4a95ec6637a706b8a841dc7a1c0a7d4779e4526036fde2523c96a27056df7aac

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2024, 00:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Swapper-v2.exe
Size

53.2MB
MD5

57038ddd0431081287886edc4ce212f7
SHA1

7c07c177671527d5527ba4e0d640d3767b43a01f
SHA256

4a95ec6637a706b8a841dc7a1c0a7d4779e4526036fde2523c96a27056df7aac
SHA512

e3b9fbf86d1061d25368ff852c2292844c9e17ebfcd6418d33cefe7598b2ab7d975e7fb251d8282cc609008ed5daae27c940104fabdafb8f2928763d4ba4b124
SSDEEP

1572864:INQOrHnqf3Gd6xdnj+YV5szPE7DBzqrGN4+14:IN7jnyo6VV7BX94

Score

8^/10

execution spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3772	powershell.exe
2008	powershell.exe
2964	powershell.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .scr	Swapper-v2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .scr	Swapper-v2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .scr	attrib.exe

Loads dropped DLL 64 IoCs

pid	Process
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023833-726.dat	upx
behavioral2/memory/4768-730-0x00007FFFEFE60000-0x00007FFFF02CE000-memory.dmp	upx
behavioral2/files/0x000700000002343d-732.dat	upx
behavioral2/files/0x0007000000023475-738.dat	upx
behavioral2/files/0x000700000002343b-739.dat	upx
behavioral2/files/0x0007000000023440-743.dat	upx
behavioral2/memory/4768-765-0x00007FFFF5DC0000-0x00007FFFF5DED000-memory.dmp	upx
behavioral2/memory/4768-764-0x00007FFFFF930000-0x00007FFFFF949000-memory.dmp	upx
behavioral2/files/0x0007000000023447-763.dat	upx
behavioral2/files/0x0007000000023443-769.dat	upx
behavioral2/files/0x0007000000023835-773.dat	upx
behavioral2/memory/4768-778-0x00007FFFFFDC0000-0x00007FFFFFDD9000-memory.dmp	upx
behavioral2/memory/4768-783-0x00007FFFF0F60000-0x00007FFFF0F8B000-memory.dmp	upx
behavioral2/memory/4768-782-0x00007FFFEFB40000-0x00007FFFEFBFC000-memory.dmp	upx
behavioral2/memory/4768-781-0x00007FFFF5D90000-0x00007FFFF5DBE000-memory.dmp	upx
behavioral2/files/0x0007000000023474-787.dat	upx
behavioral2/memory/4768-790-0x00007FFFEF700000-0x00007FFFEFA75000-memory.dmp	upx
behavioral2/files/0x000700000002343a-792.dat	upx
behavioral2/files/0x0007000000023442-793.dat	upx
behavioral2/files/0x000700000002384e-794.dat	upx
behavioral2/files/0x000700000002343f-798.dat	upx
behavioral2/files/0x000700000002344e-802.dat	upx
behavioral2/files/0x0007000000023842-803.dat	upx
behavioral2/memory/4768-807-0x00007FFFF0B60000-0x00007FFFF0B86000-memory.dmp	upx
behavioral2/memory/4768-808-0x00007FFFEF550000-0x00007FFFEF668000-memory.dmp	upx
behavioral2/memory/4768-806-0x00007FFFFD4F0000-0x00007FFFFD4FB000-memory.dmp	upx
behavioral2/memory/4768-805-0x00007FFFF0E10000-0x00007FFFF0E24000-memory.dmp	upx
behavioral2/memory/4768-804-0x00007FFFEF670000-0x00007FFFEF6F7000-memory.dmp	upx
behavioral2/files/0x000700000002344d-800.dat	upx
behavioral2/memory/4768-796-0x00007FFFFF0E0000-0x00007FFFFF0F0000-memory.dmp	upx
behavioral2/memory/4768-795-0x00007FFFFEE20000-0x00007FFFFEE35000-memory.dmp	upx
behavioral2/memory/4768-789-0x00007FFFEFA80000-0x00007FFFEFB38000-memory.dmp	upx
behavioral2/memory/4768-788-0x00007FFFF0E30000-0x00007FFFF0E5E000-memory.dmp	upx
behavioral2/files/0x0007000000023476-785.dat	upx
behavioral2/files/0x0007000000023446-784.dat	upx
behavioral2/memory/4768-780-0x00007FFFFF150000-0x00007FFFFF15D000-memory.dmp	upx
behavioral2/memory/4768-779-0x00007FFFFFBE0000-0x00007FFFFFBED000-memory.dmp	upx
behavioral2/memory/4768-777-0x00007FFFFFBF0000-0x00007FFFFFC24000-memory.dmp	upx
behavioral2/files/0x0007000000023845-776.dat	upx
behavioral2/files/0x0007000000023836-771.dat	upx
behavioral2/files/0x0007000000023837-768.dat	upx
behavioral2/files/0x0007000000023444-767.dat	upx
behavioral2/files/0x0007000000023831-766.dat	upx
behavioral2/files/0x0007000000023445-761.dat	upx
behavioral2/files/0x0007000000023441-757.dat	upx
behavioral2/files/0x000700000002343e-755.dat	upx
behavioral2/files/0x0007000000023498-811.dat	upx
behavioral2/memory/4768-814-0x00007FFFF0DF0000-0x00007FFFF0E08000-memory.dmp	upx
behavioral2/memory/4768-813-0x00007FFFF8670000-0x00007FFFF867A000-memory.dmp	upx
behavioral2/files/0x000700000002343c-754.dat	upx
behavioral2/files/0x0007000000023841-750.dat	upx
behavioral2/memory/4768-740-0x00007FFFFFD90000-0x00007FFFFFDB4000-memory.dmp	upx
behavioral2/memory/4768-741-0x00007FFFFFCE0000-0x00007FFFFFCEF000-memory.dmp	upx
behavioral2/memory/4768-816-0x00007FFFEF230000-0x00007FFFEF3A1000-memory.dmp	upx
behavioral2/memory/4768-815-0x00007FFFF0D30000-0x00007FFFF0D4F000-memory.dmp	upx
behavioral2/memory/4768-817-0x00007FFFEF1F0000-0x00007FFFEF228000-memory.dmp	upx
behavioral2/memory/4768-830-0x00007FFFEF140000-0x00007FFFEF14C000-memory.dmp	upx
behavioral2/memory/4768-838-0x00007FFFEF090000-0x00007FFFEF0AC000-memory.dmp	upx
behavioral2/memory/4768-837-0x00007FFFEF100000-0x00007FFFEF112000-memory.dmp	upx
behavioral2/memory/4768-836-0x00007FFFEF0B0000-0x00007FFFEF0BB000-memory.dmp	upx
behavioral2/memory/4768-835-0x00007FFFEF0C0000-0x00007FFFEF0E9000-memory.dmp	upx
behavioral2/memory/4768-834-0x00007FFFEF0F0000-0x00007FFFEF0FC000-memory.dmp	upx
behavioral2/memory/4768-833-0x00007FFFEF120000-0x00007FFFEF12D000-memory.dmp	upx
behavioral2/memory/4768-839-0x00007FFFEEDB0000-0x00007FFFEF08F000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
23	discord.com
24	discord.com
38	discord.com
40	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
36	ip-api.com

