bdaejec | 13c739544e392920c0e108aed613c98f097f985631c6cc118d796fcee59bab17

Analysis

max time kernel
297s
max time network
293s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2024 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Spoofer/Cambiador de serial/spoofer.sys
Size

11KB
MD5

ece894602ee9353cce23dc4ece8a5445
SHA1

ba600000eb12f543516576035e4bb25dc5628b46
SHA256

93a516ebdd6bb1fe9dc5951b21fbacdff660997548bbb3df57dba92417caa33d
SHA512

0ad350f2d52e1b2c6f3b9a76cfcdb29307de22ea19ca71ab6cdea80350882eadb5ccf68d317360924fdd166ebd32eb2997167466c4407a2b5c45f4e6db7acc89
SSDEEP

192:QreOkMkNIcwT4ZdVynlkR2N6quhu58JLTWY4fuo5XDNboli:weuPnlkR2N6b3LTS0i

Score

10^/10

bdaejec aspackv2 backdoor discovery execution

Malware Config

Extracted

Family

bdaejec

ddos.dnsnb8.net

Signatures

Bdaejec
Bdaejec is a backdoor written in C++.
backdoor bdaejec

Detects Bdaejec Backdoor. 2 IoCs

Bdaejec is backdoor written in C++.

resource	yara_rule
behavioral3/memory/4512-153-0x0000000000550000-0x0000000000559000-memory.dmp	family_bdaejec_backdoor
behavioral3/memory/1532-186-0x0000000000BA0000-0x0000000000BA9000-memory.dmp	family_bdaejec_backdoor

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1176	powershell.exe
2796	powershell.exe
2912	powershell.exe
1260	powershell.exe
4764	powershell.exe
3396	powershell.exe
3856	powershell.exe
2044	powershell.exe
4008	powershell.exe
4664	powershell.exe
4176	powershell.exe
1740	powershell.exe
392	powershell.exe
4764	powershell.exe
3620	powershell.exe
3828	powershell.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral3/files/0x000600000001dae7-3.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FOwJYd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	mNXfxi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	mNXfxi.exe

Executes dropped EXE 3 IoCs

pid	Process
4512	FOwJYd.exe
1532	mNXfxi.exe
1964	mNXfxi.exe

Loads dropped DLL 64 IoCs

pid	Process
4564	log3.exe
4564	log3.exe
4564	log3.exe
4564	log3.exe
4564	log3.exe
4564	log3.exe
4564	log3.exe
4564	log3.exe
4564	log3.exe
4564	log3.exe
4564	log3.exe
4564	log3.exe
4564	log3.exe
4564	log3.exe
4564	log3.exe
4564	log3.exe
4564	log3.exe
4564	log3.exe
3576	log3.exe
3576	log3.exe
3576	log3.exe
3576	log3.exe
3576	log3.exe
3576	log3.exe
3576	log3.exe
3576	log3.exe
3576	log3.exe
3576	log3.exe
3576	log3.exe
3576	log3.exe
3576	log3.exe
3576	log3.exe
3576	log3.exe
3576	log3.exe
3576	log3.exe
3576	log3.exe
1220	log3.exe
1220	log3.exe
1220	log3.exe
1220	log3.exe
1220	log3.exe
1220	log3.exe
1220	log3.exe
1220	log3.exe
1220	log3.exe
1220	log3.exe
1220	log3.exe
1220	log3.exe
1220	log3.exe
1220	log3.exe
1220	log3.exe
1220	log3.exe
1220	log3.exe
1220	log3.exe
4492	log3.exe
4492	log3.exe
4492	log3.exe
4492	log3.exe
4492	log3.exe
4492	log3.exe
4492	log3.exe
4492	log3.exe
4492	log3.exe
4492	log3.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
60	ip-api.com

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
3692	tasklist.exe
4572	tasklist.exe
4052	tasklist.exe
4192	tasklist.exe
5024	tasklist.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	FOwJYd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE	FOwJYd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	mNXfxi.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe	FOwJYd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe	FOwJYd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	FOwJYd.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	FOwJYd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	FOwJYd.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	FOwJYd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-App.exe	FOwJYd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	FOwJYd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	FOwJYd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE	mNXfxi.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	FOwJYd.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE	mNXfxi.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVLP.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE	mNXfxi.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	FOwJYd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe	FOwJYd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	FOwJYd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe	FOwJYd.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	FOwJYd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	FOwJYd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE	FOwJYd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	FOwJYd.exe
File opened for modification	C:\Program Files\Windows Mail\wabmig.exe	FOwJYd.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	mNXfxi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.Brokered.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\misc.exe	FOwJYd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	FOwJYd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	mNXfxi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\codecpacks.heif.exe	mNXfxi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\StoreExperienceHost.exe	mNXfxi.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxTsr.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe	FOwJYd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe	FOwJYd.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	mNXfxi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	FOwJYd.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE	FOwJYd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE	FOwJYd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	FOwJYd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	mNXfxi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	FOwJYd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	log2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mNXfxi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	log2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mNXfxi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	log1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FOwJYd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	log1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4664	PING.EXE
1792	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
4664	PING.EXE
1792	PING.EXE

