860824901d1ea71595e1a75792939b4de900e86b53c1aa3646c96b337dc8460c

Resubmissions

15/06/2024, 22:46

240615-2p62ca1hkl 8

Analysis

max time kernel
168s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2024, 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

password-is-eulen.rar
Size

7.3MB
MD5

66d9bcc0f9dd17489d5a990d1838debc
SHA1

66a58bb6815d8f55cdee382ce5dad19478e88824
SHA256

860824901d1ea71595e1a75792939b4de900e86b53c1aa3646c96b337dc8460c
SHA512

7f4d00e168424f783ea54999b634f96a3a5354049459bef6fd389b79e832dd44aafcf8178cff761dc3d683b49bd2cb40e7f3a6b1cc0b3aa567c9bb803cbf6d12
SSDEEP

196608:MRQeq77iLxkM+zyp+uYqGLoFE8PCLyRyYMHWjLqsheTpas:Ve/1rp+3vLy3rjWsktr

Score

8^/10

execution upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1748	powershell.exe
392	powershell.exe
5340	powershell.exe
5608	powershell.exe
5328	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 10 IoCs

pid	Process
1180	Loader.exe
1184	Loader.exe
4960	Loader.exe
2852	Loader.exe
2352	Loader.exe
1860	Loader.exe
5940	Loader.exe
6040	Loader.exe
5532	Loader.exe
5692	Loader.exe

Loads dropped DLL 64 IoCs

pid	Process
1184	Loader.exe
1184	Loader.exe
1184	Loader.exe
1184	Loader.exe
1184	Loader.exe
1184	Loader.exe
1184	Loader.exe
1184	Loader.exe
1184	Loader.exe
1184	Loader.exe
1184	Loader.exe
1184	Loader.exe
1184	Loader.exe
1184	Loader.exe
1184	Loader.exe
1184	Loader.exe
1184	Loader.exe
2852	Loader.exe
2852	Loader.exe
2852	Loader.exe
2852	Loader.exe
2852	Loader.exe
1860	Loader.exe
1860	Loader.exe
2852	Loader.exe
2852	Loader.exe
2852	Loader.exe
2852	Loader.exe
2852	Loader.exe
1860	Loader.exe
1860	Loader.exe
2852	Loader.exe
2852	Loader.exe
2852	Loader.exe
2852	Loader.exe
2852	Loader.exe
2852	Loader.exe
2852	Loader.exe
1860	Loader.exe
1860	Loader.exe
1860	Loader.exe
1860	Loader.exe
1860	Loader.exe
1860	Loader.exe
1860	Loader.exe
1860	Loader.exe
1860	Loader.exe
1860	Loader.exe
1860	Loader.exe
1860	Loader.exe
1860	Loader.exe
6040	Loader.exe
6040	Loader.exe
6040	Loader.exe
6040	Loader.exe
6040	Loader.exe
6040	Loader.exe
6040	Loader.exe
6040	Loader.exe
6040	Loader.exe
6040	Loader.exe
6040	Loader.exe
6040	Loader.exe
6040	Loader.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000002327f-26.dat	upx
behavioral1/memory/1184-30-0x00007FFD76620000-0x00007FFD76CE4000-memory.dmp	upx
behavioral1/files/0x0007000000023272-32.dat	upx
behavioral1/files/0x000700000002327d-34.dat	upx
behavioral1/memory/1184-35-0x00007FFD890C0000-0x00007FFD890E5000-memory.dmp	upx
behavioral1/memory/1184-37-0x00007FFD88DE0000-0x00007FFD88DEF000-memory.dmp	upx
behavioral1/files/0x0007000000023279-53.dat	upx
behavioral1/files/0x0007000000023278-52.dat	upx
behavioral1/files/0x0007000000023277-51.dat	upx
behavioral1/files/0x0007000000023276-50.dat	upx
behavioral1/files/0x0007000000023275-49.dat	upx
behavioral1/files/0x0007000000023274-48.dat	upx
behavioral1/files/0x0007000000023273-47.dat	upx
behavioral1/files/0x0007000000023271-46.dat	upx
behavioral1/files/0x0007000000023284-45.dat	upx
behavioral1/files/0x0007000000023283-44.dat	upx
behavioral1/files/0x0007000000023282-43.dat	upx
behavioral1/files/0x000700000002327e-40.dat	upx
behavioral1/files/0x000700000002327c-39.dat	upx
behavioral1/memory/1184-59-0x00007FFD7A190000-0x00007FFD7A1BD000-memory.dmp	upx
behavioral1/memory/1184-61-0x00007FFD7EF20000-0x00007FFD7EF3A000-memory.dmp	upx
behavioral1/memory/1184-63-0x00007FFD77C20000-0x00007FFD77C44000-memory.dmp	upx
