exelastealer | ddd3d4845c1793d54c69eecfde7fbdf29ebfa246b05fb5350899ccaa9a607baa

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-08-2024 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RDPAccessorV4.exe
Size

21.2MB
MD5

bd36df9833732a95ee1c49688912f8ae
SHA1

fea78c7cfcf4a0038f02a9e54a74a728d19dacbd
SHA256

ddd3d4845c1793d54c69eecfde7fbdf29ebfa246b05fb5350899ccaa9a607baa
SHA512

7a7faf3bada6b0873616116173bbd32703a0c0176edc2b8c3ce1bf2e7195193587753f403bf921183b79278e7d0bb5e51aecfa62910e44d155b91f4388002519
SSDEEP

393216:2EygOPmCjPpY7tzSoaS5Bg2/k9Q4sUiZRlDbeibaDZf6ycplTbcBEJrYNX4LqL2p:2QpgPpqSS5zk9XgZr9qt6ysRAUYNILk4

Score

10^/10

exelastealer collection credential_access defense_evasion discovery evasion persistence privilege_escalation pyinstaller ransomware spyware stealer

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Renames multiple (55) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Modifies Windows Firewall 2 TTPs 6 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2548	netsh.exe
1676	netsh.exe
3472	netsh.exe
1908	netsh.exe
2768	netsh.exe
1160	netsh.exe

Checks computer location settings 2 TTPs 59 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RDPAccessorV4.exe

Clipboard Data 1 TTPs 6 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4812	cmd.exe
4764	powershell.exe
3456	cmd.exe
2468	powershell.exe
3572	cmd.exe
4004	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
2668	RDPAccessor.exe
2252	RDPAccessor.exe
2096	RDPAccessor.exe
3612	RDPAccessor.exe
4772	RDPAccessor.exe
3452	RDPAccessor.exe
3132	RDPAccessor.exe
4828	RDPAccessor.exe
2240	RDPAccessor.exe
4820	RDPAccessor.exe
3000	RDPAccessor.exe
1876	RDPAccessor.exe
4120	RDPAccessor.exe
2112	RDPAccessor.exe
376	RDPAccessor.exe
4448	RDPAccessor.exe
424	RDPAccessor.exe
4116	RDPAccessor.exe
4632	RDPAccessor.exe
1604	RDPAccessor.exe
1688	RDPAccessor.exe
4528	RDPAccessor.exe
2996	RDPAccessor.exe
2340	RDPAccessor.exe
636	RDPAccessor.exe
216	RDPAccessor.exe
2840	RDPAccessor.exe
4296	RDPAccessor.exe
2996	RDPAccessor.exe
2640	RDPAccessor.exe
4568	RDPAccessor.exe
4488	RDPAccessor.exe
2372	RDPAccessor.exe
4048	RDPAccessor.exe
3280	RDPAccessor.exe
2236	RDPAccessor.exe
2904	RDPAccessor.exe
2728	RDPAccessor.exe
1604	RDPAccessor.exe
4624	RDPAccessor.exe
2240	RDPAccessor.exe
1476	RDPAccessor.exe
2132	RDPAccessor.exe
4084	RDPAccessor.exe
3384	RDPAccessor.exe
1104	RDPAccessor.exe
4112	RDPAccessor.exe
4400	RDPAccessor.exe
3972	RDPAccessor.exe
1160	RDPAccessor.exe
1284	RDPAccessor.exe
4488	RDPAccessor.exe
2640	RDPAccessor.exe
4220	RDPAccessor.exe
5012	RDPAccessor.exe
1304	RDPAccessor.exe
2468	RDPAccessor.exe
4832	RDPAccessor.exe
696	RDPAccessor.exe
1948	RDPAccessor.exe
4432	RDPAccessor.exe
4716	RDPAccessor.exe
1116	RDPAccessor.exe
4112	RDPAccessor.exe

Loads dropped DLL 64 IoCs

pid	Process
2252	RDPAccessor.exe
2252	RDPAccessor.exe
2252	RDPAccessor.exe
2252	RDPAccessor.exe
2252	RDPAccessor.exe
2252	RDPAccessor.exe
2252	RDPAccessor.exe
2252	RDPAccessor.exe
2252	RDPAccessor.exe
2252	RDPAccessor.exe
2252	RDPAccessor.exe
2252	RDPAccessor.exe
2252	RDPAccessor.exe
2252	RDPAccessor.exe
2252	RDPAccessor.exe
2252	RDPAccessor.exe
2252	RDPAccessor.exe
2252	RDPAccessor.exe
2252	RDPAccessor.exe
2252	RDPAccessor.exe
2252	RDPAccessor.exe
2252	RDPAccessor.exe
2252	RDPAccessor.exe
2252	RDPAccessor.exe
2252	RDPAccessor.exe
2252	RDPAccessor.exe
2252	RDPAccessor.exe
2252	RDPAccessor.exe
2252	RDPAccessor.exe
2252	RDPAccessor.exe
3612	RDPAccessor.exe
3612	RDPAccessor.exe
3612	RDPAccessor.exe
3612	RDPAccessor.exe
3612	RDPAccessor.exe
3612	RDPAccessor.exe
3612	RDPAccessor.exe
3612	RDPAccessor.exe
3612	RDPAccessor.exe
3612	RDPAccessor.exe
3612	RDPAccessor.exe
3612	RDPAccessor.exe
3612	RDPAccessor.exe
3612	RDPAccessor.exe
3612	RDPAccessor.exe
3612	RDPAccessor.exe
3612	RDPAccessor.exe
3612	RDPAccessor.exe
3612	RDPAccessor.exe
3612	RDPAccessor.exe
3612	RDPAccessor.exe
3612	RDPAccessor.exe
3612	RDPAccessor.exe
3612	RDPAccessor.exe
3612	RDPAccessor.exe
3612	RDPAccessor.exe
3612	RDPAccessor.exe
3612	RDPAccessor.exe
3612	RDPAccessor.exe
3612	RDPAccessor.exe
2252	RDPAccessor.exe
3452	RDPAccessor.exe
3452	RDPAccessor.exe
3452	RDPAccessor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 16 IoCs

Web Service

T1102

flow	ioc
37	discord.com
38	discord.com
75	discord.com
102	discord.com
36	discord.com
72	discord.com
103	discord.com
104	discord.com
105	discord.com
35	discord.com
76	discord.com
101	discord.com
34	discord.com
45	discord.com
73	discord.com
74	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	ip-api.com
86	ip-api.com

Network Service Discovery 1 TTPs 6 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
4612	ARP.EXE
4072	cmd.exe
4060	ARP.EXE
4488	cmd.exe
1112	ARP.EXE
4376	cmd.exe

Enumerates processes with tasklist 1 TTPs 12 IoCs

discovery

Process Discovery

T1057

pid	Process
4072	tasklist.exe
2148	tasklist.exe
2904	tasklist.exe
3020	tasklist.exe
2156	tasklist.exe
3632	tasklist.exe
3344	tasklist.exe
2364	tasklist.exe
620	tasklist.exe
3996	tasklist.exe
1696	tasklist.exe
3568	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
620	cmd.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
840	sc.exe
1512	sc.exe
2528	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x000a000000023453-7.dat	pyinstaller