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4148	WMIC.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1337824034-2731376981-3755436523-1000\{CF541E71-F728-4CB6-9BD7-C38AB3C0D3D5}	Swapper-v2.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
4768	Swapper-v2.exe
3844	powershell.exe
3844	powershell.exe
3844	powershell.exe
2008	powershell.exe
2008	powershell.exe
2008	powershell.exe
3772	powershell.exe
3772	powershell.exe
3772	powershell.exe
2964	powershell.exe
2964	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4768	Swapper-v2.exe
Token: SeDebugPrivilege	3844	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	3772	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeIncreaseQuotaPrivilege	2120	WMIC.exe
Token: SeSecurityPrivilege	2120	WMIC.exe
Token: SeTakeOwnershipPrivilege	2120	WMIC.exe
Token: SeLoadDriverPrivilege	2120	WMIC.exe
Token: SeSystemProfilePrivilege	2120	WMIC.exe
Token: SeSystemtimePrivilege	2120	WMIC.exe
Token: SeProfSingleProcessPrivilege	2120	WMIC.exe
Token: SeIncBasePriorityPrivilege	2120	WMIC.exe
Token: SeCreatePagefilePrivilege	2120	WMIC.exe
Token: SeBackupPrivilege	2120	WMIC.exe
Token: SeRestorePrivilege	2120	WMIC.exe
Token: SeShutdownPrivilege	2120	WMIC.exe
Token: SeDebugPrivilege	2120	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2120	WMIC.exe
Token: SeRemoteShutdownPrivilege	2120	WMIC.exe
Token: SeUndockPrivilege	2120	WMIC.exe
Token: SeManageVolumePrivilege	2120	WMIC.exe
Token: 33	2120	WMIC.exe
Token: 34	2120	WMIC.exe
Token: 35	2120	WMIC.exe
Token: 36	2120	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2120	WMIC.exe
Token: SeSecurityPrivilege	2120	WMIC.exe
Token: SeTakeOwnershipPrivilege	2120	WMIC.exe
Token: SeLoadDriverPrivilege	2120	WMIC.exe
Token: SeSystemProfilePrivilege	2120	WMIC.exe
Token: SeSystemtimePrivilege	2120	WMIC.exe
Token: SeProfSingleProcessPrivilege	2120	WMIC.exe
Token: SeIncBasePriorityPrivilege	2120	WMIC.exe
Token: SeCreatePagefilePrivilege	2120	WMIC.exe
Token: SeBackupPrivilege	2120	WMIC.exe
Token: SeRestorePrivilege	2120	WMIC.exe
Token: SeShutdownPrivilege	2120	WMIC.exe
Token: SeDebugPrivilege	2120	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2120	WMIC.exe
Token: SeRemoteShutdownPrivilege	2120	WMIC.exe
Token: SeUndockPrivilege	2120	WMIC.exe
Token: SeManageVolumePrivilege	2120	WMIC.exe
Token: 33	2120	WMIC.exe
Token: 34	2120	WMIC.exe
Token: 35	2120	WMIC.exe
Token: 36	2120	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4704	wmic.exe
Token: SeSecurityPrivilege	4704	wmic.exe
Token: SeTakeOwnershipPrivilege	4704	wmic.exe
Token: SeLoadDriverPrivilege	4704	wmic.exe
Token: SeSystemProfilePrivilege	4704	wmic.exe
Token: SeSystemtimePrivilege	4704	wmic.exe
Token: SeProfSingleProcessPrivilege	4704	wmic.exe
Token: SeIncBasePriorityPrivilege	4704	wmic.exe
Token: SeCreatePagefilePrivilege	4704	wmic.exe
Token: SeBackupPrivilege	4704	wmic.exe
Token: SeRestorePrivilege	4704	wmic.exe
Token: SeShutdownPrivilege	4704	wmic.exe
Token: SeDebugPrivilege	4704	wmic.exe
Token: SeSystemEnvironmentPrivilege	4704	wmic.exe
Token: SeRemoteShutdownPrivilege	4704	wmic.exe
Token: SeUndockPrivilege	4704	wmic.exe
Token: SeManageVolumePrivilege	4704	wmic.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 668 wrote to memory of 4768	668	Swapper-v2.exe	86
PID 668 wrote to memory of 4768	668	Swapper-v2.exe	86
PID 4768 wrote to memory of 2108	4768	Swapper-v2.exe	87
PID 4768 wrote to memory of 2108	4768	Swapper-v2.exe	87
PID 4768 wrote to memory of 4108	4768	Swapper-v2.exe	93
PID 4768 wrote to memory of 4108	4768	Swapper-v2.exe	93
PID 4108 wrote to memory of 3844	4108	cmd.exe	95
PID 4108 wrote to memory of 3844	4108	cmd.exe	95
PID 4768 wrote to memory of 2588	4768	Swapper-v2.exe	96
PID 4768 wrote to memory of 2588	4768	Swapper-v2.exe	96
PID 2588 wrote to memory of 5068	2588	cmd.exe	98
PID 2588 wrote to memory of 5068	2588	cmd.exe	98
PID 4768 wrote to memory of 2120	4768	Swapper-v2.exe	99
PID 4768 wrote to memory of 2120	4768	Swapper-v2.exe	99
PID 4768 wrote to memory of 2156	4768	Swapper-v2.exe	101
PID 4768 wrote to memory of 2156	4768	Swapper-v2.exe	101
PID 2156 wrote to memory of 2008	2156	cmd.exe	103
PID 2156 wrote to memory of 2008	2156	cmd.exe	103
PID 2156 wrote to memory of 3772	2156	cmd.exe	104
PID 2156 wrote to memory of 3772	2156	cmd.exe	104
PID 2156 wrote to memory of 2964	2156	cmd.exe	106
PID 2156 wrote to memory of 2964	2156	cmd.exe	106
PID 4768 wrote to memory of 2496	4768	Swapper-v2.exe	112
PID 4768 wrote to memory of 2496	4768	Swapper-v2.exe	112
PID 2496 wrote to memory of 2120	2496	cmd.exe	114
PID 2496 wrote to memory of 2120	2496	cmd.exe	114
PID 4768 wrote to memory of 4704	4768	Swapper-v2.exe	115
PID 4768 wrote to memory of 4704	4768	Swapper-v2.exe	115
PID 4768 wrote to memory of 4504	4768	Swapper-v2.exe	117
PID 4768 wrote to memory of 4504	4768	Swapper-v2.exe	117
PID 4504 wrote to memory of 4148	4504	cmd.exe	119
PID 4504 wrote to memory of 4148	4504	cmd.exe	119
PID 4768 wrote to memory of 1264	4768	Swapper-v2.exe	120
PID 4768 wrote to memory of 1264	4768	Swapper-v2.exe	120
PID 1264 wrote to memory of 4220	1264	cmd.exe	122
PID 1264 wrote to memory of 4220	1264	cmd.exe	122
PID 4768 wrote to memory of 3280	4768	Swapper-v2.exe	123
PID 4768 wrote to memory of 3280	4768	Swapper-v2.exe	123
PID 3280 wrote to memory of 3012	3280	cmd.exe	125
PID 3280 wrote to memory of 3012	3280	cmd.exe	125
PID 4768 wrote to memory of 4464	4768	Swapper-v2.exe	126
PID 4768 wrote to memory of 4464	4768	Swapper-v2.exe	126
PID 4464 wrote to memory of 1232	4464	cmd.exe	128
PID 4464 wrote to memory of 1232	4464	cmd.exe	128
PID 4768 wrote to memory of 3088	4768	Swapper-v2.exe	129
PID 4768 wrote to memory of 3088	4768	Swapper-v2.exe	129
PID 3088 wrote to memory of 3940	3088	cmd.exe	131
PID 3088 wrote to memory of 3940	3088	cmd.exe	131

