7d6b5c6b7
SSDEEP

786432:LrJioW+e5RY2j6+s7LWB75zupeoztZ026e5g8QT:VW+eHY2qHWB75ip509

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ReShadeSetup.exe	ReShadeSetup.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ReShadeSetup.exe	ReShadeSetup.exe

Loads dropped DLL 44 IoCs

pid	Process
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
3	discord.com
6	discord.com
7	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ipinfo.io
4	ipinfo.io

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	ReShadeSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	ReShadeSetup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3820	ReShadeSetup.exe
3820	ReShadeSetup.exe
1128	powershell.exe
1128	powershell.exe
4704	powershell.exe
4704	powershell.exe
1532	powershell.exe
1532	powershell.exe
4504	powershell.exe
4504	powershell.exe
740	powershell.exe
740	powershell.exe
2180	powershell.exe
2180	powershell.exe
1956	powershell.exe
1956	powershell.exe
3456	powershell.exe
3456	powershell.exe
4872	powershell.exe
4872	powershell.exe
2552	powershell.exe
2552	powershell.exe
3364	powershell.exe
3364	powershell.exe
4652	powershell.exe
4652	powershell.exe
2168	powershell.exe
2168	powershell.exe
3188	powershell.exe
3188	powershell.exe
3020	powershell.exe
3020	powershell.exe
5016	powershell.exe
5016	powershell.exe
1068	powershell.exe
1068	powershell.exe
2808	powershell.exe
2808	powershell.exe
2732	powershell.exe
2732	powershell.exe
3080	powershell.exe
3080	powershell.exe
5108	powershell.exe
5108	powershell.exe
392	powershell.exe
392	powershell.exe
3964	powershell.exe
3964	powershell.exe
4500	powershell.exe
4500	powershell.exe
4848	powershell.exe
4848	powershell.exe
1036	powershell.exe
1036	powershell.exe
1212	powershell.exe
1212	powershell.exe
2412	powershell.exe
2412	powershell.exe
4924	powershell.exe
4924	powershell.exe
3196	powershell.exe
3196	powershell.exe
1616	powershell.exe
1616	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3820	ReShadeSetup.exe
Token: SeIncreaseQuotaPrivilege	5008	wmic.exe
Token: SeSecurityPrivilege	5008	wmic.exe
Token: SeTakeOwnershipPrivilege	5008	wmic.exe
Token: SeLoadDriverPrivilege	5008	wmic.exe
Token: SeSystemProfilePrivilege	5008	wmic.exe
Token: SeSystemtimePrivilege	5008	wmic.exe
Token: SeProfSingleProcessPrivilege	5008	wmic.exe
Token: SeIncBasePriorityPrivilege	5008	wmic.exe
Token: SeCreatePagefilePrivilege	5008	wmic.exe
Token: SeBackupPrivilege	5008	wmic.exe
Token: SeRestorePrivilege	5008	wmic.exe
Token: SeShutdownPrivilege	5008	wmic.exe
Token: SeDebugPrivilege	5008	wmic.exe
Token: SeSystemEnvironmentPrivilege	5008	wmic.exe
Token: SeRemoteShutdownPrivilege	5008	wmic.exe
Token: SeUndockPrivilege	5008	wmic.exe
Token: SeManageVolumePrivilege	5008	wmic.exe
Token: 33	5008	wmic.exe
Token: 34	5008	wmic.exe
Token: 35	5008	wmic.exe
Token: 36	5008	wmic.exe
Token: SeIncreaseQuotaPrivilege	5008	wmic.exe
Token: SeSecurityPrivilege	5008	wmic.exe
Token: SeTakeOwnershipPrivilege	5008	wmic.exe
Token: SeLoadDriverPrivilege	5008	wmic.exe
Token: SeSystemProfilePrivilege	5008	wmic.exe
Token: SeSystemtimePrivilege	5008	wmic.exe
Token: SeProfSingleProcessPrivilege	5008	wmic.exe
Token: SeIncBasePriorityPrivilege	5008	wmic.exe
Token: SeCreatePagefilePrivilege	5008	wmic.exe
Token: SeBackupPrivilege	5008	wmic.exe
Token: SeRestorePrivilege	5008	wmic.exe
Token: SeShutdownPrivilege	5008	wmic.exe
Token: SeDebugPrivilege	5008	wmic.exe
Token: SeSystemEnvironmentPrivilege	5008	wmic.exe
Token: SeRemoteShutdownPrivilege	5008	wmic.exe
Token: SeUndockPrivilege	5008	wmic.exe
Token: SeManageVolumePrivilege	5008	wmic.exe
Token: 33	5008	wmic.exe
Token: 34	5008	wmic.exe
Token: 35	5008	wmic.exe
Token: 36	5008	wmic.exe
Token: SeDebugPrivilege	1128	powershell.exe
Token: SeDebugPrivilege	4704	powershell.exe
Token: SeIncreaseQuotaPrivilege	2696	wmic.exe
Token: SeSecurityPrivilege	2696	wmic.exe
Token: SeTakeOwnershipPrivilege	2696	wmic.exe
Token: SeLoadDriverPrivilege	2696	wmic.exe
Token: SeSystemProfilePrivilege	2696	wmic.exe
Token: SeSystemtimePrivilege	2696	wmic.exe
Token: SeProfSingleProcessPrivilege	2696	wmic.exe
Token: SeIncBasePriorityPrivilege	2696	wmic.exe
Token: SeCreatePagefilePrivilege	2696	wmic.exe
