gurcu | 8d6eda15b51552fce75401a9cd2f5c57a4af4fbc5f7a7262385f0d2652024bcb

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-08-2024 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GhostBinder-FUD.exe
Size

11.7MB
MD5

c26e5cbca0f6cc30fc2af85f95942a82
SHA1

13c9a25bb4a57a119d6a10b7a940fc3a23906065
SHA256

8d6eda15b51552fce75401a9cd2f5c57a4af4fbc5f7a7262385f0d2652024bcb
SHA512

a54bd316887f4ebdbf51a614437733a3cbd0f9810e86ad3684b2c00db353f122cd349e0366c9c733b0d08282ba1f748155dcc01a6055465e5710e10b5a45507e
SSDEEP

196608:q9qMTFBJ82JYp3n780E998EFcCsqeaLJaAjEi71IUfvd3QzUy5kB2UQn2x/XZ3RT:q95lup3nI5vRTeeh71IUfvd35HLQni/3

Score

10^/10

gurcu stormkitty xworm credential_access discovery execution persistence pyinstaller rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

EEarXqazEvX73BCq

Attributes

Install_directory
%AppData%
install_file
Chrome Update.exe
pastebin_url
https://pastebin.com/raw/RPPi3ByL

aes.plain

Extracted

Family

gurcu

https://api.telegram.org/bot7483240807:AAEYFrBoMgquxWoikOe9bVlqmoMC2b2AOO4/sendMessage?chat_id=5279018187

Signatures

Detect Xworm Payload 6 IoCs

resource	yara_rule
behavioral2/files/0x000a0000000234a7-6.dat	family_xworm
behavioral2/files/0x00080000000234c1-16.dat	family_xworm
behavioral2/files/0x00070000000234c2-27.dat	family_xworm
behavioral2/memory/1440-32-0x0000000000430000-0x000000000045C000-memory.dmp	family_xworm
behavioral2/memory/3092-35-0x0000000000080000-0x00000000000AE000-memory.dmp	family_xworm
behavioral2/memory/4936-38-0x0000000000E90000-0x0000000000EB8000-memory.dmp	family_xworm

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/1440-280-0x000000001D8B0000-0x000000001D9D0000-memory.dmp	family_stormkitty

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2556	powershell.exe
4256	powershell.exe
3232	powershell.exe
2928	powershell.exe
404	powershell.exe
4044	powershell.exe
1392	powershell.exe
4512	powershell.exe
2032	powershell.exe
2380	powershell.exe
2732	powershell.exe
3176	powershell.exe
1888	powershell.exe
3372	powershell.exe
2980	powershell.exe
4244	powershell.exe
3012	powershell.exe
1072	powershell.exe
1292	powershell.exe
924	powershell.exe
1832	powershell.exe
732	powershell.exe
636	powershell.exe
2880	powershell.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	Chrome Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	OneDrive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	GhostBinder-FUD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	OneDrive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	Chrome Update.exe

Drops startup file 12 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Update.lnk	Chrome Update.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Update.lnk	Chrome Update.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Update.lnk	Chrome Update.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Update.lnk	Chrome Update.exe

Executes dropped EXE 14 IoCs

pid	Process
1440	Chrome Update.exe
3092	msedge.exe
4936	OneDrive.exe
5032	run.exe
4676	run.exe
3792	Chrome Update.exe
1788	msedge.exe
224	OneDrive.exe
1896	Chrome Update.exe
2412	msedge.exe
4256	OneDrive.exe
3136	Chrome Update.exe
4268	OneDrive.exe
3360	msedge.exe

