9e238a2d2579ef463df4a3564cc72d47c1ac66520df1c8e4cfababa00512c93d

Analysis

max time kernel
150s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
07/07/2024, 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nitro gen.exe
Size

15.8MB
MD5

d59bf9b2992822503563ff912fa2cfff
SHA1

52fa6707ae1061191a6984dd660cceb380030bf9
SHA256

9e238a2d2579ef463df4a3564cc72d47c1ac66520df1c8e4cfababa00512c93d
SHA512

5160c03ee26abecc65e1d1840b752340ad2a1a1e8094012030b6a1d2785ee0add04760f48d4c6ea6f35277e0dce538a070b24d4e1a0b34193aa13d57c9bc5a93
SSDEEP

196608:gsjoMmDsq5UQajwuLIcmtSJurErvI9pWjgtgZ3ZdahF0xH1AYQHxYhkiXtQGN+jz:no9DqUDtSJurEUWjagZew2/m6bjE9h6

Score

8^/10

execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4016	powershell.exe
1380	powershell.exe
2464	powershell.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nitro gen.exe	nitro gen.exe

Loads dropped DLL 48 IoCs

pid	Process
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023476-95.dat	upx
behavioral2/memory/3548-98-0x00007FF909010000-0x00007FF9096D4000-memory.dmp	upx
behavioral2/files/0x000700000002344e-101.dat	upx
behavioral2/files/0x0007000000023470-106.dat	upx
behavioral2/memory/3548-107-0x00007FF91C950000-0x00007FF91C975000-memory.dmp	upx
behavioral2/memory/3548-109-0x00007FF91FFE0000-0x00007FF91FFEF000-memory.dmp	upx
behavioral2/files/0x000700000002344c-110.dat	upx
behavioral2/memory/3548-113-0x00007FF91D1E0000-0x00007FF91D1FA000-memory.dmp	upx
behavioral2/files/0x000700000002347b-120.dat	upx
behavioral2/files/0x0007000000023454-128.dat	upx
behavioral2/files/0x0007000000023459-133.dat	upx
behavioral2/files/0x0007000000023479-138.dat	upx
behavioral2/files/0x0007000000023450-140.dat	upx
behavioral2/files/0x000700000002346f-141.dat	upx
behavioral2/memory/3548-147-0x00007FF91C590000-0x00007FF91C5A4000-memory.dmp	upx
behavioral2/memory/3548-146-0x00007FF91C8B0000-0x00007FF91C8BD000-memory.dmp	upx
behavioral2/memory/3548-145-0x00007FF91CA10000-0x00007FF91CA1D000-memory.dmp	upx
behavioral2/memory/3548-148-0x00007FF908880000-0x00007FF908DA9000-memory.dmp	upx
behavioral2/memory/3548-151-0x00007FF918330000-0x00007FF918363000-memory.dmp	upx
behavioral2/memory/3548-153-0x00007FF917C10000-0x00007FF917CDD000-memory.dmp	upx
behavioral2/files/0x0007000000023471-152.dat	upx
behavioral2/memory/3548-150-0x00007FF91E4B0000-0x00007FF91E4BF000-memory.dmp	upx
behavioral2/files/0x0007000000023457-149.dat	upx
behavioral2/memory/3548-144-0x00007FF91C8C0000-0x00007FF91C8D9000-memory.dmp	upx
behavioral2/memory/3548-143-0x00007FF91C8E0000-0x00007FF91C916000-memory.dmp	upx
behavioral2/memory/3548-142-0x00007FF91C920000-0x00007FF91C94D000-memory.dmp	upx
behavioral2/files/0x0007000000023455-137.dat	upx
behavioral2/files/0x0007000000023474-136.dat	upx
behavioral2/files/0x0007000000023456-130.dat	upx
behavioral2/files/0x0007000000023453-127.dat	upx
behavioral2/files/0x0007000000023452-126.dat	upx
behavioral2/files/0x000700000002344f-124.dat	upx
behavioral2/files/0x000700000002344d-123.dat	upx
behavioral2/files/0x000700000002344b-122.dat	upx
behavioral2/files/0x000700000002347a-119.dat	upx
behavioral2/files/0x0007000000023451-114.dat	upx
behavioral2/memory/3548-155-0x00007FF918150000-0x00007FF918166000-memory.dmp	upx
behavioral2/memory/3548-157-0x00007FF918130000-0x00007FF918142000-memory.dmp	upx
behavioral2/memory/3548-160-0x00007FF918050000-0x00007FF918074000-memory.dmp	upx
behavioral2/memory/3548-161-0x00007FF909010000-0x00007FF9096D4000-memory.dmp	upx
behavioral2/memory/3548-163-0x00007FF908500000-0x00007FF90867F000-memory.dmp	upx
behavioral2/files/0x0007000000023473-162.dat	upx
behavioral2/memory/3548-165-0x00007FF91C950000-0x00007FF91C975000-memory.dmp	upx
behavioral2/memory/3548-167-0x00007FF918030000-0x00007FF918048000-memory.dmp	upx
behavioral2/files/0x000700000002345f-168.dat	upx
behavioral2/memory/3548-166-0x00007FF908880000-0x00007FF908DA9000-memory.dmp	upx
behavioral2/memory/3548-171-0x00007FF91C580000-0x00007FF91C58B000-memory.dmp	upx
behavioral2/memory/3548-173-0x00007FF918000000-0x00007FF918027000-memory.dmp	upx
behavioral2/memory/3548-176-0x00007FF9080B0000-0x00007FF9081CB000-memory.dmp	upx
behavioral2/memory/3548-175-0x00007FF91C590000-0x00007FF91C5A4000-memory.dmp	upx
behavioral2/files/0x0007000000023460-172.dat	upx
behavioral2/files/0x0007000000023423-178.dat	upx
behavioral2/files/0x000700000002341f-185.dat	upx
behavioral2/files/0x000700000002341e-184.dat	upx
behavioral2/files/0x0007000000023426-188.dat	upx
behavioral2/memory/3548-192-0x00007FF918130000-0x00007FF918142000-memory.dmp	upx
behavioral2/memory/3548-194-0x00007FF917FF0000-0x00007FF917FFC000-memory.dmp	upx
behavioral2/memory/3548-195-0x00007FF917FE0000-0x00007FF917FEB000-memory.dmp	upx
behavioral2/memory/3548-193-0x00007FF918050000-0x00007FF918074000-memory.dmp	upx
behavioral2/memory/3548-191-0x00007FF918120000-0x00007FF91812B000-memory.dmp	upx
behavioral2/memory/3548-198-0x00007FF917BF0000-0x00007FF917BFB000-memory.dmp	upx
behavioral2/memory/3548-204-0x00007FF9080B0000-0x00007FF9081CB000-memory.dmp	upx
behavioral2/memory/3548-205-0x00007FF917BC0000-0x00007FF917BCC000-memory.dmp	upx
behavioral2/memory/3548-207-0x00007FF917B90000-0x00007FF917BA2000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
19	raw.githubusercontent.com
20	raw.githubusercontent.com
30	discord.com
31	discord.com
44	discord.com
47	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
43	api.ipify.org
15	api.ipify.org
16	api.ipify.org

