hxxp://ss[.]imaxolotlicek[.]eu

Analysis

max time kernel
133s
max time network
126s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
24/06/2024, 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://ss.imaxolotlicek.eu

Score

8^/10

execution pyinstaller spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
908	ss.exe
928	ss.exe
2884	ss.exe
1532	ss.exe
5376	ss.exe
3388	ss.exe

Loads dropped DLL 64 IoCs

pid	Process
928	ss.exe
928	ss.exe
928	ss.exe
928	ss.exe
928	ss.exe
928	ss.exe
928	ss.exe
928	ss.exe
928	ss.exe
928	ss.exe
928	ss.exe
928	ss.exe
928	ss.exe
928	ss.exe
928	ss.exe
928	ss.exe
928	ss.exe
928	ss.exe
928	ss.exe
928	ss.exe
928	ss.exe
928	ss.exe
928	ss.exe
928	ss.exe
928	ss.exe
928	ss.exe
1532	ss.exe
1532	ss.exe
1532	ss.exe
1532	ss.exe
1532	ss.exe
1532	ss.exe
1532	ss.exe
1532	ss.exe
1532	ss.exe
1532	ss.exe
1532	ss.exe
1532	ss.exe
1532	ss.exe
1532	ss.exe
1532	ss.exe
1532	ss.exe
1532	ss.exe
1532	ss.exe
1532	ss.exe
1532	ss.exe
1532	ss.exe
1532	ss.exe
1532	ss.exe
1532	ss.exe
1532	ss.exe
1532	ss.exe
3388	ss.exe
3388	ss.exe
3388	ss.exe
3388	ss.exe
3388	ss.exe
3388	ss.exe
3388	ss.exe
3388	ss.exe
3388	ss.exe
3388	ss.exe
3388	ss.exe
3388	ss.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	api.ipify.org
23	api.ipify.org
24	api.ipify.org
28	api.ipify.org

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1112	powershell.exe
3216	powershell.exe
176	powershell.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000200000002a9dc-104.dat	pyinstaller