Token: SeBackupPrivilege	2696	wmic.exe
Token: SeRestorePrivilege	2696	wmic.exe
Token: SeShutdownPrivilege	2696	wmic.exe
Token: SeDebugPrivilege	2696	wmic.exe
Token: SeSystemEnvironmentPrivilege	2696	wmic.exe
Token: SeRemoteShutdownPrivilege	2696	wmic.exe
Token: SeUndockPrivilege	2696	wmic.exe
Token: SeManageVolumePrivilege	2696	wmic.exe
Token: 33	2696	wmic.exe
Token: 34	2696	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 3820	1084	ReShadeSetup.exe	82
PID 1084 wrote to memory of 3820	1084	ReShadeSetup.exe	82
PID 3820 wrote to memory of 5008	3820	ReShadeSetup.exe	84
PID 3820 wrote to memory of 5008	3820	ReShadeSetup.exe	84
PID 3820 wrote to memory of 1128	3820	ReShadeSetup.exe	87
PID 3820 wrote to memory of 1128	3820	ReShadeSetup.exe	87
PID 3820 wrote to memory of 4704	3820	ReShadeSetup.exe	89
PID 3820 wrote to memory of 4704	3820	ReShadeSetup.exe	89
PID 3820 wrote to memory of 2732	3820	ReShadeSetup.exe	91
PID 3820 wrote to memory of 2732	3820	ReShadeSetup.exe	91
PID 3820 wrote to memory of 2696	3820	ReShadeSetup.exe	92
PID 3820 wrote to memory of 2696	3820	ReShadeSetup.exe	92
PID 2732 wrote to memory of 4184	2732	cmd.exe	95
PID 2732 wrote to memory of 4184	2732	cmd.exe	95
PID 3820 wrote to memory of 1640	3820	ReShadeSetup.exe	96
PID 3820 wrote to memory of 1640	3820	ReShadeSetup.exe	96
PID 3820 wrote to memory of 1532	3820	ReShadeSetup.exe	98
PID 3820 wrote to memory of 1532	3820	ReShadeSetup.exe	98
PID 1640 wrote to memory of 4768	1640	cmd.exe	100
PID 1640 wrote to memory of 4768	1640	cmd.exe	100
PID 3820 wrote to memory of 4504	3820	ReShadeSetup.exe	101
PID 3820 wrote to memory of 4504	3820	ReShadeSetup.exe	101
PID 3820 wrote to memory of 2492	3820	ReShadeSetup.exe	103
PID 3820 wrote to memory of 2492	3820	ReShadeSetup.exe	103
PID 3820 wrote to memory of 740	3820	ReShadeSetup.exe	105
PID 3820 wrote to memory of 740	3820	ReShadeSetup.exe	105
PID 3820 wrote to memory of 2180	3820	ReShadeSetup.exe	107
PID 3820 wrote to memory of 2180	3820	ReShadeSetup.exe	107
PID 3820 wrote to memory of 4500	3820	ReShadeSetup.exe	109
PID 3820 wrote to memory of 4500	3820	ReShadeSetup.exe	109
PID 3820 wrote to memory of 1956	3820	ReShadeSetup.exe	111
PID 3820 wrote to memory of 1956	3820	ReShadeSetup.exe	111
PID 3820 wrote to memory of 3456	3820	ReShadeSetup.exe	113
PID 3820 wrote to memory of 3456	3820	ReShadeSetup.exe	113
PID 3820 wrote to memory of 3176	3820	ReShadeSetup.exe	115
PID 3820 wrote to memory of 3176	3820	ReShadeSetup.exe	115
PID 3820 wrote to memory of 4872	3820	ReShadeSetup.exe	117
PID 3820 wrote to memory of 4872	3820	ReShadeSetup.exe	117
PID 3820 wrote to memory of 2552	3820	ReShadeSetup.exe	119
PID 3820 wrote to memory of 2552	3820	ReShadeSetup.exe	119
PID 3820 wrote to memory of 4988	3820	ReShadeSetup.exe	121
PID 3820 wrote to memory of 4988	3820	ReShadeSetup.exe	121
PID 3820 wrote to memory of 3364	3820	ReShadeSetup.exe	123
PID 3820 wrote to memory of 3364	3820	ReShadeSetup.exe	123
PID 3820 wrote to memory of 4652	3820	ReShadeSetup.exe	125
PID 3820 wrote to memory of 4652	3820	ReShadeSetup.exe	125
PID 3820 wrote to memory of 2344	3820	ReShadeSetup.exe	127
PID 3820 wrote to memory of 2344	3820	ReShadeSetup.exe	127
PID 3820 wrote to memory of 2168	3820	ReShadeSetup.exe	129
PID 3820 wrote to memory of 2168	3820	ReShadeSetup.exe	129
PID 3820 wrote to memory of 3188	3820	ReShadeSetup.exe	131
PID 3820 wrote to memory of 3188	3820	ReShadeSetup.exe	131
PID 3820 wrote to memory of 572	3820	ReShadeSetup.exe	133
PID 3820 wrote to memory of 572	3820	ReShadeSetup.exe	133
PID 3820 wrote to memory of 3020	3820	ReShadeSetup.exe	135
PID 3820 wrote to memory of 3020	3820	ReShadeSetup.exe	135
PID 3820 wrote to memory of 5016	3820	ReShadeSetup.exe	137
PID 3820 wrote to memory of 5016	3820	ReShadeSetup.exe	137
PID 3820 wrote to memory of 1272	3820	ReShadeSetup.exe	139
PID 3820 wrote to memory of 1272	3820	ReShadeSetup.exe	139
PID 3820 wrote to memory of 1068	3820	ReShadeSetup.exe	141
PID 3820 wrote to memory of 1068	3820	ReShadeSetup.exe	141
PID 3820 wrote to memory of 2808	3820	ReShadeSetup.exe	143
PID 3820 wrote to memory of 2808	3820	ReShadeSetup.exe	143