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2344	WMIC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
3548	nitro gen.exe
1016	taskmgr.exe
1016	taskmgr.exe
1660	powershell.exe
1660	powershell.exe
1660	powershell.exe
1016	taskmgr.exe
1016	taskmgr.exe
1380	powershell.exe
1380	powershell.exe
1380	powershell.exe
2464	powershell.exe
2464	powershell.exe
2464	powershell.exe
1016	taskmgr.exe
4016	powershell.exe
4016	powershell.exe
1016	taskmgr.exe
4016	powershell.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1016	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3548	nitro gen.exe
Token: SeIncreaseQuotaPrivilege	3540	WMIC.exe
Token: SeSecurityPrivilege	3540	WMIC.exe
Token: SeTakeOwnershipPrivilege	3540	WMIC.exe
Token: SeLoadDriverPrivilege	3540	WMIC.exe
Token: SeSystemProfilePrivilege	3540	WMIC.exe
Token: SeSystemtimePrivilege	3540	WMIC.exe
Token: SeProfSingleProcessPrivilege	3540	WMIC.exe
Token: SeIncBasePriorityPrivilege	3540	WMIC.exe
Token: SeCreatePagefilePrivilege	3540	WMIC.exe
Token: SeBackupPrivilege	3540	WMIC.exe
Token: SeRestorePrivilege	3540	WMIC.exe
Token: SeShutdownPrivilege	3540	WMIC.exe
Token: SeDebugPrivilege	3540	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3540	WMIC.exe
Token: SeRemoteShutdownPrivilege	3540	WMIC.exe
Token: SeUndockPrivilege	3540	WMIC.exe
Token: SeManageVolumePrivilege	3540	WMIC.exe
Token: 33	3540	WMIC.exe
Token: 34	3540	WMIC.exe
Token: 35	3540	WMIC.exe
Token: 36	3540	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3540	WMIC.exe
Token: SeSecurityPrivilege	3540	WMIC.exe
Token: SeTakeOwnershipPrivilege	3540	WMIC.exe
Token: SeLoadDriverPrivilege	3540	WMIC.exe
Token: SeSystemProfilePrivilege	3540	WMIC.exe
Token: SeSystemtimePrivilege	3540	WMIC.exe
Token: SeProfSingleProcessPrivilege	3540	WMIC.exe
Token: SeIncBasePriorityPrivilege	3540	WMIC.exe
Token: SeCreatePagefilePrivilege	3540	WMIC.exe
Token: SeBackupPrivilege	3540	WMIC.exe
Token: SeRestorePrivilege	3540	WMIC.exe
Token: SeShutdownPrivilege	3540	WMIC.exe
Token: SeDebugPrivilege	3540	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3540	WMIC.exe
Token: SeRemoteShutdownPrivilege	3540	WMIC.exe
Token: SeUndockPrivilege	3540	WMIC.exe
Token: SeManageVolumePrivilege	3540	WMIC.exe
Token: 33	3540	WMIC.exe
Token: 34	3540	WMIC.exe
Token: 35	3540	WMIC.exe
Token: 36	3540	WMIC.exe
Token: SeDebugPrivilege	1016	taskmgr.exe
Token: SeSystemProfilePrivilege	1016	taskmgr.exe
Token: SeCreateGlobalPrivilege	1016	taskmgr.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	1380	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	4016	powershell.exe
Token: SeIncreaseQuotaPrivilege	4532	WMIC.exe
Token: SeSecurityPrivilege	4532	WMIC.exe
Token: SeTakeOwnershipPrivilege	4532	WMIC.exe
Token: SeLoadDriverPrivilege	4532	WMIC.exe
Token: SeSystemProfilePrivilege	4532	WMIC.exe
Token: SeSystemtimePrivilege	4532	WMIC.exe
Token: SeProfSingleProcessPrivilege	4532	WMIC.exe
Token: SeIncBasePriorityPrivilege	4532	WMIC.exe
Token: SeCreatePagefilePrivilege	4532	WMIC.exe
Token: SeBackupPrivilege	4532	WMIC.exe
Token: SeRestorePrivilege	4532	WMIC.exe
Token: SeShutdownPrivilege	4532	WMIC.exe
Token: SeDebugPrivilege	4532	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4532	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe
1016	taskmgr.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 3524 wrote to memory of 3548	3524	nitro gen.exe	85
PID 3524 wrote to memory of 3548	3524	nitro gen.exe	85
PID 3548 wrote to memory of 624	3548	nitro gen.exe	86
PID 3548 wrote to memory of 624	3548	nitro gen.exe	86
PID 3548 wrote to memory of 3104	3548	nitro gen.exe	92
PID 3548 wrote to memory of 3104	3548	nitro gen.exe	92
PID 3104 wrote to memory of 3540	3104	cmd.exe	94
PID 3104 wrote to memory of 3540	3104	cmd.exe	94
PID 3548 wrote to memory of 760	3548	nitro gen.exe	97
PID 3548 wrote to memory of 760	3548	nitro gen.exe	97
PID 3548 wrote to memory of 936	3548	nitro gen.exe	99
PID 3548 wrote to memory of 936	3548	nitro gen.exe	99
PID 760 wrote to memory of 2340	760	cmd.exe	101
PID 760 wrote to memory of 2340	760	cmd.exe	101
PID 936 wrote to memory of 1660	936	cmd.exe	102
PID 936 wrote to memory of 1660	936	cmd.exe	102
PID 936 wrote to memory of 1380	936	cmd.exe	103
PID 936 wrote to memory of 1380	936	cmd.exe	103
PID 936 wrote to memory of 2464	936	cmd.exe	104
PID 936 wrote to memory of 2464	936	cmd.exe	104
PID 936 wrote to memory of 4016	936	cmd.exe	105
PID 936 wrote to memory of 4016	936	cmd.exe	105
PID 3548 wrote to memory of 2248	3548	nitro gen.exe	106
PID 3548 wrote to memory of 2248	3548	nitro gen.exe	106
PID 2248 wrote to memory of 4532	2248	cmd.exe	108
PID 2248 wrote to memory of 4532	2248	cmd.exe	108
PID 3548 wrote to memory of 4888	3548	nitro gen.exe	110
PID 3548 wrote to memory of 4888	3548	nitro gen.exe	110
PID 3548 wrote to memory of 4308	3548	nitro gen.exe	112
PID 3548 wrote to memory of 4308	3548	nitro gen.exe	112
PID 4308 wrote to memory of 2344	4308	cmd.exe	114
PID 4308 wrote to memory of 2344	4308	cmd.exe	114
PID 3548 wrote to memory of 3616	3548	nitro gen.exe	115
PID 3548 wrote to memory of 3616	3548	nitro gen.exe	115
PID 3616 wrote to memory of 1412	3616	cmd.exe	117
PID 3616 wrote to memory of 1412	3616	cmd.exe	117
PID 3548 wrote to memory of 2500	3548	nitro gen.exe	118
PID 3548 wrote to memory of 2500	3548	nitro gen.exe	118
PID 2500 wrote to memory of 1304	2500	cmd.exe	120
PID 2500 wrote to memory of 1304	2500	cmd.exe	120