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 298982.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\ss.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1956	msedge.exe
1956	msedge.exe
1992	msedge.exe
1992	msedge.exe
4624	identity_helper.exe
4624	identity_helper.exe
2896	msedge.exe
2896	msedge.exe
1344	msedge.exe
1344	msedge.exe
1112	powershell.exe
1112	powershell.exe
3216	powershell.exe
3216	powershell.exe
176	powershell.exe
176	powershell.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	928	ss.exe
Token: SeDebugPrivilege	1532	ss.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	3216	powershell.exe
Token: SeDebugPrivilege	3388	ss.exe
Token: SeDebugPrivilege	176	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe
1992	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2220	1992	msedge.exe	77
PID 1992 wrote to memory of 2220	1992	msedge.exe	77
PID 1992 wrote to memory of 1940	1992	msedge.exe	78
PID 1992 wrote to memory of 1940	1992	msedge.exe	78
PID 1992 wrote to memory of 1940	1992	msedge.exe	78
PID 1992 wrote to memory of 1940	1992	msedge.exe	78
PID 1992 wrote to memory of 1940	1992	msedge.exe	78
PID 1992 wrote to memory of 1940	1992	msedge.exe	78
PID 1992 wrote to memory of 1940	1992	msedge.exe	78
PID 1992 wrote to memory of 1940	1992	msedge.exe	78
PID 1992 wrote to memory of 1940	1992	msedge.exe	78
PID 1992 wrote to memory of 1940	1992	msedge.exe	78
PID 1992 wrote to memory of 1940	1992	msedge.exe	78
PID 1992 wrote to memory of 1940	1992	msedge.exe	78
PID 1992 wrote to memory of 1940	1992	msedge.exe	78
PID 1992 wrote to memory of 1940	1992	msedge.exe	78
PID 1992 wrote to memory of 1940	1992	msedge.exe	78
PID 1992 wrote to memory of 1940	1992	msedge.exe	78
PID 1992 wrote to memory of 1940	1992	msedge.exe	78
PID 1992 wrote to memory of 1940	1992	msedge.exe	78
PID 1992 wrote to memory of 1940	1992	msedge.exe	78
PID 1992 wrote to memory of 1940	1992	msedge.exe	78
PID 1992 wrote to memory of 1940	1992	msedge.exe	78
PID 1992 wrote to memory of 1940	1992	msedge.exe	78
PID 1992 wrote to memory of 1940	1992	msedge.exe	78
PID 1992 wrote to memory of 1940	1992	msedge.exe	78
PID 1992 wrote to memory of 1940	1992	msedge.exe	78
PID 1992 wrote to memory of 1940	1992	msedge.exe	78
PID 1992 wrote to memory of 1940	1992	msedge.exe	78
PID 1992 wrote to memory of 1940	1992	msedge.exe	78
PID 1992 wrote to memory of 1940	1992	msedge.exe	78
PID 1992 wrote to memory of 1940	1992	msedge.exe	78
PID 1992 wrote to memory of 1940	1992	msedge.exe	78
PID 1992 wrote to memory of 1940	1992	msedge.exe	78
PID 1992 wrote to memory of 1940	1992	msedge.exe	78
PID 1992 wrote to memory of 1940	1992	msedge.exe	78
PID 1992 wrote to memory of 1940	1992	msedge.exe	78
PID 1992 wrote to memory of 1940	1992	msedge.exe	78
PID 1992 wrote to memory of 1940	1992	msedge.exe	78
PID 1992 wrote to memory of 1940	1992	msedge.exe	78
PID 1992 wrote to memory of 1940	1992	msedge.exe	78
PID 1992 wrote to memory of 1940	1992	msedge.exe	78
PID 1992 wrote to memory of 1956	1992	msedge.exe	79
PID 1992 wrote to memory of 1956	1992	msedge.exe	79
PID 1992 wrote to memory of 4164	1992	msedge.exe	80
PID 1992 wrote to memory of 4164	1992	msedge.exe	80
PID 1992 wrote to memory of 4164	1992	msedge.exe	80
PID 1992 wrote to memory of 4164	1992	msedge.exe	80
PID 1992 wrote to memory of 4164	1992	msedge.exe	80
PID 1992 wrote to memory of 4164	1992	msedge.exe	80
PID 1992 wrote to memory of 4164	1992	msedge.exe	80
PID 1992 wrote to memory of 4164	1992	msedge.exe	80
PID 1992 wrote to memory of 4164	1992	msedge.exe	80
PID 1992 wrote to memory of 4164	1992	msedge.exe	80
PID 1992 wrote to memory of 4164	1992	msedge.exe	80
PID 1992 wrote to memory of 4164	1992	msedge.exe	80
PID 1992 wrote to memory of 4164	1992	msedge.exe	80
PID 1992 wrote to memory of 4164	1992	msedge.exe	80
PID 1992 wrote to memory of 4164	1992	msedge.exe	80
PID 1992 wrote to memory of 4164	1992	msedge.exe	80
PID 1992 wrote to memory of 4164	1992	msedge.exe	80
PID 1992 wrote to memory of 4164	1992	msedge.exe	80
PID 1992 wrote to memory of 4164	1992	msedge.exe	80
PID 1992 wrote to memory of 4164	1992	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://ss.imaxolotlicek.eu
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8c32f3cb8,0x7ff8c32f3cc8,0x7ff8c32f3cd8
  2⤵
  PID:2220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1864,630007842089329764,6229684068499461860,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1888 /prefetch:2
  2⤵
  PID:1940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1864,630007842089329764,6229684068499461860,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1864,630007842089329764,6229684068499461860,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,630007842089329764,6229684068499461860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:4168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,630007842089329764,6229684068499461860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,630007842089329764,6229684068499461860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:1
  2⤵
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,630007842089329764,6229684068499461860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1864,630007842089329764,6229684068499461860,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5252 /prefetch:8
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,630007842089329764,6229684068499461860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,630007842089329764,6229684068499461860,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1864,630007842089329764,6229684068499461860,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6196 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,630007842089329764,6229684068499461860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
  2⤵
  PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,630007842089329764,6229684068499461860,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
  2⤵
  PID:756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1864,630007842089329764,6229684068499461860,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5652 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1864,630007842089329764,6229684068499461860,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6000 /prefetch:8
  2⤵
  PID:272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,630007842089329764,6229684068499461860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,630007842089329764,6229684068499461860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1864,630007842089329764,6229684068499461860,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1992 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1344
- C:\Users\Admin\Downloads\ss.exe
  "C:\Users\Admin\Downloads\ss.exe"
  2⤵
  - Executes dropped EXE
  PID:908
- - C:\Users\Admin\Downloads\ss.exe
    "C:\Users\Admin\Downloads\ss.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell "Get-StartApps | Sort-Object LastAccessTime -Descending | Select-Object -First 10""
      4⤵
      PID:1504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "Get-StartApps | Sort-Object LastAccessTime -Descending | Select-Object -First 10"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1864,630007842089329764,6229684068499461860,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3544 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4512