C:\Users\Admin\AppData\Local\Temp\ReShadeSetup.exe
"C:\Users\Admin\AppData\Local\Temp\ReShadeSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Users\Admin\AppData\Local\Temp\ReShadeSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\ReShadeSetup.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3820
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1128
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
      4⤵
      PID:4184
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2> nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName
      4⤵
      PID:4768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4504
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:2492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2180
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:4500
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3456
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:3176
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4872
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2552
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:4988
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3364
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4652
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:2344
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2168
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3188
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3020
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5016
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:1272
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1068
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2808
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:2672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2732
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3080
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:2352
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5108
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:392
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:2256
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4500
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:1956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4848
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1036
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:4872
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2412
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:3364
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    PID:3324
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4924
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:4708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3196
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1616
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:3896
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    PID:1252
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:2100
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    PID:1596
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:3600
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:2880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    PID:1212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:3720
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:4668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    PID:4240
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:5108
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:2116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    PID:2984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:1368
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:3780
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    PID:3552
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:436
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:3712
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    PID:3932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:2612
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2880
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:4544
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    PID:248
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:4644
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:3844
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    PID:2300
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:2116
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:2984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    PID:4972
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:932
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:1964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    PID:1856
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:1928
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    PID:1148
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    PID:3840
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:1164
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3720
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    PID:4004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    PID:4488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10842\Crypto\Cipher\_raw_cbc.pyd