C:\Users\Admin\AppData\Local\Temp\nitro gen.exe
"C:\Users\Admin\AppData\Local\Temp\nitro gen.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3524
- C:\Users\Admin\AppData\Local\Temp\nitro gen.exe
  "C:\Users\Admin\AppData\Local\Temp\nitro gen.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3104
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:760
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:2340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:936
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1660
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1380
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2464
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4532
- - C:\Windows\System32\Wbem\wmic.exe
    wmic cpu get Name
    3⤵
    PID:4888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4308
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3616
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
      4⤵
      PID:1304

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI35242\Cryptodome\Cipher\_raw_cbc.pyd

Filesize
10KB

MD5
f2bf3f3cdce0e6a8a29bd7fad094736b

SHA1
7eb4af31b93ee38219eb31c2a867959bb7a3ec53

SHA256
d8a9edff4c8cbbd02cc89541cd1a9f8b1ba8381f000a86f910b4d6831bb9a034

SHA512
ea3dcdd0218f51bedafe9fb995d84a820d244673086f42276d7cb6c398c67f0e4f79ec343dd0a6fc0af03ae605aabbbd93c8c612cbfd7ddf641b9f8a8db13c83

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35242\Cryptodome\Cipher\_raw_cfb.pyd

Filesize
10KB

MD5
4d651469eff9f0a3f904fcac9b1a41d2

SHA1
f9eb0d3ae58b8195e2485c6c378ce84f95c9ee54

SHA256
1b835a8c05dcc24c77fcf21ae0091ce34aca3b6b3d153415e3f0cf0142c53f9b

SHA512
0c10c6a52e2fa9bdf89229ad9964cfff6f3621eaad6f3aacebbbc8da6ff742e087c79af2d2d152c433160f25a9e45a2c41e13349cba758640163832569d37cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35242\Cryptodome\Cipher\_raw_ecb.pyd

Filesize
9KB

MD5
b47c542168546fb875e74e49c84325b6

SHA1
2aecab080cc0507f9380756478eadad2d3697503

SHA256
55657830c9ab79875af923b5a92e7ee30e0560affc3baa236c38039b4ef987f2

SHA512
fc25087c859c76dff1126bbfe956ea6811dc3ca79e9bbfd237893144db8b7ce3cae3aeb0923f69e0bfffa5575b5442ad1891d7088dd3857b62be12b5326be50d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35242\Cryptodome\Cipher\_raw_ofb.pyd

Filesize
10KB

MD5
6315a891ea3f996fc4b5ec384841f10c

SHA1
ed76ef57517e35b7b721a8b1a3e1ffa7873aec57

SHA256
087c238e1aa9038f53f8c92e7255f7adc9cd9a60a895256962dc39a73d596382

SHA512
083859a84ff84e865cfc255ff1674134940c5a64cc703c4ae7815501d586005b6b6cabc28e52239ae24cd38a1253d634d8de87d98a4a65f45df2b34bc24c2483

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35242\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35242\VCRUNTIME140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35242\_asyncio.pyd