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
4176	powershell.exe
4176	powershell.exe
4176	powershell.exe
1740	powershell.exe
392	powershell.exe
392	powershell.exe
392	powershell.exe
4764	powershell.exe
3620	powershell.exe
3620	powershell.exe
3620	powershell.exe
1176	powershell.exe
3856	powershell.exe
1176	powershell.exe
3856	powershell.exe
3856	powershell.exe
2796	powershell.exe
2796	powershell.exe
2044	powershell.exe
2044	powershell.exe
2044	powershell.exe
2796	powershell.exe
4008	powershell.exe
4008	powershell.exe
4008	powershell.exe
2912	powershell.exe
2912	powershell.exe
2912	powershell.exe
1260	powershell.exe
1260	powershell.exe
4664	powershell.exe
4664	powershell.exe
1260	powershell.exe
4664	powershell.exe
4764	powershell.exe
4764	powershell.exe
3396	powershell.exe
3396	powershell.exe
4764	powershell.exe
3396	powershell.exe
3828	powershell.exe
3828	powershell.exe
3828	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4176	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	392	powershell.exe
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeDebugPrivilege	3620	powershell.exe
Token: SeDebugPrivilege	3692	tasklist.exe
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeDebugPrivilege	3856	powershell.exe
Token: SeIncreaseQuotaPrivilege	4728	WMIC.exe
Token: SeSecurityPrivilege	4728	WMIC.exe
Token: SeTakeOwnershipPrivilege	4728	WMIC.exe
Token: SeLoadDriverPrivilege	4728	WMIC.exe
Token: SeSystemProfilePrivilege	4728	WMIC.exe
Token: SeSystemtimePrivilege	4728	WMIC.exe
Token: SeProfSingleProcessPrivilege	4728	WMIC.exe
Token: SeIncBasePriorityPrivilege	4728	WMIC.exe
Token: SeCreatePagefilePrivilege	4728	WMIC.exe
Token: SeBackupPrivilege	4728	WMIC.exe
Token: SeRestorePrivilege	4728	WMIC.exe
Token: SeShutdownPrivilege	4728	WMIC.exe
Token: SeDebugPrivilege	4728	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4728	WMIC.exe
Token: SeRemoteShutdownPrivilege	4728	WMIC.exe
Token: SeUndockPrivilege	4728	WMIC.exe
Token: SeManageVolumePrivilege	4728	WMIC.exe
Token: 33	4728	WMIC.exe
Token: 34	4728	WMIC.exe
Token: 35	4728	WMIC.exe
Token: 36	4728	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4728	WMIC.exe
Token: SeSecurityPrivilege	4728	WMIC.exe
Token: SeTakeOwnershipPrivilege	4728	WMIC.exe
Token: SeLoadDriverPrivilege	4728	WMIC.exe
Token: SeSystemProfilePrivilege	4728	WMIC.exe
Token: SeSystemtimePrivilege	4728	WMIC.exe
Token: SeProfSingleProcessPrivilege	4728	WMIC.exe
Token: SeIncBasePriorityPrivilege	4728	WMIC.exe
Token: SeCreatePagefilePrivilege	4728	WMIC.exe
Token: SeBackupPrivilege	4728	WMIC.exe
Token: SeRestorePrivilege	4728	WMIC.exe
Token: SeShutdownPrivilege	4728	WMIC.exe
Token: SeDebugPrivilege	4728	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4728	WMIC.exe
Token: SeRemoteShutdownPrivilege	4728	WMIC.exe
Token: SeUndockPrivilege	4728	WMIC.exe
Token: SeManageVolumePrivilege	4728	WMIC.exe
Token: 33	4728	WMIC.exe
Token: 34	4728	WMIC.exe
Token: 35	4728	WMIC.exe
Token: 36	4728	WMIC.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	4572	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1424	WMIC.exe
Token: SeSecurityPrivilege	1424	WMIC.exe
Token: SeTakeOwnershipPrivilege	1424	WMIC.exe
Token: SeLoadDriverPrivilege	1424	WMIC.exe
Token: SeSystemProfilePrivilege	1424	WMIC.exe
Token: SeSystemtimePrivilege	1424	WMIC.exe
Token: SeProfSingleProcessPrivilege	1424	WMIC.exe
Token: SeIncBasePriorityPrivilege	1424	WMIC.exe
Token: SeCreatePagefilePrivilege	1424	WMIC.exe
Token: SeBackupPrivilege	1424	WMIC.exe
Token: SeRestorePrivilege	1424	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 4512	2720	log1.exe	113
PID 2720 wrote to memory of 4512	2720	log1.exe	113
PID 2720 wrote to memory of 4512	2720	log1.exe	113
PID 2720 wrote to memory of 3664	2720	log1.exe	114
PID 2720 wrote to memory of 3664	2720	log1.exe	114
PID 3664 wrote to memory of 4176	3664	cmd.exe	116
PID 3664 wrote to memory of 4176	3664	cmd.exe	116
PID 3664 wrote to memory of 1740	3664	cmd.exe	117
PID 3664 wrote to memory of 1740	3664	cmd.exe	117
PID 3664 wrote to memory of 4712	3664	cmd.exe	118
PID 3664 wrote to memory of 4712	3664	cmd.exe	118
PID 3664 wrote to memory of 1028	3664	cmd.exe	119
PID 3664 wrote to memory of 1028	3664	cmd.exe	119
PID 2968 wrote to memory of 4056	2968	log1.exe	122
PID 2968 wrote to memory of 4056	2968	log1.exe	122
PID 4056 wrote to memory of 392	4056	cmd.exe	123
PID 4056 wrote to memory of 392	4056	cmd.exe	123
PID 4056 wrote to memory of 4764	4056	cmd.exe	124
PID 4056 wrote to memory of 4764	4056	cmd.exe	124
PID 4056 wrote to memory of 3412	4056	cmd.exe	125
PID 4056 wrote to memory of 3412	4056	cmd.exe	125
PID 4056 wrote to memory of 2284	4056	cmd.exe	126
PID 4056 wrote to memory of 2284	4056	cmd.exe	126
PID 5028 wrote to memory of 1532	5028	log2.exe	129
PID 5028 wrote to memory of 1532	5028	log2.exe	129
PID 5028 wrote to memory of 1532	5028	log2.exe	129
PID 5028 wrote to memory of 2964	5028	log2.exe	130
PID 5028 wrote to memory of 2964	5028	log2.exe	130
PID 2964 wrote to memory of 4664	2964	cmd.exe	132
PID 2964 wrote to memory of 4664	2964	cmd.exe	132
PID 2964 wrote to memory of 3620	2964	cmd.exe	133
PID 2964 wrote to memory of 3620	2964	cmd.exe	133
PID 4512 wrote to memory of 232	4512	FOwJYd.exe	134
PID 4512 wrote to memory of 232	4512	FOwJYd.exe	134
PID 4512 wrote to memory of 232	4512	FOwJYd.exe	134
PID 1532 wrote to memory of 5032	1532	mNXfxi.exe	136
PID 1532 wrote to memory of 5032	1532	mNXfxi.exe	136
PID 1532 wrote to memory of 5032	1532	mNXfxi.exe	136
PID 1228 wrote to memory of 4564	1228	log3.exe	139
PID 1228 wrote to memory of 4564	1228	log3.exe	139
PID 4564 wrote to memory of 1600	4564	log3.exe	140
PID 4564 wrote to memory of 1600	4564	log3.exe	140
PID 4564 wrote to memory of 3412	4564	log3.exe	141
PID 4564 wrote to memory of 3412	4564	log3.exe	141
PID 4564 wrote to memory of 720	4564	log3.exe	143
PID 4564 wrote to memory of 720	4564	log3.exe	143
PID 1600 wrote to memory of 1176	1600	cmd.exe	147
PID 1600 wrote to memory of 1176	1600	cmd.exe	147
PID 720 wrote to memory of 3692	720	cmd.exe	148
PID 720 wrote to memory of 3692	720	cmd.exe	148
PID 3412 wrote to memory of 3856	3412	cmd.exe	149
PID 3412 wrote to memory of 3856	3412	cmd.exe	149
PID 4564 wrote to memory of 1968	4564	log3.exe	151
PID 4564 wrote to memory of 1968	4564	log3.exe	151
PID 1968 wrote to memory of 4728	1968	cmd.exe	153
PID 1968 wrote to memory of 4728	1968	cmd.exe	153
PID 3332 wrote to memory of 3576	3332	log3.exe	155
PID 3332 wrote to memory of 3576	3332	log3.exe	155
PID 3576 wrote to memory of 1532	3576	log3.exe	156
PID 3576 wrote to memory of 1532	3576	log3.exe	156
PID 3576 wrote to memory of 2872	3576	log3.exe	157
PID 3576 wrote to memory of 2872	3576	log3.exe	157
PID 3576 wrote to memory of 1036	3576	log3.exe	158
PID 3576 wrote to memory of 1036	3576	log3.exe	158