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3748

C:\Users\Admin\Downloads\ss.exe
"C:\Users\Admin\Downloads\ss.exe"
1⤵
- Executes dropped EXE
PID:2884
- C:\Users\Admin\Downloads\ss.exe
  "C:\Users\Admin\Downloads\ss.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell "Get-StartApps | Sort-Object LastAccessTime -Descending | Select-Object -First 10""
    3⤵
    PID:4788
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell "Get-StartApps | Sort-Object LastAccessTime -Descending | Select-Object -First 10"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3216

C:\Users\Admin\Downloads\ss.exe
"C:\Users\Admin\Downloads\ss.exe"
1⤵
- Executes dropped EXE
PID:5376
- C:\Users\Admin\Downloads\ss.exe
  "C:\Users\Admin\Downloads\ss.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:3388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell "Get-StartApps | Sort-Object LastAccessTime -Descending | Select-Object -First 10""
    3⤵
    PID:984
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell "Get-StartApps | Sort-Object LastAccessTime -Descending | Select-Object -First 10"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6876cbd342d4d6b236f44f52c50f780f

SHA1
a215cf6a499bfb67a3266d211844ec4c82128d83

SHA256
ca5a6320d94ee74db11e55893a42a52c56c8f067cba35594d507b593d993451e

SHA512
dff3675753b6b733ffa2da73d28a250a52ab29620935960673d77fe2f90d37a273c8c6afdf87db959bdb49f31b69b41f7aa4febac5bbdd43a9706a4dd9705039

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c1c7e2f451eb3836d23007799bc21d5f

SHA1
11a25f6055210aa7f99d77346b0d4f1dc123ce79

SHA256
429a870d582c77c8a661c8cc3f4afa424ed5faf64ce722f51a6a74f66b21c800

SHA512
2ca40bbbe76488dff4b10cca78a81ecf2e97d75cd65f301da4414d93e08e33f231171d455b0dbf012b2d4735428e835bf3631f678f0ab203383e315da2d23a34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
11.2MB

MD5
8792209ea7b1e76ccadccf75729d5a31

SHA1
16b8172b6863ce50263eff8922f7ee6d6add1e06

SHA256
90646dc55c7cea14e06f0535541aa7982fefb0b239d84f4b97c6c8843ba54442

SHA512
a031597c1037003330998ea19077421a3c862fdae1b093548db8e3d2ac44f304956204ca289bc020b6c99a69ed77068af78e9e97a3dd1942f880c00e911e908e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a755a16bb2f119bf65465240acf94643

SHA1
b312229d78760274c8bfb38552ac5e1cbeb64d16

SHA256
2e504ba43e2d686ec4fe0bd52aa61cc40a547fce1f9286e4461abddc26444b41

SHA512
08fd9ca2cb198a3f72b0cc3b61cbf6de491d699d25dedc4efbcc3360348d6a8b70b44c6e65268fbab294d68496ae9caa11d4998696351c1382f652b92b325933