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5068	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Swapper-v2.exe
"C:\Users\Admin\AppData\Local\Temp\Swapper-v2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:668
- C:\Users\Admin\AppData\Local\Temp\Swapper-v2.exe
  "C:\Users\Admin\AppData\Local\Temp\Swapper-v2.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:2108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4108
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .scr"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .scr"
      4⤵
      Drops startup file
      Views/modifies file attributes
      PID:5068
- - C:\Windows\SYSTEM32\netsh.exe
    netsh wlan show profiles
    3⤵
    PID:2120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe','.py'""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3772
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe','.py'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2120
- - C:\Windows\System32\Wbem\wmic.exe
    wmic cpu get Name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4504
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1264
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3280
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
      4⤵
      PID:3012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path softwarelicensingservice get OA3xOriginalProductKey"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4464
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path softwarelicensingservice get OA3xOriginalProductKey
      4⤵
      PID:1232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3088
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:3940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2gK0JjmeHU\Browser\cc's.txt

Filesize
91B

MD5
5aa796b6950a92a226cc5c98ed1c47e8

SHA1
6706a4082fc2c141272122f1ca424a446506c44d

SHA256
c4c83da3a904a4e7114f9bd46790db502cdd04800e684accb991cd1a08ee151c

SHA512
976f403257671e8f652bf988f4047202e1a0fd368fdb2bab2e79ece1c20c7eb775c4b3a8853c223d4f750f4192cd09455ff024918276dc1dd1442fa3b36623ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\2gK0JjmeHU\Browser\history.txt

Filesize
23B

MD5
5638715e9aaa8d3f45999ec395e18e77

SHA1
4e3dc4a1123edddf06d92575a033b42a662fe4ad

SHA256
4db7f6559c454d34d9c2d557524603c3f52649c2d69b26b6e8384a3d179aeae6

SHA512
78c96efab1d941e34d3137eae32cef041e2db5b0ebbf883e6a2effa79a323f66e00cfb7c45eb3398b3cbd0469a2be513c3ff63e5622261857eefc1685f77f76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2gK0JjmeHU\Common Files\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2gK0JjmeHU\Common Files\AssertLock.ods

Filesize
1.4MB

MD5
da6daf8ae186029b3e8d9ecfdbf558ae

SHA1
de82b7dd1163e1399b0245c99efed6477b342de7

SHA256
7db8ad4a1f924e7e17c5d6eaa88d58c7844b382f9738870c3af21353b7f69b72

SHA512
23419ec99a241cc9ac9b6d3989c6487bc337d5fb0016c65e2128f271cea177a5722899608369f62446dc608ba6c487bee4175a939508c59cd33a430d3bf01994

Download Submit
C:\Users\Admin\AppData\Local\Temp\2gK0JjmeHU\Common Files\BackupExit.mht

Filesize
1.0MB

MD5
2be13acc83bcc9a9dcadfc90ed63ac42

SHA1
6f9ccc0f975b1e526b04f02d6c145c5768a941d7

SHA256
f1da1ad3b3005935655ee7d49a0f4cf780acbe9ace71e8949cf9666bcba62d28

SHA512
9ae4d6a51e1dd1de9f34f221cf9cac074eafe875d2be34c43db2fc8879a7646af32b015af82929bcac87a7860c0895ed912673beffaa43b4bd8dae31399209fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\2gK0JjmeHU\Common Files\EditBackup.vdx

Filesize
469KB

MD5
5480e9cdc290f827cd43f1c61112b343

SHA1
0817bbcbecfb29c8feae947b1a085eaac1e9a982

SHA256
2c0a4e4a1752396af88f7044fb458b5f6fea1f6295ae9e651cd2e4e98a41782d

SHA512
ca29cd7b0f07a0e37c59df7c7b1e6ab8776a23bca30076b44f772c4cc572e1269c1455dc06003349f58b4f14b478f87d1e7dff79373f194bfc828781c5527a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\2gK0JjmeHU\Common Files\Files.docx

Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2gK0JjmeHU\Common Files\FindSync.rtf

Filesize
653KB

MD5
fd847567a051155e1c7737a8d05e6e45

SHA1
eb723b24b76bcb82f2e00ed7c6c7cc29c88a26b1

SHA256
8f2e51e260cf2e355b10703ed9502ec1c5e0a6d142ffa7c0cd06ae176d86d756

SHA512
e136580661acf5f58d91b49a671e7d27638589326693e5f71f4d56ef300e4c0e8ebcc8b4ab52722e047a8847bc1ee08e9ae90de6b3d77aa14c71230857ae8575

Download Submit
C:\Users\Admin\AppData\Local\Temp\2gK0JjmeHU\Common Files\LimitUnregister.odt

Filesize
410KB

MD5
04068a716dcf3e281e0e08a216af7b20

SHA1
b8c45d809edd720c24e1f1029456bae33f5613d3

SHA256
926fdb16d3f2853760e0cd1d5d9b3912fe5ca0bd0ee8a3f2011ee6679026deed

SHA512
e09ad2f51e4b891f4897c74df1cb3ebc99e3f74671ff3d220ac10058565864a52feb59092083a2f057623a5da02ba5c6194e9d5a789a9031c6fa7c317f615f5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2gK0JjmeHU\Common Files\ResumePublish.txt