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Spoofer\Cambiador de serial\spoofer.sys"
1⤵
PID:1920
- C:\Users\Admin\AppData\Local\Temp\Spoofer\Cambiador de serial\spoofer.sys
  "C:\Users\Admin\AppData\Local\Temp\Spoofer\Cambiador de serial\spoofer.sys"
  2⤵
  PID:872

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5012

C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log1.exe
"C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Users\Admin\AppData\Local\Temp\FOwJYd.exe
  C:\Users\Admin\AppData\Local\Temp\FOwJYd.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ed84570.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:232
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\68A9.tmp\68AA.tmp\68AB.bat "C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log1.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -File script.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4176
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -File script.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1740
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Multi Theft Auto: San Andreas All\1.6\Settings\general" /f
    3⤵
    PID:4712
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections" /f
    3⤵
    PID:1028

C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log1.exe
"C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\72AC.tmp\72AD.tmp\72AE.bat "C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log1.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -File script.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -File script.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4764
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Multi Theft Auto: San Andreas All\1.6\Settings\general" /f
    3⤵
    PID:3412
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections" /f
    3⤵
    PID:2284

C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log2.exe
"C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Users\Admin\AppData\Local\Temp\mNXfxi.exe
  C:\Users\Admin\AppData\Local\Temp\mNXfxi.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\60dd736c.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5032
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7E73.tmp\7E74.tmp\7E75.bat "C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log2.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -File C:\Users\service.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3620

C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log3.exe
"C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log3.exe
  "C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log3.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log3.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log3.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3412
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:720
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4728

C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log3.exe
"C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log3.exe
  "C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log3.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log3.exe'"
    3⤵
    PID:1532
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log3.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    PID:2872
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1036
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4488
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1424

C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log3.exe
"C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log3.exe"
1⤵
PID:3564
- C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log3.exe
  "C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log3.exe"
  2⤵
  - Loads dropped DLL
  PID:1220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log3.exe'"
    3⤵
    PID:5024
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log3.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    PID:532
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4868
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2304
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:388

C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log3.exe
"C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log3.exe"
1⤵
PID:3032
- C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log3.exe
  "C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log3.exe"
  2⤵
  - Loads dropped DLL
  PID:4492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log3.exe'"
    3⤵
    PID:2668
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log3.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    PID:2440
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:884
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3664
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2012

C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log3.exe
"C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log3.exe"
1⤵
PID:4176
- C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log3.exe
  "C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log3.exe"
  2⤵
  PID:1016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log3.exe'"
    3⤵
    PID:4020
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log3.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    PID:4772
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1800
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:536
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4612

C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log2.exe
"C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log2.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4852
- C:\Users\Admin\AppData\Local\Temp\mNXfxi.exe
  C:\Users\Admin\AppData\Local\Temp\mNXfxi.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4ca623e9.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3644
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C773.tmp\C774.tmp\C775.bat "C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log2.exe""
  2⤵
  PID:3332
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -File C:\Users\service.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Uninstall.exe

Filesize
31KB

MD5
8f5fed54e01d5972fb9d27c1d40e522a

SHA1
0fcad0f97449528d45171c69ee1c990ee3a3582c

SHA256
dc457b84f671fd8cd7e0ca0586b7a96301d33f204cf978e56daebeaa2eee6815

SHA512
c3ef36ddf5773f24941718fadea4ff0ed904d3c594e4b71888c9a616f90819688ad7a2cfc19003223891f5cb4522dbdc8c9145ac12dbf28b24b9b8322d035fb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
0af12004db5fe4272f4edb32014df51e

SHA1
d58f39958fb93f8b305ca7294bebb4978766dae6

SHA256
6e59b3f130a284b93d20a9ed46b3fa945f464dcc68f2f521df8eddbf5c8425bc

SHA512
a0ab53cd3cd7703584bc9d3ef2ede4ac60f536154434468cd861a1ed8d702cf6daea284641634a346b27b8a54411c7fedb762784ad596a7da296fb288553036c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8R55UT9S\k2[1].rar

Filesize
4B

MD5
d3b07384d113edec49eaa6238ad5ff00

SHA1
f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

SHA256
b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

SHA512
0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\23DA1D4D.exe

Filesize
4B

MD5
20879c987e2f9a916e578386d499f629

SHA1
c7b33ddcc42361fdb847036fc07e880b81935d5d

SHA256
9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

SHA512
bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\60dd736c.bat

Filesize
187B

MD5
f1ccf1bad1ded30ff104394364381574

SHA1
7e6fa0056c9aff6dc15a0ddc1e52be9a1fe87422

SHA256
ed56bcce9b7678ae24b261f1d0890960bc26edc46a794400488202372b53262d

SHA512
199a8180ebf53dd797a619b6f1ba68f4f098619f66cb59bbd736451f1d188dd80b098540b4fcf19657324cc29c86074e0182941a4aaf12825a3cc94e336faccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\68A9.tmp\68AA.tmp\68AB.bat

Filesize
1KB

MD5
4fa3f51896539efc4e33072e36982ef2

SHA1
32f37a0c2eb87af2dc5e76d8c38d39475f6b4cc7

SHA256
faf2a2fa1e21ec5cb05a4ecf7cbd3e469bc79625b3601316fc3786f46c3845a3

SHA512
a3589076087fdd52d40b790912d8ed24d25c44311ac819c2deef1cd2eac8b7e243588021addf1fb60b1dea88dabe9d190ad3aa950b0c5c58f0a0362b395eb86e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7E73.tmp\7E74.tmp\7E75.bat