Filesize
12KB

MD5
20708935fdd89b3eddeea27d4d0ea52a

SHA1
85a9fe2c7c5d97fd02b47327e431d88a1dc865f7

SHA256
11dd1b49f70db23617e84e08e709d4a9c86759d911a24ebddfb91c414cc7f375

SHA512
f28c31b425dc38b5e9ad87b95e8071997e4a6f444608e57867016178cd0ca3e9f73a4b7f2a0a704e45f75b7dcff54490510c6bf8461f3261f676e9294506d09b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10842\Crypto\Cipher\_raw_cfb.pyd

Filesize
13KB

MD5
43bbe5d04460bd5847000804234321a6

SHA1
3cae8c4982bbd73af26eb8c6413671425828dbb7

SHA256
faa41385d0db8d4ee2ee74ee540bc879cf2e884bee87655ff3c89c8c517eed45

SHA512
dbc60f1d11d63bebbab3c742fb827efbde6dff3c563ae1703892d5643d5906751db3815b97cbfb7da5fcd306017e4a1cdcc0cdd0e61adf20e0816f9c88fe2c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10842\Crypto\Cipher\_raw_ctr.pyd

Filesize
14KB

MD5
c6b20332b4814799e643badffd8df2cd

SHA1
e7da1c1f09f6ec9a84af0ab0616afea55a58e984

SHA256
61c7a532e108f67874ef2e17244358df19158f6142680f5b21032ba4889ac5d8

SHA512
d50c7f67d2dfb268ad4cf18e16159604b6e8a50ea4f0c9137e26619fd7835faad323b5f6a2b8e3ec1c023e0678bcbe5d0f867cd711c5cd405bd207212228b2b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10842\Crypto\Cipher\_raw_ecb.pyd

Filesize
10KB

MD5
fee13d4fb947835dbb62aca7eaff44ef

SHA1
7cc088ab68f90c563d1fe22d5e3c3f9e414efc04

SHA256
3e0d07bbf93e0748b42b1c2550f48f0d81597486038c22548224584ae178a543

SHA512
dea92f935bc710df6866e89cc6eb5b53fc7adf0f14f3d381b89d7869590a1b0b1f98f347664f7a19c6078e7aa3eb0f773ffcb711cc4275d0ecd54030d6cf5cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10842\Crypto\Cipher\_raw_ofb.pyd

Filesize
12KB

MD5
4d9182783ef19411ebd9f1f864a2ef2f

SHA1
ddc9f878b88e7b51b5f68a3f99a0857e362b0361

SHA256
c9f4c5ffcdd4f8814f8c07ce532a164ab699ae8cde737df02d6ecd7b5dd52dbd

SHA512
8f983984f0594c2cac447e9d75b86d6ec08ed1c789958afa835b0d1239fd4d7ebe16408d080e7fce17c379954609a93fc730b11be6f4a024e7d13d042b27f185