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral2/files/0x0007000000023483-125.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 27 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 6 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
732	cmd.exe
3220	netsh.exe
4092	cmd.exe
4224	netsh.exe
2176	cmd.exe
1324	netsh.exe

System Network Connections Discovery 1 TTPs 3 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
2176	NETSTAT.EXE
4724	NETSTAT.EXE
2036	NETSTAT.EXE

Collects information from the system 1 TTPs 3 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
2156	WMIC.exe
5112	WMIC.exe
2112	WMIC.exe

Gathers network information 2 TTPs 6 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4216	ipconfig.exe
2176	NETSTAT.EXE
1780	ipconfig.exe
4724	NETSTAT.EXE
2936	ipconfig.exe
2036	NETSTAT.EXE

Gathers system information 1 TTPs 3 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4920	systeminfo.exe
1436	systeminfo.exe
1684	systeminfo.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4764	powershell.exe
4764	powershell.exe
4764	powershell.exe
2468	powershell.exe
2468	powershell.exe
2468	powershell.exe
4004	powershell.exe
4004	powershell.exe
4004	powershell.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5116	WMIC.exe
Token: SeSecurityPrivilege	5116	WMIC.exe
Token: SeTakeOwnershipPrivilege	5116	WMIC.exe
Token: SeLoadDriverPrivilege	5116	WMIC.exe
Token: SeSystemProfilePrivilege	5116	WMIC.exe
Token: SeSystemtimePrivilege	5116	WMIC.exe
Token: SeProfSingleProcessPrivilege	5116	WMIC.exe
Token: SeIncBasePriorityPrivilege	5116	WMIC.exe
Token: SeCreatePagefilePrivilege	5116	WMIC.exe
Token: SeBackupPrivilege	5116	WMIC.exe
Token: SeRestorePrivilege	5116	WMIC.exe
Token: SeShutdownPrivilege	5116	WMIC.exe
Token: SeDebugPrivilege	5116	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5116	WMIC.exe
Token: SeRemoteShutdownPrivilege	5116	WMIC.exe
Token: SeUndockPrivilege	5116	WMIC.exe
Token: SeManageVolumePrivilege	5116	WMIC.exe
Token: 33	5116	WMIC.exe
Token: 34	5116	WMIC.exe
Token: 35	5116	WMIC.exe
Token: 36	5116	WMIC.exe
Token: SeDebugPrivilege	2364	tasklist.exe
Token: SeIncreaseQuotaPrivilege	5116	WMIC.exe
Token: SeSecurityPrivilege	5116	WMIC.exe
Token: SeTakeOwnershipPrivilege	5116	WMIC.exe
Token: SeLoadDriverPrivilege	5116	WMIC.exe
Token: SeSystemProfilePrivilege	5116	WMIC.exe
Token: SeSystemtimePrivilege	5116	WMIC.exe
Token: SeProfSingleProcessPrivilege	5116	WMIC.exe
Token: SeIncBasePriorityPrivilege	5116	WMIC.exe
Token: SeCreatePagefilePrivilege	5116	WMIC.exe
Token: SeBackupPrivilege	5116	WMIC.exe
Token: SeRestorePrivilege	5116	WMIC.exe
Token: SeShutdownPrivilege	5116	WMIC.exe
Token: SeDebugPrivilege	5116	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5116	WMIC.exe
Token: SeRemoteShutdownPrivilege	5116	WMIC.exe
Token: SeUndockPrivilege	5116	WMIC.exe
Token: SeManageVolumePrivilege	5116	WMIC.exe
Token: 33	5116	WMIC.exe
Token: 34	5116	WMIC.exe
Token: 35	5116	WMIC.exe
Token: 36	5116	WMIC.exe
Token: SeDebugPrivilege	4072	tasklist.exe
Token: SeDebugPrivilege	2148	tasklist.exe
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeIncreaseQuotaPrivilege	2156	WMIC.exe
Token: SeSecurityPrivilege	2156	WMIC.exe
Token: SeTakeOwnershipPrivilege	2156	WMIC.exe
Token: SeLoadDriverPrivilege	2156	WMIC.exe
Token: SeSystemProfilePrivilege	2156	WMIC.exe
Token: SeSystemtimePrivilege	2156	WMIC.exe
Token: SeProfSingleProcessPrivilege	2156	WMIC.exe
Token: SeIncBasePriorityPrivilege	2156	WMIC.exe
Token: SeCreatePagefilePrivilege	2156	WMIC.exe
Token: SeBackupPrivilege	2156	WMIC.exe
Token: SeRestorePrivilege	2156	WMIC.exe
Token: SeShutdownPrivilege	2156	WMIC.exe
Token: SeDebugPrivilege	2156	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2156	WMIC.exe
Token: SeRemoteShutdownPrivilege	2156	WMIC.exe
Token: SeUndockPrivilege	2156	WMIC.exe
Token: SeManageVolumePrivilege	2156	WMIC.exe
Token: 33	2156	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4528	RDPAccessor.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 2668	5056	RDPAccessorV4.exe	87
PID 5056 wrote to memory of 2668	5056	RDPAccessorV4.exe	87
PID 5056 wrote to memory of 2432	5056	RDPAccessorV4.exe	88
PID 5056 wrote to memory of 2432	5056	RDPAccessorV4.exe	88
PID 2668 wrote to memory of 2252	2668	RDPAccessor.exe	89
PID 2668 wrote to memory of 2252	2668	RDPAccessor.exe	89
PID 2252 wrote to memory of 4020	2252	RDPAccessor.exe	90
PID 2252 wrote to memory of 4020	2252	RDPAccessor.exe	90
PID 2252 wrote to memory of 1900	2252	RDPAccessor.exe	94
PID 2252 wrote to memory of 1900	2252	RDPAccessor.exe	94
PID 2252 wrote to memory of 1676	2252	RDPAccessor.exe	95
PID 2252 wrote to memory of 1676	2252	RDPAccessor.exe	95
PID 1900 wrote to memory of 5116	1900	cmd.exe	99
PID 1900 wrote to memory of 5116	1900	cmd.exe	99
PID 1676 wrote to memory of 2364	1676	cmd.exe	100
PID 1676 wrote to memory of 2364	1676	cmd.exe	100
PID 2432 wrote to memory of 2096	2432	RDPAccessorV4.exe	102
PID 2432 wrote to memory of 2096	2432	RDPAccessorV4.exe	102
PID 2432 wrote to memory of 216	2432	RDPAccessorV4.exe	103
PID 2432 wrote to memory of 216	2432	RDPAccessorV4.exe	103
PID 2096 wrote to memory of 3612	2096	RDPAccessor.exe	104
PID 2096 wrote to memory of 3612	2096	RDPAccessor.exe	104
PID 3612 wrote to memory of 1436	3612	RDPAccessor.exe	105
PID 3612 wrote to memory of 1436	3612	RDPAccessor.exe	105
PID 2252 wrote to memory of 620	2252	RDPAccessor.exe	107
PID 2252 wrote to memory of 620	2252	RDPAccessor.exe	107
PID 620 wrote to memory of 4288	620	cmd.exe	109
PID 620 wrote to memory of 4288	620	cmd.exe	109
PID 2252 wrote to memory of 3388	2252	RDPAccessor.exe	110
PID 2252 wrote to memory of 3388	2252	RDPAccessor.exe	110
PID 3388 wrote to memory of 4072	3388	cmd.exe	112
PID 3388 wrote to memory of 4072	3388	cmd.exe	112
PID 2252 wrote to memory of 376	2252	RDPAccessor.exe	113
PID 2252 wrote to memory of 376	2252	RDPAccessor.exe	113
PID 2252 wrote to memory of 1104	2252	RDPAccessor.exe	114
PID 2252 wrote to memory of 1104	2252	RDPAccessor.exe	114
PID 2252 wrote to memory of 724	2252	RDPAccessor.exe	115
PID 2252 wrote to memory of 724	2252	RDPAccessor.exe	115
PID 2252 wrote to memory of 4812	2252	RDPAccessor.exe	116
PID 2252 wrote to memory of 4812	2252	RDPAccessor.exe	116
PID 1104 wrote to memory of 4712	1104	cmd.exe	121
PID 1104 wrote to memory of 4712	1104	cmd.exe	121
PID 376 wrote to memory of 768	376	cmd.exe	122
PID 376 wrote to memory of 768	376	cmd.exe	122
PID 724 wrote to memory of 2148	724	cmd.exe	123
PID 724 wrote to memory of 2148	724	cmd.exe	123
PID 4712 wrote to memory of 4448	4712	cmd.exe	124
PID 4712 wrote to memory of 4448	4712	cmd.exe	124
PID 4812 wrote to memory of 4764	4812	cmd.exe	126
PID 4812 wrote to memory of 4764	4812	cmd.exe	126
PID 768 wrote to memory of 3456	768	cmd.exe	125
PID 768 wrote to memory of 3456	768	cmd.exe	125
PID 2252 wrote to memory of 2176	2252	RDPAccessor.exe	127
PID 2252 wrote to memory of 2176	2252	RDPAccessor.exe	127
PID 2252 wrote to memory of 4488	2252	RDPAccessor.exe	129
PID 2252 wrote to memory of 4488	2252	RDPAccessor.exe	129
PID 2176 wrote to memory of 1324	2176	cmd.exe	131
PID 2176 wrote to memory of 1324	2176	cmd.exe	131
PID 4488 wrote to memory of 4920	4488	cmd.exe	132
PID 4488 wrote to memory of 4920	4488	cmd.exe	132
PID 216 wrote to memory of 4772	216	RDPAccessorV4.exe	134
PID 216 wrote to memory of 4772	216	RDPAccessorV4.exe	134
PID 216 wrote to memory of 3996	216	RDPAccessorV4.exe	135
PID 216 wrote to memory of 3996	216	RDPAccessorV4.exe	135