Filesize
1KB

MD5
e0f0f24047c4f2cf11b740ae7f32efd1

SHA1
271b1e88a1dc89c395854b5808a97f7b0b162f06

SHA256
5f7e01455bd8c7604f8e5b2cc069179015360505f08ffdb9a14c3abbcd478e5f

SHA512
55c1b69e7136b0e18da87fc29d5ac9974adfc019574cae14b906f46efc8dec02694f1d251c9d3d755918994ec9964aeed63f06ece317b066e6828abbb468b7ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ed84570.bat

Filesize
187B

MD5
add499f7ec1dc237b5dcaeb74bd563fe

SHA1
60eab3293fb882c7859d8156d00ba108bc7f10c2

SHA256
6ae550277eee177c8a461eccd057bb10c9f5a5ec8e0b483bbb6f274fd32f6899

SHA512
bced8cf8cdd1871af030944355827bab271ab96dee9e4dea0467b6894d360953d17d100d410c17e564821a54092e0c3e83eb8c459dd968adfedbe5bc4ed82d98

Download Submit
C:\Users\Admin\AppData\Local\Temp\FOwJYd.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\script.ps1

Filesize
409B

MD5
af5aefbf4681c1058c1e33b8bf09d316

SHA1
d6a797fcdbac3f9ababc4afe28f8dc1b6647db5e

SHA256
49a4c5b8c350d5b93d848c2cf9f3d108642ee15cf334897ee12d88008fe60692

SHA512
d29e5e760ef3fc586dbf34573784dae6169a74d9aeefe9455798bba477ed37ba084156931da6d3aca4e72bbb202c918bcdfa0d0dfc1488729fdecafd2bf76b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12282\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12282\_ctypes.pyd

Filesize
128KB

MD5
a55e57d7594303c89b5f7a1d1d6f2b67

SHA1
904a9304a07716497cf3e4eaafd82715874c94f1

SHA256
f63c6c7e71c342084d8f1a108786ca6975a52cefef8be32cc2589e6e2fe060c8

SHA512
ffa61ad2a408a831b5d86b201814256c172e764c9c1dbe0bd81a2e204e9e8117c66f5dfa56bb7d74275d23154c0ed8e10d4ae8a0d0564434e9761d754f1997fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12282\api-ms-win-core-console-l1-1-0.dll

Filesize
12KB

MD5
3b3c26d2247b0a2928f643fda76264b1

SHA1
06d8d10ea6b23f886c832df4fe1122130e71bb22

SHA256
258ac28b71532d6f9419edce72961e2b9644b0f92de5ce002801cc9c3caf442e

SHA512
5b6dfc3fb97a4a2e906739531b6d3d066d9f12eab67d5051dbb99b260a2a51e5ca19ba449b8fd901fc1034fd2402ddfa2c87fd2ac6dc3e7bdd4e929d8426a0cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12282\api-ms-win-core-datetime-l1-1-0.dll

Filesize
11KB

MD5
5f1e568d0cdcf0d5d4f52fd2e8690b4a

SHA1
d582714273b6254249cf0bfc8ec41272eca2bc29

SHA256
ed94f413f576835acf4dade22ead7e764dd2f0242581090e3a2424452b49b9fe

SHA512
d283d739210ab29802c9df8588a5e0188dd3fd3a3061ed0aa5b5b3633e686a66ac9aa0c6fd7bfa696af7ff16da1f870b775a3a44c3a015f33a3dd83a56cfc42d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12282\api-ms-win-core-debug-l1-1-0.dll

Filesize
11KB

MD5
d85b98d1e5746f36e8afb027756547cf

SHA1
91ef9250155d7685c5730c73c1a2de361e9ba772

SHA256
143c8bcc6ab0d6afa1dc03996b5256a6bccb3442dc4ff3182404fde8172de4b6

SHA512
6d1b507613ce85dedddb5d61a0ea3b926b79443c5688fe0ce9283ffae7ff27af93c418ec3b086f3a84e574afcc3a1170d0ab1d8b4d5976a71af79bbd351d7caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12282\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
11KB

MD5
1ca45137e611548c8d090ebaa178d462

SHA1
ee84cb3d6ad1e6180a6825d9d293e7c9418c7153

SHA256
3c186afd5cf0e4314d0e15bd55832e976368d162331d5cb065fe890b88c9cfbd

SHA512
139349c90590d17a73d0dca3bcb72febaea1a8cf2a4da24716dcfbaacdf6c85260c5e792bb04f923975e918163a46524ebeed1f2f02494d9f271d73f8b558bb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12282\api-ms-win-core-file-l1-1-0.dll

Filesize
15KB

MD5
eb5e7affe24ab532089733f8b708a1ff

SHA1
f3b1f20d29d8b38d8c47cf66c75d650c5b855738

SHA256
17ad72adbef247080dd456bb54f11bc782801381fc2aa2abe005cca9db6254c0

SHA512
69c148749f9b1729187c3d39d2d00ba952d22163ae393716b2096a869a97ead4cfed8edde303cc65c13cb30d6e44fcb2e4cb896b03dc14aac7cb49958a23e699

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12282\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
a8b0327931fd2c863693634b3081e6a0

SHA1
d66cd78c124e931667b6079d5bc5adf55a644293

SHA256
1fa836b3704b29e7ad1ea1b0b457f62aae4435c6a1d745707631552a2f83d5f6

SHA512
1b8331ac9b17d3553a5c7b4572f826bb232b339c28f6c9a31a870097c7612587cd1dbe59fe294501ce11cf5bba973d83784108309617b6f7104f2aae8f723961

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12282\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
eb4c279c8386d4f30aab6d76feec3e5a

SHA1
0c611e8f56591f64841b846df7d5c07fd75b55a4

SHA256
56bc7d3dd48d9cb209195f71be67d0a90ca929a8d4e6ae5a481f3ab0345da294

SHA512
1869b0c843df05ba849e79aa15b25855aa5c2c2e5a932c0de650b83c8abe2371585731b0213061b8f4d781a87b352ad3a09bf8555fcf0f9422a0bcc1a9062781

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12282\api-ms-win-core-handle-l1-1-0.dll

Filesize
11KB

MD5
cef770449597ee64eed064e5edf3f76b

SHA1
f759143f09f539e032a680b376f7362610215fe3

SHA256
2b52bf5a8c0bc2e93cebcce597c6693a118667e9f16836e65d8b166d33d33f49

SHA512
f899e00ae697c44c8b127dab548c25181e2772a9cb80e6887ed2435be7a03a51d2e77820456e984921b0252d77f0fecb7b1c5b08615b49e3c08d531a09c67279