behavioral1/memory/1184-65-0x00007FFD76340000-0x00007FFD764BF000-memory.dmp	upx
behavioral1/memory/1184-69-0x00007FFD88DC0000-0x00007FFD88DCD000-memory.dmp	upx
behavioral1/memory/1184-68-0x00007FFD76320000-0x00007FFD76339000-memory.dmp	upx
behavioral1/memory/1184-71-0x00007FFD76620000-0x00007FFD76CE4000-memory.dmp	upx
behavioral1/memory/1184-72-0x00007FFD762E0000-0x00007FFD76313000-memory.dmp	upx
behavioral1/memory/1184-74-0x00007FFD76210000-0x00007FFD762DD000-memory.dmp	upx
behavioral1/memory/1184-77-0x00007FFD890C0000-0x00007FFD890E5000-memory.dmp	upx
behavioral1/memory/1184-78-0x00007FFD75CE0000-0x00007FFD76209000-memory.dmp	upx
behavioral1/memory/1184-83-0x00007FFD7A190000-0x00007FFD7A1BD000-memory.dmp	upx
behavioral1/memory/1184-84-0x00007FFD88C00000-0x00007FFD88C0D000-memory.dmp	upx
behavioral1/memory/1184-81-0x00007FFD75CC0000-0x00007FFD75CD4000-memory.dmp	upx
behavioral1/memory/1184-86-0x00007FFD7EF20000-0x00007FFD7EF3A000-memory.dmp	upx
behavioral1/memory/1184-87-0x00007FFD75A70000-0x00007FFD75B8B000-memory.dmp	upx
behavioral1/memory/1184-133-0x00007FFD77C20000-0x00007FFD77C44000-memory.dmp	upx
behavioral1/memory/2852-135-0x00007FFD6CAE0000-0x00007FFD6D1A4000-memory.dmp	upx
behavioral1/memory/2852-154-0x00007FFD72920000-0x00007FFD72945000-memory.dmp	upx
behavioral1/memory/2852-155-0x00007FFD88200000-0x00007FFD8820F000-memory.dmp	upx
behavioral1/memory/1184-161-0x00007FFD77C20000-0x00007FFD77C44000-memory.dmp	upx
behavioral1/memory/1184-167-0x00007FFD75CE0000-0x00007FFD76209000-memory.dmp	upx
behavioral1/memory/1184-170-0x00007FFD88C00000-0x00007FFD88C0D000-memory.dmp	upx
behavioral1/memory/1184-169-0x00007FFD75CC0000-0x00007FFD75CD4000-memory.dmp	upx
behavioral1/memory/1184-156-0x00007FFD76620000-0x00007FFD76CE4000-memory.dmp	upx
behavioral1/memory/1184-171-0x00007FFD75A70000-0x00007FFD75B8B000-memory.dmp	upx
behavioral1/memory/1184-163-0x00007FFD76320000-0x00007FFD76339000-memory.dmp	upx
behavioral1/memory/1184-162-0x00007FFD76340000-0x00007FFD764BF000-memory.dmp	upx
behavioral1/memory/1184-166-0x00007FFD76210000-0x00007FFD762DD000-memory.dmp	upx
behavioral1/memory/1184-165-0x00007FFD762E0000-0x00007FFD76313000-memory.dmp	upx
behavioral1/memory/1184-164-0x00007FFD88DC0000-0x00007FFD88DCD000-memory.dmp	upx
behavioral1/memory/1184-160-0x00007FFD7EF20000-0x00007FFD7EF3A000-memory.dmp	upx
behavioral1/memory/1184-159-0x00007FFD7A190000-0x00007FFD7A1BD000-memory.dmp	upx
behavioral1/memory/1184-158-0x00007FFD88DE0000-0x00007FFD88DEF000-memory.dmp	upx
behavioral1/memory/1184-157-0x00007FFD890C0000-0x00007FFD890E5000-memory.dmp	upx
behavioral1/memory/1184-140-0x00007FFD76340000-0x00007FFD764BF000-memory.dmp	upx
behavioral1/memory/2852-200-0x00007FFD890C0000-0x00007FFD890ED000-memory.dmp	upx
behavioral1/memory/2852-203-0x00007FFD766B0000-0x00007FFD7682F000-memory.dmp	upx
behavioral1/memory/2852-204-0x00007FFD7EF20000-0x00007FFD7EF3A000-memory.dmp	upx
behavioral1/memory/2852-202-0x00007FFD7A190000-0x00007FFD7A1B4000-memory.dmp	upx
behavioral1/memory/1860-201-0x00007FFD75DF0000-0x00007FFD764B4000-memory.dmp	upx
behavioral1/memory/1860-208-0x00007FFD88DC0000-0x00007FFD88DCF000-memory.dmp	upx
behavioral1/memory/2852-209-0x00007FFD75DB0000-0x00007FFD75DE3000-memory.dmp	upx
behavioral1/memory/2852-210-0x00007FFD6CAE0000-0x00007FFD6D1A4000-memory.dmp	upx
behavioral1/memory/2852-211-0x00007FFD75CE0000-0x00007FFD75DAD000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 5 IoCs