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
988e5e3a6a847f54fc34d06b783dce0d

SHA1
e55ab3ac8f1d099dd2b2b500dd3c2c38f5fad304

SHA256
4df3e2db0cd7b999f9f55739caf42db1fa51115fd74ac35ff3fa0528d80995dc

SHA512
9e211320b453b7f9469a8699d38ef7cdfd9620bb530bef16250a90ef669151cdabc3345efcc51dbd6d030aa85ad5cebbdbd999f773cb13710037015f17895555

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5a939ad0256be9a99e06275e343ef92d

SHA1
dfd97c145e50811aeec96eef1b64c5e304f448c6

SHA256
20814f6c6e756b44d33cd3883d10ff562194198a7e1452f2d16105122ac07a68

SHA512
c3e33966c24b637e16580622d54b4db021ec8101a75ff0dc0a997469f4c7eea4f1cfb7c7b8b791443d7a803964e0c671b33d3849952b61e5f35f8e13d87bd77d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5a737d3c26952e64e05ea26c3dca202d

SHA1
29c1a70ed1ffdd951fa31a542a49a5d5aa71ee23

SHA256
89056440093ba60d37dae9e0c35e4a0779ec4e8653f68464ad33577a880d0aee

SHA512
dde9dd195c8c69aa70df6113799382bd40fa38fa439611307bc51935996e5f5f68d9b406cfb98c7b405d078b28e3d0ce5c7542149c9d1d416869defc7b20e719

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e05577e80ec9ecdfcf7b15899b81f714

SHA1
0b9984356498830a29134c788771741d88902180

SHA256
568aacdf8f7625971c20f016c4c1ed1ed6845774c9e5600562b85d32ca786f8e

SHA512
1c90a607f8f6eaf2efb15ebcc5cfbdf01a55cd82e0690aaa90fa1f7e593baca0fe8c18679f20db36259968a17dde80725391ab5554a0bead23f6fb5f306ede83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8a1d4efb779807e99e69d68f9c0353a5

SHA1
44112970bb7cc230404e02e95c0cb4440e9cd76f

SHA256
89b84d5732477dace1175747a6c96edcfa2b5d9d04e77a07a2296acec0b77aa7

SHA512
a67082d5c81e00be6e80780402c02982f799582c9b4900cec80e0143c41ff5ba96aed93bd96c139fdcbc63a6e1c1f208739b58f4a62213f1fe12a2e36b77f898

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b249446e4ea0ffb09b160c942edb7980

SHA1
7b34c8f4f998c2394c18195fa851c766e86e76da

SHA256
5d6ccc8b9875a8861b07378da225948d5edd8052f846da55f7cb5d24ed435ebd

SHA512
c95ddf7c24022c7b87bd69f70dd771f206df2da11ae0a225fae385c36b9af69ade3c79f7dafc5447571c0057bd54d20989228078484b94f44292e94ec8d0be8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53762\tcl\encoding\euc-cn.enc

Filesize
84KB

MD5
c5aa0d11439e0f7682dae39445f5dab4

SHA1
73a6d55b894e89a7d4cb1cd3ccff82665c303d5c

SHA256
1700af47dc012a48cec89cf1dfae6d1d0d2f40ed731eff6ca55296a055a11c00

SHA512
eee6058bd214c59bcc11e6de7265da2721c119cc9261cfd755a98e270ff74d2d73e3e711aa01a0e3414c46d82e291ef0df2ad6c65ca477c888426d5a1d2a3bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9082\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9082\VCRUNTIME140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9082\_bz2.pyd

Filesize
83KB

MD5
5bebc32957922fe20e927d5c4637f100

SHA1
a94ea93ee3c3d154f4f90b5c2fe072cc273376b3

SHA256
3ed0e5058d370fb14aa5469d81f96c5685559c054917c7280dd4125f21d25f62

SHA512
afbe80a73ee9bd63d9ffa4628273019400a75f75454667440f43beb253091584bf9128cbb78ae7b659ce67a5faefdba726edb37987a4fe92f082d009d523d5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9082\_ctypes.pyd