Filesize
467KB

MD5
8751860ba3d26db178a49b43ec7f9d30

SHA1
29f7160adaa4f8bdbdb8dabac62a18f82d3de9d6

SHA256
45acf45bf6a4a87e63fa18f3963403aa78ab325f9e24e3be525a26b9897c99f9

SHA512
112f221b8f8d75a417b2c7f6a197b624d12b5d37d59fd68da1cd021007e65db9c19d043312763b8212f0f63b6837fd14b563be1dc78dada72c7820772d152305

Download Submit
C:\Users\Admin\AppData\Local\Temp\2gK0JjmeHU\Common Files\SetGet.odt

Filesize
760KB

MD5
20533a7f05172e3e4891af64bec1962a

SHA1
ad6d7e99e80ad43e368eceb592b417f931098f48

SHA256
b3e3e0b6cd7532f9ffa00e19c65fec0668dc47f94e3da1014c466945847cf052

SHA512
f9be7adad16c786c7dd021503e082fd6c6f3f7ef63e97514017102b2728259a9d8334d388d41c42cb8c7c30965ab2e23cbf5682a9a1ba5d8e1ff08721f291e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2gK0JjmeHU\Common Files\SuspendUnblock.rtf

Filesize
493KB

MD5
c7e43bf4d08f648b6af7f3945a3324b6

SHA1
a3b64897b9c9711ffe1eb04fe89d30e5b05c7dcb

SHA256
d08524f97058ee0fbe783c7056b0bd8ad99196b9f7b196e63b7078ded7f2136e

SHA512
bbf4e636c3a00d285943bc98cc4237f0e3d9a8c6401d5d7f62c9a4e7582c556e874b0f4fa3c741fe21de0c85276bdaa917ed7c2514f89147fa1a36d6e7830d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6682\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6682\VCRUNTIME140_1.dll

Filesize
48KB

MD5
bba9680bc310d8d25e97b12463196c92

SHA1
9a480c0cf9d377a4caedd4ea60e90fa79001f03a

SHA256
e0b66601cc28ecb171c3d4b7ac690c667f47da6b6183bff80604c84c00d265ab

SHA512
1575c786ac3324b17057255488da5f0bc13ad943ac9383656baf98db64d4ec6e453230de4cd26b535ce7e8b7d41a9f2d3f569a0eff5a84aeb1c2f9d6e3429739

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6682\_asyncio.pyd

Filesize
34KB

MD5
6f7e93a4a41fb719dcc2eec804e48049

SHA1
4ea2b6d20fac377cedd76b648664aec59ac9a384

SHA256
3939fa93efb35bbdead8ed294605a764a08828cdf1d88b7bc835edf8409e835b

SHA512
fd4a566d248915da049ceed3f8bfa49590e62401d05e94b06eac84227ea9473519629e7679e68d36b47054ca8526655b792d74bf66bb9350494ff8178855d212

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6682\_bz2.pyd

Filesize
46KB

MD5
5f1fcfa6577ed6ecf4099650873ee9d0

SHA1
7f65d93c52f7bbddcad0420822700c3e43881f78

SHA256
f68775b81e881f2bddeda06442e44d2c6820db2dbab37fa1852dc411d8e28a85

SHA512
590d7961656e52b7979deb6b20a344bcac184041ba0f22f58d6422b8f60877260eab57032e41b6375360ff62879f336a7b453494dc435f332198965107857575

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6682\_cffi_backend.cp310-win_amd64.pyd

Filesize
71KB

MD5
e3bcdf92f94fac36d74ca4d57fc651ed

SHA1
519264bc498e253a62f540d8f106343c6772ef68

SHA256
8fa7db27750c4351d403271dc525a411840844cc913415eca2b1866c5e9dbd7f

SHA512
520eb876eb2a090d126780f0e8457ebb948337499db815a23dc5231d2ae80aef2f9ada14f13aa347e8aec5385a1ed85cdc8b3162ed4ca5976b77228f97a85806

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6682\_ctypes.pyd

Filesize
56KB

MD5
c8b1e1f994b23a47ebae0a1f3a2f314c

SHA1
5636ed108b67958988586fdb7bf7aa9bc841960c

SHA256
4ad24645396dee635c6900b48704df0ba3f9d728331d207b73d1efa67c8564c6

SHA512
b584b0cbaa10c7eeb5c292fc2c9cd52831592acdb79afa239ee516f1914c7d50db0fa78616780be2fdcf6a6b3caab7971d794cf6956699b5e9c79145c52f334a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6682\_decimal.pyd

Filesize
103KB

MD5
c369a14a7020a3603182a4f5cd22e53a

SHA1
372cea2b33218f57281dcd0613b617ccb3908963

SHA256
04769e2f8182c32c780f0bc9324f30a1a2a904b5395e2fcffabbc0cc4fcbff5c

SHA512
371584f1835485a4acbf77d621cd90c74bf6d870f239ee72b65116f4b7909a6344de09a79615b096789d83bd708af0fd3dcb2220c5cccf76661bdcabdf5f8026

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6682\_hashlib.pyd

Filesize
33KB

MD5
12c1703b7464bd94098ee976fbf8672c

SHA1
e73dfb0e9c78ad209fa1a6decd863658d706eba6

SHA256
228f1f78216051c90e5a9cd5aadce01f5c100fe4e60cccd8bcb92fdcbcdda145

SHA512
5b17bcb7e05f0efe15e5362c56d81691f01cdac2737f87486d6cfdfd137d94129b497b6e958a2de6e3f437f4d768da23117d4ad88d22149c9ca4feb474623092

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6682\_lzma.pyd

Filesize
84KB

MD5
b45eca52c04371b2812c9104c7698738

SHA1
4da64729787e58d24ca7dda23c50aedbffe2fc22

SHA256
c31b390ad7834ec10dec2ea2af9d110ffd0483df920046c74236ef736b10fbd7

SHA512
0404effb490fda47f1899c931b7de137038ae7afbfad9aa0155e49066f0b7cd74ba3a92628022197d657114a7d84451521bf0a47037252c158b5c83d0ea1d15f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6682\_multiprocessing.pyd

Filesize
25KB

MD5
f4db581d86747315baffc7a8e049d4c0

SHA1
f70b84cb641e3f837f44e42c3dfcc91e7e835b32

SHA256
3098b2380f875700f2e3c2b8a61b9f49f91d8d1b0e76a520eaaf4c53d6d9166e

SHA512
b17d3c8d1fa0a9335f9d71be893ac140248f523c8569a65365b0df63a11e8682d750b44c9c0396c0431033d6b6f1dd9eb2692bdc6d4cfdad7544f27c900b6b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6682\_overlapped.pyd