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12282\api-ms-win-core-heap-l1-1-0.dll

Filesize
11KB

MD5
2143036c7d2ba3cc75ecbc66f60d5259

SHA1
dd9192d9b4c7e90290796431db0ef8cc06210c73

SHA256
c8adf90a32936eaf678ed9a091d422e091e6b80d0431ec120e60febe1f617ac3

SHA512
94e4618b574924ae48386dfd520de6faf2ba1a3347fa56ded559bcf24f0e14bf1a7f442bdfa68244af5294fd83e8e334d7cc4959c14434665d731c9d5beadeb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12282\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
11KB

MD5
47e43806d67d182ab20e77fd2b705cdc

SHA1
bf7f4ffcaac83535146d372767db6f36bad3bb61

SHA256
52df3c5ded71786cf0f4f7545d59f5e6e168e6a499862c59b5985f6071f201ab

SHA512
28ea9b227b42e86ea7e16eabde3f6b01a86da21ca50119b173e98e736e4997a81f9ee20f7c11e5fdfe3c62255345c078bd9d9e51bd6b45911b14f90b0ed7b76d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12282\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
12KB

MD5
7672f7af6df502bda30f98005487e24c

SHA1
d49003f56bd5d19ff265dab88fcf9d1bbd145a31

SHA256
52a11ca57d562ee1cfbb7d6c26253cbd67a39b55bf1a56cd0f9332136986e8cc

SHA512
0ee52bf600f70e16006ab159d4b3ea50241941fe9dc8031a78c8f0797374f6ae221ecb4be9789ae0b29fc1b8313951a79886b44b51cb6387e79059acc2e1e3c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12282\api-ms-win-core-localization-l1-2-0.dll

Filesize
14KB

MD5
a94626cbc9c0e1b62619a8cf49504ff8

SHA1
047e2b1f21f1258242238043143f1d892538bbc3

SHA256
a36792281c0aaab929635bb1f40ee3627225e7e35e6a199c188f3f782c7e6c27

SHA512
b208602f33f02c92df718e4c009e6e8055e538c9451ef6f9682ce21db5258d799c09f689aae2879470a934b60b4f3d44ea82704933fa40f2ff408cf42bd1c534

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12282\api-ms-win-core-memory-l1-1-0.dll

Filesize
11KB

MD5
130b06c83791d63b703d54291b69c789

SHA1
314e29b408a93343fa8e0666eb0d128e8e2f83ac

SHA256
bbf2556eff6f0bc6a11d73821aca2c14d5c8235143ceeb16b55b47eee453f179

SHA512
46a513a466a43ed1581a4406795bcf79576e731fc486d0b055be2f75cd6b9e5f6221bc76873941b8c8418ebae4aaacd7f689c3a01b2f42d89beca55406184837

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12282\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
11KB

MD5
ead87c06066422461368fa5dc07be9c0

SHA1
3009d09b9727df50e586217e98edcda9f46a7b30

SHA256
b39d21f236d903c34770d50da02c14e8d226e695138f3f6ace4eae11b6d6796d

SHA512
4f1eabc514b18b5704f90f87a7d0231ce47e9125c7f490570699519d5ee70cdfbba067ab67c6d9878a86129181367e55fada55a377efc6873afccc40763459ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12282\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
12KB

MD5
585c47a83cb7b3a69d23b840dc56ee6e

SHA1
b75739a142d1cdeae815404e10d7ef28230451db

SHA256
3fa37c4d72451e968217c20ec64a01f5d4f1a5af7b44a107607cad3d3618aee1

SHA512
ef76ace5b820fabfa142ab67f6ad2c68ef29fd95ed1b8d0d0d31759b18b3b218675ae5d7a45b533a4784629adc8c394fb6b0d2689e926700e7bf04f833673f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12282\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
13KB

MD5
e345e6656aeac37c80a404f032ba550b

SHA1
371eaeeb74227dd2e7b1bcf36e7aa2cde446a0aa

SHA256
31fd144dc063f7fac651147f0c3826fb0b33ca8028bd4f70a78d63cfb53d81a8

SHA512
6af30635d25ba9552498e78ef3332b60e03d070d6e503903145c8ae30930efeda75b687082cf46c0c25590d6459463f8d873f3e5176bafc9194156d8aaeaa045

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12282\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
12KB

MD5
b16e6798ad40000698a09276961fc2c3

SHA1
b5184d9bdb1f5e7cfe17b2ec305c8554362067de

SHA256
f8b7122ca5e1d473818940fea4d1155af429463038ba61953908fbbbb7a8d613

SHA512
a4737a2236eb35e1b4935a5e333c7f1c51588852a8daf654fd2e7ca6e945e40df9d001394c2f3e3a9d023b8d4e34e9753f6472ed58df245b104623d7dbde7423

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12282\api-ms-win-core-profile-l1-1-0.dll

Filesize
10KB

MD5
c06f8f8eed1581ffee9efd5fdbc44f5a

SHA1
b44aa8d6ab3a713c07bb68cbc153c78c634aebe8

SHA256
8b36bce1b7a881f85529eae56e5b75e32763eb14b6683f2203a957ec31336ce1

SHA512
13d369d61a953f92cb1a5935d8e69ec050d7291f8c83ffd09752112bfebcce8b8ae99fc168e969b00141816a1c6c3a981340cfaca319d4f7b188e3a20a43f950

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12282\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
11KB

MD5
1f79f843211cdbf6f109bc2e1eca522f

SHA1
b4a7a607e3eb04fb616d885768ec729273ec33ea

SHA256
5208000a52363b1de665d5d46cd6f4da45f0c19c74876918e165e23efed26e92

SHA512
4ac7797b2e84d2fade089bd6f4b44103eecd1369e47440f1abad3f06cfc2ea5408b8692af63b81769703898cef87068a1e8998efb91b13e60a93325e72dbdc39

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12282\api-ms-win-core-string-l1-1-0.dll

Filesize
11KB

MD5
6fc55f288e6124935beefdb24f98e4d6

SHA1
e9cff87ba41b04eaac6f7bbbdfdcb671857a2eb3

SHA256
6bf3e8a6cdb3ccaa52f05fa336bbe80e70351a3eb0c8a98ef599b596d11aaee5

SHA512
a675d0f195774ebe7e118d12932af97f15ebb982f7981552216aefc18b918934c863dd9cc35a67761ffb0dab6791f0363808256b2e708d2f93a5800c42475dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12282\api-ms-win-core-synch-l1-1-0.dll