Loads dropped DLL 17 IoCs

pid	Process
4676	run.exe
4676	run.exe
4676	run.exe
4676	run.exe
4676	run.exe
4676	run.exe
4676	run.exe
4676	run.exe
4676	run.exe
4676	run.exe
4676	run.exe
4676	run.exe
4676	run.exe
4676	run.exe
4676	run.exe
4676	run.exe
4676	run.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Chrome Update = "C:\\Users\\Admin\\AppData\\Roaming\\Chrome Update.exe"	Chrome Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\OneDrive.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Chrome Update = "C:\\Users\\Admin\\AppData\\Roaming\\Chrome Update.exe"	Chrome Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\OneDrive.exe"	OneDrive.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
11	pastebin.com
12	pastebin.com
26	pastebin.com
27	pastebin.com
60	pastebin.com
62	pastebin.com
63	pastebin.com
6	discord.com
61	pastebin.com
7	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	api.ipify.org
2	api.ipify.org
5	api.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x00070000000234c3-44.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
4504	timeout.exe
1736	timeout.exe
388	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2092	schtasks.exe
4044	schtasks.exe
4720	schtasks.exe
1036	schtasks.exe
4508	schtasks.exe
4548	schtasks.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
732	powershell.exe
1832	powershell.exe
732	powershell.exe
2556	powershell.exe
1832	powershell.exe
2556	powershell.exe
636	powershell.exe
636	powershell.exe
1392	powershell.exe
1888	powershell.exe
1888	powershell.exe
1392	powershell.exe
4256	powershell.exe
4512	powershell.exe
4512	powershell.exe
4256	powershell.exe
2032	powershell.exe
2032	powershell.exe
2880	powershell.exe
2880	powershell.exe
2380	powershell.exe
2380	powershell.exe
3012	powershell.exe
3012	powershell.exe
1440	Chrome Update.exe
3092	msedge.exe
4936	OneDrive.exe
3372	powershell.exe
1072	powershell.exe
2980	powershell.exe
3372	powershell.exe
1072	powershell.exe
2980	powershell.exe
4244	powershell.exe
3232	powershell.exe
4244	powershell.exe
3232	powershell.exe
2928	powershell.exe
1292	powershell.exe
404	powershell.exe
2928	powershell.exe
404	powershell.exe
1292	powershell.exe
924	powershell.exe
2732	powershell.exe
3176	powershell.exe
3176	powershell.exe
924	powershell.exe
2732	powershell.exe
4044	powershell.exe
4044	powershell.exe
4268	OneDrive.exe
3136	Chrome Update.exe
3360	msedge.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	1440	Chrome Update.exe
Token: SeDebugPrivilege	3092	msedge.exe
Token: SeDebugPrivilege	4936	OneDrive.exe
Token: SeDebugPrivilege	732	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	636	powershell.exe
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	4256	powershell.exe
Token: SeDebugPrivilege	4512	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	1440	Chrome Update.exe
Token: SeDebugPrivilege	3092	msedge.exe
Token: SeDebugPrivilege	4936	OneDrive.exe
Token: SeDebugPrivilege	3792	Chrome Update.exe
Token: SeDebugPrivilege	1788	msedge.exe
Token: SeDebugPrivilege	224	OneDrive.exe
Token: SeDebugPrivilege	1896	Chrome Update.exe
Token: SeDebugPrivilege	2412	msedge.exe
Token: SeDebugPrivilege	4256	OneDrive.exe
Token: SeDebugPrivilege	3136	Chrome Update.exe
Token: SeDebugPrivilege	4268	OneDrive.exe
Token: SeDebugPrivilege	3360	msedge.exe
Token: SeDebugPrivilege	3372	powershell.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	4244	powershell.exe
Token: SeDebugPrivilege	3232	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	404	powershell.exe
Token: SeDebugPrivilege	924	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	3176	powershell.exe
Token: SeDebugPrivilege	4044	powershell.exe
Token: SeDebugPrivilege	4268	OneDrive.exe
Token: SeDebugPrivilege	3136	Chrome Update.exe