Filesize
37KB

MD5
ff0cd3ed9552d0cf747f2c1f5dcefb27

SHA1
3131712c460b42b6e5b0aa4b9534fbf64592bc58

SHA256
a181a0c2bdb9d9adb610cd188e41a03d4e61c0bea68ec0d7978658e5aa754910

SHA512
b0c49eef1d78c4c43da83dc0fcacc3407b1583c26e684e05d5c820b023dbf154b16c7f9844e9e9887b04db3f034e562058e7aa81ea922164bc2e110859f3455f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35242\_bz2.pyd

Filesize
48KB

MD5
5cd942486b252213763679f99c920260

SHA1
abd370aa56b0991e4bfee065c5f34b041d494c68

SHA256
88087fef2cff82a3d2d2d28a75663618271803017ea8a6fcb046a23e6cbb6ac8

SHA512
6cd703e93ebccb0fd896d3c06ca50f8cc2e782b6cc6a7bdd12786fcfb174c2933d39ab7d8e674119faeca5903a0bfac40beffb4e3f6ca1204aaffefe1f30642c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35242\_cffi_backend.cp312-win_amd64.pyd

Filesize
71KB

MD5
26624b2ea2b9ec0e6ddec72f064c181a

SHA1
2658bae86a266def37cce09582874c2da5c8f6fa

SHA256
9fcab2f71b7b58636a613043387128394e29fe6e0c7ed698abdc754ba35e6279

SHA512
a5315700af222cdb343086fd4a4e8a4768050fdf36e1f8041770a131fc6f45fefe806291efc1cfb383f975e123d378a029d9884244a420523fc58b8178e8571f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35242\_ctypes.pyd

Filesize
59KB

MD5
4878ad72e9fbf87a1b476999ee06341e

SHA1
9e25424d9f0681398326252f2ae0be55f17e3540

SHA256
d699e09727eefe5643e0fdf4be4600a1d021af25d8a02906ebf98c2104d3735d

SHA512
6d465ae4a222456181441d974a5bb74d8534a39d20dca6c55825ebb0aa678e2ea0d6a6853bfa0888a7fd6be36f70181f367a0d584fccaa8daa940859578ab2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35242\_decimal.pyd

Filesize
107KB

MD5
d60e08c4bf3be928473139fa6dcb3354

SHA1
e819b15b95c932d30dafd7aa4e48c2eea5eb5fcb

SHA256
e21b0a031d399ffb7d71c00a840255d436887cb761af918f5501c10142987b7b

SHA512
6cac905f58c1f25cb91ea0a307cc740575bf64557f3cd57f10ad7251865ddb88965b2ad0777089b77fc27c6d9eb9a1f87456ddf57b7d2d717664c07af49e7b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35242\_hashlib.pyd

Filesize
35KB

MD5
edfb41ad93bc40757a0f0e8fdf1d0d6c

SHA1
155f574eef1c89fd038b544778970a30c8ab25ad

SHA256
09a0be93d58ce30fa7fb8503e9d0f83b10d985f821ce8a9659fd0bbc5156d81e

SHA512
3ba7d225828b37a141ed2232e892dad389147ca4941a1a85057f04c0ed6c0eab47b427bd749c565863f2d6f3a11f3eb34b6ee93506dee92ec56d7854e3392b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35242\_lzma.pyd

Filesize
86KB

MD5
25b96925b6b4ea5dd01f843ecf224c26

SHA1
69ba7c4c73c45124123a07018fa62f6f86948e81

SHA256
2fbc631716ffd1fd8fd3c951a1bd9ba00cc11834e856621e682799ba2ab430fd

SHA512
97c56ce5040fb7d5785a4245ffe08817b02926da77c79e7e665a4cfa750afdcb7d93a88104831944b1fe3262c0014970ca50a332b51030eb602bb7fb29b56ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35242\_multiprocessing.pyd

Filesize
27KB

MD5
2fa19c90ad762614ded548166e127ea5

SHA1
4d2313893d7980137c56034f8f8fa7e9a8de96a6

SHA256
2a3d8866bd7a901ab1784cc99565e8278db567f46dce0bce96e99762dd129bec

SHA512
fe1bd009a63138c30dec7976f0154f8ff41bfab8ecd5d15405dd95295167eba152e7dc4ab47968bac7cd5531bdf27b6ae75b5c1f788f0a3581b368d4cab74c97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35242\_overlapped.pyd

Filesize
33KB

MD5
ec59bf2a9e2da4291ea924bb86ab7362

SHA1
01dfdbc73bbe46f7cebd65a96d5021c0f195b81c

SHA256
a8a3f04ee4298f1b136d70c04d5c7aaa5785c41f9a0a23de39726ee3962fe5fd

SHA512
105c03d0cea327a003993e404b8479d739342d5102eabfd373ab6413049985c537c24bab3c632306b9e15bc588eda4a50fe29146dca4dcf8da5f54d06e330579

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35242\_queue.pyd

Filesize
26KB

MD5
c2ba2b78e35b0ab037b5f969549e26ac

SHA1
cb222117dda9d9b711834459e52c75d1b86cbb6e

SHA256
d8b60222732bdcedddbf026f96bddda028c54f6ae6b71f169a4d0c35bc911846

SHA512
da2bf31eb6fc87a606cbaa53148407e9368a6c3324648cb3df026a4fe06201bbaab1b0e1a6735d1f1d3b90ea66f5a38d47daac9686520127e993ecb02714181f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35242\_socket.pyd

Filesize
44KB

MD5
aa8435614d30cee187af268f8b5d394b

SHA1
6e218f3ad8ac48a1dde6b3c46ff463659a22a44e

SHA256
5427daade880df81169245ea2d2cc68355d34dbe907bc8c067975f805d062047

SHA512
3ccf7ec281c1dc68f782a39f339e191a251c9a92f6dc2df8df865e1d7796cf32b004ea8a2de96fe75fa668638341786eb515bac813f59a0d454fc91206fee632