Process Discovery

T1057

pid	Process
5616	tasklist.exe
5020	tasklist.exe
1060	tasklist.exe
1792	tasklist.exe
5348	tasklist.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
1792	powershell.exe
1792	powershell.exe
1748	powershell.exe
1748	powershell.exe
1792	powershell.exe
1748	powershell.exe
392	powershell.exe
392	powershell.exe
392	powershell.exe
2740	powershell.exe
2740	powershell.exe
2740	powershell.exe
5340	powershell.exe
5292	powershell.exe
5292	powershell.exe
5340	powershell.exe
5340	powershell.exe
5292	powershell.exe
5608	powershell.exe
5608	powershell.exe
5740	powershell.exe
5740	powershell.exe
5608	powershell.exe
5740	powershell.exe
5352	powershell.exe
5352	powershell.exe
5328	powershell.exe
5328	powershell.exe
5352	powershell.exe
5328	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2604	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2604	7zFM.exe
Token: 35	2604	7zFM.exe
Token: SeSecurityPrivilege	2604	7zFM.exe
Token: SeDebugPrivilege	1060	tasklist.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeIncreaseQuotaPrivilege	2856	WMIC.exe
Token: SeSecurityPrivilege	2856	WMIC.exe
Token: SeTakeOwnershipPrivilege	2856	WMIC.exe
Token: SeLoadDriverPrivilege	2856	WMIC.exe
Token: SeSystemProfilePrivilege	2856	WMIC.exe
Token: SeSystemtimePrivilege	2856	WMIC.exe
Token: SeProfSingleProcessPrivilege	2856	WMIC.exe
Token: SeIncBasePriorityPrivilege	2856	WMIC.exe
Token: SeCreatePagefilePrivilege	2856	WMIC.exe
Token: SeBackupPrivilege	2856	WMIC.exe
Token: SeRestorePrivilege	2856	WMIC.exe
Token: SeShutdownPrivilege	2856	WMIC.exe
Token: SeDebugPrivilege	2856	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2856	WMIC.exe
Token: SeRemoteShutdownPrivilege	2856	WMIC.exe
Token: SeUndockPrivilege	2856	WMIC.exe
Token: SeManageVolumePrivilege	2856	WMIC.exe
Token: 33	2856	WMIC.exe
Token: 34	2856	WMIC.exe
Token: 35	2856	WMIC.exe
Token: 36	2856	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2856	WMIC.exe
Token: SeSecurityPrivilege	2856	WMIC.exe
Token: SeTakeOwnershipPrivilege	2856	WMIC.exe
Token: SeLoadDriverPrivilege	2856	WMIC.exe
Token: SeSystemProfilePrivilege	2856	WMIC.exe
Token: SeSystemtimePrivilege	2856	WMIC.exe
Token: SeProfSingleProcessPrivilege	2856	WMIC.exe
Token: SeIncBasePriorityPrivilege	2856	WMIC.exe
Token: SeCreatePagefilePrivilege	2856	WMIC.exe
Token: SeBackupPrivilege	2856	WMIC.exe
Token: SeRestorePrivilege	2856	WMIC.exe
Token: SeShutdownPrivilege	2856	WMIC.exe
Token: SeDebugPrivilege	2856	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2856	WMIC.exe
Token: SeRemoteShutdownPrivilege	2856	WMIC.exe
Token: SeUndockPrivilege	2856	WMIC.exe
Token: SeManageVolumePrivilege	2856	WMIC.exe
Token: 33	2856	WMIC.exe
Token: 34	2856	WMIC.exe
Token: 35	2856	WMIC.exe
Token: 36	2856	WMIC.exe
Token: SeDebugPrivilege	1792	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4548	WMIC.exe
Token: SeSecurityPrivilege	4548	WMIC.exe
Token: SeTakeOwnershipPrivilege	4548	WMIC.exe
Token: SeLoadDriverPrivilege	4548	WMIC.exe
Token: SeSystemProfilePrivilege	4548	WMIC.exe
Token: SeSystemtimePrivilege	4548	WMIC.exe
Token: SeProfSingleProcessPrivilege	4548	WMIC.exe
Token: SeIncBasePriorityPrivilege	4548	WMIC.exe
Token: SeCreatePagefilePrivilege	4548	WMIC.exe
Token: SeBackupPrivilege	4548	WMIC.exe
Token: SeRestorePrivilege	4548	WMIC.exe
Token: SeShutdownPrivilege	4548	WMIC.exe
Token: SeDebugPrivilege	4548	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4548	WMIC.exe
Token: SeRemoteShutdownPrivilege	4548	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2604	7zFM.exe
2604	7zFM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3116 wrote to memory of 2604	3116	cmd.exe	91
PID 3116 wrote to memory of 2604	3116	cmd.exe	91
PID 1180 wrote to memory of 1184	1180	Loader.exe	100
PID 1180 wrote to memory of 1184	1180	Loader.exe	100
PID 1184 wrote to memory of 4748	1184	Loader.exe	103
PID 1184 wrote to memory of 4748	1184	Loader.exe	103
PID 1184 wrote to memory of 4884	1184	Loader.exe	105
PID 1184 wrote to memory of 4884	1184	Loader.exe	105
PID 1184 wrote to memory of 1248	1184	Loader.exe	106
PID 1184 wrote to memory of 1248	1184	Loader.exe	106
PID 1184 wrote to memory of 1432	1184	Loader.exe	109
PID 1184 wrote to memory of 1432	1184	Loader.exe	109
PID 4748 wrote to memory of 1748	4748	cmd.exe	135
PID 4748 wrote to memory of 1748	4748	cmd.exe	135
PID 1184 wrote to memory of 1596	1184	Loader.exe	112
PID 1184 wrote to memory of 1596	1184	Loader.exe	112
PID 4884 wrote to memory of 1792	4884	cmd.exe	133
PID 4884 wrote to memory of 1792	4884	cmd.exe	133
PID 1432 wrote to memory of 1060	1432	cmd.exe	115
PID 1432 wrote to memory of 1060	1432	cmd.exe	115
PID 1248 wrote to memory of 724	1248	cmd.exe	116
PID 1248 wrote to memory of 724	1248	cmd.exe	116
PID 4960 wrote to memory of 2852	4960	Loader.exe	119
PID 4960 wrote to memory of 2852	4960	Loader.exe	119
PID 1596 wrote to memory of 2856	1596	cmd.exe	130
PID 1596 wrote to memory of 2856	1596	cmd.exe	130
PID 2352 wrote to memory of 1860	2352	Loader.exe	122
PID 2352 wrote to memory of 1860	2352	Loader.exe	122
PID 2852 wrote to memory of 924	2852	Loader.exe	123
PID 2852 wrote to memory of 924	2852	Loader.exe	123
PID 2852 wrote to memory of 2716	2852	Loader.exe	124
PID 2852 wrote to memory of 2716	2852	Loader.exe	124
PID 2852 wrote to memory of 1776	2852	Loader.exe	126
PID 2852 wrote to memory of 1776	2852	Loader.exe	126
PID 2852 wrote to memory of 4232	2852	Loader.exe	129
PID 2852 wrote to memory of 4232	2852	Loader.exe	129
PID 2852 wrote to memory of 1284	2852	Loader.exe	131
PID 2852 wrote to memory of 1284	2852	Loader.exe	131
PID 4232 wrote to memory of 1792	4232	cmd.exe	133
PID 4232 wrote to memory of 1792	4232	cmd.exe	133
PID 1284 wrote to memory of 4548	1284	cmd.exe	134
PID 1284 wrote to memory of 4548	1284	cmd.exe	134
PID 1776 wrote to memory of 1748	1776	cmd.exe	135
PID 1776 wrote to memory of 1748	1776	cmd.exe	135
PID 924 wrote to memory of 392	924	cmd.exe	136
PID 924 wrote to memory of 392	924	cmd.exe	136
PID 2716 wrote to memory of 2740	2716	cmd.exe	137
PID 2716 wrote to memory of 2740	2716	cmd.exe	137
PID 1860 wrote to memory of 3420	1860	Loader.exe	138
PID 1860 wrote to memory of 3420	1860	Loader.exe	138
PID 1860 wrote to memory of 2108	1860	Loader.exe	139
PID 1860 wrote to memory of 2108	1860	Loader.exe	139
PID 1860 wrote to memory of 2136	1860	Loader.exe	140
PID 1860 wrote to memory of 2136	1860	Loader.exe	140
PID 1860 wrote to memory of 5140	1860	Loader.exe	144
PID 1860 wrote to memory of 5140	1860	Loader.exe	144
PID 1860 wrote to memory of 5244	1860	Loader.exe	146
PID 1860 wrote to memory of 5244	1860	Loader.exe	146
PID 2108 wrote to memory of 5292	2108	cmd.exe	148
PID 2108 wrote to memory of 5292	2108	cmd.exe	148
PID 2136 wrote to memory of 5300	2136	cmd.exe	149
PID 2136 wrote to memory of 5300	2136	cmd.exe	149
PID 3420 wrote to memory of 5340	3420	cmd.exe	150
PID 3420 wrote to memory of 5340	3420	cmd.exe	150