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10842\Crypto\Hash\_BLAKE2s.pyd

Filesize
14KB

MD5
9d28433ea8ffbfe0c2870feda025f519

SHA1
4cc5cf74114d67934d346bb39ca76f01f7acc3e2

SHA256
fc296145ae46a11c472f99c5be317e77c840c2430fbb955ce3f913408a046284

SHA512
66b4d00100d4143ea72a3f603fb193afa6fd4efb5a74d0d17a206b5ef825e4cc5af175f5fb5c40c022bde676ba7a83087cb95c9f57e701ca4e7f0a2fce76e599

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10842\Crypto\Util\_strxor.pyd

Filesize
10KB

MD5
8f4313755f65509357e281744941bd36

SHA1
2aaf3f89e56ec6731b2a5fa40a2fe69b751eafc0

SHA256
70d90ddf87a9608699be6bbedf89ad469632fd0adc20a69da07618596d443639

SHA512
fed2b1007e31d73f18605fb164fee5b46034155ab5bb7fe9b255241cfa75ff0e39749200eb47a9ab1380d9f36f51afba45490979ab7d112f4d673a0c67899ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10842\PIL\_imaging.cp312-win_amd64.pyd

Filesize
2.5MB

MD5
ff6d9c67013d8608550df0aa2278f563

SHA1
3f7ebc6cb265031575c48f06302a672c6dff742c

SHA256
a2d830dca681d54c8ea8ce7ab454cb747e3ecd944d353b6adc52dc567e512a1b

SHA512
14b2e5bd724efeadba05fc57aa89d499b74b6e602d5bd78a7b79515b56dbd2bff8198950e442678ac9135bf8ca2e5896bcfdb2bed80b80fb212ba9a98a842c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10842\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10842\VCRUNTIME140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10842\_asyncio.pyd

Filesize
69KB

MD5
70fb0b118ac9fd3292dde530e1d789b8

SHA1
4adc8d81e74fc04bce64baf4f6147078eefbab33

SHA256
f8305023f6ad81ddc7124b311e500a58914b05a9b072bf9a6d079ea0f6257793

SHA512
1ab72ea9f96c6153b9b5d82b01354381b04b93b7d58c0b54a441b6a748c81cccd2fc27bb3b10350ab376ff5ada9d83af67cce17e21ccbf25722baf1f2aef3c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10842\_bz2.pyd

Filesize
82KB

MD5
90f58f625a6655f80c35532a087a0319

SHA1
d4a7834201bd796dc786b0eb923f8ec5d60f719b

SHA256
bd8621fcc901fa1de3961d93184f61ea71068c436794af2a4449738ccf949946

SHA512
b5bb1ecc195700ad7bea5b025503edd3770b1f845f9beee4b067235c4e63496d6e0b19bdd2a42a1b6591d1131a2dc9f627b2ae8036e294300bb6983ecd644dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10842\_ctypes.pyd

Filesize
122KB

MD5
452305c8c5fda12f082834c3120db10a

SHA1
9bab7b3fd85b3c0f2bedc3c5adb68b2579daa6e7

SHA256
543ce9d6dc3693362271a2c6e7d7fc07ad75327e0b0322301dd29886467b0b0e

SHA512
3d52afdbc8da74262475abc8f81415a0c368be70dbf5b2bd87c9c29ca3d14c44770a5b8b2e7c082f3ece0fd2ba1f98348a04b106a48d479fa6bd062712be8f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10842\_decimal.pyd

Filesize
247KB

MD5
f78f9855d2a7ca940b6be51d68b80bf2

SHA1
fd8af3dbd7b0ea3de2274517c74186cb7cd81a05

SHA256
d4ae192bbd4627fc9487a2c1cd9869d1b461c20cfd338194e87f5cf882bbed12

SHA512
6b68c434a6f8c436d890d3c1229d332bd878e5777c421799f84d79679e998b95d2d4a013b09f50c5de4c6a85fcceb796f3c486e36a10cbac509a0da8d8102b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10842\_hashlib.pyd