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35242\_sqlite3.pyd

Filesize
57KB

MD5
81a43e60fc9e56f86800d8bb920dbe58

SHA1
0dc3ffa0ccbc0d8be7c7cbae946257548578f181

SHA256
79977cbda8d6b54868d9cfc50159a2970f9b3b0f8df0ada299c3c1ecfdc6deb0

SHA512
d3a773f941f1a726826d70db4235f4339036ee5e67667a6c63631ff6357b69ba90b03f44fd0665210ee243c1af733c84d2694a1703ebb290f45a7e4b1fc001c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35242\_ssl.pyd

Filesize
66KB

MD5
c0512ca159b58473feadc60d3bd85654

SHA1
ac30797e7c71dea5101c0db1ac47d59a4bf08756

SHA256
66a0e06cce76b1e332278f84eda4c032b4befbd6710c7c7eb6f5e872a7b83f43

SHA512
3999fc4e673cf2ce9938df5850270130247f4a96c249e01258a25b125d64c42c8683a85aec64ed9799d79b50f261bcfac6ee9de81f1c5252e044d02ac372e5c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35242\_uuid.pyd

Filesize
25KB

MD5
50521b577719195d7618a23b3103d8aa

SHA1
7020d2e107000eaf0eddde74bc3809df2c638e22

SHA256
acbf831004fb8b8d5340fe5debd9814c49bd282dd765c78faeb6bb5116288c78

SHA512
4ee950da8bbbd36932b488ec62fa046ac8fc35783a146edadbe063b8419a63d4dfb5bbd8c45e9e008fe708e6fc4a1fee1202fce92ffc95320547ba714fed95e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35242\_wmi.pyd

Filesize
28KB

MD5
0682a42141ad8e981d839a5d0da81c55

SHA1
6752a15877329ff9fd62a95908a77f0daca2eed3

SHA256
42442d889fb51755fc4a6e528a1e015e946d3a37e932479e0f806ea738dae89c

SHA512
881bc77c39813274f092642edd6c52184f50f71676019e534af23c5b81e7b9a43aef08d18e503b92dbb967db395e7aa71b122670feb2f06bed0e2a72d59a4a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35242\base_library.zip

Filesize
1.3MB

MD5
43935f81d0c08e8ab1dfe88d65af86d8

SHA1
abb6eae98264ee4209b81996c956a010ecf9159b

SHA256
c611943f0aeb3292d049437cb03500cc2f8d12f23faf55e644bca82f43679bc0

SHA512
06a9dcd310aa538664b08f817ec1c6cfa3f748810d76559c46878ea90796804904d41ac79535c7f63114df34c0e5de6d0452bb30df54b77118d925f21cfa1955

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35242\certifi\cacert.pem

Filesize
287KB

MD5
2a6bef11d1f4672f86d3321b38f81220

SHA1
b4146c66e7e24312882d33b16b2ee140cb764b0e

SHA256
1605d0d39c5e25d67e7838da6a17dcf2e8c6cfa79030e8fb0318e35f5495493c

SHA512
500dfff929d803b0121796e8c1a30bdfcb149318a4a4de460451e093e4cbd568cd12ab20d0294e0bfa7efbd001de968cca4c61072218441d4fa7fd9edf7236d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35242\charset_normalizer\md.cp312-win_amd64.pyd

Filesize
9KB

MD5
ea68b13d83a5c7521453120dd7bd4dfc

SHA1
182d77f89ceb44b524b9d53d6480343f9670fc9c

SHA256
c3d31f8842c002085e2d7aa43856c2297d6740f70450c2c4bf80dc1d8360cbc7

SHA512
41d3eddc57ee9c643ab28a6e0286cd39c2724a9d1bdf24d75d1dd3ec7900396768e6afa4702272b051627855bdcb12fac8d8834d1d1ddf1638c769c89c2b488d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35242\charset_normalizer\md__mypyc.cp312-win_amd64.pyd

Filesize
39KB

MD5
4b81e1518d8fc26804b26fa0099ee5b6

SHA1
b152ee2d7b843b883f830e69af629a49e2909dcf

SHA256
f00565d8909029ce00bc04048a551975db20eb8aa39d1e4a65b7e659c0945100

SHA512
09ad69911959418e458cf25c972b4d14983d58c4a48ae739c31d981125442673e66d935bf9c2ea0aa8fbfa20ba4434cf9aac6e6a3b0bd776cf4e46cb80b93949

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35242\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35242\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35242\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35242\psutil\_psutil_windows.pyd

Filesize
31KB

MD5
c6b58473112940b1c51daab751ad600f

SHA1
f0653bbec27277efbd783a3b5fb5b2ae38ca53ae

SHA256
6c8d5a4ad401d3994dc8609dfd356382f3e3e1ab51225a8cad21434f9b75276a

SHA512
45e4ed13b924f9fb2073c4fd0f551394eefc962971e63473ab6d3b0e1dbfdf604af5591d53b92890b10904dc310ce71d12c99b6e53063f6c8c5ab1a70adcf20c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35242\pyexpat.pyd

Filesize
88KB

MD5
d75d0abe353df292809535015888deb1

SHA1
3c1dfbc5f4ddc943cfe0fcba165fc5f269882854

SHA256
a9014ff4f0fc370a3a810fb82707d7d160d912c4f8998fd20c4c29547dd02299

SHA512
8cc4be2dbec8c27b27670e87d4ab5d2292770b0f808a7e7394189e44d46ba480057a615613445b086d9626fa8b53b0bfea8655c0e2fe6ef29ebd1baba4fce741

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35242\python3.DLL

Filesize
66KB

MD5
a07661c5fad97379cf6d00332999d22c

SHA1
dca65816a049b3cce5c4354c3819fef54c6299b0

SHA256
5146005c36455e7ede4b8ecc0dc6f6fa8ea6b4a99fedbabc1994ae27dfab9d1b

SHA512
6ddeb9d89ccb4d2ec5d994d85a55e5e2cc7af745056dae030ab8d72ee7830f672003f4675b6040f123fc64c19e9b48cabd0da78101774dafacf74a88fbd74b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35242\python312.dll