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\password-is-eulen.rar
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\password-is-eulen.rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2604

C:\Users\Admin\Desktop\Loader.exe
"C:\Users\Admin\Desktop\Loader.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Users\Admin\Desktop\Loader.exe
  "C:\Users\Admin\Desktop\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Loader.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4748
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Loader.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4884
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Error Connecting to the server #2! Please try again...', 0, 'Error', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Error Connecting to the server #2! Please try again...', 0, 'Error', 0+16);close()"
      4⤵
      PID:724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1432
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1596
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2856

C:\Users\Admin\Desktop\Loader.exe
"C:\Users\Admin\Desktop\Loader.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Users\Admin\Desktop\Loader.exe
  "C:\Users\Admin\Desktop\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Loader.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:924
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Loader.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Error Connecting to the server #2! Please try again...', 0, 'Error', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1776
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Error Connecting to the server #2! Please try again...', 0, 'Error', 0+16);close()"
      4⤵
      PID:1748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4232
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2856
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1284
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4548

C:\Users\Admin\Desktop\Loader.exe
"C:\Users\Admin\Desktop\Loader.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\Desktop\Loader.exe
  "C:\Users\Admin\Desktop\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Loader.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3420
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Loader.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Error Connecting to the server #2! Please try again...', 0, 'Error', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Error Connecting to the server #2! Please try again...', 0, 'Error', 0+16);close()"
      4⤵
      PID:5300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5140
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:5244
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3804 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:5880

C:\Users\Admin\Desktop\Loader.exe
"C:\Users\Admin\Desktop\Loader.exe"
1⤵
- Executes dropped EXE
PID:5940
- C:\Users\Admin\Desktop\Loader.exe
  "C:\Users\Admin\Desktop\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Loader.exe'"
    3⤵
    PID:6136
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Loader.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    PID:884
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Error Connecting to the server #2! Please try again...', 0, 'Error', 0+16);close()""
    3⤵
    PID:4892
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Error Connecting to the server #2! Please try again...', 0, 'Error', 0+16);close()"
      4⤵
      PID:5764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4332
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:5276
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3696

C:\Users\Admin\Desktop\Loader.exe
"C:\Users\Admin\Desktop\Loader.exe"
1⤵
- Executes dropped EXE
PID:5532
- C:\Users\Admin\Desktop\Loader.exe
  "C:\Users\Admin\Desktop\Loader.exe"
  2⤵
  - Executes dropped EXE
  PID:5692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Loader.exe'"
    3⤵
    PID:5856
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Loader.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    PID:3572
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Error Connecting to the server #2! Please try again...', 0, 'Error', 0+16);close()""
    3⤵
    PID:4004
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Error Connecting to the server #2! Please try again...', 0, 'Error', 0+16);close()"
      4⤵
      PID:2540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2548
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2936
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI11802\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\_bz2.pyd

Filesize
48KB

MD5
5cd942486b252213763679f99c920260

SHA1
abd370aa56b0991e4bfee065c5f34b041d494c68

SHA256
88087fef2cff82a3d2d2d28a75663618271803017ea8a6fcb046a23e6cbb6ac8

SHA512
6cd703e93ebccb0fd896d3c06ca50f8cc2e782b6cc6a7bdd12786fcfb174c2933d39ab7d8e674119faeca5903a0bfac40beffb4e3f6ca1204aaffefe1f30642c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\_ctypes.pyd

Filesize
59KB

MD5
4878ad72e9fbf87a1b476999ee06341e

SHA1
9e25424d9f0681398326252f2ae0be55f17e3540

SHA256
d699e09727eefe5643e0fdf4be4600a1d021af25d8a02906ebf98c2104d3735d

SHA512
6d465ae4a222456181441d974a5bb74d8534a39d20dca6c55825ebb0aa678e2ea0d6a6853bfa0888a7fd6be36f70181f367a0d584fccaa8daa940859578ab2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\_decimal.pyd

Filesize
107KB

MD5
d60e08c4bf3be928473139fa6dcb3354

SHA1
e819b15b95c932d30dafd7aa4e48c2eea5eb5fcb

SHA256
e21b0a031d399ffb7d71c00a840255d436887cb761af918f5501c10142987b7b

SHA512
6cac905f58c1f25cb91ea0a307cc740575bf64557f3cd57f10ad7251865ddb88965b2ad0777089b77fc27c6d9eb9a1f87456ddf57b7d2d717664c07af49e7b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\_hashlib.pyd

Filesize
35KB

MD5
edfb41ad93bc40757a0f0e8fdf1d0d6c

SHA1
155f574eef1c89fd038b544778970a30c8ab25ad

SHA256
09a0be93d58ce30fa7fb8503e9d0f83b10d985f821ce8a9659fd0bbc5156d81e

SHA512
3ba7d225828b37a141ed2232e892dad389147ca4941a1a85057f04c0ed6c0eab47b427bd749c565863f2d6f3a11f3eb34b6ee93506dee92ec56d7854e3392b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\_lzma.pyd

Filesize
86KB

MD5
25b96925b6b4ea5dd01f843ecf224c26

SHA1
69ba7c4c73c45124123a07018fa62f6f86948e81

SHA256
2fbc631716ffd1fd8fd3c951a1bd9ba00cc11834e856621e682799ba2ab430fd

SHA512
97c56ce5040fb7d5785a4245ffe08817b02926da77c79e7e665a4cfa750afdcb7d93a88104831944b1fe3262c0014970ca50a332b51030eb602bb7fb29b56ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\_queue.pyd

Filesize
26KB

MD5
c2ba2b78e35b0ab037b5f969549e26ac

SHA1
cb222117dda9d9b711834459e52c75d1b86cbb6e

SHA256
d8b60222732bdcedddbf026f96bddda028c54f6ae6b71f169a4d0c35bc911846

SHA512
da2bf31eb6fc87a606cbaa53148407e9368a6c3324648cb3df026a4fe06201bbaab1b0e1a6735d1f1d3b90ea66f5a38d47daac9686520127e993ecb02714181f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\_socket.pyd