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4288	attrib.exe

C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
"C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
  "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
    "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:4020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1900
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1676
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
      4⤵
      Hide Artifacts: Hidden Files and Directories
      Suspicious use of WriteProcessMemory
      PID:620
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
        5⤵
        Views/modifies file attributes
        
        PID:4288
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3388
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4072
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:376
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:768
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:3456
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1104
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4712
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:4448
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:724
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
      4⤵
      Clipboard Data
      Suspicious use of WriteProcessMemory
      PID:4812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        5⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4764
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      Suspicious use of WriteProcessMemory
      PID:2176
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1324
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
      4⤵
      Network Service Discovery
      Suspicious use of WriteProcessMemory
      PID:4488
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:4920
    - - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        5⤵
        
        PID:2484
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        5⤵
        Collects information from the system
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
    - - C:\Windows\system32\net.exe
        
        net user
        5⤵
        
        PID:4740
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        6⤵
        
        PID:3928
    - - C:\Windows\system32\query.exe
        
        query user
        5⤵
        
        PID:1156
      - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        6⤵
        
        PID:4296
    - - C:\Windows\system32\net.exe
        
        net localgroup
        5⤵
        
        PID:4068
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        6⤵
        
        PID:4664
    - - C:\Windows\system32\net.exe
        
        net localgroup administrators
        5⤵
        
        PID:4712
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        6⤵
        
        PID:4256
    - - C:\Windows\system32\net.exe
        
        net user guest
        5⤵
        
        PID:1848
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        6⤵
        
        PID:4820
    - - C:\Windows\system32\net.exe
        
        net user administrator
        5⤵
        
        PID:3800
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        6⤵
        
        PID:2636
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        5⤵
        
        PID:3224
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        5⤵
        Enumerates processes with tasklist
        
        PID:3568
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        5⤵
        Gathers network information
        
        PID:4216
    - - C:\Windows\system32\ROUTE.EXE
        
        route print
        5⤵
        
        PID:4236
    - - C:\Windows\system32\ARP.EXE
        
        arp -a
        5⤵
        Network Service Discovery
        
        PID:1112
    - - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        5⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:2176
    - - C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        5⤵
        Launches sc.exe
        
        PID:840
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2548
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1676
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:116
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:4160
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:3612
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:4084
- C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
  "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
    "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
      "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:3612
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:1436
- - C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
    "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:216
  - - C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
      "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
      4⤵
      Executes dropped EXE
      PID:4772
    - - C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3452
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:3612
  - - C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
      "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
      4⤵
      Checks computer location settings
      PID:3996
    - - C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        5⤵
        Executes dropped EXE
        
        PID:3132
      - C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        6⤵
        Executes dropped EXE
        
        PID:4828
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        7⤵
        
        PID:2996
    - - C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        5⤵
        Checks computer location settings
        
        PID:3632
      - C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        6⤵
        Executes dropped EXE
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        7⤵
        Executes dropped EXE
        
        PID:4820
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        8⤵
        
        PID:3280
      - C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        6⤵
        Checks computer location settings
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        7⤵
        Executes dropped EXE
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        8⤵
        Executes dropped EXE
        
        PID:1876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        9⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        7⤵
        Checks computer location settings
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        8⤵
        Executes dropped EXE
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        9⤵
        Executes dropped EXE
        
        PID:2112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        10⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        8⤵
        Checks computer location settings
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        9⤵
        Executes dropped EXE
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        10⤵
        Executes dropped EXE
        
        PID:4448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        11⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        9⤵
        Checks computer location settings
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        10⤵
        Executes dropped EXE
        
        PID:424
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        11⤵
        Executes dropped EXE
        
        PID:4116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        10⤵
        Checks computer location settings
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        11⤵
        Executes dropped EXE
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        12⤵
        Executes dropped EXE
        
        PID:1604
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        13⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        11⤵
        Checks computer location settings
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        12⤵
        Executes dropped EXE
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        
        PID:4528
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        14⤵
        
        PID:2676
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        14⤵
        
        PID:544
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        15⤵
        
        PID:1884
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        14⤵
        
        PID:4840
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        15⤵
        Enumerates processes with tasklist
        
        PID:2904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        14⤵
        
        PID:992
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        15⤵
        Enumerates processes with tasklist
        
        PID:3020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        14⤵
        
        PID:3224
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        15⤵
        
        PID:3384
        
        C:\Windows\system32\chcp.com
        
        chcp
        16⤵
        
        PID:1236
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        14⤵
        
        PID:2840
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        15⤵
        
        PID:4904
        
        C:\Windows\system32\chcp.com
        
        chcp
        16⤵
        
        PID:1092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        14⤵
        
        PID:4296
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        15⤵
        Enumerates processes with tasklist
        