Filesize
122KB

MD5
fb454c5e74582a805bc5e9f3da8edc7b

SHA1
782c3fa39393112275120eaf62fc6579c36b5cf8

SHA256
74e0e8384f6c2503215f4cf64c92efe7257f1aec44f72d67ad37dc8ba2530bc1

SHA512
727ada80098f07849102c76b484e9a61fb0f7da328c0276d82c6ee08213682c89deeb8459139a3fbd7f561bffaca91650a429e1b3a1ff8f341cebdf0bfa9b65d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9082\_decimal.pyd

Filesize
251KB

MD5
492c0c36d8ed1b6ca2117869a09214da

SHA1
b741cae3e2c9954e726890292fa35034509ef0f6

SHA256
b8221d1c9e2c892dd6227a6042d1e49200cd5cb82adbd998e4a77f4ee0e9abf1

SHA512
b8f1c64ad94db0252d96082e73a8632412d1d73fb8095541ee423df6f00bc417a2b42c76f15d7e014e27baae0ef50311c3f768b1560db005a522373f442e4be0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9082\_hashlib.pyd

Filesize
64KB

MD5
da02cefd8151ecb83f697e3bd5280775

SHA1
1c5d0437eb7e87842fde55241a5f0ca7f0fc25e7

SHA256
fd77a5756a17ec0788989f73222b0e7334dd4494b8c8647b43fe554cf3cfb354

SHA512
a13bc5c481730f48808905f872d92cb8729cc52cfb4d5345153ce361e7d6586603a58b964a1ebfd77dd6222b074e5dcca176eaaefecc39f75496b1f8387a2283

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9082\_lzma.pyd

Filesize
156KB

MD5
195defe58a7549117e06a57029079702

SHA1
3795b02803ca37f399d8883d30c0aa38ad77b5f2

SHA256
7bf9ff61babebd90c499a8ed9b62141f947f90d87e0bbd41a12e99d20e06954a

SHA512
c47a9b1066dd9744c51ed80215bd9645aab6cc9d6a3f9df99f618e3dd784f6c7ce6f53eabe222cf134ee649250834193d5973e6e88f8a93151886537c62e2e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9082\_queue.pyd

Filesize
31KB

MD5
b7e5fbd7ef3eefff8f502290c0e2b259

SHA1
9decba47b1cdb0d511b58c3146d81644e56e3611

SHA256
dbdabb5fe0ccbc8b951a2c6ec033551836b072cab756aaa56b6f22730080d173

SHA512
b7568b9df191347d1a8d305bd8ddd27cbfa064121c785fa2e6afef89ec330b60cafc366be2b22409d15c9434f5e46e36c5cbfb10783523fdcac82c30360d36f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9082\_socket.pyd

Filesize
81KB

MD5
dd8ff2a3946b8e77264e3f0011d27704

SHA1
a2d84cfc4d6410b80eea4b25e8efc08498f78990

SHA256
b102522c23dac2332511eb3502466caf842d6bcd092fbc276b7b55e9cc01b085

SHA512
958224a974a3449bcfb97faab70c0a5b594fa130adc0c83b4e15bdd7aab366b58d94a4a9016cb662329ea47558645acd0e0cc6df54f12a81ac13a6ec0c895cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9082\_ssl.pyd

Filesize
174KB

MD5
c87c5890039c3bdb55a8bc189256315f

SHA1
84ef3c2678314b7f31246471b3300da65cb7e9de

SHA256
a5d361707f7a2a2d726b20770e8a6fc25d753be30bcbcbbb683ffee7959557c2

SHA512
e750dc36ae00249ed6da1c9d816f1bd7f8bc84ddea326c0cd0410dbcfb1a945aac8c130665bfacdccd1ee2b7ac097c6ff241bfc6cc39017c9d1cde205f460c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9082\_tkinter.pyd