Filesize
64KB

MD5
8baeb2bd6e52ba38f445ef71ef43a6b8

SHA1
4132f9cd06343ef8b5b60dc8a62be049aa3270c2

SHA256
6c50c9801a5caf0bb52b384f9a0d5a4aa182ca835f293a39e8999cf6edf2f087

SHA512
804a4e19ea622646cea9e0f8c1e284b7f2d02f3620199fa6930dbdadc654fa137c1e12757f87c3a1a71ceff9244aa2f598ee70d345469ca32a0400563fe3aa65

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10842\_lzma.pyd

Filesize
155KB

MD5
cf8de1137f36141afd9ff7c52a3264ee

SHA1
afde95a1d7a545d913387624ef48c60f23cf4a3f

SHA256
22d10e2d6ad3e3ed3c49eb79ab69a81aaa9d16aeca7f948da2fe80877f106c16

SHA512
821985ff5bc421bd16b2fa5f77f1f4bf8472d0d1564bc5768e4dbe866ec52865a98356bb3ef23a380058acd0a25cd5a40a1e0dae479f15863e48c4482c89a03f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10842\_multiprocessing.pyd

Filesize
34KB

MD5
c0a06aebbd57d2420037162fa5a3142b

SHA1
1d82ba750128eb51070cdeb0c69ac75117e53b43

SHA256
5673b594e70d1fdaad3895fc8c3676252b7b675656fb88ef3410bc93bb0e7687

SHA512
ddf2c4d22b2371a8602601a05418ef712e03def66e2d8e8814853cdd989ed457efbd6032f4a4a3e9ecca9915d99c249dfd672670046461a9fe510a94da085fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10842\_overlapped.pyd

Filesize
54KB

MD5
54c021e10f9901bf782c24d648a82b96

SHA1
cf173cc0a17308d7d87b62c1169b7b99655458bc

SHA256
2e53cc1bfa6e10a4de7e1f4081c5b952746e2d4fa7f8b9929ad818ce20b2cc9f

SHA512
e451226ece8c34c73e5b31e06fdc1d99e073e6e0651a0c5e04b0cf011e79d0747da7a5b6c5e94aca44cfceb9e85ce3d85afff081a574d1f53f115e39e9d4ff6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10842\_queue.pyd

Filesize
31KB

MD5
5aa4b057ba2331eed6b4b30f4b3e0d52

SHA1
6b9db113c2882743984c3d8b70ec49fc4a136c23

SHA256
d43dca0e00c3c11329b68177e967cf5240495c4786f5afa76ac4f267c3a5cdb9

SHA512
aa5aa3285ea5c177eca055949c5f550dbd2d2699202a29efe2077213cbc95fff2a36d99eecce249ac04d95baf149b3d8c557a67fc39ead3229f0b329e83447b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10842\_socket.pyd

Filesize
81KB

MD5
439b3ad279befa65bb40ecebddd6228b

SHA1
d3ea91ae7cad9e1ebec11c5d0517132bbc14491e

SHA256
24017d664af20ee3b89514539345caac83eca34825fcf066a23e8a4c99f73e6d

SHA512
a335e1963bb21b34b21aef6b0b14ba8908a5343b88f65294618e029e3d4d0143ea978a5fd76d2df13a918ffab1e2d7143f5a1a91a35e0cc1145809b15af273bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10842\_sqlite3.pyd

Filesize
121KB

MD5
de8b1c6df3ed65d3c96c7c30e0a52262

SHA1
8dd69e3506c047b43d7c80cdb38a73a44fd9d727

SHA256
f3ca1d6b1ab8bb8d6f35a24fc602165e6995e371226e98ffeeed2eeec253c9df

SHA512
a532ef79623beb1195f20537b3c2288a6b922f8e9b6d171ef96090e4cc00e754a129754c19f4d9d5e4b701bcff59e63779656aa559d117ef10590cfafc7404bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10842\_ssl.pyd