        PID:3996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        14⤵
        Clipboard Data
        
        PID:3456
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        15⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:2468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        14⤵
        Network Service Discovery
        
        PID:4376
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        15⤵
        Gathers system information
        
        PID:1436
        
        C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        15⤵
        
        PID:2640
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        15⤵
        Collects information from the system
        
        PID:5112
        
        C:\Windows\system32\net.exe
        
        net user
        15⤵
        
        PID:3592
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        16⤵
        
        PID:4256
        
        C:\Windows\system32\query.exe
        
        query user
        15⤵
        
        PID:4216
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        16⤵
        
        PID:4388
        
        C:\Windows\system32\net.exe
        
        net localgroup
        15⤵
        
        PID:1428
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        16⤵
        
        PID:4856
        
        C:\Windows\system32\net.exe
        
        net localgroup administrators
        15⤵
        
        PID:4020
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        16⤵
        
        PID:1976
        
        C:\Windows\system32\net.exe
        
        net user guest
        15⤵
        
        PID:2840
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        16⤵
        
        PID:4820
        
        C:\Windows\system32\net.exe
        
        net user administrator
        15⤵
        
        PID:904
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        16⤵
        
        PID:3560
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        15⤵
        
        PID:4368
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        15⤵
        Enumerates processes with tasklist
        
        PID:2156
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        15⤵
        Gathers network information
        
        PID:1780
        
        C:\Windows\system32\ROUTE.EXE
        
        route print
        15⤵
        
        PID:680
        
        C:\Windows\system32\ARP.EXE
        
        arp -a
        15⤵
        Network Service Discovery
        
        PID:4612
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        15⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:4724
        
        C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        15⤵
        Launches sc.exe
        
        PID:1512
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        15⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3472
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        15⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1908
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        14⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:732
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        15⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3220
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        14⤵
        
        PID:4828
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        15⤵
        
        PID:2680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        14⤵
        
        PID:3592
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        15⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        12⤵
        Checks computer location settings
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        13⤵
        Executes dropped EXE
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        14⤵
        Executes dropped EXE
        
        PID:2340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        15⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        13⤵
        Checks computer location settings
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        14⤵
        Executes dropped EXE
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        15⤵
        Executes dropped EXE
        
        PID:216
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        16⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        14⤵
        Checks computer location settings
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        15⤵
        Executes dropped EXE
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        16⤵
        Executes dropped EXE
        
        PID:4296
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        17⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        15⤵
        Checks computer location settings
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        16⤵
        Executes dropped EXE
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        17⤵
        Executes dropped EXE
        
        PID:2640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        18⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        16⤵
        Checks computer location settings
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        17⤵
        Executes dropped EXE
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        18⤵
        Executes dropped EXE
        
        PID:4488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        19⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        17⤵
        Checks computer location settings
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        18⤵
        Executes dropped EXE
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        19⤵
        Executes dropped EXE
        
        PID:4048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        20⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        18⤵
        Checks computer location settings
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        19⤵
        Executes dropped EXE
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        20⤵
        Executes dropped EXE
        
        PID:2236
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        21⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        19⤵
        Checks computer location settings
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        20⤵
        Executes dropped EXE
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        21⤵
        Executes dropped EXE
        
        PID:2728
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        22⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        20⤵
        Checks computer location settings
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        21⤵
        Executes dropped EXE
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        22⤵
        Executes dropped EXE
        
        PID:4624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        23⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        21⤵
        Checks computer location settings
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        22⤵
        Executes dropped EXE
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        23⤵
        Executes dropped EXE
        
        PID:1476
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        24⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        22⤵
        Checks computer location settings
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        23⤵
        Executes dropped EXE
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        24⤵
        Executes dropped EXE
        
        PID:4084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        25⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        23⤵
        Checks computer location settings
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        24⤵
        Executes dropped EXE
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        25⤵
        Executes dropped EXE
        
        PID:1104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        26⤵
        
        PID:100
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        24⤵
        Checks computer location settings
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        25⤵
        Executes dropped EXE
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        26⤵
        Executes dropped EXE
        
        PID:4400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        27⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        25⤵
        Checks computer location settings
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        26⤵
        Executes dropped EXE
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        27⤵
        Executes dropped EXE
        
        PID:1160
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        28⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        26⤵
        Checks computer location settings
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        27⤵
        Executes dropped EXE
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        28⤵
        Executes dropped EXE
        
        PID:4488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        29⤵
        
        PID:3064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        29⤵
        
        PID:4920
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        30⤵
        
        PID:2668
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        29⤵
        
        PID:1884
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        30⤵
        Enumerates processes with tasklist
        
        PID:3632
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        29⤵
        
        PID:3036
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        30⤵
        Enumerates processes with tasklist
        
        PID:1696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        29⤵
        
        PID:4828
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        30⤵
        
        PID:2148
        
        C:\Windows\system32\chcp.com
        
        chcp
        31⤵
        
        PID:1608
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        29⤵
        
        PID:4564
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        30⤵
        
        PID:3348
        
        C:\Windows\system32\chcp.com
        
        chcp
        31⤵
        
        PID:2844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        29⤵
        
        PID:1428
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        30⤵
        Enumerates processes with tasklist
        
        PID:3344
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        29⤵
        Clipboard Data
        
        PID:3572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        30⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:4004
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        29⤵
        Network Service Discovery
        
        PID:4072
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        30⤵
        Gathers system information
        
        PID:1684
        
        C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        30⤵
        
        PID:4612
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        30⤵
        Collects information from the system
        
        PID:2112
        
        C:\Windows\system32\net.exe
        
        net user
        30⤵
        
        PID:4256
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        31⤵
        
        PID:2728
        
        C:\Windows\system32\query.exe
        
        query user
        30⤵
        
        PID:4368
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        31⤵
        
        PID:2036
        
        C:\Windows\system32\net.exe
        
        net localgroup
        30⤵
        
        PID:3932
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        31⤵
        
        PID:4528
        
        C:\Windows\system32\net.exe
        
        net localgroup administrators
        30⤵
        
        PID:2148
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        31⤵
        
        PID:2244
        
        C:\Windows\system32\net.exe
        
        net user guest
        30⤵
        
        PID:3428
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        31⤵
        
        PID:3904
        
        C:\Windows\system32\net.exe
        
        net user administrator
        30⤵
        
        PID:4572
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        31⤵
        
        PID:3620
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        30⤵
        
        PID:4440
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        30⤵
        Enumerates processes with tasklist
        
        PID:620
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        30⤵
        Gathers network information
        
        PID:2936
        
        C:\Windows\system32\ROUTE.EXE
        
        route print
        30⤵
        
        PID:2728
        
        C:\Windows\system32\ARP.EXE
        
        arp -a
        30⤵
        Network Service Discovery
        
        PID:4060
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        30⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:2036
        
        C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        30⤵
        Launches sc.exe
        
        PID:2528
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        30⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2768
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        30⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1160
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        29⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4092
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        30⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        29⤵
        