Token: SeDebugPrivilege	3360	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1440	Chrome Update.exe
3092	msedge.exe
4936	OneDrive.exe
4268	OneDrive.exe
3136	Chrome Update.exe
3360	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 1440	2880	GhostBinder-FUD.exe	85
PID 2880 wrote to memory of 1440	2880	GhostBinder-FUD.exe	85
PID 2880 wrote to memory of 3092	2880	GhostBinder-FUD.exe	86
PID 2880 wrote to memory of 3092	2880	GhostBinder-FUD.exe	86
PID 2880 wrote to memory of 4936	2880	GhostBinder-FUD.exe	87
PID 2880 wrote to memory of 4936	2880	GhostBinder-FUD.exe	87
PID 2880 wrote to memory of 5032	2880	GhostBinder-FUD.exe	88
PID 2880 wrote to memory of 5032	2880	GhostBinder-FUD.exe	88
PID 5032 wrote to memory of 4676	5032	run.exe	89
PID 5032 wrote to memory of 4676	5032	run.exe	89
PID 4936 wrote to memory of 2556	4936	OneDrive.exe	91
PID 4936 wrote to memory of 2556	4936	OneDrive.exe	91
PID 1440 wrote to memory of 732	1440	Chrome Update.exe	92
PID 1440 wrote to memory of 732	1440	Chrome Update.exe	92
PID 3092 wrote to memory of 1832	3092	msedge.exe	93
PID 3092 wrote to memory of 1832	3092	msedge.exe	93
PID 1440 wrote to memory of 636	1440	Chrome Update.exe	97
PID 1440 wrote to memory of 636	1440	Chrome Update.exe	97
PID 3092 wrote to memory of 1888	3092	msedge.exe	99
PID 3092 wrote to memory of 1888	3092	msedge.exe	99
PID 4936 wrote to memory of 1392	4936	OneDrive.exe	101
PID 4936 wrote to memory of 1392	4936	OneDrive.exe	101
PID 3092 wrote to memory of 4256	3092	msedge.exe	103
PID 3092 wrote to memory of 4256	3092	msedge.exe	103
PID 1440 wrote to memory of 4512	1440	Chrome Update.exe	105
PID 1440 wrote to memory of 4512	1440	Chrome Update.exe	105
PID 4936 wrote to memory of 2032	4936	OneDrive.exe	107
PID 4936 wrote to memory of 2032	4936	OneDrive.exe	107
PID 1440 wrote to memory of 2880	1440	Chrome Update.exe	109
PID 1440 wrote to memory of 2880	1440	Chrome Update.exe	109
PID 3092 wrote to memory of 2380	3092	msedge.exe	111
PID 3092 wrote to memory of 2380	3092	msedge.exe	111
PID 4936 wrote to memory of 3012	4936	OneDrive.exe	113
PID 4936 wrote to memory of 3012	4936	OneDrive.exe	113
PID 1440 wrote to memory of 4044	1440	Chrome Update.exe	115
PID 1440 wrote to memory of 4044	1440	Chrome Update.exe	115
PID 3092 wrote to memory of 4720	3092	msedge.exe	117
PID 3092 wrote to memory of 4720	3092	msedge.exe	117
PID 4936 wrote to memory of 1036	4936	OneDrive.exe	118
PID 4936 wrote to memory of 1036	4936	OneDrive.exe	118
PID 1440 wrote to memory of 2356	1440	Chrome Update.exe	133
PID 1440 wrote to memory of 2356	1440	Chrome Update.exe	133
PID 4936 wrote to memory of 1928	4936	OneDrive.exe	134
PID 4936 wrote to memory of 1928	4936	OneDrive.exe	134
PID 1440 wrote to memory of 1484	1440	Chrome Update.exe	137
PID 1440 wrote to memory of 1484	1440	Chrome Update.exe	137
PID 4936 wrote to memory of 2840	4936	OneDrive.exe	138
PID 4936 wrote to memory of 2840	4936	OneDrive.exe	138
PID 3092 wrote to memory of 3544	3092	msedge.exe	140
PID 3092 wrote to memory of 3544	3092	msedge.exe	140
PID 3092 wrote to memory of 2380	3092	msedge.exe	142
PID 3092 wrote to memory of 2380	3092	msedge.exe	142
PID 2840 wrote to memory of 4504	2840	cmd.exe	145
PID 2840 wrote to memory of 4504	2840	cmd.exe	145
PID 1484 wrote to memory of 1736	1484	cmd.exe	146
PID 1484 wrote to memory of 1736	1484	cmd.exe	146
PID 2380 wrote to memory of 388	2380	cmd.exe	147
PID 2380 wrote to memory of 388	2380	cmd.exe	147
PID 3136 wrote to memory of 3372	3136	Chrome Update.exe	148
PID 3136 wrote to memory of 3372	3136	Chrome Update.exe	148
PID 4268 wrote to memory of 1072	4268	OneDrive.exe	150
PID 4268 wrote to memory of 1072	4268	OneDrive.exe	150
PID 3360 wrote to memory of 2980	3360	msedge.exe	151
PID 3360 wrote to memory of 2980	3360	msedge.exe	151