Filesize
1.7MB

MD5
18677d48ba556e529b73d6e60afaf812

SHA1
68f93ed1e3425432ac639a8f0911c144f1d4c986

SHA256
8e2c03e1ee5068c16e61d3037a10371f2e9613221a165150008bef04474a8af8

SHA512
a843ab3a180684c4f5cae0240da19291e7ed9ae675c9356334386397561c527ab728d73767459350fa67624f389411d03665f69637c5f5c268011d1b103d0b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35242\select.pyd

Filesize
25KB

MD5
f5540323c6bb870b3a94e1b3442e597b

SHA1
2581887ffc43fa4a6cbd47f5d4745152ce40a5a7

SHA256
b3ff47c71e1023368e94314b6d371e01328dae9f6405398c72639129b89a48d2

SHA512
56ee1da2fb604ef9f30eca33163e3f286540d3f738ed7105fc70a2bccef7163e0e5afd0aeb68caf979d9493cd5a6a286e6943f6cd59c8e18902657807aa652e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35242\sqlite3.dll

Filesize
644KB

MD5
8a6c2b015c11292de9d556b5275dc998

SHA1
4dcf83e3b50970374eef06b79d323a01f5364190

SHA256
ad9afd1225847ae694e091b833b35aa03445b637e35fb2873812db358d783f29

SHA512
819f4e888831524ceeed875161880a830794a748add2bf887895d682db1cec29eaddc5eddf1e90d982f4c78a9747f960d75f7a87bdda3b4f63ea2f326db05387

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35242\unicodedata.pyd

Filesize
295KB

MD5
3f2da3ed690327ae6b320daa82d9be27

SHA1
32aebd8e8e17d6b113fc8f693259eba8b6b45ea5

SHA256
7dc64867f466b666ff1a209b0ef92585ffb7b0cac3a87c27e6434a2d7b85594f

SHA512
a4e6d58477baa35100aa946dfad42ad234f8affb26585d09f91cab89bbef3143fc45307967c9dbc43749ee06e93a94d87f436f5a390301823cd09e221cac8a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vxcbayu3.xjg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfI7yFRuka\Browser\cc's.txt

Filesize
91B

MD5
5aa796b6950a92a226cc5c98ed1c47e8

SHA1
6706a4082fc2c141272122f1ca424a446506c44d

SHA256
c4c83da3a904a4e7114f9bd46790db502cdd04800e684accb991cd1a08ee151c

SHA512
976f403257671e8f652bf988f4047202e1a0fd368fdb2bab2e79ece1c20c7eb775c4b3a8853c223d4f750f4192cd09455ff024918276dc1dd1442fa3b36623ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfI7yFRuka\Browser\history.txt

Filesize
23B

MD5
5638715e9aaa8d3f45999ec395e18e77

SHA1
4e3dc4a1123edddf06d92575a033b42a662fe4ad

SHA256
4db7f6559c454d34d9c2d557524603c3f52649c2d69b26b6e8384a3d179aeae6

SHA512
78c96efab1d941e34d3137eae32cef041e2db5b0ebbf883e6a2effa79a323f66e00cfb7c45eb3398b3cbd0469a2be513c3ff63e5622261857eefc1685f77f76b