Filesize
173KB

MD5
6774d6fb8b9e7025254148dc32c49f47

SHA1
212e232da95ec8473eb0304cf89a5baf29020137

SHA256
2b6f1b1ac47cb7878b62e8d6bb587052f86ca8145b05a261e855305b9ca3d36c

SHA512
5d9247dce96599160045962af86fc9e5439f66a7e8d15d1d00726ec1b3b49d9dd172d667380d644d05cb18e45a5419c2594b4bcf5a16ea01542ae4d7d9a05c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10842\_wmi.pyd

Filesize
35KB

MD5
cb0564bc74258cb1320c606917ce5a71

SHA1
5b2bfc0d997cc5b7d985bfadddbfc180cb01f7cf

SHA256
0342916a60a7b39bbd5753d85e1c12a4d6f990499753d467018b21cefa49cf32

SHA512
43f3afa9801fcf5574a30f4d3e7ae6aff65c7716462f9aba5bc8055887a44bf38fba121639d8b31427e738752fe3b085d1d924de2633f4c042433e1960023f38

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10842\base_library.zip

Filesize
1.3MB

MD5
ccee0ea5ba04aa4fcb1d5a19e976b54f

SHA1
f7a31b2223f1579da1418f8bfe679ad5cb8a58f5

SHA256
eeb7f0b3e56b03454868411d5f62f23c1832c27270cee551b9ca7d9d10106b29

SHA512
4f29ac5df211fef941bd953c2d34cb0c769fb78475494746cb584790d9497c02be35322b0c8f5c14fe88d4dd722733eda12496db7a1200224a014043f7d59166

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10842\libcrypto-3.dll

Filesize
4.9MB

MD5
51e8a5281c2092e45d8c97fbdbf39560

SHA1
c499c810ed83aaadce3b267807e593ec6b121211

SHA256
2a234b5aa20c3faecf725bbb54fb33f3d94543f78fa7045408e905593e49960a

SHA512
98b91719b0975cb38d3b3c7b6f820d184ef1b64d38ad8515be0b8b07730e2272376b9e51631fe9efd9b8a1709fea214cf3f77b34eeb9fd282eb09e395120e7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10842\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10842\libssl-3.dll

Filesize
771KB

MD5
bfc834bb2310ddf01be9ad9cff7c2a41

SHA1
fb1d601b4fcb29ff1b13b0d2ed7119bd0472205c

SHA256
41ad1a04ca27a7959579e87fbbda87c93099616a64a0e66260c983381c5570d1

SHA512
6af473c7c0997f2847ebe7cee8ef67cd682dee41720d4f268964330b449ba71398fda8954524f9a97cc4cdf9893b8bdc7a1cf40e9e45a73f4f35a37f31c6a9c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10842\psutil\_psutil_windows.pyd

Filesize
65KB

MD5
3cba71b6bc59c26518dc865241add80a

SHA1
7e9c609790b1de110328bbbcbb4cd09b7150e5bd

SHA256
e10b73d6e13a5ae2624630f3d8535c5091ef403db6a00a2798f30874938ee996

SHA512
3ef7e20e382d51d93c707be930e12781636433650d0a2c27e109ebebeba1f30ea3e7b09af985f87f67f6b9d2ac6a7a717435f94b9d1585a9eb093a83771b43f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10842\pyexpat.pyd

Filesize
194KB

MD5
e2d1c738d6d24a6dd86247d105318576

SHA1
384198f20724e4ede9e7b68e2d50883c664eee49

SHA256
cdc09fbae2f103196215facd50d108be3eff60c8ee5795dcc80bf57a0f120cdf

SHA512
3f9cb64b4456438dea82a0638e977f233faf0a08433f01ca87ba65c7e80b0680b0ec3009fa146f02ae1fdcc56271a66d99855d222e77b59a1713caf952a807da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10842\python3.DLL