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\GhostBinder-FUD.exe
"C:\Users\Admin\AppData\Local\Temp\GhostBinder-FUD.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Users\Admin\AppData\Roaming\Chrome Update.exe
  "C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chrome Update.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:732
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome Update.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:636
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chrome Update.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4512
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome Update.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2880
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4044
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /f /tn "Chrome Update"
    3⤵
    PID:2356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAEE0.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1736
- C:\Users\Admin\AppData\Roaming\msedge.exe
  "C:\Users\Admin\AppData\Roaming\msedge.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1832
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4256
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2380
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4720
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /f /tn "msedge"
    3⤵
    PID:3544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAEFF.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:388
- C:\Users\Admin\AppData\Roaming\OneDrive.exe
  "C:\Users\Admin\AppData\Roaming\OneDrive.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3012
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\ProgramData\OneDrive.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1036
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /f /tn "OneDrive"
    3⤵
    PID:1928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAEF0.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:4504
- C:\Users\Admin\AppData\Roaming\run.exe
  "C:\Users\Admin\AppData\Roaming\run.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Users\Admin\AppData\Roaming\run.exe
    "C:\Users\Admin\AppData\Roaming\run.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4676

C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3792

C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:224

C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2412

C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4256

C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chrome Update.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome Update.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chrome Update.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome Update.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3176
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4508

C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4044
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2092

C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:924
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\ProgramData\OneDrive.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Chrome Update.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
a43e653ffb5ab07940f4bdd9cc8fade4

SHA1
af43d04e3427f111b22dc891c5c7ee8a10ac4123

SHA256
c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

SHA512
62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
37a924b11cf3f7f57fc56898abe9b0e6

SHA1
5ee379727611f74dc5fa677b65881d4c63e10f95

SHA256
6e7f7c5fddb3a0300740fdcbe1a8ec3a0be0f16dff193f9806364a19262b52bf

SHA512
903e1badb3577e0b3e92b69491596c9a402b51cdf3de43d5fb06b08c5689d2ff7ba25f8d1497d6527e943d9063a7ee79cbf2b47892de1de3b68cc7ca77853d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
da185fddf7e751e39023edde12930f37

SHA1
657fcb7fda401b69d3bb97e7b6abf126ac36d4b2

SHA256
8928226805a92acd76d21e1a276176d9af3ca1ec31f14e45a2b4b88f4722cad5

SHA512
db7bc02a1bd86d587840a56334dee9cb80aa0a8635cd2eb1c490bc5466659350de4d625f320731e34fac235016515d0dddc05a6081149dc6c2e82c262be6b975

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b7773158c3c0a51b58343bbdd6377db5

SHA1
ad5866076c6a82746b528bc97e1d53aa0cb676aa

SHA256
1f156c7f197aa720b07de8e218e054df45290e3e655764ddd0a95db305a2e6dc

SHA512
168228a54eb2986d5c4b88c5f0978b535537a59e5844fac7a13598929240f37245cba0e7575ead73a33ecb16c086ba078833cb3e3191e68bd4b8a3b13a37c799

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e3161f4edbc9b963debe22e29658050b

SHA1
45dbf88dadafe5dd1cfee1e987c8a219d3208cdb

SHA256
1359d6daeaed2f254b162914203c891b23139cc236a3bf75c2dfcbe26265c84a

SHA512
006ffb8f37d1f77f8ee79b22ffa413819f565d62773c632b70985759572121c6ab4743139d16d885f8c0ff9d0e0b136686741728b3e142ee54aea3bb733dffb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\_bz2.pyd

Filesize
83KB

MD5
5bebc32957922fe20e927d5c4637f100

SHA1
a94ea93ee3c3d154f4f90b5c2fe072cc273376b3

SHA256
3ed0e5058d370fb14aa5469d81f96c5685559c054917c7280dd4125f21d25f62

SHA512
afbe80a73ee9bd63d9ffa4628273019400a75f75454667440f43beb253091584bf9128cbb78ae7b659ce67a5faefdba726edb37987a4fe92f082d009d523d5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\_cffi_backend.cp312-win_amd64.pyd

Filesize
178KB

MD5
0572b13646141d0b1a5718e35549577c

SHA1
eeb40363c1f456c1c612d3c7e4923210eae4cdf7

SHA256
d8a76d1e31bbd62a482dea9115fc1a109cb39af4cf6d1323409175f3c93113a7

SHA512
67c28432ca8b389acc26e47eb8c4977fddd4af9214819f89df07fecbc8ed750d5f35807a1b195508dd1d77e2a7a9d7265049dcfbfe7665a7fd1ba45da1e4e842