Download Submit
memory/1016-274-0x000001F0A3420000-0x000001F0A3421000-memory.dmp

Filesize
4KB

Download
memory/1016-273-0x000001F0A3420000-0x000001F0A3421000-memory.dmp

Filesize
4KB

Download
memory/1016-279-0x000001F0A3420000-0x000001F0A3421000-memory.dmp

Filesize
4KB

Download
memory/1016-269-0x000001F0A3420000-0x000001F0A3421000-memory.dmp

Filesize
4KB

Download
memory/1016-278-0x000001F0A3420000-0x000001F0A3421000-memory.dmp

Filesize
4KB

Download
memory/1016-267-0x000001F0A3420000-0x000001F0A3421000-memory.dmp

Filesize
4KB

Download
memory/1016-277-0x000001F0A3420000-0x000001F0A3421000-memory.dmp

Filesize
4KB

Download
memory/1016-268-0x000001F0A3420000-0x000001F0A3421000-memory.dmp

Filesize
4KB

Download
memory/1016-276-0x000001F0A3420000-0x000001F0A3421000-memory.dmp

Filesize
4KB

Download
memory/1016-275-0x000001F0A3420000-0x000001F0A3421000-memory.dmp

Filesize
4KB

Download
memory/1660-262-0x0000023B7AFE0000-0x0000023B7B002000-memory.dmp

Filesize
136KB

Download
memory/3548-202-0x00007FF918000000-0x00007FF918027000-memory.dmp

Filesize
156KB

Download
memory/3548-146-0x00007FF91C8B0000-0x00007FF91C8BD000-memory.dmp

Filesize
52KB

Download
memory/3548-171-0x00007FF91C580000-0x00007FF91C58B000-memory.dmp

Filesize
44KB

Download
memory/3548-173-0x00007FF918000000-0x00007FF918027000-memory.dmp

Filesize
156KB

Download
memory/3548-176-0x00007FF9080B0000-0x00007FF9081CB000-memory.dmp

Filesize
1.1MB

Download
memory/3548-175-0x00007FF91C590000-0x00007FF91C5A4000-memory.dmp

Filesize
80KB

Download
memory/3548-167-0x00007FF918030000-0x00007FF918048000-memory.dmp

Filesize
96KB

Download
memory/3548-165-0x00007FF91C950000-0x00007FF91C975000-memory.dmp

Filesize
148KB

Download
memory/3548-163-0x00007FF908500000-0x00007FF90867F000-memory.dmp

Filesize
1.5MB

Download
memory/3548-161-0x00007FF909010000-0x00007FF9096D4000-memory.dmp

Filesize
6.8MB

Download
memory/3548-160-0x00007FF918050000-0x00007FF918074000-memory.dmp

Filesize
144KB

Download
memory/3548-157-0x00007FF918130000-0x00007FF918142000-memory.dmp

Filesize
72KB

Download
memory/3548-192-0x00007FF918130000-0x00007FF918142000-memory.dmp

Filesize
72KB

Download
memory/3548-194-0x00007FF917FF0000-0x00007FF917FFC000-memory.dmp

Filesize
48KB

Download
memory/3548-195-0x00007FF917FE0000-0x00007FF917FEB000-memory.dmp

Filesize
44KB

Download
memory/3548-193-0x00007FF918050000-0x00007FF918074000-memory.dmp

Filesize
144KB

Download
memory/3548-191-0x00007FF918120000-0x00007FF91812B000-memory.dmp

Filesize
44KB

Download
memory/3548-198-0x00007FF917BF0000-0x00007FF917BFB000-memory.dmp

Filesize
44KB

Download
memory/3548-204-0x00007FF9080B0000-0x00007FF9081CB000-memory.dmp

Filesize
1.1MB

Download
memory/3548-205-0x00007FF917BC0000-0x00007FF917BCC000-memory.dmp

Filesize
48KB

Download
memory/3548-207-0x00007FF917B90000-0x00007FF917BA2000-memory.dmp

Filesize
72KB

Download
memory/3548-209-0x00007FF907120000-0x00007FF907369000-memory.dmp

Filesize
2.3MB

Download
memory/3548-208-0x00007FF917B80000-0x00007FF917B8C000-memory.dmp

Filesize
48KB

Download
memory/3548-206-0x00007FF917BB0000-0x00007FF917BBD000-memory.dmp

Filesize
52KB

Download
memory/3548-203-0x00007FF917BD0000-0x00007FF917BDC000-memory.dmp

Filesize
48KB

Download
memory/3548-155-0x00007FF918150000-0x00007FF918166000-memory.dmp

Filesize
88KB

Download
memory/3548-201-0x00007FF917C00000-0x00007FF917C0C000-memory.dmp

Filesize
48KB

Download
memory/3548-200-0x00007FF917EA0000-0x00007FF917EAC000-memory.dmp

Filesize
48KB

Download
memory/3548-199-0x00007FF917BE0000-0x00007FF917BEB000-memory.dmp

Filesize
44KB

Download
memory/3548-197-0x00007FF917E90000-0x00007FF917E9E000-memory.dmp

Filesize
56KB

Download
memory/3548-196-0x00007FF917EF0000-0x00007FF917EFC000-memory.dmp

Filesize
48KB

Download
memory/3548-190-0x00007FF918200000-0x00007FF91820C000-memory.dmp

Filesize
48KB

Download
memory/3548-211-0x00007FF91C950000-0x00007FF91C975000-memory.dmp

Filesize
148KB

Download
memory/3548-228-0x00007FF918030000-0x00007FF918048000-memory.dmp

Filesize
96KB

Download
memory/3548-243-0x00007FF913480000-0x00007FF9134AE000-memory.dmp

Filesize
184KB

Download
memory/3548-221-0x00007FF908880000-0x00007FF908DA9000-memory.dmp

Filesize
5.2MB

Download
memory/3548-242-0x00007FF915F30000-0x00007FF915F59000-memory.dmp

Filesize
164KB

Download
memory/3548-210-0x00007FF909010000-0x00007FF9096D4000-memory.dmp

Filesize
6.8MB

Download
memory/3548-189-0x00007FF918260000-0x00007FF91826B000-memory.dmp

Filesize
44KB

Download
memory/3548-186-0x00007FF917C10000-0x00007FF917CDD000-memory.dmp

Filesize
820KB

Download
memory/3548-183-0x00007FF9182C0000-0x00007FF9182CB000-memory.dmp

Filesize
44KB

Download
memory/3548-182-0x00007FF918330000-0x00007FF918363000-memory.dmp

Filesize
204KB

Download
memory/3548-181-0x00007FF91E4B0000-0x00007FF91E4BF000-memory.dmp

Filesize
60KB

Download
memory/3548-142-0x00007FF91C920000-0x00007FF91C94D000-memory.dmp

Filesize
180KB

Download
memory/3548-143-0x00007FF91C8E0000-0x00007FF91C916000-memory.dmp

Filesize
216KB

Download
memory/3548-144-0x00007FF91C8C0000-0x00007FF91C8D9000-memory.dmp