Filesize
30KB

MD5
f1569470ac25543f29e565a756bddc0c

SHA1
a95e4e22c139aa18da289edb1152842b14ead373

SHA256
f0690bf7cfbe91a29b4f820ed943211bafd40426c7cd325841259973c1badf10

SHA512
c712887b73d593b349222bf181d8b0ca3bac8ec3290453ef24eb2d6572f8dbefe64eaa9023e0a0eae6dfebcd6d2c8f7aa594c5ec0d73ee1d21eedc1f22e48b61

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6682\_queue.pyd

Filesize
24KB

MD5
20268609ecebf39a029a6f912222a112

SHA1
1bf5d03a451040d99ce8556e5ab731c73b27f268

SHA256
8120ef496869391ea2625009d8151e9989267912ea398f5fe2fba10b0476b8bf

SHA512
321cb5d5f52e41940030b935fda3b7f184928071f7645c87c5509d2c58c37ccb320fb73527d26aa0f2624b96a15015f9dbb608b5f8e291f2c4af9c4dd08cb923

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6682\_socket.pyd

Filesize
41KB

MD5
7c65a201e922e8be1f176a4c2db7e377

SHA1
78183e083ecb283de6be50bbecca83c93bdceafb

SHA256
bd3edf2966e386649aa773a86d4aaf6c9d858bcc794d23953ad1abca2c3c9b3e

SHA512
f5ce05753a233f7ae3c7404011ede284c2ee2c3e51d5fa19b10be372c4e6e518cb9ff8a707295d750951e04a828c438e8be0611ef3476fc8fc60473174f6071b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6682\_sqlite3.pyd

Filesize
48KB

MD5
80a1c6be1f23bdd55e6248f92d18677e

SHA1
8c48d2d1bd45d8f478e752fc0beb189be5928a65

SHA256
3212adb3f154cfa01cc366183e631726f3dc22aa4cfb7cdf2ee1a313e53656ba

SHA512
dadfa9f1dfe86ff9295d2016801ae161413ffe858ce7d99dc49dcd0bc167a8fcd16066de76e20e2de50e8b8a1222482bbbd4d548587c5543701d26ff4e410133

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6682\_ssl.pyd

Filesize
60KB

MD5
42469b54eb9a10b20c3ce8007864584d

SHA1
db42e159286406f5092366ca2307af74ed77e488

SHA256
773ab4c98a927ae385ee220a3d59240e2cb86eabc9f3e923e27539b340ca3cf3

SHA512
34c214bdaab507bb091ecff516af2ac1ce1dbc6e0dbf77da6c698e186600bc8236f99e2bb102d2b65ac42a6e4e40a14df6946f3ac97c02bbd0b7ef10aba056dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6682\_uuid.pyd

Filesize
21KB

MD5
4759a0790439d7b10a190d4a91751f04

SHA1
d7a5cc04131711003db97135e29db2753f3a252d

SHA256
ee2f712585d63ee001de052bc9229d3d0e7cb759b1894e166d9672caee8b13b6

SHA512
5275bb2c8f96719932e0fc933a530c933634579c1b53cc6ca8664a9a40e06ec47ffbc78dd538c8c19760ce8b7efef214ee6ab6338b7bc0c9f9fee50659068fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6682\base_library.zip

Filesize
859KB

MD5
6d649e03da81ff46a818ab6ee74e27e2

SHA1
90abc7195d2d98bac836dcc05daab68747770a49

SHA256
afede0c40e05ce5a50ff541b074d878b07753b7c1b21d15f69d17f66101ba8fd

SHA512
e39621c9a63c9c72616ae1f960e928ad4e7bad57bfb5172b296a7cc49e8b8e873be44247a475e7e1ded6bc7e17aa351397cdeb40841258e75193586f4649d737

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6682\certifi\cacert.pem

Filesize
285KB

MD5
d3e74c9d33719c8ab162baa4ae743b27

SHA1
ee32f2ccd4bc56ca68441a02bf33e32dc6205c2b

SHA256
7a347ca8fef6e29f82b6e4785355a6635c17fa755e0940f65f15aa8fc7bd7f92

SHA512
e0fb35d6901a6debbf48a0655e2aa1040700eb5166e732ae2617e89ef5e6869e8ddd5c7875fa83f31d447d4abc3db14bffd29600c9af725d9b03f03363469b4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6682\charset_normalizer\md.cp310-win_amd64.pyd

Filesize
9KB

MD5
e8b4d1cb8570939208d373a453633173

SHA1
ee1fb7d18f65d56dbf4b46df9a457cf93c473b98

SHA256
595f85c233750daf228b7dc19c28327b06ac9964835a48811d126ea47ab063c1

SHA512
d9ae659e2919758825db32b26e0233689d0fdaad241a8edb9316ed1684841ad665cd3b3b5e9bbfb0375c3fe1ea8557aac11b7c824257347ee36258c779c72eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6682\charset_normalizer\md__mypyc.cp310-win_amd64.pyd

Filesize
39KB

MD5
1fad2ff24ed0e2fcf6ea8063f0d52520

SHA1
7df4dd9333c58f3fe142fcb4d48af52d6196066e

SHA256
b8b328bb6cd58475d7235578f27aef4dfeeefe1abd7198af564cb541cccf5e30

SHA512
0447b2b7f1b72c7e9c2e4b5909b90495964f1979f299fdbda0fd291daeaf07e937fbf0373e89fb78bae66694ca6ac2c37571f2e04787ba1b2db0ebde95be0e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6682\libcrypto-1_1.dll

Filesize
1.1MB

MD5
571796599d616a0d12aa34be09242c22

SHA1
0e0004ab828966f0c8a67b2f10311bb89b6b74ac

SHA256
6242d2e13aef871c4b8cfd75fc0f8530e8dccfeaba8f1b66280e9345f52b833b

SHA512
7362a6c887600fafc1a45413823f006589bb95a76ac052b6c7022356a7a9a6e8cd3e76f59cecf152e189323791d9626a6fdb7a98bf3a5250d517b746c3e84e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6682\libffi-7.dll

Filesize
23KB

MD5
4e261cbb8247260ea91860986110f805

SHA1
1563d67c2aabcb5e00e25ef293456c6481a2adc3

SHA256
ddfd0755e011ea0df26d77cf3628e2cc59653aee02bf241b54b6b08561520453

SHA512
076cdc8759f9cbbf7f8dc7b1eaba3c51f6c40ae6043b1fb55aa2fb83f81e86933d0f885a61d83300173b9bd7c589ff126e2a5d858a3f4036390d02eb1e73d229

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6682\libssl-1_1.dll

Filesize
203KB

MD5
aabafc5d0e409123ae5e4523d9b3dee2

SHA1
4d0a1834ed4e4ceecb04206e203d916eb22e981b

SHA256
84e4c37fb28b6cf79e2386163fe6bb094a50c1e8825a4bcdb4cb216f4236d831

SHA512
163f29ad05e830367af3f2107e460a587f4710b8d9d909a01e04cd8cfee115d8f453515e089a727a6466ce0e2248a56f14815588f7df6d42fe1580e1b25369cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6682\luna.aes