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\_decimal.pyd

Filesize
251KB

MD5
492c0c36d8ed1b6ca2117869a09214da

SHA1
b741cae3e2c9954e726890292fa35034509ef0f6

SHA256
b8221d1c9e2c892dd6227a6042d1e49200cd5cb82adbd998e4a77f4ee0e9abf1

SHA512
b8f1c64ad94db0252d96082e73a8632412d1d73fb8095541ee423df6f00bc417a2b42c76f15d7e014e27baae0ef50311c3f768b1560db005a522373f442e4be0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\_hashlib.pyd

Filesize
64KB

MD5
da02cefd8151ecb83f697e3bd5280775

SHA1
1c5d0437eb7e87842fde55241a5f0ca7f0fc25e7

SHA256
fd77a5756a17ec0788989f73222b0e7334dd4494b8c8647b43fe554cf3cfb354

SHA512
a13bc5c481730f48808905f872d92cb8729cc52cfb4d5345153ce361e7d6586603a58b964a1ebfd77dd6222b074e5dcca176eaaefecc39f75496b1f8387a2283

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\_lzma.pyd

Filesize
156KB

MD5
195defe58a7549117e06a57029079702

SHA1
3795b02803ca37f399d8883d30c0aa38ad77b5f2

SHA256
7bf9ff61babebd90c499a8ed9b62141f947f90d87e0bbd41a12e99d20e06954a

SHA512
c47a9b1066dd9744c51ed80215bd9645aab6cc9d6a3f9df99f618e3dd784f6c7ce6f53eabe222cf134ee649250834193d5973e6e88f8a93151886537c62e2e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\_queue.pyd

Filesize
31KB

MD5
b7e5fbd7ef3eefff8f502290c0e2b259

SHA1
9decba47b1cdb0d511b58c3146d81644e56e3611

SHA256
dbdabb5fe0ccbc8b951a2c6ec033551836b072cab756aaa56b6f22730080d173

SHA512
b7568b9df191347d1a8d305bd8ddd27cbfa064121c785fa2e6afef89ec330b60cafc366be2b22409d15c9434f5e46e36c5cbfb10783523fdcac82c30360d36f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\_socket.pyd

Filesize
81KB

MD5
dd8ff2a3946b8e77264e3f0011d27704

SHA1
a2d84cfc4d6410b80eea4b25e8efc08498f78990

SHA256
b102522c23dac2332511eb3502466caf842d6bcd092fbc276b7b55e9cc01b085

SHA512
958224a974a3449bcfb97faab70c0a5b594fa130adc0c83b4e15bdd7aab366b58d94a4a9016cb662329ea47558645acd0e0cc6df54f12a81ac13a6ec0c895cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\_ssl.pyd

Filesize
174KB

MD5
c87c5890039c3bdb55a8bc189256315f

SHA1
84ef3c2678314b7f31246471b3300da65cb7e9de

SHA256
a5d361707f7a2a2d726b20770e8a6fc25d753be30bcbcbbb683ffee7959557c2

SHA512
e750dc36ae00249ed6da1c9d816f1bd7f8bc84ddea326c0cd0410dbcfb1a945aac8c130665bfacdccd1ee2b7ac097c6ff241bfc6cc39017c9d1cde205f460c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\base_library.zip

Filesize
1.3MB

MD5
ec06b85bb25c6136241bebf35f3e1f62

SHA1
f6aae8ec7ae916f67730f862338aeba5163feb4a

SHA256
e5d57cbe531bc934fbe70dc3b8fb2b8fb57ba7abb2c6470c3c10f124127d09c4

SHA512
9bc9745e70627939250dd5480e4991f24e7945682d28a37c1812f9d86f5ebc1f2116f6ec09967e8753baf56b57ac7de944eb1204e547ae36ff89e7a353a2ed8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\certifi\cacert.pem

Filesize
284KB

MD5
181ac9a809b1a8f1bc39c1c5c777cf2a

SHA1
9341e715cea2e6207329e7034365749fca1f37dc

SHA256
488ba960602bf07cc63f4ef7aec108692fec41820fc3328a8e3f3de038149aee

SHA512
e19a92b94aedcf1282b3ef561bd471ea19ed361334092c55d72425f9183ebd1d30a619e493841b6f75c629f26f28dc682960977941b486c59475f21cf86fff85

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\charset_normalizer\md.cp312-win_amd64.pyd

Filesize
10KB

MD5
d9e0217a89d9b9d1d778f7e197e0c191

SHA1
ec692661fcc0b89e0c3bde1773a6168d285b4f0d

SHA256
ecf12e2c0a00c0ed4e2343ea956d78eed55e5a36ba49773633b2dfe7b04335c0

SHA512
3b788ac88c1f2d682c1721c61d223a529697c7e43280686b914467b3b39e7d6debaff4c0e2f42e9dddb28b522f37cb5a3011e91c66d911609c63509f9228133d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\charset_normalizer\md__mypyc.cp312-win_amd64.pyd