Filesize
13KB

MD5
9c69b176fdb21f68fbb36aedf237a18f

SHA1
aa25e9565d6fa887135318ab8c384180b575d916

SHA256
b48b10bfeda8c32e538b03a9db05864866f8a44d04824f63032f2dc33e39fa1b

SHA512
f34c0fe7b29f7c475d663e12dff71a9a93d76914072c69abca54e6780a81894e35d9650e855fd4be5485747dc4a24ed10cb658688432900a0ffe6489d622c1f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12282\api-ms-win-core-synch-l1-2-0.dll

Filesize
11KB

MD5
2d7db8919ceb847377e4c40c1ec7b842

SHA1
27371e9e311c7b8edc56084e41c25e7a87c7c265

SHA256
d3e6256c2dd7150cff8ffca9c9cc6ef477c1da72c0d32972d1022381927b8295

SHA512
b634c27cd0f50748c66f256e316d6aace23d358cbd9aedbab2a0bba9b1a77587422d77c6d161d129a57ca34dfb11507486e1cfbcb6d4ac9779c7a2989f3a29c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12282\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
12KB

MD5
44208a7738486bf56121c752df083658

SHA1
93665af04ce345174df47d7b39aac68327dd13a4

SHA256
85b8a6d64a66556f4501aaf120d699dba661841027d27becc6d7240dafb14138

SHA512
38680a4329da0ba501dd78a9005b3e8b54f1dec9fc8dbc08b969e70ebe480dc2444d3c4e66634b14e0e032573240524333e019e4b2c750d8dec1a9dd7b7632c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12282\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
f0f891d08e0e358327b323b38f3ffca2

SHA1
eb20f147c53f86c59603f5edbf60f936f768fb1b

SHA256
9c8461929b61e0fd269ce735d699e7e3b6c0159d3e2659f60d681290abf9eac5

SHA512
94e13c4d09ff35c2ded7fd2649b3542aade1414f05772e2034af7723f2622e662e8c0bb67e1eb288e230f8ae183d8f1296c2a134b7ae061a452fa3f7423d7694

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12282\api-ms-win-core-util-l1-1-0.dll

Filesize
11KB

MD5
1417705c75240630943aaedd35a4b406

SHA1
74047910e023f6ab2ac5242c47147c1cb47a7d48

SHA256
76748b18c61fac93fe1c0587711e3ec0b306b2c92198f0b8b4f6bad8c6d9ba8f

SHA512
918987aa8e72b6875d0c1c53cc3521757eda25c746ae477fea545428be5da692fae60aac665dc15c3af89bad43e491a72d00302beb349f45e35e7c89217deea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12282\api-ms-win-crt-conio-l1-1-0.dll

Filesize
12KB

MD5
184a6a9df3526464a3a5f2dc1c21e55b

SHA1
33101ece94c15d733d985fc71ddb13ba4b70b9c7

SHA256
25bbdabc7b8d8edf5cd05b5591edca13236724cad1011393e010df3c58fd6f7e

SHA512
2c2162dbd2e36d81054feb064ea6850547dab270b95faa3dc878a11e47a9c0558ae2039cbb3bb3d1974c1582117d0f3022512a340241da5dbacfd5f94f713f75

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12282\api-ms-win-crt-convert-l1-1-0.dll

Filesize
15KB

MD5
dad955bbd1a073f1920bdacc7e9d4b32

SHA1
1ce733a4450d5426a78ef2bd1cdbe5d5ff958fd0

SHA256
fe368e5edf476436afea571faacf80d5d12a4b064d5736ee482b972eee82a64c

SHA512
294e838dc41f97afeecb90b58df5fd5449ff1582cb80185d7efe7cadf354ef9f0a1e374c50bca5f72f1859d88a832330caaa9d7a25e1da49195530f0ec26a06e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12282\api-ms-win-crt-environment-l1-1-0.dll

Filesize
11KB

MD5
36a4f9af7c7d93c49c973da11475d81e

SHA1
8167f90ee36a9c24c53ce78bac9427b8dafdd5d5

SHA256
29656b4f4f985952c5edee8e66ad7901e47c3c5619965dddc9939c5ce5ab7d58

SHA512
92449c67dba558b54c71c88bbfee5a245078238642fdd5368b1d0f41439dfb62fa9292b4fe00162605dbe3d14c8847c3bde4f14c1f06f5271d6392c81278d74a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12282\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
13KB

MD5
f6c3b0cd6c578f544e94d75d9c9ffaec

SHA1
1b4b1babda538e23cbf2bc458303d7ae70741347

SHA256
6e65f088e4ecb0cf8306766c59190ce3efbc8a190fcbb53572cc61e35d2787f1

SHA512
0dfcfe028970dd70653b3dfecac4ac5672a3b5c6aae0252ca54a1226e19c4cd2bad5b32eb6ff75765cf82cd82ad986d95aef6d12e3a4a291baf6615cb6e96356

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12282\api-ms-win-crt-heap-l1-1-0.dll

Filesize
12KB

MD5
6d8959da747b68298f6d8f81cf23c077

SHA1
e7c7b64ef5e5faa0da00430a81dd85765661649c

SHA256
1bc96d86e373fcb77e3d2e48440f0eafb7e42a88a5a82e0ace01967acf236d3b

SHA512
0838c8adcea9127bb1f39a70d07ac7bde0ea23c4fd8f418517aef72f590c3f644e9fd7a1a571231e7d47311e66cca1f71187337e634c1e3fdbf8e0d0016b112b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12282\api-ms-win-crt-locale-l1-1-0.dll

Filesize
11KB

MD5
dd5fc38ed969ff4b3aca435c70eb2132

SHA1
becb1d7b94d4d99222cdd4c4c7472f0448c3a65c

SHA256
69e5f222dc622555c88e3bc4cfef42f64237728bd02d00c9281203e512ca77b2

SHA512
4680d5ff8d40bf58b6e1bd3a8bcef7caf9f0b652993faa22958d0315e259acf2177fe8e3e579065641bddd4bfc8eea34f47aca63ac8b07a56de7c952adeafd5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12282\api-ms-win-crt-math-l1-1-0.dll

Filesize
20KB

MD5
5f6c4318712ef0c644d39c088b660ebd

SHA1
44b166918cb8208bec51ff46ddbaa49cf023fbd1

SHA256
e4244f90307ab003cb5cc9bcd729ef897abcf26785df9277cbe389e328e0fe0b

SHA512
ad272ece4c4fd3f8362d8ff91d3c3e738e2df8281c319744d7d72792f203ac40cd0c4082550815690036320756b57ed8e51c9efb01ed4c2fe01138b98f9deba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12282\api-ms-win-crt-process-l1-1-0.dll