        PID:1092
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        30⤵
        
        PID:4936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        29⤵
        
        PID:3424
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        30⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        27⤵
        Checks computer location settings
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        28⤵
        Executes dropped EXE
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        29⤵
        Executes dropped EXE
        
        PID:4220
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        30⤵
        
        PID:64
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        28⤵
        Checks computer location settings
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        29⤵
        Executes dropped EXE
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        30⤵
        Executes dropped EXE
        
        PID:1304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        31⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        29⤵
        Checks computer location settings
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        30⤵
        Executes dropped EXE
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        31⤵
        Executes dropped EXE
        
        PID:4832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        32⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        30⤵
        Checks computer location settings
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        31⤵
        Executes dropped EXE
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        32⤵
        Executes dropped EXE
        
        PID:1948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        33⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        31⤵
        Checks computer location settings
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        32⤵
        Executes dropped EXE
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        33⤵
        Executes dropped EXE
        
        PID:4716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        34⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        32⤵
        Checks computer location settings
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        33⤵
        Executes dropped EXE
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        34⤵
        Executes dropped EXE
        
        PID:4112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        35⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        33⤵
        Checks computer location settings
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        34⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        35⤵
        
        PID:2180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        36⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        34⤵
        Checks computer location settings
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        35⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        36⤵
        
        PID:4144
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        37⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        35⤵
        Checks computer location settings
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        36⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        37⤵
        
        PID:5112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        38⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        36⤵
        Checks computer location settings
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        37⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        38⤵
        
        PID:1608
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        39⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        37⤵
        Checks computer location settings
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        38⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        39⤵
        
        PID:2856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        40⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        38⤵
        Checks computer location settings
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        39⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        40⤵
        
        PID:1304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        41⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        39⤵
        Checks computer location settings
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        40⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        41⤵
        
        PID:1900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        42⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        40⤵
        Checks computer location settings
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        41⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        42⤵
        
        PID:4988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        43⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        41⤵
        Checks computer location settings
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        42⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        43⤵
        
        PID:4944
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        44⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        42⤵
        Checks computer location settings
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        43⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        44⤵
        
        PID:4664
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        45⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        43⤵
        Checks computer location settings
        
        PID:424
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        44⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        45⤵
        
        PID:2124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        46⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        44⤵
        Checks computer location settings
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        45⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        46⤵
        
        PID:1304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        47⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        45⤵
        Checks computer location settings
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        46⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        47⤵
        
        PID:4656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        48⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        46⤵
        Checks computer location settings
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        47⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        48⤵
        
        PID:2852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        49⤵
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        47⤵
        Checks computer location settings
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        48⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        49⤵
        
        PID:3432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        50⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        48⤵
        Checks computer location settings
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        49⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        50⤵
        
        PID:3684
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        51⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        49⤵
        Checks computer location settings
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        50⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        51⤵
        
        PID:1448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        52⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        50⤵
        Checks computer location settings
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        51⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        52⤵
        
        PID:4716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        53⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        51⤵
        Checks computer location settings
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        52⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        53⤵
        
        PID:3836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        54⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        52⤵
        Checks computer location settings
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        53⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        54⤵
        
        PID:1632
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        55⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        53⤵
        Checks computer location settings
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        54⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        55⤵
        
        PID:2484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        56⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        54⤵
        Checks computer location settings
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        55⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        56⤵
        
        PID:1100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        57⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        55⤵
        Checks computer location settings
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        56⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        57⤵
        
        PID:4112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        58⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        56⤵
        Checks computer location settings
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        57⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        58⤵
        
        PID:3752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        59⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        57⤵
        Checks computer location settings
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        58⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        59⤵
        
        PID:5112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        60⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        58⤵
        Checks computer location settings
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        59⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        60⤵
        
        PID:3472
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        61⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        59⤵
        Checks computer location settings
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        60⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe"
        61⤵
        
        PID:1656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        62⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RDPAccessorV4.exe"
        60⤵
        
        PID:4020

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cookies.db

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\HistoryData.db

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\HistoryData.db

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logins.db

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logins.db

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\RDPAccessor.exe

Filesize
12.7MB

MD5
b2e5a88000f16edfb7e57b25c698f9a6

SHA1
ad388c1370f67b3fdf9b111e23b7e09a1caa4ae6

SHA256
35f3a54cb69a741994cc785f35168833034dc248204c7c38d4dfd2514c1b0048

SHA512
abc01a1b26751405312d736643432b7babed74fd877d8ae55d964e2ce5cfe0abc0a6091e3f11c266ead737fbc83e370278f18e0a80187249b275cd7dd99c7fd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.db

Filesize
114KB

MD5
db26309558628fa1ef6a1edd23ab2b09

SHA1
9bfb0530d0c2dcc6f9b3947bc3ca602943356368

SHA256
e6287cb739a35ef64a6d19ec146c90c848de8646032fd98d570042c0e2ecf070

SHA512
4171bc6af1ffc5d24d6ddade7b47e94b0547297e25d9a4d45ca831801208b7d83edda0b138436626749711a953a5818486c293e8749c5c2539ef070e848b237c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.db

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\attrs-24.2.0.dist-info\METADATA

Filesize
11KB

MD5
49cabcb5f8da14c72c8c3d00adb3c115

SHA1
f575becf993ecdf9c6e43190c1cb74d3556cf912

SHA256
dc9824e25afd635480a8073038b3cdfe6a56d3073a54e1a6fb21edd4bb0f207c

SHA512
923daeee0861611d230df263577b3c382ae26400ca5f1830ee309bd6737eed2ad934010d61cdd4796618bedb3436cd772d9429a5bed0a106ef7de60e114e505c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\attrs-24.2.0.dist-info\RECORD

Filesize
3KB

MD5
8037e693eafed6c3d0cce916babb50c4

SHA1
2321392aab7ae3a6a78248e5d5f454124d368ec1

SHA256
688073f6556808d9139fea52bec3802d8c0d7ce07978b98aae8db5c98facc0df

SHA512
95b9e6b8f946d2617098c338441afc5a555ff208947d5731e09ee17b959655161c397f57e14827a95a8fd4554de8c6e426dc316f858510ae4aa7ca8723c4cf51

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\attrs-24.2.0.dist-info\WHEEL

Filesize
87B

MD5
52adfa0c417902ee8f0c3d1ca2372ac3

SHA1
b67635615eef7e869d74f4813b5dc576104825dd

SHA256
d7215d7625cc9af60aed0613aad44db57eba589d0ccfc3d8122114a0e514c516

SHA512
bfa87e7b0e76e544c2108ef40b9fac8c5ff4327ab8ede9feb2891bd5d38fea117bd9eebaf62f6c357b4deaddad5a5220e0b4a54078c8c2de34cb1dd5e00f2d62

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\attrs-24.2.0.dist-info\licenses\LICENSE

Filesize
1KB

MD5
5e55731824cf9205cfabeab9a0600887

SHA1
243e9dd038d3d68c67d42c0c4ba80622c2a56246

SHA256
882115c95dfc2af1eeb6714f8ec6d5cbcabf667caff8729f42420da63f714e9f

SHA512
21b242bf6dcbafa16336d77a40e69685d7e64a43cc30e13e484c72a93cd4496a7276e18137dc601b6a8c3c193cb775db89853ecc6d6eb2956deee36826d5ebfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\cryptography-43.0.0.dist-info\METADATA