Filesize
44KB

MD5
aa8435614d30cee187af268f8b5d394b

SHA1
6e218f3ad8ac48a1dde6b3c46ff463659a22a44e

SHA256
5427daade880df81169245ea2d2cc68355d34dbe907bc8c067975f805d062047

SHA512
3ccf7ec281c1dc68f782a39f339e191a251c9a92f6dc2df8df865e1d7796cf32b004ea8a2de96fe75fa668638341786eb515bac813f59a0d454fc91206fee632

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\_sqlite3.pyd

Filesize
57KB

MD5
81a43e60fc9e56f86800d8bb920dbe58

SHA1
0dc3ffa0ccbc0d8be7c7cbae946257548578f181

SHA256
79977cbda8d6b54868d9cfc50159a2970f9b3b0f8df0ada299c3c1ecfdc6deb0

SHA512
d3a773f941f1a726826d70db4235f4339036ee5e67667a6c63631ff6357b69ba90b03f44fd0665210ee243c1af733c84d2694a1703ebb290f45a7e4b1fc001c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\_ssl.pyd

Filesize
66KB

MD5
c0512ca159b58473feadc60d3bd85654

SHA1
ac30797e7c71dea5101c0db1ac47d59a4bf08756

SHA256
66a0e06cce76b1e332278f84eda4c032b4befbd6710c7c7eb6f5e872a7b83f43

SHA512
3999fc4e673cf2ce9938df5850270130247f4a96c249e01258a25b125d64c42c8683a85aec64ed9799d79b50f261bcfac6ee9de81f1c5252e044d02ac372e5c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\base_library.zip

Filesize
1.3MB

MD5
43935f81d0c08e8ab1dfe88d65af86d8

SHA1
abb6eae98264ee4209b81996c956a010ecf9159b

SHA256
c611943f0aeb3292d049437cb03500cc2f8d12f23faf55e644bca82f43679bc0

SHA512
06a9dcd310aa538664b08f817ec1c6cfa3f748810d76559c46878ea90796804904d41ac79535c7f63114df34c0e5de6d0452bb30df54b77118d925f21cfa1955

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\blank.aes

Filesize
113KB

MD5
b4bcc054e431e1638ca4a8fcd81ec89e

SHA1
727822f5f77d8d89ab8b177d800e0ff43f660154

SHA256
880a625e4c002f3a53ecfeb022a4a04c991beb4b84eacbfbc16b82b4e04e22d3

SHA512
108be697109e47cbf8a1eaf449d1a400dc403f8c8cf04c8eda60e1a46b3e37521e23d80017bfb703668c2174a00b3fccf7d0b8ffda615a85af6bba253368d1a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\python312.dll

Filesize
1.7MB

MD5
18677d48ba556e529b73d6e60afaf812

SHA1
68f93ed1e3425432ac639a8f0911c144f1d4c986

SHA256
8e2c03e1ee5068c16e61d3037a10371f2e9613221a165150008bef04474a8af8

SHA512
a843ab3a180684c4f5cae0240da19291e7ed9ae675c9356334386397561c527ab728d73767459350fa67624f389411d03665f69637c5f5c268011d1b103d0b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\select.pyd

Filesize
25KB

MD5
f5540323c6bb870b3a94e1b3442e597b

SHA1
2581887ffc43fa4a6cbd47f5d4745152ce40a5a7

SHA256
b3ff47c71e1023368e94314b6d371e01328dae9f6405398c72639129b89a48d2

SHA512
56ee1da2fb604ef9f30eca33163e3f286540d3f738ed7105fc70a2bccef7163e0e5afd0aeb68caf979d9493cd5a6a286e6943f6cd59c8e18902657807aa652e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\sqlite3.dll

Filesize
644KB

MD5
8a6c2b015c11292de9d556b5275dc998

SHA1
4dcf83e3b50970374eef06b79d323a01f5364190

SHA256
ad9afd1225847ae694e091b833b35aa03445b637e35fb2873812db358d783f29

SHA512
819f4e888831524ceeed875161880a830794a748add2bf887895d682db1cec29eaddc5eddf1e90d982f4c78a9747f960d75f7a87bdda3b4f63ea2f326db05387

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\unicodedata.pyd

Filesize
295KB

MD5
3f2da3ed690327ae6b320daa82d9be27

SHA1
32aebd8e8e17d6b113fc8f693259eba8b6b45ea5

SHA256
7dc64867f466b666ff1a209b0ef92585ffb7b0cac3a87c27e6434a2d7b85594f

SHA512
a4e6d58477baa35100aa946dfad42ad234f8affb26585d09f91cab89bbef3143fc45307967c9dbc43749ee06e93a94d87f436f5a390301823cd09e221cac8a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49602\blank.aes

Filesize
113KB

MD5
78a1b98e5ac5336063824c3bdd3463c3

SHA1
3b887040d033f73834b4c9854e18fe645deb494d

SHA256
af7c75d5af6cc7f5fac506d352591ebf0527b153ce18db355a3e0d6dfe2c0f56

SHA512
4faf4656ec078c6d3a39d616b79a0a81bce3176e7eb55a16677cd40a97043825a494227ee53d532b801c722a3dde458ce28b220f2ac48d8ca20d07abc85e2557

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_djwv3c2h.smw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\Loader.exe

Filesize
7.4MB

MD5
7e5ca19bbb822f510e97fe915f40902a

SHA1
12ae21309b01636f8564bb317c42f5b09d58f90b

SHA256
6d8a55a3677ed0c3d836595853f8961aa549e0c2ab2c2a3352fd374b773c1aa2

SHA512
011e7c525d7f330c2b545698bb48dfb3eece9e7a3d2e66e595ccd58938d10ba110b8a56383f13998719f71ccf6954632fc8800a91e3ae0ad07320c63baf0008f