Filesize
12KB

MD5
0ad8330a78941c63f4fed28440163005

SHA1
47a73d254ecd71273f71bfb67ca43dbd974d3791

SHA256
0dbe94bdfb49ba93ccd7db40323b824b4f1941cd340916d73ba2241a7d34fc1e

SHA512
bdfa386b2a5c3b31f29592e6c76e6e36a4489aeb2edb8d713d6dec99fbd3bb6cd97195fe81ab30bdfb2e26bbb57102c25961739734035c482227f40bad585a1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12282\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
36cbafa7d455a21362af5153ff1c1367

SHA1
6842ed962111f40463d5b672d13542bca1909608

SHA256
48655a29504bcdb1a7f5c2b316f9cd71ab35ca521d2659df105f49c40b0f92f0

SHA512
e9deb4ba721524c633302028fb8ea0dd962e7e546016e0f145769648d3afd7f1a637ea47b520eae19af1f1d6ab11f11399d4c05c8206b8011140341c3ff3e488

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12282\base_library.zip

Filesize
1.3MB

MD5
a9cbd0455b46c7d14194d1f18ca8719e

SHA1
e1b0c30bccd9583949c247854f617ac8a14cbac7

SHA256
df6c19637d239bfedc8cd13d20e0938c65e8fdf340622ff334db533f2d30fa19

SHA512
b92468e71490a8800e51410df7068dd8099e78c79a95666ecf274a9e9206359f049490b8f60b96081fafd872ec717e67020364bcfa972f26f0d77a959637e528

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12282\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12282\python313.dll

Filesize
5.8MB

MD5
b9de917b925dd246b709bb4233777efd

SHA1
775f258d8b530c6ea9f0dd3d1d0b61c1948c25d2

SHA256
0c0a66505093b6a4bb3475f716bd3d9552095776f6a124709c13b3f9552c7d99

SHA512
f4bf3398f50fdd3ab7e3f02c1f940b4c8b5650ed7af16c626ccd1b934053ba73a35f96da03b349c1eb614bb23e0bc6b5cc58b07b7553a5c93c6d23124f324a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12282\ucrtbase.dll

Filesize
1011KB

MD5
7e39d82adf5da0b51a968c764e0e15c1

SHA1
79e75ccde95798f21a34e5650b29dbebe79c1b43

SHA256
d67926328a72816d2944d7c88df6ff4bfccd41a9ce39af0309a0639829d0e7fb

SHA512
1c58d53c40535f80f482a5f406ef5bf9c2f963b9db5969c37ef47b0c59522a1a9bde3f3589538a7ae7d99d567a43170b384761e572c740010feb86894ce7322a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41762\_bz2.pyd

Filesize
82KB

MD5
cb8c06c8fa9e61e4ac5f22eebf7f1d00

SHA1
d8e0dfc8127749947b09f17c8848166bac659f0d

SHA256
fc3b481684b926350057e263622a2a5335b149a0498a8d65c4f37e39dd90b640

SHA512
e6da642b7200bfb78f939f7d8148581259baa9a5edda282c621d14ba88083a9b9bd3d17b701e9cde77ad1133c39bd93fc9d955bb620546bb4fcf45c68f1ec7d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41762\_decimal.pyd

Filesize
271KB

MD5
f3377f3de29579140e2bbaeefd334d4f

SHA1
b3076c564dbdfd4ca1b7cc76f36448b0088e2341

SHA256
b715d1c18e9a9c1531f21c02003b4c6726742d1a2441a1893bc3d79d7bb50e91

SHA512
34d9591590bba20613691a5287ef329e5927a58127ce399088b4d68a178e3af67159a8fc55b4fcdcb08ae094753b20dec2ac3f0b3011481e4ed6f37445cecdd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41762\_hashlib.pyd

Filesize
62KB

MD5
32d76c9abd65a5d2671aeede189bc290

SHA1
0d4440c9652b92b40bb92c20f3474f14e34f8d62

SHA256
838d5c8b7c3212c8429baf612623abbbc20a9023eec41e34e5461b76a285b86c

SHA512
49dc391f4e63f4ff7d65d6fd837332745cc114a334fd61a7b6aa6f710b235339964b855422233fac4510ccb9a6959896efe880ab24a56261f78b2a0fd5860cd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41762\_lzma.pyd

Filesize
154KB

MD5
1ba022d42024a655cf289544ae461fb8

SHA1
9772a31083223ecf66751ff3851d2e3303a0764c

SHA256
d080eabd015a3569813a220fd4ea74dff34ed2a8519a10473eb37e22b1118a06

SHA512
2b888a2d7467e29968c6bb65af40d4b5e80722ffdda760ad74c912f3a2f315d402f3c099fde82f00f41de6c9faaedb23a643337eb8821e594c567506e3464c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41762\_queue.pyd

Filesize
32KB

MD5
1c03caa59b5e4a7fb9b998d8c1da165a

SHA1
8a318f80a705c64076e22913c2206d9247d30cd7

SHA256
b9cf502dadcb124f693bf69ecd7077971e37174104dbda563022d74961a67e1e

SHA512
783ecda7a155dfc96a718d5a130fb901bbecbed05537434e779135cba88233dd990d86eca2f55a852c9bfb975074f7c44d8a3e4558d7c2060f411ce30b6a915f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41762\_socket.pyd

Filesize
81KB

MD5
fe896371430bd9551717ef12a3e7e818

SHA1
e2a7716e9ce840e53e8fc79d50a77f40b353c954

SHA256
35246b04c6c7001ca448554246445a845ce116814a29b18b617ea38752e4659b

SHA512
67ecd9a07df0a07edd010f7e3732f3d829f482d67869d6bce0c9a61c24c0fdc5ff4f4e4780b9211062a6371945121d8883ba2e9e2cf8eb07b628547312dfe4c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41762\_sqlite3.pyd

Filesize
125KB

MD5
d4e5be27410897ac5771966e33b418c7

SHA1
5d18ff3cc196557ed40f2f46540b2bfe02901d98

SHA256
3e625978d7c55f4b609086a872177c4207fb483c7715e2204937299531394f4c

SHA512
4d40b4c6684d3549c35ed96bedd6707ce32dfaa8071aeadfbc682cf4b7520cff08472f441c50e0d391a196510f8f073f26ae8b2d1e9b1af5cf487259cc6ccc09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41762\_ssl.pyd