Filesize
39KB

MD5
0d19b4bd8a08bcd36a1190948809d104

SHA1
67538a209a111d10bf59c28f6c3924ac87276189

SHA256
e9c499435ec5278f171a26774f6d1cdc68fe88716f091201e21be57751698bae

SHA512
dfdebe50cee6653b5717287280c18b6ce130a3aed2627fcea54f0a3ef54787e9035c7d59e3b8e091b8d45bf741447b68b82b4ce8db1003b95661d6d2ad2c0167

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6682\psutil\_psutil_windows.pyd

Filesize
31KB

MD5
8a8e3fdcafb2d8f07b54028edafb5b09

SHA1
9eccb4d95d1e700109e3c786713b523958b14c25

SHA256
a1a297c62345f33d3bdb7db4e4b23b3aad75057440d1218d34291b57b1538423

SHA512
a32dc4e508e0b844fa7fd1efade9af999b3bd9116bc93657d6718608b8cdee3e3b1b753ea52549d2f36a831f7bf0edd661f57693d1fa5b1b84bc0d894fcff258

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6682\pyexpat.pyd

Filesize
86KB

MD5
feed0b6088212af68c9a9d5839aaad82

SHA1
fe7684e423c3e05b1740e8e0d986566051ed16fb

SHA256
29759d0d3e02b0d8f4882f91f1bc7e8f2c43f5d8ac3c3a5c3b24f5f7c341ca8a

SHA512
aed1134fafec64610847cb8545ef97eb92fb0a114f9a715e7894991489b4db50a963c81587da6097c01c76c39b438e9079151507b2106c7be16679d04ef2c12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6682\python3.DLL

Filesize
63KB

MD5
c17b7a4b853827f538576f4c3521c653

SHA1
6115047d02fbbad4ff32afb4ebd439f5d529485a

SHA256
d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68

SHA512
8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6682\python310.dll

Filesize
1.4MB

MD5
701e2e5d0826f378a53dc5c83164c741

SHA1
62725dbee8546a7c9751679669c4aeb829bcb5a7

SHA256
9db7ebafff20370df1ae6fc5ee98962e03fcfc02ec47abed28802191f6750dd2

SHA512
df30dfba245a64f72bcf8c478d94a9902797493ce25f266fa04a0b67ad7887c8f9253404c0425285342ae771c8a44ae414887447f14d76c696f7902933367f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6682\pywin32_system32\pythoncom310.dll

Filesize
193KB

MD5
202a8731825a75911a7c6ae1adc7dfac

SHA1
8c71aa55ed68a6abdf3db27938989c72fcbe8e21

SHA256
30b5dbd6d41f6128b063cc7f9854944dd0497b0d9cb6ba8e18c8d55f33b7733e

SHA512
1ae115ad229c378cb952b79b2923ad5209ce89c183d8a24503cf0cb05f77b45a6f04bf15f512472d04ea787aadc5254542b00c7ccd931061843f401874ab165d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6682\pywin32_system32\pywintypes310.dll

Filesize
62KB

MD5
95fed288c096235b736c0ffca46a9a5f

SHA1
bd868ccb83edb78b01c52649ee698abcb4eb0f3e

SHA256
6c4b09b003645f5a581a2406a003916847a60e689492b5d8c8be3cbbd4254244

SHA512
7adf8fc912a9b85bf2795c5d03d2f63a0cde5ae290be83411dd52099fc9d6f8d7d325f69f3bd064a242d01fd03271827a302c7a1dbe4905ac81387057c07f35b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6682\select.pyd

Filesize
24KB

MD5
7a1b8a953671d61e2ef79b55876c91a5

SHA1
701476f9f4890326acc1390d4b5939c1a63875b6

SHA256
f02fa3749ba56e11b8e55d7b426cdab61186b7d8e7b3590add9b37fa2ec2c061

SHA512
bd900c5e45e89557fef64ba008e414f0a25571fc06dcd7ebd532d66856618c56e0be73e2e5e03c74160c2fd0b7a7c356cdc9ba4bb559d88d6f8813a19a75260a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6682\sqlite3.dll

Filesize
608KB

MD5
f890b2bffe1a49c34db19fad541d1fed

SHA1
8a978b18fe3d35c46908a9a0d163e56da3cf8ec7

SHA256
afd37cf21f0e8ac613bd6ebfbcf97215f416466fdf34b98207bded5d67f667d7

SHA512
96e97dba2443639958ebf6a85fe9e378811b4876cc824638a15c54707d5f9fe27469ec304b7db6a2e7c916b3c7663b043e624ff13a57b75445de992fd92a06d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6682\unicodedata.pyd

Filesize
287KB

MD5
3cc7f1037a741695b6d3cbb4dfb02a5e

SHA1
03731fafd37b9c8e4da287299d3b09ea6482e1e3

SHA256
0c723804b1f1800d273157684771ff22035db92f83146a1a8d0d4b4d0774bb2f

SHA512
612ff0d4fe423bd4e9c6dc0bd5ef3904ffc7c5595671fc9480ebcb8947759030bd96d8a65c49401f99eaa417264922a9e1026955e29f93186571f2a89151e2d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6682\win32\win32api.pyd

Filesize
48KB

MD5
71ec15831e6df0a2ef3bd6ba5c5df7e5

SHA1
18d2a5315668f5ae454d3466ba3b2abc13d98eb6

SHA256
1fca2edfada089e695d4ec071e4b59bfaca3bd30327f72a92a51ec2cb5de46eb

SHA512
50180c8b414787ba9c88a70abb1d28a38bb1250d81b8ffe17bd041f9ec8d99d2c68ac52df09286b77db3ac5b74395e804888804b8280eeda13a3fb160a4cd6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6682\zstandard\backend_c.cp310-win_amd64.pyd

Filesize
174KB

MD5
6aa20997ac4e2ed34c3977d46a28662e

SHA1
9618bb8038c6132f012cf5c9a8a1be24e5a65a26

SHA256
e07dda20d5403f5beca70c0db5229a7b4f81cc735ec3f9220da0475fce90146e

SHA512
6f5562e52f342c4e1ef3f763e63ef79f4796bdfadd19cb3d723cf0612368644917a62f64cd2fc8f8b93e918d69de6399fadf4c223bb2261b6154930001f43b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gy2l5sgj.jqs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3844-867-0x00000299CC150000-0x00000299CC172000-memory.dmp