Filesize
66KB

MD5
4038af0427bce296ca8f3e98591e0723

SHA1
b2975225721959d87996454d049e6d878994cbf2

SHA256
a5bb3eb6fdfd23e0d8b2e4bccd6016290c013389e06daae6cb83964fa69e2a4f

SHA512
db762442c6355512625b36f112eca6923875d10aaf6476d79dc6f6ffc9114e8c7757ac91dbcd1fb00014122bc7f656115160cf5d62fa7fa1ba70bc71346c1ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10842\python312.dll

Filesize
6.7MB

MD5
48ebfefa21b480a9b0dbfc3364e1d066

SHA1
b44a3a9b8c585b30897ddc2e4249dfcfd07b700a

SHA256
0cc4e557972488eb99ea4aeb3d29f3ade974ef3bcd47c211911489a189a0b6f2

SHA512
4e6194f1c55b82ee41743b35d749f5d92a955b219decacf9f1396d983e0f92ae02089c7f84a2b8296a3062afa3f9c220da9b7cd9ed01b3315ea4a953b4ecc6ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10842\select.pyd

Filesize
29KB

MD5
e1604afe8244e1ce4c316c64ea3aa173

SHA1
99704d2c0fa2687997381b65ff3b1b7194220a73

SHA256
74cca85600e7c17ea6532b54842e26d3cae9181287cdf5a4a3c50af4dab785e5

SHA512
7bf35b1a9da9f1660f238c2959b3693b7d9d2da40cf42c6f9eba2164b73047340d0adff8995049a2fe14e149eba05a5974eee153badd9e8450f961207f0b3d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10842\sqlite3.dll

Filesize
1.4MB

MD5
31cd2695493e9b0669d7361d92d46d94

SHA1
19c1bc5c3856665eca5390a2f9cd59b564c0139b

SHA256
17d547994008f1626be2877497912687cb3ebd9a407396804310fd12c85aead4

SHA512
9dd8d1b900999e8cea91f3d5f3f72d510f9cc28d7c6768a4046a9d2aa9e78a6ace1248ec9574f5f6e53a6f1bdbfdf153d9bf73dba05788625b03398716c87e1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10842\unicodedata.pyd

Filesize
1.1MB

MD5
fc47b9e23ddf2c128e3569a622868dbe

SHA1
2814643b70847b496cbda990f6442d8ff4f0cb09

SHA256
2a50d629895a05b10a262acf333e7a4a31db5cb035b70d14d1a4be1c3e27d309

SHA512
7c08683820498fdff5f1703db4ad94ad15f2aa877d044eddc4b54d90e7dc162f48b22828cd577c9bb1b56f7c11f777f9785a9da1867bf8c0f2b6e75dc57c3f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_clbfn0ed.wkr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_lcduy9c\System info.txt

Filesize
751B

MD5
f0f956050934582a881d4b89e5de8348

SHA1
4dcef44b7536d76cfe4c54bb923bc1b5c969a8b9

SHA256
bfb2d8f2cf1aefd622a45121575c394ea1eac01f6955817b12f7bdbe40b81dd1

SHA512
38dbb7d09b03c1a035ce23fa010547cd275f16a02f7ab482f1acc65bf656903a8bb6a275a6e8beb16fbd19e25e51ee51b9e80937110c2d730797e0eafe8bf7f1

Download Submit
memory/1128-155-0x00007FFDEEB20000-0x00007FFDEEE94000-memory.dmp

Filesize
3.5MB

Download
memory/1128-156-0x00007FFDEEB20000-0x00007FFDEEE94000-memory.dmp

Filesize
3.5MB

Download
memory/1128-157-0x00007FFDEEB20000-0x00007FFDEEE94000-memory.dmp

Filesize
3.5MB

Download
memory/1128-163-0x0000023FF82E0000-0x0000023FF8302000-memory.dmp

Filesize
136KB

Download
memory/1128-169-0x00007FFDEEB20000-0x00007FFDEEE94000-memory.dmp

Filesize
3.5MB

Download