Download Submit
memory/1184-35-0x00007FFD890C0000-0x00007FFD890E5000-memory.dmp

Filesize
148KB

Download
memory/1184-156-0x00007FFD76620000-0x00007FFD76CE4000-memory.dmp

Filesize
6.8MB

Download
memory/1184-61-0x00007FFD7EF20000-0x00007FFD7EF3A000-memory.dmp

Filesize
104KB

Download
memory/1184-63-0x00007FFD77C20000-0x00007FFD77C44000-memory.dmp

Filesize
144KB

Download
memory/1184-65-0x00007FFD76340000-0x00007FFD764BF000-memory.dmp

Filesize
1.5MB

Download
memory/1184-69-0x00007FFD88DC0000-0x00007FFD88DCD000-memory.dmp

Filesize
52KB

Download
memory/1184-68-0x00007FFD76320000-0x00007FFD76339000-memory.dmp

Filesize
100KB

Download
memory/1184-71-0x00007FFD76620000-0x00007FFD76CE4000-memory.dmp

Filesize
6.8MB

Download
memory/1184-72-0x00007FFD762E0000-0x00007FFD76313000-memory.dmp

Filesize
204KB

Download
memory/1184-133-0x00007FFD77C20000-0x00007FFD77C44000-memory.dmp

Filesize
144KB

Download
memory/1184-77-0x00007FFD890C0000-0x00007FFD890E5000-memory.dmp

Filesize
148KB

Download
memory/1184-78-0x00007FFD75CE0000-0x00007FFD76209000-memory.dmp

Filesize
5.2MB

Download
memory/1184-83-0x00007FFD7A190000-0x00007FFD7A1BD000-memory.dmp

Filesize
180KB

Download
memory/1184-84-0x00007FFD88C00000-0x00007FFD88C0D000-memory.dmp

Filesize
52KB

Download
memory/1184-81-0x00007FFD75CC0000-0x00007FFD75CD4000-memory.dmp

Filesize
80KB

Download
memory/1184-79-0x0000012C53F60000-0x0000012C54489000-memory.dmp

Filesize
5.2MB

Download
memory/1184-86-0x00007FFD7EF20000-0x00007FFD7EF3A000-memory.dmp

Filesize
104KB

Download
memory/1184-87-0x00007FFD75A70000-0x00007FFD75B8B000-memory.dmp

Filesize
1.1MB

Download
memory/1184-59-0x00007FFD7A190000-0x00007FFD7A1BD000-memory.dmp

Filesize
180KB

Download
memory/1184-158-0x00007FFD88DE0000-0x00007FFD88DEF000-memory.dmp

Filesize
60KB

Download
memory/1184-74-0x00007FFD76210000-0x00007FFD762DD000-memory.dmp

Filesize
820KB

Download
memory/1184-157-0x00007FFD890C0000-0x00007FFD890E5000-memory.dmp

Filesize
148KB

Download
memory/1184-30-0x00007FFD76620000-0x00007FFD76CE4000-memory.dmp

Filesize
6.8MB

Download
memory/1184-140-0x00007FFD76340000-0x00007FFD764BF000-memory.dmp

Filesize
1.5MB

Download
memory/1184-161-0x00007FFD77C20000-0x00007FFD77C44000-memory.dmp

Filesize
144KB

Download
memory/1184-167-0x00007FFD75CE0000-0x00007FFD76209000-memory.dmp

Filesize
5.2MB

Download
memory/1184-170-0x00007FFD88C00000-0x00007FFD88C0D000-memory.dmp

Filesize
52KB

Download
memory/1184-169-0x00007FFD75CC0000-0x00007FFD75CD4000-memory.dmp

Filesize
80KB

Download
memory/1184-37-0x00007FFD88DE0000-0x00007FFD88DEF000-memory.dmp

Filesize
60KB

Download
memory/1184-171-0x00007FFD75A70000-0x00007FFD75B8B000-memory.dmp

Filesize
1.1MB

Download
memory/1184-163-0x00007FFD76320000-0x00007FFD76339000-memory.dmp

Filesize
100KB

Download
memory/1184-162-0x00007FFD76340000-0x00007FFD764BF000-memory.dmp

Filesize
1.5MB

Download
memory/1184-166-0x00007FFD76210000-0x00007FFD762DD000-memory.dmp

Filesize
820KB

Download
memory/1184-165-0x00007FFD762E0000-0x00007FFD76313000-memory.dmp

Filesize
204KB

Download
memory/1184-164-0x00007FFD88DC0000-0x00007FFD88DCD000-memory.dmp

Filesize
52KB

Download
memory/1184-160-0x00007FFD7EF20000-0x00007FFD7EF3A000-memory.dmp

Filesize
104KB

Download
memory/1184-159-0x00007FFD7A190000-0x00007FFD7A1BD000-memory.dmp

Filesize
180KB

Download
memory/1748-126-0x000002AEA8530000-0x000002AEA8552000-memory.dmp

Filesize
136KB

Download
memory/1860-299-0x00007FFD88DC0000-0x00007FFD88DCF000-memory.dmp

Filesize
60KB

Download
memory/1860-256-0x00007FFD890C0000-0x00007FFD890E4000-memory.dmp

Filesize
144KB

Download
memory/1860-298-0x00007FFD76620000-0x00007FFD76645000-memory.dmp

Filesize
148KB

Download
memory/1860-304-0x00007FFD7EF20000-0x00007FFD7EF39000-memory.dmp

Filesize
100KB

Download
memory/1860-305-0x00007FFD88DE0000-0x00007FFD88DED000-memory.dmp

Filesize
52KB

Download
memory/1860-306-0x00007FFD7A180000-0x00007FFD7A1B3000-memory.dmp

Filesize
204KB

Download
memory/1860-300-0x00007FFD75BE0000-0x00007FFD75C0D000-memory.dmp

Filesize
180KB

Download
memory/1860-201-0x00007FFD75DF0000-0x00007FFD764B4000-memory.dmp

Filesize
6.8MB

Download
memory/1860-208-0x00007FFD88DC0000-0x00007FFD88DCF000-memory.dmp

Filesize
60KB

Download
memory/1860-301-0x00007FFD73230000-0x00007FFD7324A000-memory.dmp

Filesize
104KB

Download
memory/1860-302-0x00007FFD890C0000-0x00007FFD890E4000-memory.dmp

Filesize
144KB

Download
memory/1860-307-0x00007FFD75D20000-0x00007FFD75DED000-memory.dmp

Filesize
820KB

Download