Filesize
136KB

Download
memory/4768-847-0x000001D6C4430000-0x000001D6C47A5000-memory.dmp

Filesize
3.5MB

Download
memory/4768-851-0x00007FFFECAD0000-0x00007FFFECB18000-memory.dmp

Filesize
288KB

Download
memory/4768-806-0x00007FFFFD4F0000-0x00007FFFFD4FB000-memory.dmp

Filesize
44KB

Download
memory/4768-814-0x00007FFFF0DF0000-0x00007FFFF0E08000-memory.dmp

Filesize
96KB

Download
memory/4768-813-0x00007FFFF8670000-0x00007FFFF867A000-memory.dmp

Filesize
40KB

Download
memory/4768-807-0x00007FFFF0B60000-0x00007FFFF0B86000-memory.dmp

Filesize
152KB

Download
memory/4768-805-0x00007FFFF0E10000-0x00007FFFF0E24000-memory.dmp

Filesize
80KB

Download
memory/4768-804-0x00007FFFEF670000-0x00007FFFEF6F7000-memory.dmp

Filesize
540KB

Download
memory/4768-796-0x00007FFFFF0E0000-0x00007FFFFF0F0000-memory.dmp

Filesize
64KB

Download
memory/4768-740-0x00007FFFFFD90000-0x00007FFFFFDB4000-memory.dmp

Filesize
144KB

Download
memory/4768-741-0x00007FFFFFCE0000-0x00007FFFFFCEF000-memory.dmp

Filesize
60KB

Download
memory/4768-816-0x00007FFFEF230000-0x00007FFFEF3A1000-memory.dmp

Filesize
1.4MB

Download
memory/4768-815-0x00007FFFF0D30000-0x00007FFFF0D4F000-memory.dmp

Filesize
124KB

Download
memory/4768-817-0x00007FFFEF1F0000-0x00007FFFEF228000-memory.dmp

Filesize
224KB

Download
memory/4768-830-0x00007FFFEF140000-0x00007FFFEF14C000-memory.dmp

Filesize
48KB

Download
memory/4768-838-0x00007FFFEF090000-0x00007FFFEF0AC000-memory.dmp

Filesize
112KB

Download
memory/4768-837-0x00007FFFEF100000-0x00007FFFEF112000-memory.dmp

Filesize
72KB

Download
memory/4768-836-0x00007FFFEF0B0000-0x00007FFFEF0BB000-memory.dmp

Filesize
44KB

Download
memory/4768-835-0x00007FFFEF0C0000-0x00007FFFEF0E9000-memory.dmp

Filesize
164KB

Download
memory/4768-834-0x00007FFFEF0F0000-0x00007FFFEF0FC000-memory.dmp

Filesize
48KB

Download
memory/4768-833-0x00007FFFEF120000-0x00007FFFEF12D000-memory.dmp

Filesize
52KB

Download
memory/4768-839-0x00007FFFEEDB0000-0x00007FFFEF08F000-memory.dmp

Filesize
2.9MB

Download
memory/4768-832-0x00007FFFEF130000-0x00007FFFEF13C000-memory.dmp

Filesize
48KB

Download
memory/4768-829-0x00007FFFEF150000-0x00007FFFEF15B000-memory.dmp

Filesize
44KB

Download
memory/4768-828-0x00007FFFEF160000-0x00007FFFEF16B000-memory.dmp

Filesize
44KB

Download
memory/4768-827-0x00007FFFEF170000-0x00007FFFEF17C000-memory.dmp

Filesize
48KB

Download
memory/4768-826-0x00007FFFEF180000-0x00007FFFEF18E000-memory.dmp

Filesize
56KB

Download
memory/4768-825-0x00007FFFEF190000-0x00007FFFEF19C000-memory.dmp

Filesize
48KB

Download
memory/4768-824-0x00007FFFEF1A0000-0x00007FFFEF1AC000-memory.dmp

Filesize
48KB

Download
memory/4768-823-0x00007FFFEF1B0000-0x00007FFFEF1BB000-memory.dmp

Filesize
44KB

Download
memory/4768-822-0x00007FFFEF1C0000-0x00007FFFEF1CC000-memory.dmp

Filesize
48KB

Download
memory/4768-821-0x00007FFFEF1D0000-0x00007FFFEF1DB000-memory.dmp

Filesize
44KB

Download
memory/4768-820-0x00007FFFEF1E0000-0x00007FFFEF1EC000-memory.dmp

Filesize
48KB

Download
memory/4768-819-0x00007FFFF0F50000-0x00007FFFF0F5B000-memory.dmp

Filesize
44KB

Download
memory/4768-818-0x00007FFFF5D80000-0x00007FFFF5D8B000-memory.dmp

Filesize
44KB

Download
memory/4768-831-0x00007FFFEFE60000-0x00007FFFF02CE000-memory.dmp

Filesize
4.4MB

Download
memory/4768-840-0x00007FFFECCB0000-0x00007FFFEEDA3000-memory.dmp

Filesize
32.9MB

Download
memory/4768-841-0x00007FFFFFDC0000-0x00007FFFFFDD9000-memory.dmp

Filesize
100KB

Download
memory/4768-842-0x00007FFFEF700000-0x00007FFFEFA75000-memory.dmp

Filesize
3.5MB

Download
memory/4768-845-0x00007FFFF0E30000-0x00007FFFF0E5E000-memory.dmp

Filesize
184KB

Download
memory/4768-844-0x00007FFFECC60000-0x00007FFFECC81000-memory.dmp

Filesize
132KB

Download
memory/4768-843-0x00007FFFECC90000-0x00007FFFECCA7000-memory.dmp

Filesize
92KB

Download
memory/4768-846-0x00007FFFEFA80000-0x00007FFFEFB38000-memory.dmp

Filesize
736KB

Download
memory/4768-848-0x00007FFFECC30000-0x00007FFFECC52000-memory.dmp

Filesize
136KB

Download
memory/4768-789-0x00007FFFEFA80000-0x00007FFFEFB38000-memory.dmp

Filesize
736KB

Download
memory/4768-857-0x00007FFFECB60000-0x00007FFFECB90000-memory.dmp

Filesize
192KB

Download
memory/4768-856-0x00007FFFEC990000-0x00007FFFECA44000-memory.dmp

Filesize
720KB

Download
memory/4768-855-0x00007FFFECA50000-0x00007FFFECA63000-memory.dmp

Filesize
76KB

Download
memory/4768-854-0x00007FFFECA70000-0x00007FFFECA8D000-memory.dmp

Filesize
116KB

Download
memory/4768-853-0x00007FFFECA90000-0x00007FFFECAA9000-memory.dmp

Filesize
100KB

Download
memory/4768-852-0x00007FFFECAB0000-0x00007FFFECACA000-memory.dmp

Filesize
104KB

Download
memory/4768-808-0x00007FFFEF550000-0x00007FFFEF668000-memory.dmp

Filesize
1.1MB

Download