Filesize
120KB

MD5
bf9a9da1cf3c98346002648c3eae6dcf

SHA1
db16c09fdc1722631a7a9c465bfe173d94eb5d8b

SHA256
4107b1d6f11d842074a9f21323290bbe97e8eed4aa778fbc348ee09cc4fa4637

SHA512
7371407d12e632fc8fb031393838d36e6a1fe1e978ced36ff750d84e183cde6dd20f75074f4597742c9f8d6f87af12794c589d596a81b920c6c62ee2ba2e5654

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\libcrypto-3.dll

Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\libssl-3.dll

Filesize
768KB

MD5
19a2aba25456181d5fb572d88ac0e73e

SHA1
656ca8cdfc9c3a6379536e2027e93408851483db

SHA256
2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006

SHA512
df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\python3.dll

Filesize
66KB

MD5
a07661c5fad97379cf6d00332999d22c

SHA1
dca65816a049b3cce5c4354c3819fef54c6299b0

SHA256
5146005c36455e7ede4b8ecc0dc6f6fa8ea6b4a99fedbabc1994ae27dfab9d1b

SHA512
6ddeb9d89ccb4d2ec5d994d85a55e5e2cc7af745056dae030ab8d72ee7830f672003f4675b6040f123fc64c19e9b48cabd0da78101774dafacf74a88fbd74b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\python312.dll

Filesize
6.6MB

MD5
d521654d889666a0bc753320f071ef60

SHA1
5fd9b90c5d0527e53c199f94bad540c1e0985db6

SHA256
21700f0bad5769a1b61ea408dc0a140ffd0a356a774c6eb0cc70e574b929d2e2

SHA512
7a726835423a36de80fb29ef65dfe7150bd1567cac6f3569e24d9fe091496c807556d0150456429a3d1a6fd2ed0b8ae3128ea3b8674c97f42ce7c897719d2cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\select.pyd

Filesize
30KB

MD5
d0cc9fc9a0650ba00bd206720223493b

SHA1
295bc204e489572b74cc11801ed8590f808e1618

SHA256
411d6f538bdbaf60f1a1798fa8aa7ed3a4e8fcc99c9f9f10d21270d2f3742019

SHA512
d3ebcb91d1b8aa247d50c2c4b2ba1bf3102317c593cbf6c63883e8bf9d6e50c0a40f149654797abc5b4f17aee282ddd972a8cd9189bfcd5b9cec5ab9c341e20b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\unicodedata.pyd

Filesize
1.1MB

MD5
cc8142bedafdfaa50b26c6d07755c7a6

SHA1
0fcab5816eaf7b138f22c29c6d5b5f59551b39fe

SHA256
bc2cf23b7b7491edcf03103b78dbaf42afd84a60ea71e764af9a1ddd0fe84268

SHA512
c3b0c1dbe5bf159ab7706f314a75a856a08ebb889f53fe22ab3ec92b35b5e211edab3934df3da64ebea76f38eb9bfc9504db8d7546a36bc3cabe40c5599a9cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hyihet4k.di5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5D7D.tmp.dat

Filesize
114KB

MD5
2e5b34ca73bac7d39579ae5af5c50268

SHA1
910b0865cce750b73e308d0c9314edcdcf4162bb

SHA256
79f7541d73ed1744fbc041fdeaf95cae2e2a43cf9d73f6d9476b67a5c2ea9695

SHA512
95dcb404558da6bf1b58640440f3e26b13bf53b8fe05932e85b85dea7e629a544f2bfef094fdd23fd2ad0692297aad338e23c9e6e516e5c852d6d7c1c97249fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5DAD.tmp.dat

Filesize
5.0MB

MD5
1e256b0e7a5e0a6451381d3fc3697dfc

SHA1
470fd743da4f7a18cde0ad8f7e70dcfefabd04b8

SHA256
30178a1c937192d3af93c49f9f885dc73f26b37987b130c59fe822b067ea1ce6

SHA512
a3aea8551c3c7efe31a98e4775508401ed2ff20013e4bd7b2aae17590ada67e0a0af21d6213b9da191019c12fc61ec950d48717b18a4126e5db03b74e0cbae01