Filesize
64KB

MD5
276791cca50a8b8a334d3f4f9ff520e2

SHA1
c0d73f309ef98038594c6338c81606a9947bd7f8

SHA256
a1c74836bad3d9b0aaec8dccd92e552b5ad583bfea7ef21cd40713a265d94f7e

SHA512
ef1ed2eacf86885531fc0963c84c1c99773d963d5a709030df6cfee5027604e1402a55b6fe26019a3ab922fd27895d0e2ef5572a50195372b1bfb1539eac0dd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9082\_wmi.pyd

Filesize
36KB

MD5
8a9a59559c614fc2bcebb50073580c88

SHA1
4e4ced93f2cb5fe6a33c1484a705e10a31d88c4d

SHA256
752fb80edb51f45d3cc1c046f3b007802432b91aef400c985640d6b276a67c12

SHA512
9b17c81ff89a41307740371cb4c2f5b0cf662392296a7ab8e5a9eba75224b5d9c36a226dce92884591636c343b8238c19ef61c1fdf50cc5aa2da86b1959db413

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9082\base_library.zip

Filesize
1.3MB

MD5
43935f81d0c08e8ab1dfe88d65af86d8

SHA1
abb6eae98264ee4209b81996c956a010ecf9159b

SHA256
c611943f0aeb3292d049437cb03500cc2f8d12f23faf55e644bca82f43679bc0

SHA512
06a9dcd310aa538664b08f817ec1c6cfa3f748810d76559c46878ea90796804904d41ac79535c7f63114df34c0e5de6d0452bb30df54b77118d925f21cfa1955

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9082\charset_normalizer\md.cp312-win_amd64.pyd

Filesize
10KB

MD5
d9e0217a89d9b9d1d778f7e197e0c191

SHA1
ec692661fcc0b89e0c3bde1773a6168d285b4f0d

SHA256
ecf12e2c0a00c0ed4e2343ea956d78eed55e5a36ba49773633b2dfe7b04335c0

SHA512
3b788ac88c1f2d682c1721c61d223a529697c7e43280686b914467b3b39e7d6debaff4c0e2f42e9dddb28b522f37cb5a3011e91c66d911609c63509f9228133d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9082\charset_normalizer\md__mypyc.cp312-win_amd64.pyd

Filesize
120KB

MD5
bf9a9da1cf3c98346002648c3eae6dcf

SHA1
db16c09fdc1722631a7a9c465bfe173d94eb5d8b

SHA256
4107b1d6f11d842074a9f21323290bbe97e8eed4aa778fbc348ee09cc4fa4637

SHA512
7371407d12e632fc8fb031393838d36e6a1fe1e978ced36ff750d84e183cde6dd20f75074f4597742c9f8d6f87af12794c589d596a81b920c6c62ee2ba2e5654

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9082\libcrypto-3.dll

Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9082\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9082\libssl-3.dll

Filesize
768KB

MD5
19a2aba25456181d5fb572d88ac0e73e

SHA1
656ca8cdfc9c3a6379536e2027e93408851483db

SHA256
2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006

SHA512
df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9082\python3.DLL

Filesize
66KB

MD5
a07661c5fad97379cf6d00332999d22c

SHA1
dca65816a049b3cce5c4354c3819fef54c6299b0

SHA256
5146005c36455e7ede4b8ecc0dc6f6fa8ea6b4a99fedbabc1994ae27dfab9d1b

SHA512
6ddeb9d89ccb4d2ec5d994d85a55e5e2cc7af745056dae030ab8d72ee7830f672003f4675b6040f123fc64c19e9b48cabd0da78101774dafacf74a88fbd74b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9082\python312.dll