memory/1860-207-0x00007FFD76620000-0x00007FFD76645000-memory.dmp

Filesize
148KB

Download
memory/1860-297-0x00007FFD75DF0000-0x00007FFD764B4000-memory.dmp

Filesize
6.8MB

Download
memory/1860-311-0x00007FFD75900000-0x00007FFD75A1B000-memory.dmp

Filesize
1.1MB

Download
memory/1860-214-0x00007FFD75DF0000-0x00007FFD764B4000-memory.dmp

Filesize
6.8MB

Download
memory/1860-309-0x00007FFD76690000-0x00007FFD766A4000-memory.dmp

Filesize
80KB

Download
memory/1860-308-0x00007FFD6CC80000-0x00007FFD6D1A9000-memory.dmp

Filesize
5.2MB

Download
memory/1860-312-0x00007FFD88C00000-0x00007FFD88C0D000-memory.dmp

Filesize
52KB

Download
memory/1860-303-0x00007FFD766B0000-0x00007FFD7682F000-memory.dmp

Filesize
1.5MB

Download
memory/1860-275-0x00007FFD76690000-0x00007FFD766A4000-memory.dmp

Filesize
80KB

Download
memory/1860-277-0x00007FFD75900000-0x00007FFD75A1B000-memory.dmp

Filesize
1.1MB

Download
memory/1860-276-0x00007FFD88C00000-0x00007FFD88C0D000-memory.dmp

Filesize
52KB

Download
memory/1860-273-0x0000013DA16F0000-0x0000013DA1C19000-memory.dmp

Filesize
5.2MB

Download
memory/1860-272-0x00007FFD6CC80000-0x00007FFD6D1A9000-memory.dmp

Filesize
5.2MB

Download
memory/1860-271-0x00007FFD75D20000-0x00007FFD75DED000-memory.dmp

Filesize
820KB

Download
memory/1860-270-0x00007FFD7A180000-0x00007FFD7A1B3000-memory.dmp

Filesize
204KB

Download
memory/1860-269-0x00007FFD88DE0000-0x00007FFD88DED000-memory.dmp

Filesize
52KB

Download
memory/1860-267-0x00007FFD76620000-0x00007FFD76645000-memory.dmp

Filesize
148KB

Download
memory/1860-268-0x00007FFD7EF20000-0x00007FFD7EF39000-memory.dmp

Filesize
100KB

Download
memory/1860-257-0x00007FFD766B0000-0x00007FFD7682F000-memory.dmp

Filesize
1.5MB

Download
memory/1860-254-0x00007FFD75BE0000-0x00007FFD75C0D000-memory.dmp

Filesize
180KB

Download
memory/1860-255-0x00007FFD73230000-0x00007FFD7324A000-memory.dmp

Filesize
104KB

Download
memory/2852-246-0x00007FFD75660000-0x00007FFD75B89000-memory.dmp

Filesize
5.2MB

Download
memory/2852-212-0x00007FFD75660000-0x00007FFD75B89000-memory.dmp

Filesize
5.2MB

Download
memory/2852-247-0x00007FFD75CC0000-0x00007FFD75CD4000-memory.dmp

Filesize
80KB

Download
memory/2852-245-0x00007FFD75CE0000-0x00007FFD75DAD000-memory.dmp

Filesize
820KB

Download
memory/2852-237-0x00007FFD88200000-0x00007FFD8820F000-memory.dmp

Filesize
60KB

Download
memory/2852-249-0x00007FFD75540000-0x00007FFD7565B000-memory.dmp

Filesize
1.1MB

Download
memory/2852-250-0x00007FFD890C0000-0x00007FFD890ED000-memory.dmp

Filesize
180KB

Download
memory/2852-235-0x00007FFD6CAE0000-0x00007FFD6D1A4000-memory.dmp

Filesize
6.8MB

Download
memory/2852-242-0x00007FFD76690000-0x00007FFD766A9000-memory.dmp

Filesize
100KB

Download
memory/2852-236-0x00007FFD72920000-0x00007FFD72945000-memory.dmp

Filesize
148KB

Download
memory/2852-243-0x00007FFD88DE0000-0x00007FFD88DED000-memory.dmp

Filesize
52KB

Download
memory/2852-155-0x00007FFD88200000-0x00007FFD8820F000-memory.dmp

Filesize
60KB

Download
memory/2852-251-0x00007FFD7EF20000-0x00007FFD7EF3A000-memory.dmp

Filesize
104KB

Download
memory/2852-253-0x00007FFD766B0000-0x00007FFD7682F000-memory.dmp

Filesize
1.5MB

Download
memory/2852-252-0x00007FFD7A190000-0x00007FFD7A1B4000-memory.dmp

Filesize
144KB

Download
memory/2852-244-0x00007FFD75DB0000-0x00007FFD75DE3000-memory.dmp

Filesize
204KB

Download
memory/2852-225-0x00007FFD766B0000-0x00007FFD7682F000-memory.dmp

Filesize
1.5MB

Download
memory/2852-224-0x00007FFD7A190000-0x00007FFD7A1B4000-memory.dmp

Filesize
144KB

Download
memory/2852-274-0x000001FE470E0000-0x000001FE47609000-memory.dmp

Filesize
5.2MB

Download
memory/2852-205-0x00007FFD76690000-0x00007FFD766A9000-memory.dmp

Filesize
100KB

Download
memory/2852-216-0x00007FFD75CC0000-0x00007FFD75CD4000-memory.dmp

Filesize
80KB

Download
memory/2852-217-0x00007FFD88C00000-0x00007FFD88C0D000-memory.dmp

Filesize
52KB

Download
memory/2852-218-0x00007FFD75540000-0x00007FFD7565B000-memory.dmp

Filesize
1.1MB

Download
memory/2852-248-0x00007FFD88C00000-0x00007FFD88C0D000-memory.dmp

Filesize
52KB

Download
memory/2852-215-0x000001FE470E0000-0x000001FE47609000-memory.dmp

Filesize
5.2MB

Download
memory/2852-213-0x00007FFD72920000-0x00007FFD72945000-memory.dmp

Filesize
148KB

Download
memory/2852-206-0x00007FFD88DE0000-0x00007FFD88DED000-memory.dmp

Filesize
52KB

Download
memory/2852-211-0x00007FFD75CE0000-0x00007FFD75DAD000-memory.dmp

Filesize
820KB

Download
memory/2852-210-0x00007FFD6CAE0000-0x00007FFD6D1A4000-memory.dmp

Filesize
6.8MB

Download