memory/4768-850-0x00007FFFECB20000-0x00007FFFECB53000-memory.dmp

Filesize
204KB

Download
memory/4768-849-0x00007FFFECB90000-0x00007FFFECC2C000-memory.dmp

Filesize
624KB

Download
memory/4768-777-0x00007FFFFFBF0000-0x00007FFFFFC24000-memory.dmp

Filesize
208KB

Download
memory/4768-779-0x00007FFFFFBE0000-0x00007FFFFFBED000-memory.dmp

Filesize
52KB

Download
memory/4768-780-0x00007FFFFF150000-0x00007FFFFF15D000-memory.dmp

Filesize
52KB

Download
memory/4768-791-0x000001D6C4430000-0x000001D6C47A5000-memory.dmp

Filesize
3.5MB

Download
memory/4768-790-0x00007FFFEF700000-0x00007FFFEFA75000-memory.dmp

Filesize
3.5MB

Download
memory/4768-781-0x00007FFFF5D90000-0x00007FFFF5DBE000-memory.dmp

Filesize
184KB

Download
memory/4768-782-0x00007FFFEFB40000-0x00007FFFEFBFC000-memory.dmp

Filesize
752KB

Download
memory/4768-783-0x00007FFFF0F60000-0x00007FFFF0F8B000-memory.dmp

Filesize
172KB

Download
memory/4768-778-0x00007FFFFFDC0000-0x00007FFFFFDD9000-memory.dmp

Filesize
100KB

Download
memory/4768-795-0x00007FFFFEE20000-0x00007FFFFEE35000-memory.dmp

Filesize
84KB

Download
memory/4768-764-0x00007FFFFF930000-0x00007FFFFF949000-memory.dmp

Filesize
100KB

Download
memory/4768-765-0x00007FFFF5DC0000-0x00007FFFF5DED000-memory.dmp

Filesize
180KB

Download
memory/4768-788-0x00007FFFF0E30000-0x00007FFFF0E5E000-memory.dmp

Filesize
184KB

Download
memory/4768-730-0x00007FFFEFE60000-0x00007FFFF02CE000-memory.dmp

Filesize
4.4MB

Download
memory/4768-984-0x00007FFFF0DF0000-0x00007FFFF0E08000-memory.dmp

Filesize
96KB

Download
memory/4768-985-0x00007FFFEFE60000-0x00007FFFF02CE000-memory.dmp

Filesize
4.4MB

Download
memory/4768-1010-0x00007FFFEF230000-0x00007FFFEF3A1000-memory.dmp

Filesize
1.4MB

Download
memory/4768-1009-0x00007FFFF0D30000-0x00007FFFF0D4F000-memory.dmp

Filesize
124KB

Download
memory/4768-997-0x00007FFFF0E30000-0x00007FFFF0E5E000-memory.dmp

Filesize
184KB

Download
memory/4768-993-0x00007FFFFF150000-0x00007FFFFF15D000-memory.dmp

Filesize
52KB

Download
memory/4768-986-0x00007FFFFFD90000-0x00007FFFFFDB4000-memory.dmp

Filesize
144KB

Download
memory/4768-1066-0x00007FFFF0D30000-0x00007FFFF0D4F000-memory.dmp

Filesize
124KB

Download
memory/4768-1067-0x00007FFFEF230000-0x00007FFFEF3A1000-memory.dmp

Filesize
1.4MB

Download
memory/4768-1065-0x00007FFFF0DF0000-0x00007FFFF0E08000-memory.dmp

Filesize
96KB

Download
memory/4768-1064-0x00007FFFF8670000-0x00007FFFF867A000-memory.dmp

Filesize
40KB

Download
memory/4768-1063-0x00007FFFEF550000-0x00007FFFEF668000-memory.dmp

Filesize
1.1MB

Download
memory/4768-1062-0x00007FFFF0B60000-0x00007FFFF0B86000-memory.dmp

Filesize
152KB

Download
memory/4768-1061-0x00007FFFFD4F0000-0x00007FFFFD4FB000-memory.dmp

Filesize
44KB

Download
memory/4768-1060-0x00007FFFF0E10000-0x00007FFFF0E24000-memory.dmp

Filesize
80KB

Download
memory/4768-1059-0x00007FFFEF090000-0x00007FFFEF0AC000-memory.dmp

Filesize
112KB

Download
memory/4768-1058-0x00007FFFFF0E0000-0x00007FFFFF0F0000-memory.dmp

Filesize
64KB

Download
memory/4768-1057-0x00007FFFFEE20000-0x00007FFFFEE35000-memory.dmp

Filesize
84KB

Download
memory/4768-1056-0x00007FFFECB60000-0x00007FFFECB90000-memory.dmp

Filesize
192KB

Download
memory/4768-1055-0x00007FFFF0E30000-0x00007FFFF0E5E000-memory.dmp

Filesize
184KB

Download
memory/4768-1054-0x00007FFFF0F60000-0x00007FFFF0F8B000-memory.dmp

Filesize
172KB

Download
memory/4768-1053-0x00007FFFECC60000-0x00007FFFECC81000-memory.dmp

Filesize
132KB

Download
memory/4768-1052-0x00007FFFF5D90000-0x00007FFFF5DBE000-memory.dmp

Filesize
184KB

Download
memory/4768-1051-0x00007FFFFF150000-0x00007FFFFF15D000-memory.dmp

Filesize
52KB

Download
memory/4768-1050-0x00007FFFFFBE0000-0x00007FFFFFBED000-memory.dmp

Filesize
52KB

Download
memory/4768-1049-0x00007FFFFFDC0000-0x00007FFFFFDD9000-memory.dmp

Filesize
100KB

Download
memory/4768-1048-0x00007FFFFFBF0000-0x00007FFFFFC24000-memory.dmp

Filesize
208KB

Download
memory/4768-1047-0x00007FFFF5DC0000-0x00007FFFF5DED000-memory.dmp

Filesize
180KB

Download
memory/4768-1046-0x00007FFFFF930000-0x00007FFFFF949000-memory.dmp

Filesize
100KB

Download
memory/4768-1045-0x00007FFFFFCE0000-0x00007FFFFFCEF000-memory.dmp

Filesize
60KB

Download
memory/4768-1044-0x00007FFFFFD90000-0x00007FFFFFDB4000-memory.dmp

Filesize
144KB

Download
memory/4768-1037-0x00007FFFEF670000-0x00007FFFEF6F7000-memory.dmp

Filesize
540KB

Download
memory/4768-1034-0x00007FFFEF700000-0x00007FFFEFA75000-memory.dmp

Filesize
3.5MB

Download
memory/4768-1033-0x00007FFFEFA80000-0x00007FFFEFB38000-memory.dmp

Filesize
736KB

Download
memory/4768-1030-0x00007FFFEFB40000-0x00007FFFEFBFC000-memory.dmp

Filesize
752KB

Download
memory/4768-1020-0x00007FFFEFE60000-0x00007FFFF02CE000-memory.dmp

Filesize
4.4MB

Download