Filesize
6.6MB

MD5
d521654d889666a0bc753320f071ef60

SHA1
5fd9b90c5d0527e53c199f94bad540c1e0985db6

SHA256
21700f0bad5769a1b61ea408dc0a140ffd0a356a774c6eb0cc70e574b929d2e2

SHA512
7a726835423a36de80fb29ef65dfe7150bd1567cac6f3569e24d9fe091496c807556d0150456429a3d1a6fd2ed0b8ae3128ea3b8674c97f42ce7c897719d2cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9082\select.pyd

Filesize
30KB

MD5
d0cc9fc9a0650ba00bd206720223493b

SHA1
295bc204e489572b74cc11801ed8590f808e1618

SHA256
411d6f538bdbaf60f1a1798fa8aa7ed3a4e8fcc99c9f9f10d21270d2f3742019

SHA512
d3ebcb91d1b8aa247d50c2c4b2ba1bf3102317c593cbf6c63883e8bf9d6e50c0a40f149654797abc5b4f17aee282ddd972a8cd9189bfcd5b9cec5ab9c341e20b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9082\tcl86t.dll

Filesize
1.7MB

MD5
108d97000657e7b1b95626350784ed23

SHA1
3814e6e5356b26e6e538f2c1803418eb83941e30

SHA256
3d2769e69d611314d517fc9aad688a529670af94a7589f728107180ae105218f

SHA512
9475cd1c8fe2e769ed0e8469d1f19cdf808f930cccc3baf581888a705f195c9be02652168d9c1c25ba850502f94e7eb87687c2c75f0f699c38309bc92b9004a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9082\tk86t.dll

Filesize
1.5MB

MD5
4cdd92e60eb291053d2ad12bf0710749

SHA1
31424e8d35459ba43672f05abba1e37c23f74536

SHA256
b30576b60aee548838243601952a05b70a9fc937f5a607f6b1413cd5ed04d900

SHA512
80c3bb58817578708e14ba173bfbe8f62fb54efa22feb8ff08b9eefa4462b74062654f956f965c7caa8aa16295229b58ef9eea8d2c4c94652bde1e61038e6ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9082\unicodedata.pyd

Filesize
1.1MB

MD5
cc8142bedafdfaa50b26c6d07755c7a6

SHA1
0fcab5816eaf7b138f22c29c6d5b5f59551b39fe

SHA256
bc2cf23b7b7491edcf03103b78dbaf42afd84a60ea71e764af9a1ddd0fe84268

SHA512
c3b0c1dbe5bf159ab7706f314a75a856a08ebb889f53fe22ab3ec92b35b5e211edab3934df3da64ebea76f38eb9bfc9504db8d7546a36bc3cabe40c5599a9cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9082\zlib1.dll

Filesize
143KB

MD5
fa87d95aa4f9348d3f3b75d62a23658d

SHA1
b8829e2ec83b1950ae013be60ed3e7616ce2ed80

SHA256
21feea753a6f991f01bcf9d30afada06eca3a105e97d5d81998ef359c4fc86a3

SHA512
cb965cfc905b7c588bd2009d4915973a004de658b6153de9fe2ae8b27c5612b56de14b95499ec050b70d16f89f0313cd81a3afa827a30c38aa206e44c11ef283

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eaymz0jj.x5l.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\ss.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/928-1142-0x00007FF8AEF30000-0x00007FF8AEF5A000-memory.dmp

Filesize
168KB

Download
memory/928-2133-0x00007FF8AEF30000-0x00007FF8AEF5A000-memory.dmp

Filesize
168KB

Download
memory/1112-2119-0x000001C3ECE70000-0x000001C3ECE92000-memory.dmp

Filesize
136KB

Download
memory/1112-2120-0x000001C3ECF00000-0x000001C3ECF0A000-memory.dmp

Filesize
40KB

Download
memory/1532-3013-0x00007FF8AD2B0000-0x00007FF8AD2DA000-memory.dmp

Filesize
168KB

Download
memory/1532-3014-0x00007FF8AD2B0000-0x00007FF8AD2DA000-memory.dmp

Filesize
168KB

Download
memory/3388-4853-0x00007FF8AFEA0000-0x00007FF8AFECA000-memory.dmp

Filesize
168KB

Download