memory/2852-209-0x00007FFD75DB0000-0x00007FFD75DE3000-memory.dmp

Filesize
204KB

Download
memory/2852-202-0x00007FFD7A190000-0x00007FFD7A1B4000-memory.dmp

Filesize
144KB

Download
memory/2852-204-0x00007FFD7EF20000-0x00007FFD7EF3A000-memory.dmp

Filesize
104KB

Download
memory/2852-203-0x00007FFD766B0000-0x00007FFD7682F000-memory.dmp

Filesize
1.5MB

Download
memory/2852-200-0x00007FFD890C0000-0x00007FFD890ED000-memory.dmp

Filesize
180KB

Download
memory/2852-135-0x00007FFD6CAE0000-0x00007FFD6D1A4000-memory.dmp

Filesize
6.8MB

Download
memory/2852-154-0x00007FFD72920000-0x00007FFD72945000-memory.dmp

Filesize
148KB

Download
memory/5692-430-0x00007FFD76990000-0x00007FFD769C3000-memory.dmp

Filesize
204KB

Download
memory/5692-431-0x00007FFD74CA0000-0x00007FFD751C9000-memory.dmp

Filesize
5.2MB

Download
memory/5692-429-0x00007FFD751D0000-0x00007FFD75894000-memory.dmp

Filesize
6.8MB

Download
memory/5692-416-0x00007FFD751D0000-0x00007FFD75894000-memory.dmp

Filesize
6.8MB

Download
memory/5692-428-0x00007FFD890C0000-0x00007FFD890CD000-memory.dmp

Filesize
52KB

Download
memory/5692-427-0x00007FFD769D0000-0x00007FFD769E9000-memory.dmp

Filesize
100KB

Download
memory/5692-426-0x00007FFD769F0000-0x00007FFD76B6F000-memory.dmp

Filesize
1.5MB

Download
memory/5692-425-0x00007FFD76B70000-0x00007FFD76B94000-memory.dmp

Filesize
144KB

Download
memory/5692-424-0x00007FFD76CA0000-0x00007FFD76CBA000-memory.dmp

Filesize
104KB

Download
memory/5692-423-0x00007FFD76BA0000-0x00007FFD76BCD000-memory.dmp

Filesize
180KB

Download
memory/5692-418-0x00007FFD89330000-0x00007FFD8933F000-memory.dmp

Filesize
60KB

Download
memory/5692-417-0x00007FFD76CC0000-0x00007FFD76CE5000-memory.dmp

Filesize
148KB

Download
memory/6040-345-0x00007FFD7A190000-0x00007FFD7A1BD000-memory.dmp

Filesize
180KB

Download
memory/6040-356-0x00007FFD88DC0000-0x00007FFD88DCD000-memory.dmp

Filesize
52KB

Download
memory/6040-355-0x00007FFD76A20000-0x00007FFD76A34000-memory.dmp

Filesize
80KB

Download
memory/6040-357-0x00007FFD76900000-0x00007FFD76A1B000-memory.dmp

Filesize
1.1MB

Download
memory/6040-392-0x00007FFD76A40000-0x00007FFD76B0D000-memory.dmp

Filesize
820KB

Download
memory/6040-391-0x00007FFD76900000-0x00007FFD76A1B000-memory.dmp

Filesize
1.1MB

Download
memory/6040-390-0x00007FFD88DC0000-0x00007FFD88DCD000-memory.dmp

Filesize
52KB

Download
memory/6040-389-0x00007FFD76A20000-0x00007FFD76A34000-memory.dmp

Filesize
80KB

Download
memory/6040-387-0x00007FFD74CA0000-0x00007FFD751C9000-memory.dmp

Filesize
5.2MB

Download
memory/6040-380-0x00007FFD7A190000-0x00007FFD7A1BD000-memory.dmp

Filesize
180KB

Download
memory/6040-386-0x00007FFD76B10000-0x00007FFD76B43000-memory.dmp

Filesize
204KB

Download
memory/6040-385-0x00007FFD88DE0000-0x00007FFD88DED000-memory.dmp

Filesize
52KB

Download
memory/6040-384-0x00007FFD76B50000-0x00007FFD76B69000-memory.dmp

Filesize
100KB

Download
memory/6040-383-0x00007FFD76B70000-0x00007FFD76CEF000-memory.dmp

Filesize
1.5MB

Download
memory/6040-382-0x00007FFD77C20000-0x00007FFD77C44000-memory.dmp

Filesize
144KB

Download
memory/6040-381-0x00007FFD7EF20000-0x00007FFD7EF3A000-memory.dmp

Filesize
104KB

Download
memory/6040-379-0x00007FFD890C0000-0x00007FFD890CF000-memory.dmp

Filesize
60KB

Download
memory/6040-378-0x00007FFD88890000-0x00007FFD888B5000-memory.dmp

Filesize
148KB

Download
memory/6040-377-0x00007FFD751D0000-0x00007FFD75894000-memory.dmp

Filesize
6.8MB

Download
memory/6040-353-0x00007FFD76A40000-0x00007FFD76B0D000-memory.dmp

Filesize
820KB

Download
memory/6040-354-0x00007FFD88890000-0x00007FFD888B5000-memory.dmp

Filesize
148KB

Download
memory/6040-352-0x00007FFD74CA0000-0x00007FFD751C9000-memory.dmp

Filesize
5.2MB

Download
memory/6040-351-0x00007FFD751D0000-0x00007FFD75894000-memory.dmp

Filesize
6.8MB

Download
memory/6040-350-0x00007FFD76B10000-0x00007FFD76B43000-memory.dmp

Filesize
204KB

Download
memory/6040-349-0x00007FFD88DE0000-0x00007FFD88DED000-memory.dmp

Filesize
52KB

Download
memory/6040-348-0x00007FFD76B50000-0x00007FFD76B69000-memory.dmp

Filesize
100KB

Download
memory/6040-347-0x00007FFD76B70000-0x00007FFD76CEF000-memory.dmp

Filesize
1.5MB

Download
memory/6040-346-0x00007FFD7EF20000-0x00007FFD7EF3A000-memory.dmp

Filesize
104KB

Download
memory/6040-340-0x00007FFD890C0000-0x00007FFD890CF000-memory.dmp

Filesize
60KB

Download
memory/6040-339-0x00007FFD88890000-0x00007FFD888B5000-memory.dmp

Filesize
148KB

Download
memory/6040-338-0x00007FFD751D0000-0x00007FFD75894000-memory.dmp

Filesize
6.8MB

Download