Filesize
5KB

MD5
1682e8458a9f3565fd0941626cbe4302

SHA1
e5937d80b6ba976905491c9dbd8e16d0226795b5

SHA256
24f9838874233de69f9de9aebd95359e499498508d962b605d90186288d7d8c0

SHA512
2dc669a07dd263c967d637ac2e76ed3788830d96b91e256e16125997c4e3a68d268dc220c056bbfbc3b5e7def7d063b776d9d1da303a840ff203dae668d7a366

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\cryptography-43.0.0.dist-info\RECORD

Filesize
15KB

MD5
b4a0dca5a787b3c351dd3b888414a636

SHA1
bf078ce3a34f915c3492e46003a7c2b902870fb0

SHA256
d7b58bbd7b4c6d2cb7598431cc029f63a51c16b810e2eb99aef34b951c315149

SHA512
8e77f7f30d86a6de0268b59be13af1f097bd29bdf9d64e97a33a0cec0226c9fb24ee1b29145f217b1e8c3608a364ad32318bb10c73872e0feb655bb41b890ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\cryptography-43.0.0.dist-info\WHEEL

Filesize
94B

MD5
c869d30012a100adeb75860f3810c8c9

SHA1
42fd5cfa75566e8a9525e087a2018e8666ed22cb

SHA256
f3fe049eb2ef6e1cc7db6e181fc5b2a6807b1c59febe96f0affcc796bdd75012

SHA512
b29feaf6587601bbe0edad3df9a87bfc82bb2c13e91103699babd7e039f05558c0ac1ef7d904bcfaf85d791b96bc26fa9e39988dd83a1ce8ecca85029c5109f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\cryptography-43.0.0.dist-info\license_files\LICENSE

Filesize
197B

MD5
8c3617db4fb6fae01f1d253ab91511e4

SHA1
e442040c26cd76d1b946822caf29011a51f75d6d

SHA256
3e0c7c091a948b82533ba98fd7cbb40432d6f1a9acbf85f5922d2f99a93ae6bb

SHA512
77a1919e380730bcce5b55d76fbffba2f95874254fad955bd2fe1de7fc0e4e25b5fdaab0feffd6f230fa5dc895f593cf8bfedf8fdc113efbd8e22fadab0b8998

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\cryptography-43.0.0.dist-info\license_files\LICENSE.APACHE

Filesize
11KB

MD5
4e168cce331e5c827d4c2b68a6200e1b

SHA1
de33ead2bee64352544ce0aa9e410c0c44fdf7d9

SHA256
aac73b3148f6d1d7111dbca32099f68d26c644c6813ae1e4f05f6579aa2663fe

SHA512
f451048e81a49fbfa11b49de16ff46c52a8e3042d1bcc3a50aaf7712b097bed9ae9aed9149c21476c2a1e12f1583d4810a6d36569e993fe1ad3879942e5b0d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\cryptography-43.0.0.dist-info\license_files\LICENSE.BSD

Filesize
1KB

MD5
5ae30ba4123bc4f2fa49aa0b0dce887b

SHA1
ea5b412c09f3b29ba1d81a61b878c5c16ffe69d8

SHA256
602c4c7482de6479dd2e9793cda275e5e63d773dacd1eca689232ab7008fb4fb

SHA512
ddbb20c80adbc8f4118c10d3e116a5cd6536f72077c5916d87258e155be561b89eb45c6341a1e856ec308b49a4cb4dba1408eabd6a781fbe18d6c71c32b72c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26682\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26682\_asyncio.pyd

Filesize
62KB

MD5
2859c39887921dad2ff41feda44fe174

SHA1
fae62faf96223ce7a3e6f7389a9b14b890c24789

SHA256
aebc378db08617ea81a0a3a3bc044bcc7e6303e314630392dd51bab12f879bd9

SHA512
790be0c95c81eb6d410e53fe8018e2ca5efd1838dc60539ebb011911c36c8478333ee95989cfd1ddaf4f892b537ae8305eb4cd893906930deae59c8965cf2fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26682\_bz2.pyd

Filesize
81KB

MD5
4101128e19134a4733028cfaafc2f3bb

SHA1
66c18b0406201c3cfbba6e239ab9ee3dbb3be07d

SHA256
5843872d5e2b08f138a71fe9ba94813afee59c8b48166d4a8eb0f606107a7e80

SHA512
4f2fc415026d7fd71c5018bc2ffdf37a5b835a417b9e5017261849e36d65375715bae148ce8f9649f9d807a63ac09d0fb270e4abae83dfa371d129953a5422ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26682\_cffi_backend.cp311-win_amd64.pyd

Filesize
177KB

MD5
210def84bb2c35115a2b2ac25e3ffd8f

SHA1
0376b275c81c25d4df2be4789c875b31f106bd09

SHA256
59767b0918859beddf28a7d66a50431411ffd940c32b3e8347e6d938b60facdf

SHA512
cd5551eb7afd4645860c7edd7b0abd375ee6e1da934be21a6099879c8ee3812d57f2398cad28fbb6f75bba77471d9b32c96c7c1e9d3b4d26c7fc838745746c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26682\_ctypes.pyd

Filesize
120KB

MD5
6a9ca97c039d9bbb7abf40b53c851198

SHA1
01bcbd134a76ccd4f3badb5f4056abedcff60734

SHA256
e662d2b35bb48c5f3432bde79c0d20313238af800968ba0faa6ea7e7e5ef4535

SHA512
dedf7f98afc0a94a248f12e4c4ca01b412da45b926da3f9c4cbc1d2cbb98c8899f43f5884b1bf1f0b941edaeef65612ea17438e67745962ff13761300910960d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26682\_decimal.pyd

Filesize
245KB

MD5
d47e6acf09ead5774d5b471ab3ab96ff

SHA1
64ce9b5d5f07395935df95d4a0f06760319224a2

SHA256
d0df57988a74acd50b2d261e8b5f2c25da7b940ec2aafbee444c277552421e6e

SHA512
52e132ce94f21fa253fed4cf1f67e8d4423d8c30224f961296ee9f64e2c9f4f7064d4c8405cd3bb67d3cf880fe4c21ab202fa8cf677e3b4dad1be6929dbda4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26682\_hashlib.pyd

Filesize
62KB

MD5
de4d104ea13b70c093b07219d2eff6cb

SHA1
83daf591c049f977879e5114c5fea9bbbfa0ad7b

SHA256
39bc615842a176db72d4e0558f3cdcae23ab0623ad132f815d21dcfbfd4b110e

SHA512
567f703c2e45f13c6107d767597dba762dc5caa86024c87e7b28df2d6c77cd06d3f1f97eed45e6ef127d5346679fea89ac4dc2c453ce366b6233c0fa68d82692

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26682\_lzma.pyd

Filesize
154KB

MD5
337b0e65a856568778e25660f77bc80a

SHA1
4d9e921feaee5fa70181eba99054ffa7b6c9bb3f

SHA256
613de58e4a9a80eff8f8bc45c350a6eaebf89f85ffd2d7e3b0b266bf0888a60a

SHA512
19e6da02d9d25ccef06c843b9f429e6b598667270631febe99a0d12fc12d5da4fb242973a8351d3bf169f60d2e17fe821ad692038c793ce69dfb66a42211398e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26682\_multiprocessing.pyd