Filesize
100KB

Download
memory/3548-150-0x00007FF91E4B0000-0x00007FF91E4BF000-memory.dmp

Filesize
60KB

Download
memory/3548-153-0x00007FF917C10000-0x00007FF917CDD000-memory.dmp

Filesize
820KB

Download
memory/3548-151-0x00007FF918330000-0x00007FF918363000-memory.dmp

Filesize
204KB

Download
memory/3548-148-0x00007FF908880000-0x00007FF908DA9000-memory.dmp

Filesize
5.2MB

Download
memory/3548-145-0x00007FF91CA10000-0x00007FF91CA1D000-memory.dmp

Filesize
52KB

Download
memory/3548-166-0x00007FF908880000-0x00007FF908DA9000-memory.dmp

Filesize
5.2MB

Download
memory/3548-147-0x00007FF91C590000-0x00007FF91C5A4000-memory.dmp

Filesize
80KB

Download
memory/3548-113-0x00007FF91D1E0000-0x00007FF91D1FA000-memory.dmp

Filesize
104KB

Download
memory/3548-109-0x00007FF91FFE0000-0x00007FF91FFEF000-memory.dmp

Filesize
60KB

Download
memory/3548-314-0x00007FF918330000-0x00007FF918363000-memory.dmp

Filesize
204KB

Download
memory/3548-319-0x00007FF908500000-0x00007FF90867F000-memory.dmp

Filesize
1.5MB

Download
memory/3548-302-0x00007FF909010000-0x00007FF9096D4000-memory.dmp

Filesize
6.8MB

Download
memory/3548-107-0x00007FF91C950000-0x00007FF91C975000-memory.dmp

Filesize
148KB

Download
memory/3548-98-0x00007FF909010000-0x00007FF9096D4000-memory.dmp

Filesize
6.8MB

Download
memory/3548-387-0x00007FF91D2F0000-0x00007FF91D2FF000-memory.dmp

Filesize
60KB

Download
memory/3548-427-0x00007FF91E4B0000-0x00007FF91E4BF000-memory.dmp

Filesize
60KB

Download
memory/3548-436-0x00007FF918120000-0x00007FF91812B000-memory.dmp

Filesize
44KB

Download
memory/3548-439-0x00007FF917FE0000-0x00007FF917FEB000-memory.dmp

Filesize
44KB

Download
memory/3548-438-0x00007FF918130000-0x00007FF918142000-memory.dmp

Filesize
72KB

Download
memory/3548-461-0x00007FF917B80000-0x00007FF917B8C000-memory.dmp

Filesize
48KB

Download
memory/3548-463-0x00007FF915F30000-0x00007FF915F59000-memory.dmp

Filesize
164KB

Download
memory/3548-462-0x00007FF907120000-0x00007FF907369000-memory.dmp

Filesize
2.3MB

Download
memory/3548-460-0x00007FF917B90000-0x00007FF917BA2000-memory.dmp

Filesize
72KB

Download
memory/3548-459-0x00007FF917BB0000-0x00007FF917BBD000-memory.dmp

Filesize
52KB

Download
memory/3548-458-0x00007FF9080B0000-0x00007FF9081CB000-memory.dmp

Filesize
1.1MB

Download
memory/3548-457-0x00007FF918000000-0x00007FF918027000-memory.dmp

Filesize
156KB

Download
memory/3548-456-0x00007FF917E90000-0x00007FF917E9E000-memory.dmp

Filesize
56KB

Download
memory/3548-455-0x00007FF917BE0000-0x00007FF917BEB000-memory.dmp

Filesize
44KB

Download
memory/3548-454-0x00007FF917BF0000-0x00007FF917BFB000-memory.dmp

Filesize
44KB

Download
memory/3548-453-0x00007FF918030000-0x00007FF918048000-memory.dmp

Filesize
96KB

Download
memory/3548-452-0x00007FF917C00000-0x00007FF917C0C000-memory.dmp

Filesize
48KB

Download
memory/3548-451-0x00007FF917EF0000-0x00007FF917EFC000-memory.dmp

Filesize
48KB

Download
memory/3548-450-0x00007FF918050000-0x00007FF918074000-memory.dmp

Filesize
144KB

Download
memory/3548-449-0x00007FF917BC0000-0x00007FF917BCC000-memory.dmp

Filesize
48KB

Download
memory/3548-448-0x00007FF908500000-0x00007FF90867F000-memory.dmp

Filesize
1.5MB

Download
memory/3548-447-0x00007FF917C10000-0x00007FF917CDD000-memory.dmp

Filesize
820KB

Download
memory/3548-446-0x00007FF918260000-0x00007FF91826B000-memory.dmp

Filesize
44KB

Download
memory/3548-445-0x00007FF9182C0000-0x00007FF9182CB000-memory.dmp

Filesize
44KB

Download
memory/3548-444-0x00007FF917FF0000-0x00007FF917FFC000-memory.dmp

Filesize
48KB

Download
memory/3548-443-0x00007FF917BD0000-0x00007FF917BDC000-memory.dmp

Filesize
48KB

Download
memory/3548-442-0x00007FF91C580000-0x00007FF91C58B000-memory.dmp

Filesize
44KB

Download
memory/3548-441-0x00007FF917EA0000-0x00007FF917EAC000-memory.dmp

Filesize
48KB

Download
memory/3548-440-0x00007FF908880000-0x00007FF908DA9000-memory.dmp

Filesize
5.2MB

Download
memory/3548-437-0x00007FF918150000-0x00007FF918166000-memory.dmp

Filesize
88KB

Download
memory/3548-435-0x00007FF918200000-0x00007FF91820C000-memory.dmp

Filesize
48KB

Download
memory/3548-434-0x00007FF91C920000-0x00007FF91C94D000-memory.dmp

Filesize
180KB

Download
memory/3548-433-0x00007FF918330000-0x00007FF918363000-memory.dmp

Filesize
204KB

Download
memory/3548-432-0x00007FF91C590000-0x00007FF91C5A4000-memory.dmp

Filesize
80KB

Download
memory/3548-431-0x00007FF91C8B0000-0x00007FF91C8BD000-memory.dmp

Filesize
52KB

Download
memory/3548-430-0x00007FF91CA10000-0x00007FF91CA1D000-memory.dmp

Filesize
52KB

Download
memory/3548-429-0x00007FF91C8C0000-0x00007FF91C8D9000-memory.dmp

Filesize
100KB

Download
memory/3548-428-0x00007FF91C8E0000-0x00007FF91C916000-memory.dmp

Filesize
216KB

Download
memory/3548-426-0x00007FF91D1E0000-0x00007FF91D1FA000-memory.dmp

Filesize
104KB

Download
memory/3548-425-0x00007FF91FFE0000-0x00007FF91FFEF000-memory.dmp

Filesize
60KB

Download
memory/3548-424-0x00007FF91C950000-0x00007FF91C975000-memory.dmp

Filesize
148KB

Download
memory/3548-423-0x00007FF909010000-0x00007FF9096D4000-memory.dmp

Filesize
6.8MB

Download