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5DAF.tmp.dat

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5E92.tmp.dat

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5E93.tmp.dat

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5E94.tmp.dat

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5EA6.tmp.dat

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5EAA.tmp.dat

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5EAB.tmp.dat

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5EBB.tmp.dat

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome Update.exe

Filesize
152KB

MD5
16cdd301591c6af35a03cd18caee2e59

SHA1
92c6575b57eac309c8664d4ac76d87f2906e8ef3

SHA256
11d55ac2f9070a70d12f760e9a6ee75136eca4bf711042acc25828ddda3582c8

SHA512
a44402e5e233cb983f7cfd9b81bc542a08d8092ffa4bd970fc25fe112355643506d5dfee0dd76f2e79b983df0fde67bfc50aabb477492a7596e38081e4083476

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive.exe

Filesize
140KB

MD5
a1cd6f4a3a37ed83515aa4752f98eb1d

SHA1
7f787c8d72787d8d130b4788b006b799167d1802

SHA256
5cbcc0a0c1d74cd54ac999717b0ff0607fe6ed02cca0a3e0433dd94783cfec65

SHA512
9489287e0b4925345fee05fe2f6e6f12440af1425ef397145e32e6f80c7ae98b530e42002d92dc156643f9829bc8a3b969e855cecd2265b6616c4514eed00355

Download Submit
C:\Users\Admin\AppData\Roaming\msedge.exe

Filesize
166KB

MD5
aee20d80f94ae0885bb2cabadb78efc9

SHA1
1e82eba032fcb0b89e1fdf937a79133a5057d0a1

SHA256
498eb55b3fb4c4859ee763a721870bb60ecd57e99f66023b69d8a258efa3af7d

SHA512
3a05ff32b9aa79092578c09dfe67eaca23c6fe8383111dab05117f39d91f27670029f39482827d191bd6a652483202b8fc1813f8d5a0f3f73fd35ca37a4f6d42

Download Submit
C:\Users\Admin\AppData\Roaming\run.exe

Filesize
11.2MB

MD5
b0f1c2cda8253f6235965f7f011b7eb8

SHA1
97628130056d62bf2d23aae2139fde9ab6efcc19

SHA256
bacae921eb0f1074c8d44976019fe58fb6721e707ab06c57ec640bbcbe1fc27c

SHA512
49326009dd6bb2a46b1afb8e5dfb820fb27b53673013468c4fb8c9bd8273d5bd248e5d61c6e3e2a0d70cfc3e1a4e66be00d3dd556b74402159da62a8bb3c8525

Download Submit
memory/732-139-0x00000263710E0000-0x0000026371102000-memory.dmp

Filesize
136KB

Download
memory/1440-271-0x00007FFA49CD0000-0x00007FFA4A791000-memory.dmp

Filesize
10.8MB

Download
memory/1440-405-0x00007FFA49CD0000-0x00007FFA4A791000-memory.dmp

Filesize
10.8MB

Download
memory/1440-280-0x000000001D8B0000-0x000000001D9D0000-memory.dmp

Filesize
1.1MB

Download
memory/1440-37-0x00007FFA49CD0000-0x00007FFA4A791000-memory.dmp

Filesize
10.8MB

Download
memory/1440-32-0x0000000000430000-0x000000000045C000-memory.dmp

Filesize
176KB

Download
memory/1440-254-0x00007FFA49CD0000-0x00007FFA4A791000-memory.dmp

Filesize
10.8MB

Download
memory/1440-273-0x00007FFA49CD0000-0x00007FFA4A791000-memory.dmp

Filesize
10.8MB

Download
memory/2880-0-0x00007FFA49CD3000-0x00007FFA49CD5000-memory.dmp

Filesize
8KB

Download
memory/2880-1-0x0000000000FB0000-0x0000000001B5E000-memory.dmp

Filesize
11.7MB

Download
memory/3092-272-0x00007FFA49CD0000-0x00007FFA4A791000-memory.dmp

Filesize
10.8MB

Download
memory/3092-40-0x00007FFA49CD0000-0x00007FFA4A791000-memory.dmp

Filesize
10.8MB

Download
memory/3092-35-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/3092-406-0x00007FFA49CD0000-0x00007FFA4A791000-memory.dmp

Filesize
10.8MB

Download
memory/4936-38-0x0000000000E90000-0x0000000000EB8000-memory.dmp

Filesize
160KB

Download