Filesize
32KB

MD5
1386dbc6dcc5e0be6fef05722ae572ec

SHA1
470f2715fafd5cafa79e8f3b0a5434a6da78a1ba

SHA256
0ae3bf383ff998886f97576c55d6bf0a076c24395cf6fcd2265316e9a6e8c007

SHA512
ca6e5c33273f460c951cb8ec1d74ce61c0025e2ead6d517c18a6b0365341a0fd334e8976006cd62b72eb5620ccc42cfdd5196e8b10691b8f19f69f851a440293

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26682\_overlapped.pyd

Filesize
48KB

MD5
01ad7ca8bc27f92355fd2895fc474157

SHA1
15948cd5a601907ff773d0b48e493adf0d38a1a6

SHA256
a083e83f609ed7a2fc18a95d44d8f91c9dc74842f33e19e91988e84db94c3b5b

SHA512
8fe6ac8430f8dde45c74f45575365753042642dc9fa9defbcf25ae1832baf6abb1ea1ad6d087e4ece5d0590e36cee1beea99845aef6182c1eec4bafdf9557604

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26682\_queue.pyd

Filesize
30KB

MD5
ff8300999335c939fcce94f2e7f039c0

SHA1
4ff3a7a9d9ca005b5659b55d8cd064d2eb708b1a

SHA256
2f71046891ba279b00b70eb031fe90b379dbe84559cf49ce5d1297ea6bf47a78

SHA512
f29b1fd6f52130d69c8bd21a72a71841bf67d54b216febcd4e526e81b499b9b48831bb7cdff0bff6878aab542ca05d6326b8a293f2fb4dd95058461c0fd14017

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26682\_socket.pyd

Filesize
76KB

MD5
8140bdc5803a4893509f0e39b67158ce

SHA1
653cc1c82ba6240b0186623724aec3287e9bc232

SHA256
39715ef8d043354f0ab15f62878530a38518fb6192bc48da6a098498e8d35769

SHA512
d0878fee92e555b15e9f01ce39cfdc3d6122b41ce00ec3a4a7f0f661619f83ec520dca41e35a1e15650fb34ad238974fe8019577c42ca460dde76e3891b0e826

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26682\_sqlite3.pyd

Filesize
115KB

MD5
d4324d1e8db7fcf220c5c541fecce7e3

SHA1
1caf5b23ae47f36d797bc6bdd5b75b2488903813

SHA256
ddbed9d48b17c54fd3005f5a868dd63cb8f3efe2c22c1821cebb2fe72836e446

SHA512
71d56d59e019cf42cea88203d9c6e50f870cd5c4d5c46991acbff3ab9ff13f78d5dbf5d1c2112498fc7e279d41ee27db279b74b4c08a60bb4098f9e8c296b5d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26682\_ssl.pyd

Filesize
155KB

MD5
069bccc9f31f57616e88c92650589bdd

SHA1
050fc5ccd92af4fbb3047be40202d062f9958e57

SHA256
cb42e8598e3fa53eeebf63f2af1730b9ec64614bda276ab2cd1f1c196b3d7e32

SHA512
0e5513fbe42987c658dba13da737c547ff0b8006aecf538c2f5cf731c54de83e26889be62e5c8a10d2c91d5ada4d64015b640dab13130039a5a8a5ab33a723dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26682\_uuid.pyd

Filesize
23KB

MD5
9a4957bdc2a783ed4ba681cba2c99c5c

SHA1
f73d33677f5c61deb8a736e8dde14e1924e0b0dc

SHA256
f7f57807c15c21c5aa9818edf3993d0b94aef8af5808e1ad86a98637fc499d44

SHA512
027bdcb5b3e0ca911ee3c94c42da7309ea381b4c8ec27cf9a04090fff871db3cf9b7b659fdbcfff8887a058cb9b092b92d7d11f4f934a53be81c29ef8895ac2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26682\aiohttp\_helpers.cp311-win_amd64.pyd

Filesize
53KB

MD5
6bb3156a2b10b7e282ab20f2114540c3

SHA1
2b973d47a20be09532320ae85b5b98041a9160d1

SHA256
ec3d5e02f4c81c04313702e8ee4a0749f5f505d8cb061856885b53ebe419fda6

SHA512
4a8b661736005313435c162c6874f635b816bec6f37fdad760d6fcc22377e3b5bb8d5d750facd1d641fe09aafe3cfa4e09ab109594019d6d5b1e7b331da69bfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26682\aiohttp\_http_parser.cp311-win_amd64.pyd

Filesize
258KB

MD5
aab11b0e9d8595fcbea00f1dfae7b294

SHA1
2b1df4a4579d8d65e391b67f3458b910a3bf4641

SHA256
9bc41b017ec2fee1e36bc1b375f682f4a7817ca65078f31f1d5d44641d008ecf

SHA512
dadfe919d632a3c406bea0f6780610bf9930b3e6c3972383dc3e5a99aa7eba521f6dbc4b8033006e40af01c6248d3e8ac0d079aa5fdde7ae3ef90d64792dec9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26682\aiohttp\_http_writer.cp311-win_amd64.pyd

Filesize
48KB

MD5
b1dd6b357d4cb6058f7059d9814809c3

SHA1
cabb7310d303d3d6a9e405e1e01feb612ca3fa5c

SHA256
d2c930f0bd8416449d1341ad37ebe9ba315f610e5db52117d976daf6996b0f50

SHA512
dc439311bfe33002a0542fe26f2bff601e14950851882ef7e0f827bb623ddd294f4f207e2dedd6f25db7e7471d7b34087543879d09fc0079ef064d30d3426623

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26682\aiohttp\_websocket.cp311-win_amd64.pyd

Filesize
36KB

MD5
6e9dc8ea9421a910bcaa3add0abd1334

SHA1
41e14cfeccd3ea283985fd507db35b7ab226ad6a

SHA256
b70a999115115171f003a0b7b5d1d3a013dd257fcc067f412b434d7f206e6ad3

SHA512
f8f8f795be00d6def06e883c7164b11bfe68d7d53376b2f414b010c5f66c36a72fdf3f1bcbc9f1cfdff1624d74566e6c16566f1ce39f033685554b304bacfc48

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26682\base_library.zip

Filesize
1.4MB

MD5
83d235e1f5b0ee5b0282b5ab7244f6c4

SHA1
629a1ce71314d7abbce96674a1ddf9f38c4a5e9c

SHA256
db389a9e14bfac6ee5cce17d41f9637d3ff8b702cc74102db8643e78659670a0

SHA512
77364aff24cfc75ee32e50973b7d589b4a896d634305d965ecbc31a9e0097e270499dbec93126092eb11f3f1ad97692db6ca5927d3d02f3d053336d6267d7e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26682\cryptography\hazmat\bindings\_rust.pyd