Filesize
177KB

MD5
1c0e3e447f719fbe2601d0683ea566fc

SHA1
5321ab73b36675b238ab3f798c278195223cd7b1

SHA256
63ae2fefbfbbbc6ea39cde0a622579d46ff55134bc8c1380289a2976b61f603e

SHA512
e1a430da2a2f6e0a1aed7a76cc4cd2760b3164abc20be304c1db3541119942508e53ea3023a52b8bada17a6052a7a51a4453efad1a888acb3b196881226c2e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41762\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
17KB

MD5
71a78ca51c03c4b0b464fb33f146b111

SHA1
5c2a992dd6349d728d993e5074273939896806b5

SHA256
550ea9556ba9197b25b7eb9d12ca9dd9ad0e820e4dba91f94dd54b57a2e6934f

SHA512
7a8907c9c364b9436bc20a70084410100ac7b95eb028571046f2c1854cd6431bac560d0f28f47cd93b7e096c4aab9349da186f4abd503d768af9651a93faab41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41762\api-ms-win-crt-string-l1-1-0.dll

Filesize
18KB

MD5
cfe9e3331815616f392ce1db58e01adc

SHA1
2f4ea14189ff21adb507fb09f3cbcf92c7ecde63

SHA256
341f489491f992bece2879fea3b660ff2dcd04a59bdb5f3998d58e5ac8ce3341

SHA512
33c6c3babfdc5b01118f411070983579b01711b3f67f9cbcddb861ec655c3989ab670b62422aabac382a4f953887f4cf5549a23feb0683d4c6eee8965bf030a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41762\api-ms-win-crt-time-l1-1-0.dll

Filesize
14KB

MD5
c492ee40814b7586f554ec0223b14430

SHA1
b8a929929c8936cbe387000d7d0cef5ba04abfaf

SHA256
2b7fed76ba52606e442d5069f42077f0cf304e49326dddcf3695a06530c4b5c1

SHA512
2b7873ebdb1873e718754477fee55fde7b9de752b23648554198ff6b69042565c47cc8ddf25fa75e1fb9b9f6f8ac2b7d972594b8c038d3ac65a0c9dbdb26f882

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41762\api-ms-win-crt-utility-l1-1-0.dll

Filesize
11KB

MD5
294e2caf335a8a68b64d5623d0cb5fd3

SHA1
93888112a512afa6107ca303a343ddea70271c77

SHA256
47aa51ad00153edd4f3dd42bf89da2325f9e0106e9772396c066666182b22d07

SHA512
d2fc964a6523d15a5d471b1409d65e2278ae8b97279705c37a3e00afcf6d8d7671bfd174d59a7f36aace21c0caef9c01645e919ff2fa26cc32abc774c769cd2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41762\libcrypto-3.dll

Filesize
5.0MB

MD5
123ad0908c76ccba4789c084f7a6b8d0

SHA1
86de58289c8200ed8c1fc51d5f00e38e32c1aad5

SHA256
4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43

SHA512
80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41762\libssl-3.dll

Filesize
774KB

MD5
4ff168aaa6a1d68e7957175c8513f3a2

SHA1
782f886709febc8c7cebcec4d92c66c4d5dbcf57

SHA256
2e4d35b681a172d3298caf7dc670451be7a8ba27c26446efc67470742497a950

SHA512
c372b759b8c7817f2cbb78eccc5a42fa80bdd8d549965bd925a97c3eebdce0335fbfec3995430064dead0f4db68ebb0134eb686a0be195630c49f84b468113e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41762\select.pyd

Filesize
30KB

MD5
20831703486869b470006941b4d996f2

SHA1
28851dfd43706542cd3ef1b88b5e2749562dfee0

SHA256
78e5994c29d8851f28b5b12d59d742d876683aea58eceea1fb895b2036cdcdeb

SHA512
4aaf5d66d2b73f939b9a91e7eddfeb2ce2476c625586ef227b312230414c064aa850b02a4028363aa4664408c9510594754530a6d026a0a84be0168d677c1bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41762\sqlite3.dll

Filesize
1.5MB

MD5
7e632f3263d5049b14f5edc9e7b8d356

SHA1
92c5b5f96f1cba82d73a8f013cbaf125cd0898b8

SHA256
66771fbd64e2d3b8514dd0cd319a04ca86ce2926a70f7482ddec64049e21be38

SHA512
ca1cc67d3eb63bca3ce59ef34becce48042d7f93b807ffcd4155e4c4997dc8b39919ae52ab4e5897ae4dbcb47592c4086fac690092caa7aa8d3061fba7fe04a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41762\unicodedata.pyd

Filesize
693KB

MD5
0902d299a2a487a7b0c2d75862b13640

SHA1
04bcbd5a11861a03a0d323a8050a677c3a88be13

SHA256
2693c7ee4fba55dc548f641c0cb94485d0e18596ffef16541bd43a5104c28b20

SHA512
8cbef5a9f2d24da1014f8f1ccbddd997a084a0b04dd56bcb6ac38ddb636d05ef7e4ea7f67a085363aad3f43d45413914e55bdef14a662e80be955e6dfc2feca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z1qkdppp.ykl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\service.ps1

Filesize
789B

MD5
aa2cd59ea141ff113f958c07463c6868

SHA1
3763ef8a8f3db01edec2d07c1a020ad42adf890d

SHA256
ab2df8cb646673257a9bcb55c4749afe0d112fc37729e23abd9b8adf33432c98

SHA512
847020a4124a4717be57a04edcfb7ae0becae481084f091c6fa31413498bf410ba482a5bae9b0adbe30db0f5c5585f964851e224a38c47fe75a7943f20c1129f

Download Submit
memory/1532-186-0x0000000000BA0000-0x0000000000BA9000-memory.dmp

Filesize
36KB

Download
memory/1532-108-0x0000000000BA0000-0x0000000000BA9000-memory.dmp

Filesize
36KB

Download
memory/1964-621-0x0000000000700000-0x0000000000709000-memory.dmp

Filesize
36KB

Download
memory/1964-626-0x0000000000700000-0x0000000000709000-memory.dmp

Filesize
36KB

Download
memory/2720-65-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2720-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2968-102-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4176-30-0x0000013155170000-0x0000013155192000-memory.dmp

Filesize
136KB

Download
memory/4512-153-0x0000000000550000-0x0000000000559000-memory.dmp

Filesize
36KB

Download
memory/4512-4-0x0000000000550000-0x0000000000559000-memory.dmp

Filesize
36KB

Download
memory/4852-638-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5028-132-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5028-103-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download