Filesize
7.6MB

MD5
b98d491ead30f30e61bc3e865ab72f18

SHA1
db165369b7f2ae513b51c4f3def9ea2668268221

SHA256
35d5aeb890b99e6bae3e6b863313fbc8a1a554acbcd416fe901b1e1ae2993c98

SHA512
044c9c39bddb13020ed865d3aa30926460ae6ded5fdea59eca2b1cf6a4ded55728d883f19ee0749f95a4d93f66e04fcc62bc3be67119c4ccabd17b003cf5f3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26682\frozenlist\_frozenlist.cp311-win_amd64.pyd

Filesize
84KB

MD5
19a838a9f6b71d405c025c762ec67b9d

SHA1
2871b1ab459f6e4e10ba00553e7a7bb1c27a0588

SHA256
0f7538441c1668248618ee15d11414ce68642c2cbdd1636b903ecefacf88652d

SHA512
5d7b31b4ac745ea4815be122c622989fa408adaeb2f3ba37a9495497e58467dffbeb6d9cd595d49c82cae83e5869ad9a643dd9ca691f46761eb3a20a28d73a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26682\libcrypto-1_1.dll

Filesize
3.3MB

MD5
6f4b8eb45a965372156086201207c81f

SHA1
8278f9539463f0a45009287f0516098cb7a15406

SHA256
976ce72efd0a8aeeb6e21ad441aa9138434314ea07f777432205947cdb149541

SHA512
2c5c54842aba9c82fb9e7594ae9e264ac3cbdc2cc1cd22263e9d77479b93636799d0f28235ac79937070e40b04a097c3ea3b7e0cd4376a95ed8ca90245b7891f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26682\libffi-8.dll

Filesize
34KB

MD5
32d36d2b0719db2b739af803c5e1c2f5

SHA1
023c4f1159a2a05420f68daf939b9ac2b04ab082

SHA256
128a583e821e52b595eb4b3dda17697d3ca456ee72945f7ecce48ededad0e93c

SHA512
a0a68cfc2f96cb1afd29db185c940e9838b6d097d2591b0a2e66830dd500e8b9538d170125a00ee8c22b8251181b73518b73de94beeedd421d3e888564a111c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26682\libssl-1_1.dll

Filesize
686KB

MD5
8769adafca3a6fc6ef26f01fd31afa84

SHA1
38baef74bdd2e941ccd321f91bfd49dacc6a3cb6

SHA256
2aebb73530d21a2273692a5a3d57235b770daf1c35f60c74e01754a5dac05071

SHA512
fac22f1a2ffbfb4789bdeed476c8daf42547d40efe3e11b41fadbc4445bb7ca77675a31b5337df55fdeb4d2739e0fb2cbcac2feabfd4cd48201f8ae50a9bd90b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26682\multidict\_multidict.cp311-win_amd64.pyd

Filesize
45KB

MD5
53c003dec693f83c57f326b6df5d5f05

SHA1
6977ebcbf74a039501825697021c504d7cc63928

SHA256
32555defdb044714dbaaec281820fa7a0c226545d40561b905294d2e0bdba102

SHA512
2c4b9dff022d25906981d52f68a9bda8e7840597bea6cbea9bc8036392dea56fbecaedcd1b9f6547074c28b018266e424ca0ae8e66bad947544a8571f83fd2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26682\pyexpat.pyd

Filesize
193KB

MD5
1c0a578249b658f5dcd4b539eea9a329

SHA1
efe6fa11a09dedac8964735f87877ba477bec341

SHA256
d97f3e27130c267e7d3287d1b159f65559e84ead9090d02a01b4c7dc663cd509

SHA512
7b21dcd7b64eeba13ba8a618960190d1a272fa4805dedcf8f9e1168aebfe890b0ced991435ecbd353467a046fc0e8307f9a9be1021742d7d93aa124c52cc49e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26682\python3.dll

Filesize
64KB

MD5
34e49bb1dfddf6037f0001d9aefe7d61

SHA1
a25a39dca11cdc195c9ecd49e95657a3e4fe3215

SHA256
4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281

SHA512
edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26682\python311.dll

Filesize
5.5MB

MD5
9a24c8c35e4ac4b1597124c1dcbebe0f

SHA1
f59782a4923a30118b97e01a7f8db69b92d8382a

SHA256
a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

SHA512
9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26682\select.pyd

Filesize
28KB

MD5
97ee623f1217a7b4b7de5769b7b665d6

SHA1
95b918f3f4c057fb9c878c8cc5e502c0bd9e54c0

SHA256
0046eb32f873cde62cf29af02687b1dd43154e9fd10e0aa3d8353d3debb38790

SHA512
20edc7eae5c0709af5c792f04a8a633d416da5a38fc69bd0409afe40b7fb1afa526de6fe25d8543ece9ea44fd6baa04a9d316ac71212ae9638bdef768e661e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26682\sqlite3.dll

Filesize
1.4MB

MD5
ac633a9eb00f3b165da1181a88bb2bda

SHA1
d8c058a4f873faa6d983e9a5a73a218426ea2e16

SHA256
8d58db3067899c997c2db13baf13cd4136f3072874b3ca1f375937e37e33d800

SHA512
4bf6a3aaff66ae9bf6bc8e0dcd77b685f68532b05d8f4d18aaa7636743712be65ab7565c9a5c513d5eb476118239fb648084e18b4ef1a123528947e68bd00a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26682\unicodedata.pyd

Filesize
1.1MB

MD5
bc58eb17a9c2e48e97a12174818d969d

SHA1
11949ebc05d24ab39d86193b6b6fcff3e4733cfd

SHA256
ecf7836aa0d36b5880eb6f799ec402b1f2e999f78bfff6fb9a942d1d8d0b9baa

SHA512
4aa2b2ce3eb47503b48f6a888162a527834a6c04d3b49c562983b4d5aad9b7363d57aef2e17fe6412b89a9a3b37fb62a4ade4afc90016e2759638a17b1deae6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26682\yarl\_quoting_c.cp311-win_amd64.pyd

Filesize
93KB

MD5
3ccc89b98dab137bc5af9c1e62923829

SHA1
55d93e9782094925d80e4ce27d13a0a9761b7002

SHA256
40e91aaa369a5c171c0d30630707ae9bb64412fedf149aeecfa5707a2324f770

SHA512
4ebe427c75d83c019f8d378a030ae21e07decf30cd10623115eb0cc6ad7a689159e95c7fabac82ce82cea3720fae6c6faf712b600236dad039255884872eb6c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47722\attrs-24.2.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0zkq5cve.apd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2432-160-0x00007FF8D0B10000-0x00007FF8D15D1000-memory.dmp

Filesize
10.8MB

Download
memory/2432-34-0x00007FF8D0B10000-0x00007FF8D15D1000-memory.dmp

Filesize
10.8MB

Download
memory/4764-231-0x000001D4CADF0000-0x000001D4CAE12000-memory.dmp

Filesize
136KB

Download
memory/5056-0-0x00007FF8D0B13000-0x00007FF8D0B15000-memory.dmp

Filesize
8KB

Download
memory/5056-51-0x00007FF8D0B10000-0x00007FF8D15D1000-memory.dmp

Filesize
10.8MB

Download
memory/5056-3-0x00007FF8D0B10000-0x00007FF8D15D1000-memory.dmp

Filesize
10.8MB

Download
memory/5056-1-0x0000000000E40000-0x0000000002372000-memory.dmp

Filesize
21.2MB

Download